Mozilla Firefox Spyware Mitigation Guide
After configuring Mozilla Firefox with Narsil's user.js, according to this guide it's rating changes like so:
Spyware Rating: High → Not Spyware
Narsil's user.js is a template which aims to provide as much privacy and enhanced security as possible, and to reduce tracking and fingerprinting as much as possible. It's a fork of arkenfox's user.js, which was used in previous versions of this guide. But Narsil's enhance it for maximum privacy and minimizing automatic connections.
For extra privacy & security, disconnect your computer from the internet while following this guide, so that Firefox is unable to phone home by accident.
Mozilla Firefox has a huge amount of spyware features, but they can all be disabled by using predefined profile settings. To do this you need to create new Firefox profile:
- Run
firefox -no-remote -ProfileManager
- Create a new profile
- Exit.
Then open your Firefox user profiles directory. It should be located at:
OS | Path |
---|---|
Windows 7 | %APPDATA%\Mozilla\Firefox\Profiles\XXXXXXXX.your_profile_name |
Linux | ~/.mozilla/firefox/XXXXXXXX.your_profile_name |
OS X | ~/Library/Application Support/Firefox/Profiles/XXXXXXXX.your_profile_name |
Android | /data/data/org.mozilla.firefox/files/mozilla/XXXXXXXX.your_profile_name |
Sailfish OS + Alien Dalvik | /opt/alien/data/data/org.mozilla.firefox/files/mozilla/XXXXXXXX.your_profile_name |
Windows (portable) | [firefox directory]\Data\profile\ |
Delete everything from the new profile and get Narsil's user.js:
cd /path/to/your/profile && rm -r * && wget https://codeberg.org/Narsil/user.js/raw/branch/main/desktop/user.js
You may want to edit the file to your needs, if so:
$EDITOR user.js
If you want to enable OCSP, you should also modify these options in the user.js. These settings are disabled in Narsil's user.js because OCSP is a privacy breach, but it is also a security feature. It works by contacting other servers to verify the authenticity of the address you are connecting to.
You should think about it before making a decision. You can read more about OCSP here: https://scotthelme.co.uk/revocation-is-broken/ [web.archive.org].
user_pref("security.ssl.enable_ocsp_stapling", false);
user_pref("security.OCSP.enabled", 0);
user_pref("security.OCSP.require", false);
With this installation method, if you change any of the settings in user.js through about:config or Firefox preferences dialogs, they will be reset to the user.js defined values after you restart Firefox. This makes sure they're always back to secure defaults when starting the browser.
Run firefox -no-remote -ProfileManager
again and start the profile you created. Delete any others if needed. Check to make sure, after the first start, that another profile which does not use our user.js was not created by Firefox.
We recommend to also check other user.js settings from "arkenfox-user.js docs"[1] for better understanding of what the user.js is doing. Note that Narsil's user.js is optimized for the maximum privacy and security, but feel free to adapt it to your needs.
Hosts file
Narsil's user.js mitigates most Firefox's privacy issues. But there are still two automatic connections that can't be disabled in the user.js settings. There are two solutions for this (Read Narsil's user.js README) but we will take the easiest path, which makes use of the hosts file. Unlike the other solution, it isn't overwritten with every Firefox update.
We will be using Mr Rawes hosts which blocks every connection that Firefox does. Using the user.js, there should be only two automatic connections left. Adding every connection to the hosts file, even the ones that we've already disabled, does not have any negative effect and it may help in case you launch Firefox with a profile not using the custom user.js.
Download the hosts file and add them to your system. In unix-like OSs it's located at /etc/hosts
.
Note that for updating addons you will need to remove addons.mozilla.org from the hosts file, go to about:addons
in your browser and in the options menu click on "Check for updates". This is necessary because the user.js disables
automatic updates. Firefox won't update itself either, make sure to keep it updated using your package manager.
Mozilla.cfg
This is unnecessary if you used the user.js method, but it's interesting to have this other option. Important settings are enforced/locked within mozilla.cfg, the major difference with the user.js is that those settings cannot be changed by addons/updates/Firefox or unwanted/accidental manipulation. To change those settings you can edit the mozilla.cfg.
We will use a modified mozilla.cfg from Narsil which is configured with a strong focus on privacy and security. Download it in a zip file from here and unzip it. You need to copy the config folder to the firefox installation path.
OS | Path |
---|---|
Windows | C:\Program Files\Mozilla Firefox\ or C:\Program Files (x86)\Mozilla Firefox\ |
Linux | /usr/lib/firefox/ |
OS X | Applications/Firefox.app/Contents/Resources/ |
This method may be preferable because settings can not be overwritten by addons or normal users, only by users with root privileges. Make sure to read through the mozilla.cfg to check if the settings suit your usecase, it's optimized for maximum privacy and security.
Other Guides
These are other guides and projects to help protect your privacy using Firefox. It's important to look at other perspectives instead of reading JUST this guide. So you should be comparing all of the guides that you can find to hear everyone's ideas about how this should be done, before you finish setting Firefox up. Librewolf is less of a guide and more of a project and series of tools and settings you can download to help you make Firefox private.
Note that these guides might not completely remove automatic connections. Consider using the hosts file.
- Privacy Related "about:config" Tweaks to Firefox [web.archive.org] [archive.is]
- Firefox Privacy – The Complete How-To Guide [web.archive.org] [archive.is]
- Librewolf, Firefox with privacy enhancements
Sources
- https://commons.wikimedia.org/wiki/File:Firefox_logo,_2019.svg (Firefox Logo)
- Narsil's user.js README [web.archive.org] [archive.is]
- arkenfox/user.js wiki [web.archive.org] [archive.is]
- https://github.com/arkenfox/user.jss/blob/master/README.md
This guide was updated on 08/22/2022
If you want to edit this article, or contribute your own article(s), visit us at the git repo on Codeberg. All contributions must be licensed under the CC0 license to be accepted.