/ Privacy

Firefox Extensions for Privacy

I use Mozilla Firefox instead of Google Chrome, mostly because some extensions are simply not available in Chrome (namely, Multi-Account Containers and Temporary Containers). Almost all of the extensions I use are centered around privacy. If you don't mind being tracked while browsing the Internet, then most of these extensions will actually be a nuisance, as they tend to break the intended behavior of websites until you adjust the settings accordingly.

Using the Tor Browser will afford you more privacy than you can get from Firefox, but I find that Tor is slower, sometimes significantly so, and results in many more captchas that refuse to accept your answers even though they are correct.

User-Agent Switcher

This switches my browser from identifying itself as Firefox on Linux to whatever browser type I want. By default I set it to Google Chrome on Windows to reduce my browser fingerprint.

Browser Fingerprints

Years ago, websites would use cookies to track people as they browsed the web. However, you can easily delete cookies from your browser if you desire. Hence, sites came up with a new way to track people: fingerprints. They ask your browser a bunch of questions, such as the user-agent, the fonts you have installed, and your screen resolution, among others. If they ask enough questions then it lowers the chances that anybody else has the exact same set of answers. If the chances are low enough, then it's basically good enough to be able to identify you out of the millions of users on the Internet.

There is no real way to "block" fingerprints. The only way to avoid being identified is to blend in with the crowd–to have the most common browser configuration.

The most common browser is by far Google Chrome, and the most common desktop operating system[1] is Windows. Hence, I have my browser identify itself as Google Chrome on Windows.

This does break certain sites unfortunately. Google Docs, for example, simply doesn't work if I set the user agent to Google Chrome (I suspect its trying to run some Google Chrome specific code). Vanguard's website has issues because for some reason they do not support Yubikeys when using Firefox. I registered a Yubikey with my Vanguard account, but if I have Firefox identify itself as Google Chrome, it attempts to use the Yubikey, and fails. I then have to go through the extra step of switching my two factor authentication method to SMS.
Fortunately, User-Agent Switcher lets you set domain specific exceptions. I set the user agent to Firefox on Windows for these sites.

Firefox Multi-Account Containers

This and Temporary Containers (found below) are my favorite extensions.

With Multi-Account Containers, you can create separate container tabs for different purposes. These container tabs isolate cookies, localStorage, indexedDB, HTTP data cache, image cache, and any other areas supported by originAttributes into separate containers.[2]

This lets you log into multiple accounts on the same site by using different container tabs for each account. Without container tabs, you'd either need different browsers[3] or use private browsing/incognito mode (but any cookies generated during that session would get deleted upon closing the window, so it could never remember you, and you couldn't do this for more than two accounts).

If used correctly, this also prevents sites like Facebook or Google from tracking you via cookies (though they can still track you if you have a unique enough browser fingerprint, as discussed earlier). You can assign websites to only ever be opened in a particular container tab.
Facebook-Container-Tab
(note how Always open in Facebook is checked)
So even if you've opened up a "Work" container tab, if you attempt to visit www.facebook.com, it will open a new tab using the Facebook container. Hence, so long as you don't visit any other sites using the Facebook container, no website other than Facebook can view the Facebook cookies left on your computer.

Temporary Containers

This is an incredibly powerful extension, but can also break the behavior of some sites until you adjust its settings. It extends the idea of multi account containers by forcing every single tab to be in its own temporary container[4] (you must have multi-account containers installed for this extension to work). After 15 minutes (user configurable) of closing a temporary container tab, all of the cookies, localStorage, etc. in that container tab is deleted. It is like having "incognito mode" or "private browsing mode" for all of your tabs.

Additionally, you can set it so if you load a website in a temporary container tab and either the domain or the subdomain of a link you click doesn't match that of the website you're currently viewing, the link is opened in a new container tab. This will isolate sites from each other.

I allow temporary container tabs to use the same container for different subdomains, but not different domains. So if I had google.com[5] open in a container tab, and clicked on a search result, that would open in a brand new container tab. On the other hand, if I went to Gmail, which is at mail.google.com, it wouldn't open a new container tab.

By default this extension does not affect the behavior of permanent container tabs (which you create through the standard multi-account extension). So for example I have Facebook.com always open in the Facebook container tab. By default, if I click on a link to a non Facebook site from this Facebook container tab, it will open in a Facebook container tab, not a temporary container tab. You can change this behavior by enabling Multi-Account Containers isolation in the isolation settings.

It is this setting that can break the behavior of websites. I always create permanent container tabs for sites that can remember my login by leaving a cookie (because if I use temporary container tabs, these cookies always get deleted after closing the tab). For example, suppose some bank uses the url https://bank.com. You set up a permanent container tab called MyBank and have bank.com always open in the MyBank container. However, when you attempt to log in, it actually logs you in at https://auth.bank.com, not https://bank.com. When your browser visits https://auth.bank.com, it creates a new container tab called tmp1 (because you didn't setup https://auth.bank.com to always open in the MyBank container). Once you log in, it leaves a cookie in the tmp1 container, not the MyBank container. However, after you've logged in, it redirects you back to https://bank.com, which gets opened in a MyBank container. The site checks for the cookie saying that you've been authenticated, and doesn't find it because that cookie is in the tmp1 container!

