Mozilla Firefox Privacy — The Comprehensive Guide

Mozilla Firefox is the best web browser when it comes to privacy and security — It is fast, secure, open source, and is backed by the Mozilla Foundation, an organization that works to ensure that the internet remains a public resource that is open and accessible to us all.

Firefox runs on the Gecko browser engine, unlike Google Chrome, Brave, Microsoft Edge and most other web browsers, which are powered by Google’s Blink browser engine.

This means that by using the Firefox browser, you will be supporting the open internet against Google’s monopoly. Mozilla also updates the browser frequently and has lots of robust features baked in for developers.

I recommend and use Mozilla Firefox. It is the best alternative to Chromium-based browsers like Microsoft Edge, Google Chrome and even Apple’s Safari browser, which uses the WebKit browser engine.

Firefox is almost perfect right out of the box, and comes with most of the settings tweaked to protect your privacy. But where it shines is its customizability — the Tor Browser is actually a highly modified version of Firefox designed to run on the Tor network.

This article will cover pretty much all the tweaks you can make to enhance your privacy and security while using the Firefox browser.

But first, let’s discuss a few things that you should keep in mind.

Browser Fingerprinting

Before you go ahead and make changes to your settings or install an add-on, you should consider your Browser’s Fingerprint or Device’s Fingerprint.

Every time you visit a web page, your web browser voluntarily sends information about its configuration like OS, browser type, available fonts, screen resolution, add-ons, and a lot more.

You can go visit DeviceInfo.me & BrowserLeaks.com to see what data your browser is sending.

This is done partly because the website or the web app needs to know things like the resolution of your screen, time zones, etc. to adapt accordingly.

The problem is that if the combination of this information is unique, it will facilitate identification and tracking of users online, without the use of any traditional tracking tools like cookies.

The ironic aspect of this is that the more measures you take to avoid tracking, the easier it would be to track you online, as your browser gets more unique with each add-on and change in the settings from the defaults.

This is why it’s recommended that you do not install or modify anything on your Tor Browser, hence making every single Tor browser instance indistinguishable from the other.

More is not always better. You don’t need to use every add-on and tweak I am recommending here.

You can check how unique your browser’s fingerprint is using Cover Your Tracks (formerly Panopticlick) by Electronic Frontier Foundation.

Don’t stress much about the numbers. I have also covered fingerprinting and its prevention in detail.

Browser Compartmentalization

Compartmentalization is the key to taking back control of your online identity — it’s all about making sure that two different swaths of personal data cannot be linked together.

One way of accomplishing just that is to use different browsers for different scenarios, such as separate browsers for banking, social media, work, and casual browsing.

You can use the Firefox Multi-Account Container add-on that helps you create separate containers for cookies, allowing you to use the web with multiple identities or accounts simultaneously in just one Firefox browser.

I couldn’t find any similar add-on for Chromium-based web browsers, you could try using different profiles for different scenarios.

I have explained more about the art of compartmentalization in detail.

With these two things out of the way, let’s get into the basic Firefox privacy settings you can make.

Firefox Privacy Settings

These are basic, easy-to-configure tweaks, which when combined with the recommended add-ons explained in later sections will dramatically improve your privacy on the Firefox browser.

To configure these settings, just open the Settings / Options / Preferences page from the menu. Or, go to this URL:

about:preferences

Change Your Default Search Engine

Firefox uses Google Search by default; you should switch to a more privacy-respecting search engine.

Just go to Menu > Settings > Search > Default Search Engine

Switch to DuckDuckGo or pick from any of these privacy-respecting search engines.

You can add more search engines to Firefox by opening the search engine’s homepage that offers an OpenSearch search engine, and you’ll get the option to add it from the address bar context menu.

Firefox also has a tutorial on adding and removing search engines.

Enable Enhanced Tracking Protection

Mozilla Firefox comes with a built-in tracking content blocking feature that helps you block all kinds of trackers and malicious scripts without breaking the site’s functionality:

  • Social media trackers
  • Cross-site cookies in all windows (includes tracking cookies)
  • Tracking content in all windows
  • Cryptominers
  • Fingerprinters

This Enhanced Tracking Protection uses a list of known trackers provided by Disconnect, and comes enabled by default, but is set to Standard.

Crank it up to Strict by going to Menu > Settings > Privacy & Security > Browser Privacy > Enhanced Tracking Protection and selecting the Strict option.

