Firefox bullshit removal
Due to the incessant swarm of complete and utter nonsense that has been forcing its way into Firefox over time, I've decided to start collecting my personal list of “must-have” about:config tweaks required to turn Firefox into a functional brower.
NOTE: Unfortunately this is somewhat out of date. The comments link to some resources that may be more up-to-date. Patches welcome.
These can be used for nefarious purposes and to bypass access restrictions.
These can be used for fingerprinting or data collection about the host system.
dom.event.clipboardevents.enabled=false dom.battery.enabled=false browser.send_pings=false webgl.disabled=true
This is a proprietary tie-in service that is a risk to your privacy.
- Drag the “pocket” icon off your toolbar. This step is important.
This is an inter-browser communication standard that is a very significant risk to your privacy and can be used to break out of VPN tunnels, proxies and unmask local users.
This is a significant breach of your personal freedom and security.
GeoLocation / Beacon
These can be used for tracking and fingerprinting services and are harmful to your privacy
browser.beacen.enabled=false geo.enabled=false geo.wifi.logging.enabled=false geo.wifi.uri=""
This requires Firefox to communicate with a third party, Google by default, and also sends them metadata about your downloads.
browser.safebrowsing.enabled=false browser.safebrowsing.downloads.enabled=false browser.safebrowsing.malware.enabled=false
Social media integration
This anti-feature lets social media platforms integrate directly into your browser
social.directories="" social.whitelist="" social.manifest.facebook="" social.remote-install.enabled=false social.toast-notifications.enabled=false
These can be used to fingerprint your system and track you.
device.sensors.enabled=false camera.control.face_detection.enabled=false camera.control.autofocus_moving_callback.enabled=false
This makes Firefox block known tracking domains by default.
This makes Firefox include a DNT (“do not track”) header in its request. Theoretically, this would opt-out of tracking services for some services, but unfortunately it makes your fingerprint much more trackable, as this header is not too common. Enable if it you want, but it's probably best to leave it off to prevent tracking.
Stat tracking / telemetry
These are used by Mozilla to spy on you, and are as such a significant risk to privacy.
datareporting.healthreport.service.enabled=false datareporting.healthreport.uploadEnabled=false toolkit.telemetry.enabled=false
These will make Firefox connect with arbitrary links on a page by the simple act of hovering over them, without your explicit permission.
This disables algorithms that are known to be weak or broken, and prevents most common attack vectors. Be warned that this may break some older websites that are not compatible with modern protocols.
security.tls.unrestricted_rc4_fallback=false security.tls.insecure_fallback_hosts.use_static_list=false security.tls.version.min=1 security.ssl.require_safe_negotiation=true security.ssl.treat_unsafe_negotiation_as_broken=true security.ssl3.rsa_seed_sha=true security.OCSP.enabled=1 security.OCSP.require=true
Disable unnecessary protocols
This disables older protocols that are known to be weak or entirely broken (3DES, RC4 and MD5).
security.ssl3.rsa_rc4_128_sha=false security.ssl3.rsa_rc4_128_md5=false security.ssl3.rsa_des_ede3_sha=false security.ssl3.ecdhe_ecdsa_rc4_128_sha=false security.ssl3.ecdhe_rsa_rc4_128_sha=false
Perfect forward secrecy
If you (additionally) want to force the usage of PFS, the only enabled ciphers should be of the ecdhe/dhe variants. Might break lots of stuff.
Force TLS 1.2
This disables TLS 1.0 and TLS 1.1 completely, which increases security as these older protocols may be used as attack vectors. (Note that TLS technically contains a mechanism for preventing protocol degradation attacks, but it requires participation from both the client and the server - which is not a guarantee in practice)
Recommended addons (bonus)
In addition to the above settings, I personally recommend the usage of at least the following addons:
- HTTPS Everywhere: Prefer HTTPS over HTTP even for sites that do not force HSTS.
- μBlock₀: Block access to all known ads, malware domains, badware, and other malicious scripts and domains.
- uMatrix or NoScript+RequestPolicy: Block scripts, images, CSS, objects and other (possibly external) requests by default, using a whitelist to selectively allow them. This is highly recommended as they all pose significant threats to security and privacy.
@haasn @sergeevabc indeed, please fix the typo. (Feel free to delete my comment after an edit.)