The way to fix this is to temporarily either disable Temporary Containers or change the Multi-Account Containers Isolation setting to false, visit https://auth.bank.com in the MyBank container, and set https://auth.bank.com to always open in the MyBank container.

In some extreme cases, this can get difficult. Sometimes sites will redirect you to several different subdomains while logging you in. You need to assign all these subdomains to the permanent container tab to avoid a temporary container tab being created, but sometimes it's difficult to observe the urls as you get redirected very quickly between several subdomains. In these cases I open up the developer tools (with the F12 keyboard shortcut) and use the network tool to get a log of which urls I'm getting redirected to as I'm trying to log in.

Additionally, the only way to assign a url to a permanent container tab while using a graphical interface is to open the permanent container tab, visit the url, and then click "Always open in ~permanent container tab~" in the container tab settings (as seen in the last picture). However, some of intermediate redirect urls during the login process are not readily accessible and will direct you elsewhere. So for example, during the login process to somesite.com, you might get redirected to a.somesite.com, b.somesite.com and then finally back to somesite.com. But if you try to visit a.somesite.com, it automatically redirects you to b.somesite.com, preventing you from clicking the "Always open in ~permanent container tab~" option while a.somesite.com is loaded.
The only way that I know of to fix this problem is to shut down Firefox and edit the storage.js file found at <Firefox Profile folder>/browser-extension-data/@testpilot-containers/storage.js. I highly recommend making a backup copy of this file before editing it.

Cookie AutoDelete

This is probably redundant if you have Temporary Containers, but I use it regardless.

Once a tab closes, this deletes any localStorage and cookies that are not being used and not previously whitelisted. This again helps prevent you from getting tracked across the Internet via cookies.

If you don't build a whitelist, it will seem like it breaks websites because the "remember me on this computer" option on most websites won't appear to work (because they remember you via a cookie).

This extension is compatible with Multi-Account Containers---it will build a different whitelist per container tab.

Neat URL

This removes the garbage from URLs. So for example, http://www.phoronix.com/scan.php?page=news_item&px=Ioquake3-Auto-Updater&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Phoronix+ becomes just http://www.phoronix.com/scan.php?page=news_item&px=Ioquake3-Auto-Updater. And if you monitor the network traffic using the developer tools, it truly does remove the garbage before making the request to the server.

You can set up rules to remove these parameters globally, or only for specific domains.

These parameters after URLs are often used to track referral sources, among other things. I don't want to be tracked as to where I was referred from, so I use this extension.

This can also break certain sites if they use a parameter that is in the garbage list. You can blacklist such domains and they won't be altered by Neat URL.

Smart Referrer

URL parameters are not the only way that sites track referrals from other sites. There can also be referers in HTTP headers. You can disable sending these referers globally in Firefox via a setting, but this can actually break a lot of sites.

Instead, I use the Smart Referrer extension to only send referers on the same domain.

Because of the smart nature of this extension, it shouldn't break too many sites. I do have mine set to strict mode, which considers subdomains different hosts, which does break some sites. But you can add specific domains as exceptions.

uBlock Origin

An adblocker. Many ads track you across the Internet to target you for your actual interests. I don't want to be tracked, and hence use an adblocker.

I prefer uBlock Origin over AdblockPlus and Ghostery because they have been known to take payments to remove certain ads from their blocklists[6].

uMatrix

NoScript is the often recommended extension for blocking Javascripts. Unfortunately, I find it to be too blunt a tool. Sometimes a website might need, for example, scripts from Google.com in order for the site to function properly. However, with NoScript, you can only ever set rules on a global basis: I could either block all Google scripts or none of them. You cannot allow Google scripts on just certain sites.

Instead, I use uMatrix. It comes with some of the same filters that uBlock Origin has. However, it lets you block cookies, css, images, media, scripts, and iframes from third party sites per first party site. It makes more sense when you look at its interface. This is an example for cnn.com.
uMatrix

By default it allows for all content from cnn.com and its subdomains, and blocks all non css and image content from any other domain. But, if I want to enable content from other sites, I can pick which ones to enable via the matrix.

This matrix is available per site, allowing me to block, for example, Google scripts on some sites but not others, unlike NoScript.

A Note about Mobile

Firefox for Android, unlike Chrome for Android, actually supports extensions. Not all Firefox extensions are supported on Firefox for Android, but some are. I install all the ones available (though unfortunately Multi-Account Containers and Temporary Containers aren't available).


  1. I say desktop because if I switch the user agent to a mobile platform like iOS or Android then I keep getting served mobile versions of websites ↩︎

  2. Mozilla Wiki ↩︎

  3. With Firefox you can create different Firefox profiles and run separate Firefox instances that load different profiles. However this is still more work than creating container tabs ↩︎

  4. This occurs when you have "automatic mode" enabled which I'm fairly certain is the default. If you disable this option, there really isn't much of a point in using this extension at all ↩︎

  5. I actually use Duck Duck Go and not Google, but it's easier to explain with Google ↩︎

  6. WIRED ↩︎

Firefox Extensions for Privacy
Share this

Subscribe to Seonwoo's Musings