Signs of Triviality

Opinions, mostly my own, on the importance of being and other things.
[homepage] [index] [jschauma@netmeister.org] [@jschauma] [RSS]

(Some) Browser Privacy Settings

January 27th, 2018

I'm sorry, this is not a blockchain article. I just thought it might be useful to quickly run through some of the privacy- and security-relevant settings I have twiddled with in my browsers. If you have additional recommendations, please let me know via email or on Twitter.


General setup

I have three browsers I use regularly: Firefox for all my private browsing, Chrome primarily for work, and Safari as my "insecure" browser to use when the settings I describe here break a website I need to access. For example, if I want to access my bank's website, or have to endure mandatory company security training, which (sobs) requires pop-ups to be enabled, Flash and Java to run, 'Referer' headers to be sent, etc. etc.

Every now and then, something breaks and won't work in one browser, but will in another. My general chain of trying things is to start in Firefox, then fail over to Chrome, then finally give up and try Safari. I don't have every conceivable security or privacy setting turned on, but just what, over time, has proven to work well enough for me. Here they are:

Firefox

Firefox is set to auto-update. Check in 'Firefox Updates' under about:preferences#general:

Firefox Updates

I use Tor as my proxy. Under about:preferences#general, scroll down to 'Network Proxy', then select 'Settings'. Enter 'localhost' and your Tor proxy port (default: 9150) as a SOCKSv5 proxy:

Firefox Tor Proxy Settings

To ensure DNS lookups go through Tor as well, toggle network.proxy.socks_remote_dns to true in about:config.
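What that preference changes is visible in the SOCKS5 request itself. The following is an added example (not code from the original post) in Node.js that encodes a SOCKS5 CONNECT request per RFC 1928 in both forms: with the hostname handed to the proxy (address type 3, which is what socks_remote_dns = true produces, so Tor does the lookup) and with an IPv4 address the browser resolved itself (address type 1, meaning a DNS query already left the machine outside Tor). The hostnames, addresses and ports are constructed sample values.

```javascript
// Added example, not part of the original post: SOCKS5 CONNECT encoding
// (RFC 1928 layout: VER CMD RSV ATYP DST.ADDR DST.PORT), showing the
// difference between letting the proxy resolve a name and resolving it locally.
'use strict';

const SOCKS_VERSION = 0x05;
const CMD_CONNECT = 0x01;
const ATYP_IPV4 = 0x01;
const ATYP_DOMAIN = 0x03;

// Client greeting offering "no authentication", which is what Firefox sends
// to a plain Tor SOCKS listener (default port 9150 in the Tor Browser bundle).
function socks5Greeting() {
  return Buffer.from([SOCKS_VERSION, 0x01, 0x00]);
}

// Build a CONNECT request. remoteDns=true sends the hostname verbatim (ATYP 3)
// and the proxy resolves it. remoteDns=false expects a dotted IPv4 string,
// i.e. the caller already resolved the name, and that lookup was not proxied.
function socks5Connect(target, port, remoteDns) {
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new RangeError('port out of range');
  }
  const portBytes = Buffer.from([(port >> 8) & 0xff, port & 0xff]);
  let addr;
  if (remoteDns) {
    const name = Buffer.from(target, 'ascii');
    if (name.length === 0 || name.length > 255) throw new RangeError('bad hostname length');
    addr = Buffer.concat([Buffer.from([ATYP_DOMAIN, name.length]), name]);
  } else {
    const octets = target.split('.').map(Number);
    const ok = octets.length === 4 &&
      octets.every((o) => Number.isInteger(o) && o >= 0 && o <= 255);
    if (!ok) throw new TypeError('expected a dotted IPv4 address (resolve the name first)');
    addr = Buffer.from([ATYP_IPV4, ...octets]);
  }
  return Buffer.concat([Buffer.from([SOCKS_VERSION, CMD_CONNECT, 0x00]), addr, portBytes]);
}

// Decode a CONNECT request just far enough to report what the proxy sees:
// a name it must resolve, or an address that was resolved before it arrived.
function describeConnect(buf) {
  if (buf[0] !== SOCKS_VERSION || buf[1] !== CMD_CONNECT) {
    throw new Error('not a SOCKS5 CONNECT request');
  }
  const atyp = buf[3];
  if (atyp === ATYP_DOMAIN) {
    const len = buf[4];
    const host = buf.subarray(5, 5 + len).toString('ascii');
    return { kind: 'domain', host, port: buf.readUInt16BE(5 + len), proxyResolves: true };
  }
  if (atyp === ATYP_IPV4) {
    const host = Array.from(buf.subarray(4, 8)).join('.');
    return { kind: 'ipv4', host, port: buf.readUInt16BE(8), proxyResolves: false };
  }
  throw new Error('unsupported address type ' + atyp);
}

// Constructed sample: the same destination both ways.
const viaProxyDns = socks5Connect('example.onion', 443, true);
const viaLocalDns = socks5Connect('10.0.0.5', 80, false);
console.log(socks5Greeting(), describeConnect(viaProxyDns), describeConnect(viaLocalDns));

module.exports = { socks5Greeting, socks5Connect, describeConnect };
```

Note that an .onion name cannot be resolved by a normal resolver at all, so without remote DNS the connection does not merely leak the lookup, it fails; for ordinary hostnames it silently leaks.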

I also have set my default search engine to use DuckDuckGo's hidden service onion address. Unfortunately, getting that enabled wasn't as trivial as you might wish. There are some extensions to add "DuckDuckGo Onion" as a search option, but at least with the latest version of Firefox, those do not seem to work. Instead, you can follow the instructions from here or here to get the onion search as an option. Basically, what I did was go to this site and paste this snippet into the box:

<link rel="search"
type="application/opensearchdescription+xml"
title="DuckDuckGo Lite Tor"
href="https://www.netmeister.org/browser-privacy-settings/ddg-tor.xml">
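The link tag above points at an OpenSearch description document; the author's ddg-tor.xml is not reproduced on this page. As an added example of what such a descriptor looks like (not the author's file), here is a minimal OpenSearch 1.1 description that Firefox will accept. The onion hostname is a placeholder that has to be replaced with DuckDuckGo's actual onion address, and the /lite/ search path and {searchTerms} parameter are assumed from DuckDuckGo's regular lite interface.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the author's ddg-tor.xml. -->
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
  <!-- Name shown in Firefox's list of search engines -->
  <ShortName>DuckDuckGo Lite Tor</ShortName>
  <Description>DuckDuckGo Lite via its Tor onion service</Description>
  <InputEncoding>UTF-8</InputEncoding>
  <!-- ONION-ADDRESS-PLACEHOLDER must be replaced with the real onion hostname -->
  <Url type="text/html"
       template="https://ONION-ADDRESS-PLACEHOLDER.onion/lite/?q={searchTerms}"/>
</OpenSearchDescription>
```

Serve the file from an HTTPS origin you control and reference it from a page via the link tag; Firefox only offers to add engines from descriptors it discovers that way, which is why the detour through a page with that tag is needed.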

After that, you can find the little green '+' in the search bar and add the resulting search option:

Firefox add DuckDuckGo Tor as a search option

After all this, you can then change your default search engine under about:preferences#search:

Firefox default search option

Next, under about:preferences#privacy ("Privacy & Security"), I disable logins and passwords (I use a password manager for that), and set Firefox to Never remember history. That is, any time I close Firefox, it deletes all cookies, browser history etc., putting my default browsing mode to be the same as 'private mode':

Firefox browser privacy

(Note: if you never retain any history, Firefox will also not remember any HSTS or HPKP settings for any site.)

'Tracking Protection' is enabled 'always', just as Firefox is set to always send the Do Not Track header:

Firefox Tracking Protection

I tell Firefox to block pop-up windows and to warn when websites try to install add-ons. For privacy reasons, I disable Firefox data collection:

Firefox Data Collection

Under 'Security', I do enable blocking of dangerous and deceptive content, although it's important to be aware that this means Mozilla could, in theory, track a lot of my usage, as the browser has to send a fair bit of data to Mozilla to make that determination. (In effect, your browser pings Mozilla every 30 minutes, which could be used to, e.g., track your location, unless you use Tor.) Trade-offs.

Under 'Certificates', I enable OCSP querying.

Firefox Add-Ons

I try to keep the list of add-ons small, in part to reduce the uniqueness of my browser, and in part to simplify setting up my browser anew when I e.g. switch laptops or whatever. (Random tangent: I similarly only have minimal customizations in my shell startup scripts.) The add-ons I do have installed are:

Firefox Add-Ons

The 1Password browser extension. This allows me to trivially fill in passwords from my password manager.

DuckDuckGo Privacy Essentials. This is a new extension I just added to try out DuckDuckGo's tracker blocker:

Firefox DuckDuckGo Add-On

Ghostery. (Possibly broken with Firefox 58?) Even though Ghostery has seen some criticism due to its "Ghost Rank" system, it still seems to be one of the most efficient blockers I've used. Of course I opt out of sharing my data:

Ghostery Add-on
Ghostery Add-on

The Google Analytics Opt-out Browser Add-on. Just what it says.

The EFF's HTTPS Everywhere. Also no explanation needed.

The EFF's Privacy Badger. Auto-learning tracker blocking.

Privacy Badger Add-on
Privacy Badger Options

uBlock Origin. The original. I enable most block lists that are available and not marked 'experimental'. You could say... ¬_¬ ... it's my blockchain.

uBlock Origin Add-on

Other Firefox Settings

In addition to all of the above, Firefox's about:config allows a myriad of other settings to be adjusted. This page has a good rundown of many security and privacy related settings; I'll just explicitly call out security.cert_pinning.enforcement_level = 3 (because I fiddle around with HPKP), and the disabling of the 'Referer' header and XSiteReferrer settings:

network.http.sendRefererHeader = 0
network.http.sendSecureXSiteReferrer = false

Toggle beacon.enabled to false to opt out of misc. analytics data being sent by your browser.

Toggle network.prefetch-next to false and network.dns.disablePrefetch to true to prevent link-prefetching and DNS leaks.

Toggle network.IDN_show_punycode to true to avoid falling prey to IDN homograph attacks.


Chrome

My settings and extensions in Chrome mirror those in Firefox, with the exception that for Chrome, I do not use Tor. Other than that, in chrome://settings, under 'Advanced->Content Settings', I enable 'Keep cookies until quit', 'Block third-party cookies', and 'Block Flash'.

Chrome Settings

To disable sending the 'Referer' header in Chrome, I long ago had fiddled the Preferences file.

Lastly, due to Spectre, I recently enabled site isolation in Chrome via chrome://flags/#enable-site-per-process. Chrome is also the only browser in which I log into a Google account, so I'll quickly add here that in Gmail I also disable displaying external images under https://mail.google.com/mail/#settings/general.


And that's about it. Something else I've been meaning to do for a long time is to really trim the list of root certs in my browsers' and OS's trust stores, but I just haven't gotten around to that.

As I said above, if you have any comments or want to make suggestions or tell me that something I'm doing here is particularly stupid, reach out to me via email or on Twitter.


