Tweaks for protecting your privacy when surfing with the Firefox browser

Spy Patrol

Article from Issue 215/2018

The Firefox browser is not so private under its default settings, but several add-ons and configuration settings will help you keep the spies in the dark.

Product advertising already existed in ancient Greece, but it really got rolling in the 19th century with the rise of newspapers, magazines, and other print media. Now in the Internet age, advertising is spreading with an unprecedented intensity, and corporations are trying to track consumer habits and preferences as accurately as possible to assist with their advertising campaigns.

The Mozilla Foundation has strong roots in the open source movement, but through the years, it has derived a big share of its revenue from its affiliation with search engine companies that depend on tracking and analytics. As a result, the default settings for Mozilla's Firefox browser are not particularly private, but if you want to keep the spies away, Firefox offers add-ons and advanced configuration settings that will help you privatize your browser experience.

Mozilla Under Suspicion

Due to its wide distribution, Firefox has numerous plugins that put a stop to spying. Nevertheless, cautious users will want to check the Firefox browser itself and, if necessary, control it manually, because the Mozilla project has also been under suspicion several times.

In July 2017, it was revealed that Mozilla used Google Analytics [1] to spy on users calling about:addons in Firefox. Since anti-tracking tools such as Ghostery do not scan locally accessed pages, this contact to Google Analytics from Firefox remained unnoticed for a long time. Mozilla admitted the tracking, but explained that no data would be passed on to third parties and that there were contracts between Google and the Mozilla Foundation.

In the heated discussion about this privacy violation, Mozilla refused to remove the tracker. The developers of the Tor browser, which is based on Firefox, were also surprised by this development, and they have now disabled tracking [2].

Just a few months later, in October 2017, the Foundation was again caught out, this time by the Cliqz add-on, which was automatically added to some Firefox systems without the user's knowledge [3]. The software makes suggestions to the user when entering search terms in the address line, and the manufacturer evaluates the data entered on its servers. Cliqz is a startup that belongs to the Hubert Burda Media group, which is closely linked to commercial data collector emetriq GmbH. Cliqz acquired the US anti-tracking service Ghostery in February 2017.

Disabling the Cliqz add-on does not completely remove the software from Firefox: All recent versions of the browser offer various settings that obviously serve the purpose of using Cliqz services when surfing the web. These are settings that affect the Test Pilot add-on, which developers use to test new experimental features in Firefox. Cliqz is presumably involved in the evaluation of the results.

Plugins

Armed with just a couple of extensions, you can easily block many attempts to spy on your privacy. The most important privacy plugin for Firefox is uBlock Origin, which additionally contains an anti-tracking engine that blocks web bugs, annoying advertising banners, and social sharing buttons. The plugin also saves resources and lets users adjust the filter lists (Figure 1).

Figure 1: uBlock Origin helps you eliminate many of the spy technologies used on the Internet.

uBlock Origin maintains extensive and frequently updated lists that reduce the risk of malware entering the system through manipulated advertising. You can also add your own filters with just a few mouse clicks. For example, you can eliminate unwanted ads in forums that do not reference the preset lists.

One strongly recommended uBlock Origin setting is to restrict loading of JavaScript code to ensure that it only comes from the originally visited page. (See the box entitled "JavaScript.") Open the My Rules tab in the plugin's dashboard and enter a line reading * * 3p-script block in the Temporary Rules window on the right. After saving, transfer this new rule to the Permanent Rules window on the left by clicking on the arrow to enable it permanently (Figure 2).

JavaScript

JavaScript has been one of the core technologies on the Internet for many years. The JavaScript language was developed by Netscape in the mid-1990s and was originally intended primarily to add flexibility to HTML content.

Over time, JavaScript has become a serious security risk when used on the Internet – and a formidable tool for commercial data collectors. Many website operators integrate external JavaScript code into the HTML of their pages in order to analyze user behavior and optimize their web presence. The high penetration of such services enables providers to track user behavior across different pages based on specific technical attributes.

If pages deliver advertising via externally integrated JavaScript, as offered by Google services such as DoubleClick, there is the risk of manipulated scripts causing malware to reach the system. Attackers can use modified libraries to steal data or reload code from other domains. So far, only the Subresource Integrity standard [4] offers protection against attacks of this kind, but as of now, hardly anyone has implemented it.
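The Subresource Integrity check mentioned above, as an added example that is not part of the original article: the site operator publishes a hash of the script in the integrity attribute, and the browser refuses to run a copy whose hash differs. The function names, the cdn.example URL, and the script bodies are constructed for illustration.

```javascript
const crypto = require("crypto");

// SRI value for a script body: "<algorithm>-<base64 digest>".
function sriHash(body, alg = "sha384") {
  return `${alg}-${crypto.createHash(alg).update(body).digest("base64")}`;
}

// Tag a site operator would publish (hypothetical helper). Cross-origin
// scripts also need the crossorigin attribute for the check to work.
function scriptTag(url, body) {
  return `<script src="${url}" integrity="${sriHash(body)}" crossorigin="anonymous"></script>`;
}

// Decide whether a fetched body may run, the way a browser evaluates the
// integrity attribute: only the strongest listed algorithm counts.
function verifyIntegrity(integrity, body) {
  const strength = new Map([["sha256", 1], ["sha384", 2], ["sha512", 3]]);
  const parsed = integrity.trim().split(/\s+/)
    .map((token) => token.split("?")[0]) // drop "?options"
    .map((token) => {
      const dash = token.indexOf("-");
      return { alg: token.slice(0, dash), digest: token.slice(dash + 1) };
    })
    .filter((item) => strength.has(item.alg));
  if (parsed.length === 0) return true; // no usable metadata: no protection
  const best = Math.max(...parsed.map((item) => strength.get(item.alg)));
  return parsed
    .filter((item) => strength.get(item.alg) === best)
    .some((item) => sriHash(body, item.alg) === `${item.alg}-${item.digest}`);
}

// Constructed sample data: a library as published and a modified copy.
const published = "window.lib = { version: '1.0' };\n";
const modified = published + "/* injected code */\n";
const integrity = sriHash(published);

console.log(scriptTag("https://cdn.example/lib.js", published));
console.log("published copy runs:", verifyIntegrity(integrity, published));
console.log("modified copy runs: ", verifyIntegrity(integrity, modified));
```

A page that omits the integrity attribute gets no check at all, which is why the last branch for empty metadata returns true.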

In Firefox, targeted espionage can be limited through some manual work using JavaScript and cookies. It does not matter where the companies gunning for your data reside. However, it is not possible to eliminate all trackers in all cases: Some trackers act through a combination of other spying methods, and a complete deactivation of all possible tracking technologies can block essential functions or interfere with how the pages display.

Figure 2: A single new rule helps you prevent retroactive loading of JavaScript from third-party sites.

General blocking of all JavaScript libraries using uBlock Origin can cause problems when displaying some web pages. A small plugin named YesScript2 helps you switch the JavaScript filter on and off as necessary: If you install the YesScript2 plugin, an icon appears in the browser toolbar. When you visit a website for which you would like to disable JavaScript for the first time, click on the icon. The plugin will now blacklist the URL and disable all JavaScript elements associated with it.

Another useful add-on that stops content delivery networks (CDN) from loading content on the system is Decentraleyes. CDNs, which are often used to integrate JavaScript libraries into websites, transmit data such as the IP address, screen resolution, browser type, color depth, and operating system version to the server. Decentraleyes intercepts the queries and intervenes to obfuscate the data.

Decentraleyes integrates numerous libraries from Google, Microsoft, Cloudflare, Yandex, Baidu, and others. After downloading from the Mozilla Add-ons page and installing in Firefox, the plugin is ready to use. If the software is installed correctly, you will find a green icon with an eye symbol in the browser toolbar. Since Decentraleyes performs a similar function to uBlock Origin with an individually activated JavaScript blocker, it is not necessary to use the two tools simultaneously.

Cookies

First Party Isolation is a useful plugin that prevents the random storage and reading of cookies, flash cookies, and HPKP supercookies.

First Party Isolation, which was originally developed by the Tor project and is now available at the Mozilla site, uses a container to isolate all data stored locally by a web page. First Party Isolation thus prevents software from reading cookies with a unique ID across several pages. This makes it difficult to identify and track a user on the Internet. The First Party Isolation plugin complements blockers such as uBlock Origin and is suitable for parallel operation.

However, the plugin only works with Firefox browser 58 and later. In older versions, you can achieve the same effect by setting privacy.firstparty.isolate to true in the configuration (about:config in the URL line) (Figure 3).

Figure 3: The First Party Isolation add-on helps you isolate cookies from websites in containers, which makes cross-website tracking more difficult.
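What keying cookies by first party changes for a tracker, as an added model that is not part of the original article and is not Firefox code: the same embedded tracker is contacted from several sites, once with a shared cookie jar and once with the jar partitioned the way privacy.firstparty.isolate does. The class names and the .example hosts are constructed for illustration.

```javascript
// Toy cookie jar. With isolate=false cookies are keyed by the host that set
// them; with isolate=true they are keyed by (first party, host), which is
// the effect of privacy.firstparty.isolate.
class CookieJar {
  constructor(isolate) {
    this.isolate = isolate;
    this.cookies = new Map();
  }
  key(firstParty, host) {
    return this.isolate ? `${firstParty}^${host}` : host;
  }
  get(firstParty, host) { return this.cookies.get(this.key(firstParty, host)); }
  set(firstParty, host, value) { this.cookies.set(this.key(firstParty, host), value); }
}

// Constructed tracker: hands out an ID cookie on first contact and logs
// which page embedded it on every request.
class Tracker {
  constructor() { this.nextId = 1; this.log = new Map(); }
  handle(cookie, embeddingSite) {
    const id = cookie || `uid-${this.nextId++}`;
    if (!this.log.has(id)) this.log.set(id, []);
    this.log.get(id).push(embeddingSite);
    return id; // sent back to the browser as the cookie value
  }
}

// Visit each site; every page embeds a resource from tracker.example.
function browse(isolate, sites) {
  const jar = new CookieJar(isolate);
  const tracker = new Tracker();
  for (const site of sites) {
    const sent = jar.get(site, "tracker.example");
    jar.set(site, "tracker.example", tracker.handle(sent, site));
  }
  return Object.fromEntries(tracker.log); // profiles the tracker can build
}

const sites = ["news.example", "shop.example", "forum.example", "news.example"];
console.log("default: ", browse(false, sites));
console.log("isolated:", browse(true, sites));
```

With the shared jar the tracker holds one profile covering every site; with isolation it holds one unlinked profile per site, and repeat visits to the same site still reuse that site's ID.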
