Install Firefox under FreeBSD and set it up with privacy
Mozilla Firefox is a free, open-source web browser. It’s small, fast, and easy to use, and has many advanced features:
- Pop-up blockers
- Customizable appearance
- Improved security
We can install the Firefox browser with the following command:
$: doas pkg install firefox
We also install the password manager KeepassXC, which we will need later.
$: doas pkg install keepassxc
The Firefox browser is inherently privacy-conscious. But I’ll show you how to get even more security and privacy out of Firefox.
First, we enter “about:preferences” in the address bar, and this brings us to the settings.
In the general settings, we will deactivate the following options:
- Recommend extensions while browsing
- Recommend functions while browsing
Here, we will disable the following options:
- Important pages
- Recommended by Pocket
- Brief information
We will remove all existing search engines and use Searx as the only standard search engine.
But what is Searx? It is a free metasearch engine that protects users’ privacy. To achieve this, Searx does not share users’ IP addresses or search history with the search engines from which it collects results. Here, you can find more information about Searx.
To add Searx as a search engine, we look for an instance that we want to use and open it.
Then, we click the Page Actions button (3 dots) in the address bar, and we select the Add Search Engine option from the menu.
Now, we can set Searx as the default search engine in the search settings.
Other great alternatives are:
- Qwant is a search engine with no user tracking and no filter bubble
- Startpage is a search engine that provides Google search results with complete privacy protection
Under the item improved protection against activity tracking, we will select the Custom option and set the following settings.
- Cookies: all third-party cookies (some websites may no longer work)
- Activity tracking content: in all windows
- Cryptominers
- Fingerprinters
We set the option that sends websites a “Do Not Track” signal, telling them that our activities should not be tracked, to Always.
Under Cookies and website data, we will activate the following:
- Delete cookies and website data when you quit Firefox
In the next step, we will deactivate the option to save access data and passwords.
And finally, we will deactivate the following options under Data collection by Firefox and its use:
- Allow Firefox to send data on technical details and interactions to Mozilla
- Allow personalized extension recommendations through Firefox
- Allow Firefox to install and run studies
Next, we go to the about:config page, where we can set further security-relevant options.
We type “about:config” in the Firefox address bar and press Enter. Then we press the “Accept risk and continue” button.
To change settings here, we copy the following settings (e.g., “webgl.disabled”), paste them into the search bar and set them to the specified value (e.g., “true”).
With the following changes, we will disable the Firefox telemetry:
- browser.newtabpage.activity-stream.feeds.telemetry = false
- browser.ping-centre.telemetry = false
- browser.tabs.crashReporting.sendReport = false
- devtools.onboarding.telemetry.logged = false
- toolkit.telemetry.enabled = false
- Delete the URL for toolkit.telemetry.server, and leave it empty
- toolkit.telemetry.unified = false
If we don’t use Pocket, or we don’t want Firefox’s Pocket integration, make the following changes:
- browser.newtabpage.activity-stream.section.highlights.includePocket = false
- extensions.pocket.enabled = false
pdfjs.enableScripting = false
Harden SSL preferences
Making these changes will disable insecure SSL ciphers and force safe negotiation:
- security.ssl3.rsa_des_ede3_sha = false
- security.ssl.require_safe_negotiation = true
privacy.trackingprotection.fingerprinting.enabled = true
This option has been available since Firefox version 67, and it blocks fingerprinting.
privacy.trackingprotection.cryptomining.enabled = true
This option has been available since Firefox version 67, and it blocks cryptomining.
privacy.trackingprotection.enabled = true
This is Mozilla’s new built-in tracking protection. One of its benefits is that it blocks tracking (e.g., Google Analytics) on privileged pages, where the add-ons that normally do this are disabled.
Privileged pages are web pages that the browser developers consider legitimate, on which extensions are not allowed to work or have their functionality completely stopped.
In Firefox, for example:
browser.send_pings = false
The ping attribute is useful for websites to keep track of visitor clicks.
browser.urlbar.speculativeConnect.enabled = false
By doing this, we disable the preloading of autocomplete URLs. Firefox preloads URLs that autocomplete when a user types in the address bar. This is a problem when it suggests URLs that we don’t want to connect to.
dom.event.clipboardevents.enabled = false
This prevents websites from receiving notifications when we copy, paste or cut something on a page. Such notifications tell the website which part of the page was selected.
media.eme.enabled = false
Disables playback of DRM-controlled HTML5 content. When this option is enabled, the Widevine Content Decryption Module provided by Google Inc. will be downloaded automatically.
media.gmp-widevinecdm.enabled = false
Disables the Widevine Content Decryption Module provided by Google Inc., which is used for rendering DRM-controlled HTML5 content.
media.navigator.enabled = false
If this is enabled, websites can track the microphone and camera status of our device.
network.cookie.cookieBehavior = 1
- 0 = Accept all cookies by default
- 1 = only accept from the original website (block third-party cookies)
- 2 = Block all cookies by default
network.http.referer.XOriginPolicy = 2
We only send the referer header if the full host names match. (Note: if we notice significant breakage, we can try 1 combined with the XOriginTrimmingPolicy setting below.)
- 0 = send referrer in all cases
- 1 = send referrer to the same eTLD sites
- 2 = only send referrer if full host names match
network.http.referer.XOriginTrimmingPolicy = 2
When we send the referrer across origins, we only send the scheme, host, and port in the referer header of cross-origin requests.
- 0 = send complete URL in the referrer
- 1 = send URL without query string in referrer
- 2 = Send only the scheme, host, and port in the referrer
webgl.disabled = true
WebGL is a potential security risk.
browser.sessionstore.privacy_level = 2
This setting controls when to save additional information about a session: form, content, scrollbar positions, cookies, and POST data.
- 0 = save additional session data for any site. (Default since Firefox 4.)
- 1 = save additional session data only for unencrypted (not HTTPS) sites. (Default before Firefox 4.)
- 2 = never save additional session data.
beacon.enabled = false
Disables sending additional analytics to web servers.
browser.safebrowsing.downloads.remote.enabled = false
Prevents Firefox from sending information about downloaded executables to Google Safe Browsing to see if they should be blocked for security reasons.
We turn off Firefox’s prefetching of pages that it expects us to visit next.
Even though prefetching may speed things up a bit, it may connect to servers without user intervention (which can be a privacy issue) and its performance benefits are minimal. Making these changes will disable prefetching:
- network.dns.disablePrefetch = true
- network.dns.disablePrefetchFromHTTPS = true
- network.predictor.enabled = false
- network.predictor.enable-prefetch = false
- network.prefetch-next = false
network.IDN_show_punycode = true
Unless we render IDNs as their punycode equivalent, we are open to phishing attacks, which are very difficult to detect.
extensions.pocket.enabled = false
This deactivates the Pocket Service.
identity.fxaccounts.enabled = false
We will disable the Firefox Sync Service. I will introduce you to better alternatives. We could also use a self-hosted sync server; the code is available on GitHub. But the service is currently still using outdated Python 2.7 code, and the service has been ported to Rust meanwhile. The other problem is that the self-hosted service does not currently work with mobile Firefox.
identity.fxaccounts.toolbar.enabled = false
We’re removing the Firefox Accounts icon from the toolbar.
WebRTC can potentially expose your real IP address; changing the following disables it.
We can change the following values to be sure that all WebRTC-related features are really disabled.
- media.peerconnection.turn.disable = true
- media.peerconnection.use_document_iceservers = false
- media.peerconnection.video.enabled = false
- media.peerconnection.identity.timeout = 1
Hint: This will break any site that uses real-time audio/video communication, which includes almost all real-time chat and conferencing apps.
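To check that the about:config changes above are actually in effect, the following added example (not part of the original article) audits the contents of a profile's prefs.js against a subset of the values listed here and renders user.js lines for anything that deviates. The function names are hypothetical, the sample input is constructed, and the location ~/.mozilla/firefox/<profile>/prefs.js is an assumption about where the profile lives.

```python
import json
import re

# Hardened values copied from the about:config settings in this article (a subset).
HARDENED = {
    "toolkit.telemetry.server": "",
    "network.cookie.cookieBehavior": 1,
    "network.IDN_show_punycode": True,
    "webgl.disabled": True,
}

PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Parse user_pref("name", value); lines; values are JSON-like literals."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            try:
                prefs[m.group(1)] = json.loads(m.group(2))
            except ValueError:
                pass  # skip values that are not bool, int or string literals
    return prefs

def audit(prefs, hardened=HARDENED):
    """Map each hardened pref to 'ok', 'mismatch' or 'unset' (default in effect)."""
    report = {}
    for name, want in hardened.items():
        if name not in prefs:
            report[name] = "unset"  # prefs.js only stores changed values
        else:
            same = type(prefs[name]) is type(want) and prefs[name] == want
            report[name] = "ok" if same else "mismatch"
    return report

def user_js_fix(report, hardened=HARDENED):
    """Render user.js lines for every pref that is not already 'ok'."""
    return "\n".join('user_pref("%s", %s);' % (n, json.dumps(hardened[n]))
                     for n, status in report.items() if status != "ok")

SAMPLE = '''// Constructed sample prefs.js (not taken from a real profile)
user_pref("webgl.disabled", true);
user_pref("network.cookie.cookieBehavior", 0);
user_pref("toolkit.telemetry.server", "https://telemetry.example.invalid");
'''

if __name__ == "__main__":
    print(user_js_fix(audit(parse_prefs(SAMPLE))))
```

A pref reported as "unset" is running on Firefox's built-in default, which may or may not match the hardened value. The rendered lines can be saved as user.js in the profile directory, which Firefox reads at startup.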
Linking Firefox with KeepassXC
Since we have deactivated the Firefox Sync Service, but we still want to save our passwords securely, I would like to introduce you to the KeepassXC program.
What is KeepassXC
KeePassXC is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the aim of extending and improving it with new features and bug fixes to provide a feature-rich, cross-platform and modern open-source password manager.
- Secure storage with AES, Twofish or ChaCha20 encryption
- File format compatibility with KeePass2, KeePassX, MacPass, KeeWeb and many others (KDBX 3.1 and 4.0)
- SSH agent integration
- Sync passwords with KeeShare
- Auto-Type to automatically fill out registration forms
- Support for key files and YubiKey-Challenge-Response for additional security
- TOTP generation (including Steam Guard)
- CSV import from other password managers (e.g., LastPass)
- Command line interface
- Custom icons for database entries and downloading website favorites
- Functionality to merge databases
- Automatic reload when the database has changed externally
- Browser integration with KeePassXC browser for Google Chrome, Chromium, Vivaldi, and Mozilla Firefox.
How do I use KeepassXC
I will briefly show you how to set up KeepassXC and how to use it. When we start KeepassXC for the first time, we see the main screen.
Then we will create a new database. A new screen opens, and we can assign a database name here and optionally assign a description.
In the next screen, we can make encryption settings. Here we can, for example, set the encryption time and select the database format.
We can also make advanced settings. For example, we can make the following settings here:
- encryption algorithm
- Key derivation function
- Encryption passes
- memory usage
In the next step, we can now assign a password, with which the password database is encrypted. What I can recommend is to also create a key file, which is then saved on an external USB stick or in an encrypted cloud service. This means that the database is secured twice.
We have now created an encrypted database. So that we can use KeepassXC with Firefox, we must first activate the browser integration in the KeepassXC settings. We then select Firefox and can make additional settings. I leave it to you which ones you want to set.
For the actual integration, we use the KeePassXC-Browser extension.
Bitwarden Password Manager
As an alternative to KeepassXC, we can also use the Bitwarden Cloud Service.
What is Bitwarden
Bitwarden is a free, open-source password manager. The goal is to solve password management problems for individuals, teams, and business organizations. Bitwarden is one of the simplest and most secure solutions to save all your logins and passwords and conveniently synchronize them between all of our devices. If we want to avoid using the Bitwarden cloud, we can easily host our own Bitwarden server.
Data protection-oriented add-ons
In this section, I would like to introduce you to a few useful add-ons for Firefox.
An efficient blocker: low memory footprint and low CPU load, yet thousands more filters applied than other popular blockers.
xBrowserSync synchronizes bookmarks between devices and browsers with end-to-end encryption. Data is encrypted and decrypted on the device, so nobody but us can read it. No registration is required. We just enter a randomly generated ID or QR code on all of our devices. There are different servers available, which can also be self-hosted.
With this add-on, we falsify our browser profile. It includes some privacy enhancement options.
This add-on removes the tracking fields from all URLs visited by our browser.
With this add-on, we control our cookies. When a tab is closed, unused cookies are automatically deleted.
This add-on emulates external frameworks (e.g., jQuery, Bootstrap, AngularJS) and makes them available as a local resource. It prevents unnecessary third-party requests like Google, StackPath, MaxCDN, and more. It contains prepared rules for uBlock Origin / uMatrix.
HTTPS-Everywhere protects our communication by automatically changing the connection to supported sites to HTTPS encryption, even if the URL or a visited link omits the https:// prefix.
Automatically redirects all AMP (Accelerated Mobile Page) pages to their regular HTML equivalent.
When we see an AMP page, we are likely seeing a page served directly by Bing or Google that can pull up information about what we’re doing on that page. We keep the web decentralized, and we say, “No!” to search engines that want to take control of the web.
AMP pages are designed for devices with a small screen and often do not translate well to larger screens. The extension can be especially useful when we receive links from people who are on their mobile devices while we are on our desktop computer.
This add-on removes these cookie warnings from almost all websites!
This add-on removes all annoying ads from YouTube.
- Removes video and display ads from YouTube
- Loads the YouTube website and videos faster
- Supports both Firefox desktop and mobile (Android)
Tired of seeing the “Video paused. Continue watching?” confirmation dialog? This extension will automatically click it, so you can listen to your favorite music without interruption.
The add-on works with YouTube and YouTube Music!