Firefox bullshit removal via about:config

about:config.md

Firefox bullshit removal

Due to the incessant swarm of complete and utter nonsense that has been forcing its way into Firefox over time, I've decided to start collecting my personal list of “must-have” about:config tweaks required to turn Firefox into a functional brower.

NOTE: Unfortunately this is somewhat out of date. The comments link to some resources that may be more up-to-date. Patches welcome.

WebSockets

These can be used for nefarious purposes and to bypass access restrictions.

network.websocket.enabled=false

JavaScript spy vectors

These can be used for fingerprinting or data collection about the host system.

dom.event.clipboardevents.enabled=false
dom.battery.enabled=false
browser.send_pings=false
webgl.disabled=true

Pocket integration

This is a proprietary tie-in service that is a risk to your privacy.

1. Drag the “pocket” icon off your toolbar. This step is important.
2. browser.pocket.enabled=false

WebRTC

This is an inter-browser communication standard that is a very significant risk to your privacy and can be used to break out of VPN tunnels, proxies and unmask local users.

media.peerconnection.enabled=false
loop.enabled=false

DRM

This is a significant breach of your personal freedom and security.

media.eme.enabled=false
media.gmp-eme-adobe.enabled=false

GeoLocation / Beacon

These can be used for tracking and fingerprinting services and are harmful to your privacy

browser.beacen.enabled=false
geo.enabled=false
geo.wifi.logging.enabled=false
geo.wifi.uri=""

Safe browsing

This requires Firefox to communicate with a third party, Google by default, and also sends them metadata about your downloads.

browser.safebrowsing.enabled=false
browser.safebrowsing.downloads.enabled=false
browser.safebrowsing.malware.enabled=false

Social media integration

This anti-feature lets social media platforms integrate directly into your browser

social.directories=""
social.whitelist=""
social.manifest.facebook=""
social.remote-install.enabled=false
social.toast-notifications.enabled=false

Device tracking/statistics

These can be used to fingerprint your system and track you.

device.sensors.enabled=false
camera.control.face_detection.enabled=false
camera.control.autofocus_moving_callback.enabled=false

Tracking protection

This makes Firefox block known tracking domains by default.

privacy.trackingprotection.enabled=true

DNT Header

This makes Firefox include a DNT (“do not track”) header in its request. Theoretically, this would opt-out of tracking services for some services, but unfortunately it makes your fingerprint much more trackable, as this header is not too common. Enable if it you want, but it's probably best to leave it off to prevent tracking.

privacy.donottrackheader.enabled=true

Stat tracking / telemetry

These are used by Mozilla to spy on you, and are as such a significant risk to privacy.

datareporting.healthreport.service.enabled=false
datareporting.healthreport.uploadEnabled=false
toolkit.telemetry.enabled=false

Link pre-fetching

These will make Firefox connect with arbitrary links on a page by the simple act of hovering over them, without your explicit permission.

network.http.speculative-parallel-limit=0

Cryptography hardening

This disables algorithms that are known to be weak or broken, and prevents most common attack vectors. Be warned that this may break some older websites that are not compatible with modern protocols.

General settings

security.tls.unrestricted_rc4_fallback=false
security.tls.insecure_fallback_hosts.use_static_list=false
security.tls.version.min=1
security.ssl.require_safe_negotiation=true
security.ssl.treat_unsafe_negotiation_as_broken=true
security.ssl3.rsa_seed_sha=true
security.OCSP.enabled=1
security.OCSP.require=true

Disable unnecessary protocols

This disables older protocols that are known to be weak or entirely broken (3DES, RC4 and MD5).

security.ssl3.rsa_rc4_128_sha=false
security.ssl3.rsa_rc4_128_md5=false
security.ssl3.rsa_des_ede3_sha=false
security.ssl3.ecdhe_ecdsa_rc4_128_sha=false
security.ssl3.ecdhe_rsa_rc4_128_sha=false

Perfect forward secrecy

If you (additionally) want to force the usage of PFS, the only enabled ciphers should be of the ecdhe/dhe variants. Might break lots of stuff.

