Firefox Customisation

From Manjaro Linux
Jump to: navigation, search
29-May-2017:  
Veted & updated the A list of more & less useful internet testing sites
section, made some good additions & removed those that are now
redundant for one reason or another. 

Updated the Cookies section.

Updated the Firefox & derivatives, plus Pale Moon Privacy Add-ons
section.


Firefox & Pale Moon Customisation - Security First - User Options Second

Pale Moon pages of interest

Pale Moon Home page: [1]

Pale Moon forum: [2]


Introduction

Firefox.jpg


This page is adapted from one I wrote at the now defunct spiralinear.org forum. It has been most recently updated on the 19th April 2015).

We all have our personal preferences for the way we like to use the internet & how valuable our personal privacy is, so the way one person likes to setup their system/browser for their internet use can be completely different to the way another does it.

With that in my mind, I've updated this page which now shows my current preferences (& some). Hopefully, if nothing else the reader may find something of use that may help them optimise their own way of using the Web.

Note: Due to the recent security leak exposing the 
practice of the Unites States, National Security 
Agency of spying on internet users internationally. 
Specifically those users who make use of the likes of
Google, Facebook, Twitter & other such extremely popular
internet services. I suspect that the information on this 
wiki page (& the like) may have gained some credibility 
where once it had none.

Here [3] is a link that lists some alternatives that will 
help you to protect your privacy, which we do in an effort to
dis-empower those that choose to manipulate the ill-gotten
knowledge in their huge & ever growing databases of 
information harvested by secretly observing our supposedly
private lives. 

Many people have the attitude, (usually based on ignorance
of the facts) that "I don't do anything wrong, so let them 
track me". It is not you who is doing the wrong here,
it is these organisations who gain influence via 
manipulating the information in their databases with
the use of incredibly sophisticated software, allowing
them to then most effectively manipulate unwitting
populations of people to whatever ends these organisations
see fit at the time. 

When the people & technology used to implement this spying &
the aforementioned manipulation & implementation of the data
is worth billions of dollars, it has to be considered worth
the investment by the corporate/government(s) that use this
technology & employ the people in these secret agencies.

Whether the basis of these ends are political,
corporate, (more likely a combination of the two), or any
other motive. They are doing what they do, in a top
secret fashion. Public scrutiny is the number one enemy of
those that operate in secret. 

Is it worth thinking about? & why?


A list of more & less useful internet testing sites

BrowserSpy.dk - A Brilliant browser Security test site.

BrowserSpy Canvas FP check - Check on your Canvas Fingerprint.

BrowserSpy WebRTC check - Check if your browser is leaking your IP address everywhere it goes.

IPLeak - Great multifaceted test site created by the AirVPN team particularly for testing your ID leakage (WebRTC +).

Panopticlick.eff.org - A so-so FSF browser test.

HackerWatch.org - Port Scanner.

WhatsMyIP.org - Lots of info' here.

DownForEveryoneOrJustMe.com - Check your internet connection.

[4] - DNS Spoofability tests +.

[5] - Multiple trackers - IP; email; WhoIs...


The Quest for Web Browser Security

I'll put the ixquick created Startpage Search Engine in its own category as it seems to be the champion internet search engine with regards to the user's privacy, & it works brilliantly unlike some of the others I have tried because it uses the Google search engine.

Unfortunately we have lost the Scroogle Google scraper, though I'm sure that the Scroogle guy at least has some comfort in knowing that Startpage (which is run by a wealthier organisation & is therefore a more polished production) is available & becoming increasingly more popular in many parts of the world (Europe in particular it would seem).

Be sure to use the Startpage.com SSL version (it may be the only one these days) as there is big tracking trouble for those that search in http:// & get an https:// result. Have a read of this to see why.


Cookies

For many years I have manually handled cookies, creating black & white lists in Firefox & related browsers. I have now come to appreciate that by using one of the excellent cookie handling Firefox add-ons, that I don't have to. I still tell my Firefox (or associated) browser not to accept 3rd party cookies, but beyond that I use one of either Self Destructing Cookies or Cookie Exterminator. These days I'm using Cookie Exterminator. They are both excellent add-ons.

Those two are both totally effective (I've been using them both for a long time now). To the point that if you use either of these two add-ons you won't have to worry about being tracked by cookies (I think that they may also deal with DOM storage too, but don't take anyone else's word for it, use the about:config edit provided below - as well as in the other Firefox about:config edits page that is found in this section of the wiki.


