Firefox hardening is one of the most private and secure ways to browse the internet. But how do you properly do it in 2022? Today, we will walk through how to harden Firefox to keep you as safe as possible on the internet.
First, what is hardening? In layman’s terms, hardening is improving the privacy and security of something beyond factory settings. You can look at hardening Firefox as modding in your car. This 2022 guide to hardening Firefox is probably pretty different from the advice you’ve seen in the last few years. And that’s because the scene has changed and continues to a lot. Many extensions are no longer even needed. You don’t have to do everything we recommend, and we will do our best to summarize the main stuff for you to target for the best bang for your buck.
This blog is loosely structured by easy, moderate, and advanced. There is no single perfect way to harden your system. This is an individual process that depends on your needs and your threat model.
The easy stuff.
- Enable automatic updates to receive the newest patches.
- Disabled recommended extensions as you browse and disabled recommended features as you browse.
- For most users, make sure DNS over HTTPS is enabled in network connection settings, and we recommend changing from Cloudflare to a more private provider, like quad9. Privacyguides breaks down DNS options incredibly well.
- Make sure snippets are disabled and consider limiting the recent activity that’s shown on the homepage if the browser is shared with other users in your home.
- Change your search engine to a privacy-oriented search engine and be aware that such suggestions submit queries to that search engine. So, disabling, this is good for those with higher threat models, but it isn’t a huge concern if you trust your such engine.
- Set Firefox’s privacy protections to strict.
- Mark Firefox to delete cookies and site data when Firefox is closed, and utilize exceptions if you want to stay logged into any specific accounts. Consider not storing history, make sure pop-ups and the add-on warnings are enabled.
- Disable all Firefox data collection and make sure all security settings at the bottom are enabled.
- Firefox 83, introduced HTTPS only mode. So, enable it in all windows. This negates the need for HTTPS everywhere which is likely not going to stay around much longer anyway.
- Finally, avoid untrusted extensions at all costs. This is a rampant issue in the browser space. So, make sure to only install what you need and that it’s trusted.
Everything you just did puts you ahead of more than 99% of people in the world. And it was just basic settings toggles. The most important things to focus on here are automatic updates, changing your search engine, setting Firefox protections to strict, clearing site data when Firefox is closed, enabling all security settings offered, and avoiding untrusted extensions. Everything else so far is supplementary, but should still very much be considered depending on who you are.
The moderate stuff.
Disclaimer, we won’t be diving super far into technical explanations in this blog, but we’ll link resources when needed for you to dig into these concepts yourself if you’re curious about what these changes do, which you should be doing.
- JavaScript storage APIs can be used for cross-site tracking. All users who previously toggled that strict privacy protections in the browser received dynamics state partitioning protection to prevent this. So, make sure privacy protections are set to strict, like we already covered.
- Website isolation with Fission is a fairly new and important security feature that is not currently enabled by default in production Firefox. To enable it open, Firefox, and navigate to about config and set vision. Auto start to true, then restart your browser. This is important, and you may likely find it on by default in the coming months, as Mozilla is rolling this out to more and more people.
Now to the extensions. No longer do we live in the dark ages of using 12 extensions in Firefox. Let’s cover what to install, it’s not much.
- Ublock origin for ad tracking and script protection.
- Firefox containers can be used for better compartmentalization within your browser for different use cases.
- Smart refer
- Skip redirect.
- Canvas blocker, though, is questionable considering Firefox has its canvas protection nowadays, which will only improve with time. All of these are semi questionable, except for Ublock origin.
For those wondering about like other extensions, you probably know about you, uMatrix is no longer maintained and shouldn’t be used, not to mention uBlock Origin covers its main functionalities. Ghostery ,disconnect, privacy Badger, DuckDuckGo e.t.c. Any tracker or blockers aren’t needed with everything we’ve already done.
Neat URLs and Clear URLs can be replaced with uBlock Origin’s, remove param and added lists. HTTPS everywhere like we covered is scheduled for deprecation and is replaced with Firefox settings. Local CDN, and Decentralized, have their issues that may make things worse off for you.
In short, not much as needed nowadays. If you’re chasing the best bang for your buck with extensions, just install uBlock Origin and be done with it. The other extensions are supplementary and may not even work in your favour if you don’t know how they work, and if they’re benefiting you specifically.
Advanced hardening tips.
We truly live in a golden age for Firefox hardening. Arkenfox is a project that handles almost all the advanced targeting techniques conveniently. So that is the main suggestion we have. Installing the file is very simple.
- Open Firefox, go to help in the drop-down menu, more troubleshooting information.
- Click open directory next to profile directory and drag that user JS artefacts file into the folder.
- Their wiki can also help you get started as well as how to override things to avoid site breakage, which will happen by default.
This is not just a drag and drop step, like installing an extension. It’s much more involving than that. So don’t do this unless you’re ready for the entire browser to stop functioning, and you need to override things yourself. Keep in mind if you use Arkenfox and enabled RFP, which is something that’s explained in their wiki. Smart refer and Canvas blocker from the moderate section is almost certainly unneeded if you were even considering them in the first place.
Finally, there’s a bonus super tip for just getting to the end of the article. Install the Tor browser alongside your hardened Firefox. Neither a factory fresh Firefox, nor a hardened Firefox, is as good at protecting you from fingerprinting as the Tor browser. Fingerprinting uses the uniqueness of your system to identify you across websites. The Tor browser is the best browser we know of today to address this problem. That’s kind of a misconception with hardening Firefox. Any browser, even Chrome out of the box, not touching any settings is still very finger printable. And this is backed by research. So don’t take our word for it.
When you put together the advice, you end up with a very strong browser that is fully tailored to your individual needs. There’s no perfect hardening technique for everyone, but whatever you chose, should take you pretty far for your own needs.
We want to thank Privacyguides and, Arkenfox for their fantastic work and compiling the latest recommendations for Firefox hardening, much of this guide was directly influenced by their work. This blog also proves that the browser space is heading in a very exciting direction. It wasn’t long ago that we had to install 12 extensions and adjust twenty toggles and the about conflict menu to achieve probably a lower level of privacy as you can achieve today with a lot less work.
Nowadays, changing a few settings in the Firefox menu and installing Ublock origin will take you almost all the way there, and this is only getting better. Arkenfox themselves wants their project to eventually be unneeded. And it’s looking like a very possible reality with how many things Firefox is integrating out of the box down the road. Making hardening less and less needed with time, which we’re very excited about it; everyone should be, as it makes having better privacy easier.
It is also good to note that this blog will be outdated someday. I can promise you that this stuff changes all the time. So, make sure you’re subscribed to catch the newest blogs, covering any updates we have on this. And that’s all we have for you. Thanks so much for reading, and go have some fun with your new browser.