security.ssl3.rsa_aes_256_sha=false

Force TLS 1.2

This disables TLS 1.0 and TLS 1.1 completely, which increases security as these older protocols may be used as attack vectors. (Note that TLS technically contains a mechanism for preventing protocol degradation attacks, but it requires participation from both the client and the server - which is not a guarantee in practice)

security.tls.version.min=3

Recommended addons (bonus)

In addition to the above settings, I personally recommend the usage of at least the following addons:

• HTTPS Everywhere: Prefer HTTPS over HTTP even for sites that do not force HSTS.
• μBlock₀: Block access to all known ads, malware domains, badware, and other malicious scripts and domains.
• uMatrix or NoScript+RequestPolicy: Block scripts, images, CSS, objects and other (possibly external) requests by default, using a whitelist to selectively allow them. This is highly recommended as they all pose significant threats to security and privacy.

@haasn @sergeevabc indeed, please fix the typo. (Feel free to delete my comment after an edit.)

security.tls.version.min=1 -- this can be removed, it's already defaulted to 1.

@Najoj Ghacks does have a great user.js script, like you said.. It's at:

https://www.ghacks.net/2016/07/03/comprehensive-firefox-user-js/

"The most comprehensive Firefox user.js has been updated July 3, 2016" & there are, in fact, several URLs through which it's accessible.

^^ Similar to what @nodiscc had posted, a (custom) user.js

@calestyo it might help to mention what's missing like @MrYar has done: "Thank you for your work. Here's some suggestions for updates".
:)

I wanted to add (another) two links, just what I'd run into -recently- configuring Android 6.0 Firefox (Beta); trying to get the uBlock Origins WebExtension:

https://www.techworm.net/2016/02/12-coolest-firefox-aboutconfig-tips-and-tricks-to-protect-your-privacy.html
&
https://privacytoolsio.github.io/privacytools.io/#about_config

The last link is really (!) cool, it lists some very nice open-source apps!

@Najoj Ghacks does have a great user.js script, like you said.. It's at:

https://www.ghacks.net/2016/07/03/comprehensive-firefox-user-js/ [DO NOT USE]

https://github.com/ghacksuserjs/ghacks-user.js .. it has been at github for 6 months now. And instead of a one-man band and 6 monthly updates at ghacks, its now so much better "crowd-sourced" and massively superior to before, and always right up to date (stable) even with one character switches to flip on ESR 52.x preferences and loads more. That ghacks article should be removed

After a very quick casual glance, the above md contains quite some factual errors, such as safe browsing connecting to google, and quite a few deprecated preferences, although I fully understand it's an old unmaintained copy

Great stuff you have! Some additional suggestions from my side...

Dear all!

Great stuff you have! Some additional suggestions from my side...

Please, have a look at https://github.com/gunnersson and, to be more precise, at https://github.com/gunnersson/my_Mozilla_settings !

That's my repo and project. There's no intention of bad rivalry, but just good competition by me. In fact, there are many users and repos at GitHub of similar idea and content.

But it would be my intention to bring them all a bit together for sharing and collecting.

Maybe, in this way Mozilla Firefox and Mozilla Thunderbird could be a real joy for many people...

Thank you and kind regards,

Gunner

if you want any preferences to sync across devices using Firefox Sync account, create additional config preferences with the prefix "services.sync.prefs.sync." and then set it to true.

ex:
create a new boolean for device.sensors.enabled
it would be
services.sync.prefs.sync.device.sensors.enabled
and set it to true.
then it'll sync across your devices. I don't think it will sync with mobile Firefox, though, but at least desktops. I've been doing this for a few years.

network.IDN_show_punycode = true

stops IDN phishing

I'd recommend CanvasBlocker

https://addons.mozilla.org/en-US/firefox/addon/canvasblocker/

Waterfox is perhaps a better starting point for a secure and private Firefox.

Hi, this sounds great. I can't use the latest Firefox (Quanutm) because of the annoying WHITE SCREEN FLASH and also, it breaks several plugins. Any recommendations for this?

