FireFox privacy and security: How to not leave any footprint?
due to privacy reasons I try to set up FireFox in the best fashion I can. But I feel like all this effort is somehow useless, because I feel like I still get “tracked down”.
I would like to share my browser configuration, and see what you can tell me in addition to that.
Lets start with about:config, all values that are a) not standard and b) somehow connected to this topic: app.normandy.enabled;false browser.contentblocking.category;strict browser.search.region; (EMPTY) datareporting.healthreport.uploadEnabled;false geo.enabled;false identity.fxaccounts.toolbar.enabled;false identity.fxaccounts.enabled;false network.cookie.cookieBehavior;4 → Using AutoCookieDelete with Whitelisting feature. Guess that was modified by the AddOn network.dns.disablePrefetch;true network.predictor.cleaned-up;true network.predictor.enabled;false network.prefetch-next pdfjs.enabledCache.state;false plugin.state.flash;2 plugins.click_to_play;true privacy.trackingprotection.cryptomining.enabled;true -->Could be by some MiningBlocker privacy.trackingprotection.enabled;true services.sync.globalScore;0 services.sync.nextSync;0 toolkit.telemetry.enabled;false
Already some Q: 1. SafeBrowsing used by Google The about:config shows that for SafeBrowsing Google Services are used. Is there any other provider I can change to, or simply deactivate that feature/not use that feature?
2. Fonts: Fonts can be used to identify such unique mix on different systems. I want to take control of that, but the AddOns I tried are insufficient. Do you know any AddOn to take control of the Fonts that can be read out of the browser, or does anyone have some experiences which font should be left default, so the rest can be deactivated?
CanvasBlocker Trying to fake CanvasID of the pc rendering images.
Cookie AutoDelete Like I stated bevor, deleting everything after closing the tab except of whitelisted sites.
Decentraleyes Provides Libraries offline instead of contacting such servers: - Supported Networks: Google Hosted Libraries, Microsoft Ajax CDN, CDNJS (Cloudflare), jQuery CDN (MaxCDN), jsDelivr (MaxCDN), Yandex CDN, Baidu CDN, Sina Public Resources, and UpYun Libraries. - Bundled Resources: AngularJS, Backbone.js, Dojo, Ember.js, Ext Core, jQuery, jQuery UI, Modernizr, MooTools, Prototype, Scriptaculous, SWFObject, Underscore.js, and Web Font Loader.
Don't touch my tabs! (rel=noopener) Prevent tabs opened by a hyperlink from hijacking the previous tab by adding the rel=noopener attribute to all hyperlinks (excluding same-domain hyperlinks).
Don't track me Google Removes the annoying link-conversion at Google Search/maps/...
First Party Isolation First Party Isolation, also known as Cross-Origin Identifier Unlinkability is a concept from the Tor Browser. The idea is to key every source of browser identification with the domain in the URL bar (the first party). This makes all access to identifiers distinct between usage in the website itself and through third-party.
HTTPS Everywhere Encrypt the Web! Automatically use HTTPS security on many sites.
Malwarebytes Browser Extension
Smart Referer Enable smart referers everywhere (send referer only on same domain)
Temporary Containers Open tabs, websites, and links in automatically managed disposable containers. Containers isolate the data websites store (cookies, cache, and more) from each other, further enhancing your privacy while you browse.
minerBlock Blocks cryptocurrency miners all over the web.
User-Agent Switcher and Manager Spoofs User-Agent strings of your browser with a new one globally, randomly or per hostname
WebRTC Leak Shield Disable WebRTC and prevent IP leak.
YesScript2 Blocks scripts on sites with 3 states → for simplicity I use this at the moment and block everything, but ScriptSafe was used for advanced setting in the past aswell.
AddOns I do not use for the moment: AnonTab (disabled) Facebook Container (disabled) Google Container (disabled) IPvFoo (disabled) Proxy Switcher and Manager (disabled) ScriptSafe (disabled)
If I visit www.browserleaks.com:
IP Test: IPv4 - from VPN IPv6 – n/a Hostname – n/a WebRTC leak test – n/a Flash IP adress – from VPN TCP/IP passive, SYN: Linux 3.11 and newer | Language: Unknown | Link: Unknown | MTU: 1398 | Distance: 10 Hops -> Something that really bothers me. Maybe these are infos by the VPN Servers, but I feel like thats something I still have to take care of. How does my OS implement/modify the request made by FireFox in such a way that some protocol gets the kernel/OS? MTU is definitly wrong and by some other machine
User-Agent: As set by the AddOn Referer: As set by the AddOn
Battery Status API support: false Network Information API: false Even if showing false – nothing I set like this. So these are true results by some request. Q: How to fake those results?
FlashPlayer: Click to Activate. If activated: Operating System: Linux 4.1XXXXXX-generic - My true values Screen Resolution: My true values Installed Fonts: 169, and with cool Fingerprints…
Q: How to fake those results, if flash needs to be enabled?
Navigator Objects: Wrong data by the AddOns No WebGL No Java Applet CanvasFingerprint: As set by the AddOn
Content Filters and Proxy Detection: HTML5 Canvas Protection: Detected - not good! Q: Is there any known AddOn that is undetected you are aware of?
Adblock Subscriptions: Detected 10 Filters – from µBlock to EasyList to MinerBlock... Not good either! Any idea how they detect this? I can only imagine they readout the list file which has some notes, but this would require the browser to hand over the list which seems unlikely – or they detect it by cross-checking values that are known to be unique, but these seems not as precise as the results are (qouting me exactly what subscriptions I got). Q: Any suggestions how to prevent a readout and hide his aswell?
General behaviour: All Tabs are in his own container – cookies are deleted after closing such Tab. JS and flash is deactivated by default – they only receive referrers from the same domain – and the IP, UserAgent, Canvas and other values are fake. I do not use any social media or other big player services, like YouTube, with accounts. All accounts I use are just on small web community boards and shop systems.
But: At the end of the day the advertising industry and big players are able to identify me more or less. I see stuff that is too close to me to be random on a daily basis.
So I am asking myself: How?
The only thing to blame myself that I am aware of, is that I use FireFox on my a few desktops and mobile phones and set it up quite the same way. But every device of mine is behind VPN hops and use his own DNS, so it should not be any of that.
Eminye Imininingwane Yohlelo
- Shockwave Flash 32.0 r0
- I-ejenti Engumsebenzisi: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
You always leave a footprint. The point is whether this footprint is unique or that a lot have the same footprint, so they can't identify you as being unique, but identify you as belonging to a group. As long as you do not use a (trusted) VPN then you will be identifiable via your IP. If you randomly disable all kinds of settings that you think might be related then this makes you even more distinct because almost nobody would be doing this. You might be lucky that a lot of websites aren't broken in some way.