Firefox warns that Strict mode can “cause some websites to break”.

However, most websites work just fine, and you can always switch back to the default Standard option or disable it on certain sites if you are experiencing issues.

Disable Content Blocking on Sites

You can disable the content blocking feature on certain sites if you want or if they are not working properly.

To disable content blocking, click on the shield icon to the left of the address bar and flip the switch next to Enhanced Tracking Protection.

Disabling Enhanced Tracking Protection will allow trackers and cookies that undermine your privacy on that site, so you will have to consider, on a site-by-site basis, whether that’s something you are willing to compromise on.

Enable DNS over HTTPS

DNS, or the Domain Name System, is how your browser converts domain names like techcorpus.com to IP addresses like 127.0.0.1.

This is done because computers don’t really understand domain names like techcorpus.com; instead, they can only make connections to IP addresses.

By default, your computer, and the web browser, uses your ISP or Internet Service Provider’s DNS Resolver to find the IP address of the websites you type in the URL section.

The problem is that most of these default DNS resolvers provided by your ISP make unencrypted connections, which facilitates logging and censorship of the websites you visit.

Using a privacy-respecting encrypted DNS resolver can help resolve this issue.

To enable DNS over HTTPS, go to Menu > Settings > General > Network Settings. There’ll be an option at the bottom, Enable DNS over HTTPS.

You can choose Cloudflare or any of these privacy respecting encrypted DNS resolvers.

Update: Firefox now by default enables DNS over HTTPS via Cloudflare for the users in the US, and will most probably roll out to other countries in the future.

Nevertheless, you can switch to a different DNS resolver in the Network Settings panel.

Using DNS over HTTPS does add some privacy protection from your ISP, but you’re basically shifting that trust from your ISP to the DNS over HTTPS (DoH) resolver provider.

Another thing that must be noted is that even when you’re using an encrypted DoH resolver, your ISP can still see what domains you are connecting to, by looking at SNI fields and OCSP connections, which are usually not encrypted.

Until there is industry-wide support for Encrypted SNI (ESNI), OCSP Stapling, and DNSSEC, where there has been a lot of progress recently, DoH won’t provide you with perfect privacy.

But, using an encrypted DoH resolver that respects your privacy is better than nothing and even using DNS over TLS or DoT.

In this article, I have explained the privacy & security aspects as well as the whole DNS process.

Disable Telemetry & Data Collection

Firefox, by default, is configured to send “technical and interaction data” as well as “backlogged crash reports” to Mozilla, and can also install and run studies on your Firefox browser.

While Mozilla is one of the most privacy-respecting organizations, you should always allow software programs to send as little data as possible.

I recommend disabling all of these settings, you can always choose to send crash reports manually.

To disable Telemetry & Data Collection, go to Menu > Settings > Privacy & Security > Firefox Data Collection and Use and untick all of them.

Disable Save to Pocket feature

Firefox Pocket, previously known as Read It Later, is an app as well as a built-in Firefox functionality, which allows you to save blogs, web pages, videos at one place, and access it across all your devices for offline reading.

It’s a pretty nifty feature if you like using it, however, the server side code is not open source, though there are plans of releasing the source code in the future.

You can remove the Pocket button from the Firefox toolbar by right-clicking on the Pocket button and selecting “Remove from Toolbar”.

I have explained how to disable it completely in Firefox in a later section. Pocket also has a guide on disabling Pocket in Firefox.

Enable Clearing Cookies & Site Data

This setting is not for everyone, as clearing cookies will log you out of most of the websites.

However, it’s a pretty nifty feature that helps you delete all the tracking cookies and other site data, allowing you to have a fresh start every time you reopen the browser.

To enable, go to Menu > Settings > Privacy & Security > Cookies and Site Data and select the Delete cookies and site data when Firefox is closed option.

You can add exceptions to certain websites by clicking on Manage Exceptions and adding in the websites whose data you want to be retained.

The “Do Not Track” Request

Firefox provides an option to request websites to not track you via the infamous “Do Not Track” request.

However, its usefulness has come into question, as most websites will just ignore these requests, and it can also facilitate fingerprinting of your browser because it is not something that’s enabled by default.

I recommend against turning on the “Do Not Track” request feature, which can be found in the Browser Privacy section of the settings menu.

Firefox about:config Settings

Apart from the general menu settings that you have tweaked above, there are a number of “under the hood” settings that can help you gain even better privacy and security.

