Mozilla Firefox Spyware Mitigation Guide
After configuring Mozilla Firefox according to this guide it's rating changes like so:
Spyware Rating: High => Not Spyware
Before beginning this guide it is important that you try and cross-reference it with other guides, to see which prespective on this topic is the best way to do it for you. At the bottom of the page are links to other guides and projects like this one. You should strongly consider this as you may find other guides more useful than this one.
Mozilla Firefox has a huge amount of spyware features, but they all can be disabled by using predefined profile settings. To do this you need to create new Firefox profile:
- Run
firefox -no-remote -ProfileManager - Create a new profile
- Exit.
| OS | Path |
|---|---|
| Windows 7 | %APPDATA%\Mozilla\Firefox\Profiles\XXXXXXXX.your_profile_name |
| Linux | ~/.mozilla/firefox/XXXXXXXX.your_profile_name |
| OS X | ~/Library/Application Support/Firefox/Profiles/XXXXXXXX.your_profile_name |
| Android | /data/data/org.mozilla.firefox/files/mozilla/XXXXXXXX.your_profile_name |
| Sailfish OS + Alien Dalvik | /opt/alien/data/data/org.mozilla.firefox/files/mozilla/XXXXXXXX.your_profile_name |
| Windows (portable) | [firefox directory]\Data\profile\ |
Delete everything from the new profile and get ghack's user.js
- cd /path/to/your/profile && rm -r * && wget https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/user.js
- yourtexteditor user.js
If you want to disable OCSP as well, you should also add this to your user.js. These settings are seperated because while OCSP is a privacy breach it is also a security feature, and so whether to have it on or off should be thought about before continuing. You can read about OCSP here: https://scotthelme.co.uk/revocation-is-broken/ [web.archive.org] . The problem is, that OCSP is a form of phoning home, and you might not want to make those requests.
user_pref("security.ssl.enable_ocsp_stapling", false);
user_pref("security.OCSP.enabled", 0);
user_pref("security.OCSP.require", false);
With this installation method, if you change any of user.js settings through about:config or Firefox preferences dialogs,
they will be reset to the user.js defined values after you restart Firefox.
This makes sure they're always back to secure defaults when starting the browser.
At the end you need to delete several default plugins in Firefox directory at \Mozilla Firefox\browser\features\ that can violate privacy:
- firefox@getpocket.com.xpi - Pocket
- followonsearch@mozilla.com.xpi - Follow On Search
- activity-stream@mozilla.org.xpi - Activity Stream
- screenshots@mozilla.org.xpi - Screenshots
- onboarding@mozilla.org.xpi - Onboarding
- formautofill@mozilla.org.xpi - Autofill
- webcompat@mozilla.org.xpi - Web Compatibility Reporter
It is highly recommended to also check other user.js template settings from ongoing "ghacks-user.js project"[1] for further hardening Firefox privacy, security and anti-fingerprinting.
Other Guides
These are other guides and projects to help protect your privacy using Firefox. It's important to look at other prespectives instead of reading JUST this guide. So you should be comparing all of the guides that you can find to hear everyone's ideas about how this should be done, before you finish setting Firefox up. Librefox is less of a guide and more of a project and series of tools and settings you can download to help you make Firefox private.
Firefox: Privacy Related "about:config" Tweaks [web.archive.org] [archive.is]Firefox Privacy – The Complete How-To Guide [web.archive.org] [archive.is]
Librefox: Firefox with privacy enhancements [web.archive.org] [archive.is]
Sources
1.
ghacksuserjs/ghacks-user.js
[web.archive.org]
[archive.is]
This guide was created on 10/8/2018
This guide was last updated on 4/2/2020
If you want to edit this article, or contribute your own article(s), contact us on XMPP over in spyware@conference.nuegia.net, or visit us at the git repo on Codeberg. All contributions must be liscenced under the CC0 liscence to be accepted.
