Experiences with Hardened Firefox

After studying Internet user tracking and how to avoid it in my thesis, I decided to experiment with Firefox privacy settings. Firefox lets one customize almost any parameter in a user.js file under the user’s profile. There are many projects that aim to provide a template for these customizations for better security and privacy. This way, not everyone has to maintain all the settings by themselves when Firefox updates or new privacy and security threats emerge.

The starting point for this experiment was to use a community-based user.js provided by the ghacks-user.js project, which was originally published in 2015 by Martin Brinkmann and is now maintained by GitHub user Thorin-Oakenpants. The idea was to modify the settings on the go when problems occurred, as some webpages are known to break if necessary browser functions are not available. After two years of usage I have now collected some data on how these hardening settings have affected my user experience in day-to-day web browsing.

My setup is currently the following:

  • Firefox, newest version updated automatically, with following extensions
  • user.js based on the ghacks-user.js project. The template gets updated irregularly when I notice a major breakage in the pages I use. The template could also be automatically updated by included scripts.

This setup gets replicated to home and workplace desktop and laptop computers running either Windows or Linux. I keep a central copy of my custom user.js settings on a certain SSH server I use. Mostly the setup has been “set and forget”: user.js is modified only when Firefox is installed on a newly installed system, and modifications get slowly synchronized whenever a site breakage occurs. The setup could use automatic synchronization of the file, for example using Nextcloud; however, it currently does only full directory synchronization.

Here are the major issues and observations I have encountered with the setup for now:

Resist Fingerprinting

For a while now, Firefox has supported multiple options to resist fingerprinting (RFP), based on the Tor Browser project. My experiences with RFP (privacy.resistFingerprinting) have been mixed, as it seems to cause multiple pages to require more captchas. For example, pages using Google reCAPTCHA seem to end up in a loop requiring multiple attempts to get rid of the captcha. Some minor issues also include:

  • All timestamps are shown in UTC and locales default to en_us. Some pages such as Microsoft Teams do not allow the selection of custom formats, so this is a breaking issue for me.
  • Pages are letterboxed in the browser window to prevent fingerprinting the viewport resolution. This I can live with, but it sure looks odd sometimes.

For now, I have left RFP off as there is no way to granularly control the settings individually. This, however, removes the ability to resist canvas fingerprinting which is one of the most accurate fingerprinting methods available. I am currently using the CanvasBlocker plugin to restrict canvas access.

Safe Negotiation

This is more of a security issue than a privacy one. TLS renegotiation was updated in RFC 5746 back in 2010 to mitigate unsafe negotiation and man-in-the-middle type attacks. Session negotiation could also be disabled altogether, but as the Mozilla documentation states: “Unfortunately, when a server is using the vulnerable SSL/TLS protocol version, it is impossible for the browser to know whether a site is protected or vulnerable (i.e whether session renegotiation is enabled or disabled on the server).” Thus ghacks-user.js sets the parameter security.ssl.require_safe_negotiation to true, which makes the use of RFC 5746 mandatory.

One could think that a 10-year-old flaw would not be relevant anymore, but surprisingly many sites are still using old software. Even high-profile sites such as the Nordea Omaposti do not seem to support RFC 5746:

Info box image: Secure Connection Failed

This is not a huge issue as the setting can easily be turned off for the session via about:config. Actually, the error message is useful in showing which sites might be vulnerable to MITM attacks, making the user think more about the security when accessing resources such as this.

Work-related issues

As both home and work machines are running the same settings, work-related sites seemed to break the most. This is mainly because Microsoft Office 365 services rely heavily on inter-domain cookies and different data storages in the web browser. Some examples:

  • Microsoft Teams will just not work with First Party Isolation (privacy.firstparty.isolate) as it prevents cross-domain cookies and data storage.
  • Also, several different cookies for Microsoft domains need to be added manually.
  • Clipboard events are disabled by default, which breaks copy and paste (dom.event.clipboardevents.enabled).

Other minor issues

  • WebGL is disabled, which makes streaming and web conferences impossible. The downside is that WebGL is highly fingerprintable.
  • URL bar search can apparently leak information. Personally, I just couldn’t live without this.
  • At first hardware acceleration was turned off for fingerprinting reasons, which caused scrolling and viewing videos to become unbearable, at least on Linux. This has been fixed in later commits and now ghacks-user.js has acceleration on by default.
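The breakage described in the sections above can be checked against a profile's effective settings. The following is an added example, not code from this post or from the ghacks-user.js project: it parses user.js syntax, resolves a template plus overrides, and lists the prefs still at the value the post associates with breakage. It assumes overrides are applied after the template (a later user_pref() wins), uses pref names as they appear in about:config, and runs on constructed sample text.

```python
import re

# Prefs this page discusses -> (value that caused breakage, what the author saw break).
BREAKAGE = {
    "privacy.resistFingerprinting": (True, "captcha loops, UTC timestamps, locale"),
    "security.ssl.require_safe_negotiation": (True, "servers without RFC 5746"),
    "privacy.firstparty.isolate": (True, "Microsoft Teams cross-domain storage"),
    "dom.event.clipboardevents.enabled": (False, "copy and paste"),
    "webgl.disabled": (True, "streaming, web conferences"),  # pref name assumed, not on the page
    "browser.display.use_document_fonts": (0, "glyph-font navigation icons"),
}

TOKEN = re.compile(  # comments are matched too, so commented-out prefs are consumed and skipped
    r'/\*.*?\*/|//[^\n]*|user_pref\(\s*"([^"]+)"\s*,\s*'
    r'("(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;', re.S)

def parse_prefs(text):
    """Yield (name, value) for each active user_pref() call in user.js text."""
    for m in TOKEN.finditer(text):
        name, raw = m.group(1), m.group(2)
        if name is None:  # the match was a comment
            continue
        yield name, (raw == "true" if raw in ("true", "false")
                     else raw[1:-1] if raw[0] == '"' else int(raw))

def effective_prefs(*sources):
    """Apply files in order; a later user_pref() for the same name wins."""
    return dict(pair for text in sources for pair in parse_prefs(text))

def audit(prefs):
    """Return (name, value, effect) for each pref still at its site-breaking value."""
    return [(n, prefs[n], why) for n, (bad, why) in BREAKAGE.items()
            if n in prefs and type(prefs[n]) is type(bad) and prefs[n] == bad]

# Constructed sample input: a template excerpt and per-user overrides applied after it.
TEMPLATE = '''user_pref("privacy.resistFingerprinting", true);
user_pref("security.ssl.require_safe_negotiation", true);
user_pref("privacy.firstparty.isolate", true);
user_pref("dom.event.clipboardevents.enabled", false);
// user_pref("webgl.disabled", false);
user_pref("webgl.disabled", true);
user_pref("browser.display.use_document_fonts", 0);'''
OVERRIDES = '''user_pref("privacy.resistFingerprinting", false);  // captcha loops
user_pref("privacy.firstparty.isolate", false);    /* Teams */
user_pref("dom.event.clipboardevents.enabled", true);'''

if __name__ == "__main__":
    print(*audit(effective_prefs(TEMPLATE, OVERRIDES)), sep="\n")
```

Running the audit after each template update shows which hardening settings are still active and which sites they are likely to affect before the breakage is hit in daily use.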

Conclusion

These issues are just the most common ones I have noticed when using a hardened profile. Most of these are just minor annoyances, but the unbearable number of captchas due to RFP and site-breaking issues such as the Office365 ones mentioned were the ones that required major intervention. Also, many webpages have started to use custom glyph fonts for page navigation, which of course get broken when remote fonts are disabled (browser.display.use_document_fonts), making the usage of some web pages guesswork.

Is all this worth it? From a security and privacy standpoint, maybe not. I am not a high-value target for someone to snoop for my data and this might not make me any less visible on the Internet. Most of the settings in uBlock Origin and Privacy Badger would be enough for the average user, and one could customize settings to prevent annoyances such as the Windows 10 native toast notifications, geolocation popups and autoplaying media only.

From a research standpoint, this has been very interesting, as site breakage usually reveals how pages work, what sites are using old technologies and what functions are absolutely required for the sites to work correctly. I will be continuing to use user.js settings in daily tasks for a while now, not just for privacy and security hardening but also for awareness of how the Internet works and evolves. And I do care about my privacy; it is just that using the Internet in modern times is a compromise between comfortability, necessity and privacy.

 


Juha Jokinen
Infrastructure Service Specialist at JYVSECTEC
Institute of Information Technology at JAMK University of Applied Sciences