The Web of Cookie Connections

I haven't tested this software for some time so it is
dated. I leave this section in place as the images
graphically demonstrate the cookie connection
problems that we all face. Those images were taken
years ago, this problem is now exponentially worse.

There has been a vastly superior version of Collusion created it is called Lightbeam. The mozilla foundation plus others have apparently put in a great deal of work in creating Lightbeam. I'll place a screenshot of it here above a screenshot of Collusion:

Lightbeam.png
  • I haven't a picture of lightbeam connected to other computers as the one of Collusion below has, for one of two reasons, 1. I have no unwanted connections OR 2. Lightbeam isn't functioning? I'll get back to you on this.
Cookies.only collusion.png
  • The screenshot to the left is of the display from a Firefox add-on called Collusion it shows you in a FF tab, all of the computers that your computer is connected to on the web. The aforementioned screenshot is set to show only cookies.

You can move your mouse pointer over each circle that represents one of these servers & get its url & see more info about it in a column on the left hand side. These computers basically connect to your computer via cookies of one kind or another.

When I first installed this software (roughly 8 months ago as of this writing) I ran the add-on for days & never had one computer show up on my screen. Even when I turned all my security add-ons off. The reason being I don't have any cookies on my machine unless I chose them.

DOM Collusion.png
  • After having been lulled into a false sense of security by that experience, I've found that my security had been compromised & that it is not so much cookies as DOM storage which is the newish but extremely widely used culprit. The screenshot to the left excludes the cookies that were shown in the previous screenshot shown above & shows only the DOM storage type connections. This is pretty scary.


Firefox & derivatives, plus Pale Moon Privacy Add-ons

There are add-ons that do stuff for us, & they make it a bit quicker than getting exactly the same result via editing the about:config page in our Firefox or any of the other true Firefox based browsers, & of course Pale Moon which has truly forked, though they have still kept the Firefox about:config page & it is compatible.

This means that there is stuff that is not added to the list below, due to it always being safer privacy/security wise, to use an about:config edit over using a browser add-on that does the same thing (plus whatever else it may or may not choose to do without telling us).

Ghostery no longer works on Pale Moon (& there is strong talk that those behind Ghostery are selling tracking info').
All of the following run fine on Pale Moon unless otherwise stated.

uBlock Origin is apart from the Firefox's, working fine with Pale Moon these days, which is great as it is vastly superior to Adblock Latitude the "native" Pale Moon ad blocker. uBlock Origin also integrates with uMatrix as you'll see when you set them up.

uMatrix - is made to protect your browsing privacy: it will look after your cookies (as you choose) & quite a number of other variables in an effort to protect your privacy. Even spoofs your User Agent string, changing it as often as you choose (default every 5 minutes).

Privacy Badger - created by the EFF, it is a work in progress, having the intention of blocking spying adds & trackers.

uBlock Origin - (wonderful update to Adblock Edge which updated Adblock Plus - powerful capabilities for those that choose to use them).

RequestPolicy - added (see below).

NoScript - the well known essential protection.

FP-Block - This is the best canvas fingerprint blocking add-on that I've tried. It really grabs the problem by the throat. It comes from the University of Luxembourg, check out this page.

Blender - "Blend in the crowd by faking to be the most common Firefox browser version, operating system and other stuff". It does what it says & more, it seems to work fine with FP-Block too.

ShareMeNot - stops you being tracked by the owners of the social media icons that you see on most web sites that exist today. Have a read about it on the makers' site at University of Washington's Computer Science & Engineering department: [6]

HTTPS-Everywhere - this one isn't essential though it is well worth knowing about.

Pale Moon Has forked HTTPS-Everywhere, the Pale Moon add-on is called Encrypted Web & can be found here: [7]

Swap Proxy - Easy to install & use if you are using Squid or another type of proxy. (I've not tested this with Pale Moon.)


A great source of protection from 3rd parties is RequestPolicy. Originally RequestPolicy was certainly most likely too hard for most users to live with;- these days it is very much easier, so it is worth giving it a try. If you don't like it, you can easily uninstall it via the Firefox Tools menu > Add-ons option. If you can get used to using it, it is a superb addition to our set of security tools.


