Talk:Firefox/Privacy

From ArchWiki
Jump to navigation Jump to search

Detailed insights

Hey, I'm not an expert in privacy and browser security but I thought I'd get the ball rolling. If anyone could write some more detailed insights into cookies, scripts, etc that would be appreciated. Once/if more plugins are added we can begin to make sub catergories, eg: "Cookie Management", "Script/Plugin Management".

Cheers,

--MagickFox (talk) 13:52, 24 June 2012 (UTC)

Flash, Java, user-agent uggestions

Check this site: https://panopticlick.eff.org Flash may track you using system fonts, to disable it:

  1. echo DisableDeviceFontEnumeration = 1 >> /etc/adobe/mms.cfg

The same problem should occur with Java another thing is to change the user agent to a more common one about:config -> general.useragent.override -> windows smth Are these suggestion worth in this page? Flu (talk) 19:22, 7 December 2012 (UTC)


Horray. Flash is disabled in Firefox. No work needed. Case closed :D Archaid (talk) 01:05, 2 September 2020 (UTC)
Not completely removed. Wait until December. -- Blackteahamburger (talk) 10:56, 2 September 2020 (UTC)

Disable Geolocation

Set geo.enabled to false. Pickfire (talk) 15:21, 25 November 2017 (UTC)

Rehashing of select prefs.js/user.js?

What we have here under #Configuration is for the most part a set of cherry-picked preferences which I feel only touch upon what is possible. Perhaps a revamp of the page is in order. Arguably the two most important preferences in terms of providing privacy are:

user_pref("javascript.enabled", false);
user_pref("network.cookie.cookieBehavior", 2);

Which effectively disable JavaScript and cookies altogether. Privacy (to me) with respect to FF is containing metadata leaks to third-parties (or even first-parties). For example, starting from FF 73, firefox.settings.services.mozilla.com cannot be blocked by any extension or by setting all pref URLs to "");. The solution is either a DNS sinkhole (hardware or software) or firewalling the resolved IP block.

~ $ dig @1.1.1.1 firefox.settings.services.mozilla.com
;; ANSWER SECTION:
firefox.settings.services.mozilla.com. 77 IN CNAME d2k03kvdk5cku0.cloudfront.net.
d2k03kvdk5cku0.cloudfront.net. 60 IN	A	13.226.251.19
d2k03kvdk5cku0.cloudfront.net. 60 IN	A	13.226.251.43
d2k03kvdk5cku0.cloudfront.net. 60 IN	A	13.226.251.27
d2k03kvdk5cku0.cloudfront.net. 60 IN	A	13.226.251.120

One might consider # ufw deny out to 13.226.0.0/16 port 443 since the domain resolved to 13.226.219.xxx for me only last week (load balancing moving target). But that essentially negates the use of a significant block of addresses leveraging the same subnet on Amazon AWS (locally for me, YMMV). Coverage should also be given to useful extensions such as Dark Reader which (unfortunately) submits frequent metadata streams to darkreader.github.io. An alternative is to curate a userContent.css to provide similar results, thereby negating the need for an extension with heartbeat callbacks. What do you guys think? Adamlau (talk) 10:54, 18 March 2020 (UTC)

Note: : Currently blocking 13.226.219.0/24 port 443 and 13.226.251.0/24 port 443 and will review local ufw logs over time.

The more I review #Configuration, the more I feel it should be reworked to reflect a more universal approach towards privacy versus a handful of settings Adamlau (talk) 12:47, 18 March 2020 (UTC)

  • Source modification is really the very best way to go about all of this as opposed to a series of bandaged solutions after everything is built Adamlau (talk) 13:18, 26 April 2020 (UTC)

First-Party Isolation

The privacy.firstparty.isolate option seems interesting and pertinent; it may cause problems on some sites, but maybe somebody finds a good way to mention it in the article before I find some time to play with it myself. -- Kynikos (talk) 10:54, 31 May 2020 (UTC)


That option should definitely be pushed forward over many of the others already listed :) Adamlau (talk) 04:56, 11 July 2020 (UTC)


Good one, is it privacy though or security? Keeping on that topic of limiting third-party shenanigans, the setting for "no third-party cookies" might be helpful for privacy. It's network.cookie.cookieBehavior to 1. When you change this setting in the Privacy tab, Firefox warns that it "may cause websites to break". I see above that people rejected the idea to disable cookies completely?
What about deleting the cookies on closing FF? Or do we believe that's what Private Browsing is for? I've come to the point where privacy concerned people (those visiting this page) would expect cookies to always be deleted on close (ie. network.cookie.lifetimePolicy to 2. This can be set from the Preferences > Privacy Tab also). If there are no objections I will add the two points I've mentioned to the page in the days ahead. Archaid (talk) 00:38, 2 September 2020 (UTC)


Remove the hidden extensions section?

This hidden extensions section is no longer applicable, with basically all the questionable extensions there being dropped (firefox/Privacy#Remove_system-wide_hidden_extensions). Should we set a deadline to remove it? March 2021? I changed the section today to inform those extensions are dropped. Archaid (talk) 00:58, 2 September 2020 (UTC)

Old packages are not supported, so there is no need to keep it: [1]. -- Blackteahamburger (talk) 13:03, 2 September 2020 (UTC)


Proxying

A) I've just added a section about firefox/Privacy#Proxying_your_web_searches. My opinion is its best practice for maintaining privacy but if there is a better process, or a FLOSS Firefox extension exists that makes the process described even easier, please adapt it.

B) there is a case for adding a sub-section on invidious, despite invidious giving the user a direct link to google servers for the mp4 file, and the user is revealed to google,

a) no js needs to be executed and given that we are now clearly instructing people to switch off js we need to offer a pathway to access video content without js,
b) invidious makes downloading media easy so the user might only be tracked as consuming the media once and not every time they watch/rewatch it
c) invidious has an audio only option, helpful in reducing bandwidth consumption for people with poor internet connections. Reducing bandwidth is helpful over Tor and I2P, with the latter known to be used with hardened Firefox installations, and
d) THIS ONE IS IMPORTANT invidious makes setting up an independent video hosting service easier (example/s can be provided) (anything that reduces the centralization of video delivery also increases privacy;
i) it reduces the size of the profile that the central power in this case, Google, can build on a person, and
ii) a person can host/publish their own videos on a user-friendly interface privately, not possible on Youtube.

For the above reasons, it's worthwhile that we include invidious in a Proxying section.

Please share your thoughts on this. If there are no objections I'll move forward in the days ahead. Archaid (talk) 23:31, 2 September 2020 (UTC)