Source code for the pocket extension was open-sourced recently: https://github.com/Pocket

Isn't the answer to the implied question to use the Tor browser?

Funny that the stated goal of improving user privacy is undermined by the suggestions in this gist: by using non-standard configurations you are easier to track...

Also, I would advise against messing with your cryptography settings unless you know what you are doing (and, in case it wasn't clear, "I read it on a random gist" doesn't even come close to clear this bar).

People please do not disable Websockets OMG

Thanks for the info!

"required to turn Firefox into a functional brower" should be "required to turn Firefox into a functional browser" ("browser", not "brower").

:-)

I maintain a fork with most of the important changes here, along with a PKGBUILD for Arch Linux users. I manage to get changes out within 24 hours, usually. https://github.com/afontenot/firefox-clean

@quantumproducer Hi, this sounds great. I can't use the latest Firefox (Quanutm) because of the annoying WHITE SCREEN FLASH and also, it breaks several plugins. Any recommendations for this?

You have to disable the background for tab render areas - it gets shown while the tab is in the process of rendering. Reddit thread about it here: https://www.reddit.com/r/firefox/comments/6hv7rk/how_do_you_disable_the_white_flash_on_opening_a/

Hey, webgl and websockets aren't exactly bullshit. Perhaps more explanation about each option is needed, given some people can blindly copy these settings thinking they're just improving security without side effects.

It'd be really cool to a shell script that can do all these things idempotently. It sucks switching computers.

It might be worth considering Brave browser. I recently switched over Firefox because it focuses on privacy. They are planning on integrating a TOR private browsing tab. Really good stuff and it's by the guy who made JavaScript.

@CAFxX If you have a problem with any specific setting then say so, give your reasoning instead of dismissing settings vaguely and out of hand because it's a "random" gist, which has to be one of the worst reasons I could think of for ignoring information.

@casecoded .... "the guy who made JavaScript" is the man that was forcibly shamed into resigning as the CEO of Mozilla. A co-founder. Built it up and then they ejected him because at some stage in his life he legally donated his own private cash to a political party that others didn't agree with.

Isn't mob outrage and targetted smear campaigns just grand?

https://en.wikipedia.org/wiki/Brendan_Eich

also to haasn that owns this gist, you were told 2 years ago about a spelling mistake clear as day in the beacon setting and not a single thing has been done about it other than posting your links on social media platforms to spread the word on how great it is. Read your comments, think about what the person is writing and fix your shit up I guess. People are gonna come here blindly copy paste into about:config find that half the settings are missing and the other half dont show up because of blatant spelling mistakes and just look elsewhere for assistance

Setting security.OCSP.require to true breaks a lot of functionality, particularly around anything related to Google, in case anyone was having trouble after applying some of these settings

@yb66 if you re-read my comment you will find the reasoning for not using non-standard configurations is right there: because you are easier to track (and that defeats the implicit goal of most tweaks in this gist, see all the author's remarks about "avoiding fingerprinting" and "user privacy"). See e.g. https://panopticlick.eff.org/.

About my point about the random gist about cryptographic "suggestions": I'm sorry if I wasn't clear enough. Let me rephrase: you should never trust opinions about how to do or not do cryptography from sources that the cryptographic community does not consider to be respectable. I have nothing against the author of this gist but, as I stated, it does not come even close to clearing that bar. (note that a simple way for the author to clear that bar would be to provide references to respectable sources as to why he's changing cryptographic settings - something that is conspicuously missing from the gist)

I hope my comment is clearer now.

Webshitters are the modern-day Java corporate drones from the 00s.

Also Brendan Eich is a cunt.

Palemoon is the closest fork of Firefox with still some sanity in it.

Palemoon developers thinks he's in a position to dictate what extensions users can or cannot install, which makes his browser automatically unfit for purpose.

It is a shame this was taken down by the author. It lives on in the "revisions" tab regardless for those that wish to still use it.
I suggest people wanting to block telemetry and data collection use my fork. I pared it down so hopefully it is a good compromise between keeping browsing usable and privacy, and I hope to keep it maintained.

👍 @MrYar