On top of that, all Firefox users should have a look at uBlock Origin - which is a vast improvement on Adblock Edge, which was an effective improvement on Adblock plus.


Plus I've got DOM storage turned off in Firefox/Pale Moon, via about:config (see below) & some of the other about:config security options that follow. I've removed both Beef Taco & more recently Better Privacy as I've found them to be no longer helpful.

See the next section on modifying the /etc/hosts file, as it brings another extremely valuable layer of privacy protection to the table. (Though if you are using uBlock Origins / uMatrix you can avoid having to set up the hosts file if you set uBlock Origins to do it for you.)'


Modifying & using the .../hosts file for security purposes:

For an easy way (as it includes & highly regarded hosts file supplement) with a Windows how-to read this page.

Unless you are running Windows, forget the Windows how-to, just download, unzip & paste the supplied hosts file onto the end of your /etc/hosts after everything else.

You will need to open your text editor as root to do this. Replace the <editor-name> with the name of your preferred text editor in the following Terminal command-line:


sudo <editor-name>/etc/hosts


You can edit the /etc/hosts file, adding/removing what you want if you so desire. I've been using it in an unchanged state on both Linux & Win7 for years now. I did as of this edit (late 2015) update the host file (updates are from my observations fairly rare).

You can update the host file addition when new updates become available. You can also (if you are happy about doing so) register your email address to be notified when to go & download the new file.

Using this host file adds another strong, transparent & maintenance free layer of security & comfort (due to the advertisement related content that is blocked) which unfortunately these days we need.


about:config Edits

Firefox updates can restore default about:config
settings. We need to keep an eye on them, particularly
with the likes of turning off DOM storage.


About-config firefox.png




Turn off DOM Storage

DOM storage has become a much bigger threat to our privacy than the dreaded cookies were. Unfortunately this technology is certainly set to leave cookies in the dust, so changing the default value of this configuration to false is strongly recommended for security reasons. However, please note that it may cause a few web sites not to work properly at the same time.

Works with Pale Moon.

about:config Name: dom.storage.enabled

Default value: true

Modified value: false


The following is quoted from [8] though they have moved it for whatever reason, the above link now points to their main page on DOM:

HTML5 web storage, a better local storage than cookies. What is HTML5 Web Storage?

With HTML5, web pages can store data locally within the user's browser.

Earlier, this was done with cookies. However, Web Storage is more secure and faster. The data is not included with every server request, but used ONLY when asked for. It is also possible to store large amounts of data, without affecting the website's performance.

The data is stored in key/value pairs, and a web page can only access data stored by itself.


Turn off a number of Firefox "phone home" calls

I'll check Pale Moon out for this stuff, though I doubt
it will be applicable.

Read about the script here: [9]

Be warned if you use the script it will overwrite any
& all modifications that you have made to Firefox via
about:config edits...

Perhaps a better way to use the information in the script is to look at it here: [10] A then manually edit your about:config with any & all options that you choose to use.

This is very useful information, thanks to salome for bringing it to our attention in the forum.


Referrer Control

Works with Pale Moon.

about:config Name: network.http.sendRefererHeader

Default Value: 2

Modified Value: 0


By setting network.http.sendRefererHeader in about:config to 0, whenever you visit a link from one site, the destination site doesn't know the original site you were referred from.

This in effect makes the Firefox add-on RefControl (& others) redundant.

From the Knowledgebase:
network. http. sendRefererHeader	Integer
Determines when to send the Referer HTTP header.
0: Never send the referring URL
1: Send only on clicked links
2 (default): Send for links and image

If you find that you can't get into your online banking (or other) site, it can be due to you having set the integer to 0. You would then be best off using the integer value of 1. & Under such circumstances use the likes of RefControl as you can use whatever options you choose for your normal surfing & then choose a specific option that works with specific troublesome sites.

I am very rarely blocked from a site (for whatever reason) & under such circumstances I don't want to use the site anyway!


Prefetch Control

Works with Pale Moon.

about:config Name: network.prefetch-next

Default Value: true

Modified Value: false


By setting network.prefetch-next to false, we are controlling the following:

Link prefetching, is when a web page hints to the browser that certain pages are likely to be visited, so the browser downloads them immediately so they can be displayed immediately when the user request


How to Quash Firefox's Silent Requests

Works with Pale Moon.

about:config Name: network.http.speculative-parallel-limit

Default Value: 6

Modified Value: 0


By setting network.http.speculative-parallel-limit to 0, we are controlling the following:

Unlike older versions of Firefox, more recent versions will make a request to a destination server just by hovering over a link. No CSS, no JavaScript, no prefetch required.

For more information on this topic see the following slashdot page: [11]


Classic Theme Restorer

Not needed for Pale Moon.

If you prefer some or most all of the ways that the firefox interface was pre v30, then you will most likely like what the Firefox add-on Classic Theme Restorer [12] does for the Firefox v3*. UI.

This add-on gives you a large number of options with which to configure the Firefox v3*. UI to suit your taste.


NoSquint - Customize the look of web sites

Now ONLY works with Pale Moon, Firefox upgraded NoSquint away
There are alternatives for Firefox, though they are inferior
at this stage. Also, NoSquint is no longer supported by its
creator, though the source code is available here: [13]
(see below for add-on link)

NoSquint is an awesome add-on for those of us that like to adjust the size of fonts &/or colours on web sites that we visit. NoSquint will also remember your settings so that you only have to make the quick & simple modifications in the easy to use NoSquint GUI once for the sites that you frequently visit.

You can still find the NoSquint add-on here: [14]


FEBE & other Firefox/Pale Moon Extensions by Chuck Baker

Chuck has created some brilliant browser add-ons. FEBE is my favourite, as it allows you to backup your browser (cross platform too) extensions, bookmarks, cookies & much, much more. It even gives you a backup directory with all of your add-ons/extensions turned into individual .xpi files so that you can reinstall them individually, or whatever. You can set it to backup on a schedule, backing up only what you choose, even if it is just your Bookmarks. :)

Check out his page which has all of his extensions, including links to each add-ons own dedicated page: [15]


Open With - Firefox/Pale Moon add-on

Works with Pale Moon.

Open With can be found here (various versions): [16]

Is a Firefox add-on that has quite a number of powerful capabilities. I'm only going to mention two of the simple ones here. They are useful for both convenience & privacy/security:

1. Frees us from needing to use Flash or any of the open-source Flash options. Instead we get to use the very capable mpv media player, which is both technologically up to date & lite on resources.

2. Provides us with a very easy & convenient way to download video's from the web via the youtube-dl program. Which is open-source & far more likely to respect our privacy than any of the Firefox add-ons that it replaces.

As of this writing Open With 5.6.3.1-signed is the most
recent version that will install/work with Pale Moon.


Open With to view web video's

Use the Open With add-on Preferences page to Add a new item.

Rather than use the mpv.desktop file I used /usr/bin/mpv to call the mpv media player (your choice).

Add the following in the Open With - Preferences (if it suits you):

--no-resume-playback

Then play around with the menu options in the left hand side of the Preferences screen until you get what suits you. (If you don't understand what they mean, just use trial & error to get what you want, there aren't that many options.)

You may wait (I'm using it on a slowish internet line via a VPN) a little longer before a youtube (or whatever) video starts to play in mpv. I found the performance in every way was superior to watching the video in a browser via flash, html5, or the flash substitutes.

Open With to download video's via youtube-dl

I made a tiny little ~/.config/youtube-dl/config file which does all I need.

There was no config file installed on the machine in
~/.config (local user) or /etc (all users), so unless
things change, you will need to create the config file
& the directories in ~/.config manually. 

I change the names of any downloaded video files manually when required (if you want to know how to do more with youtube-dl have a look at the man page & elsewhere on the web - there exist an absolutely huge range of possibilities):

My ~/.config/youtube-dl/config file

# youtube-dl config file:

# recode video to mp4 format (if needed):
--recode-video mp4

# download path:
--output "~/data/downloads/unzip/dload-vids/%(title)s.%(ext)s" 


Using the above config file you only need to call youtube-dl with no arguments in the Open With - Preferences page. Change the ~/data/downloads/unzip/dload-vids/ section in the config file to specify your download location's path.

After you've set that up, just choose the youtube-dl option that you created, from the RMB menu that pops up in Pale Moon/Firefox to have it download your selected video to the folder specified in the config file shown above.

The config file has the added benefit of working for youtube-dl when used from the Terminal command line (or anywhere else).


See Also


Support

Following is a link to this page's forum counterpart where you can post any related feedback: [17]