If you have made changes to your settings as explained above, you may notice some of these are already updated in about:config page or the configuration editor page too.

To access the configuration editor page on your Firefox, go to this URL:

about:config

You will be shown a warning screen with a “Proceed with Caution” prompt. Just click the Accept the Risk and Continue button.

After that, you will have a blank screen with a search bar on the top with a Show All button below it.

Click on the Show All button to view all the options, or just search the ones you want to change via the search bar.

Do note that preference names are case-sensitive, but search terms are not.

Modifying Preferences in about:config

You can modify a preference by just double-clicking the preference name. There are two kinds of preference to change: Boolean (true/false) and String (text).

For Boolean: Just Click the Toggle button or Double-Click the Preference Name.

For String: Just Click on Edit button or Double-Click the Preference Name and enter a New Value.

Click on the Checkmark to save the changes.

To reset a Preference to its Default Value, Click on the Reset Button.

To remove an Added Preference, Click on Delete Button.

You can also add your own preferences.

Alright, here are the recommended changes, sorted according to their sections:

Privacy & Security

media.peerconnection.enabled = false

WebRTC or Web Real-Time Communication is a free, open source project that enables web browsers with real-time communication.

However, there is a flaw in this communication protocol which makes browsers that support WebRTC expose your actual IP address even when you are using a VPN.

Software like NoScript Security Suite and uBlock Origin can help prevent this leak.

However, it’s recommended that you block WebRTC unless you use browser-based call functionality, used in web apps like Google Meet, Jitsi, Microsoft Teams, etc.

If you want to disable all WebRTC Settings:

  • media.peerconnection.enabled = false
  • media.peerconnection.turn.disable = true
  • media.peerconnection.use_document_iceservers = false
  • media.peerconnection.video.enabled = false
  • media.peerconnection.identity.timeout = 1

Note: Disabling WebRTC will stop call functionality in audio-video chat apps, like Google Meet, Microsoft Teams, Jitsi, Discord, etc. on your Firefox Browser.

privacy.firstparty.isolate = true

First-Party Isolation is a result of the Tor Uplift Project. It isolates all browser identifier sources like cookies to the first-party domain, with the goal of preventing tracking across different domains.

It also helps isolate cache, HTTP Authentication, DOM Storage, auto-form fill, favicons, and much more.

privacy.resistFingerprinting = true

Another feature from the Tor Uplift Project that makes Firefox more resistant to browser fingerprinting.

privacy.trackingprotection.fingerprinting.enabled = true

Blocks fingerprinting in Firefox 67+

privacy.trackingprotection.cryptomining.enabled = true

Blocks cryptomining in Firefox 67+

privacy.trackingprotection.enabled = true

Mozilla’s new built-in tracking protection, which blocks tracking from things like Google Analytics, including on privileged pages where the add-ons that would usually block it are disabled.

beacon.enabled = false

Blocks sending of data to servers when leaving pages.

geo.enabled = false

Disables geolocation feature that uses Google Location Services to get your location from your IP address.

webgl.disabled = true

Disables WebGL (or Web-based Graphics Library) — a JavaScript API used by websites to access your video card to render interactive 2D and 3D-graphics within the browser without any plugins.

Browser

browser.send_pings = false

Disables click tracking on websites.

browser.cache.offline.enable = false

Disables the offline cache. It may reduce performance but gives better privacy.

browser.urlbar.speculativeConnect.enabled = false

Disables preloading of autocomplete URLs in the address bar, which is a concern if the suggested URLs are of websites that you don’t want to connect to.

browser.safebrowsing.downloads.remote.enabled = false

Disables sending of information about downloaded executable files to Google Safe Browsing.

browser.sessionstore.privacy_level = 2

Allows you to control when to store extra information about a session like contents of forms, cookies, POST data, etc.

Set Session Privacy on Firefox using about:config by using one of these values:

  • 0 = Stores extra session data for any site.
  • 1 = Stores extra session data only for unencrypted (non-HTTPS) sites.
  • 2 = Never store extra session data.

extensions.pocket.enabled = false

Disables the Save to Pocket functionality in Firefox.

extensions.pocket.onSaveRecs = false

Disables the similar story recommendations that appear when you save to Pocket.

DOM

dom.battery.enabled = false

Disables the ability to track the battery status of your device.

dom.event.clipboardevents.enabled = false

Disables the ability to track if you copy, paste, or cut something from a web page, and it lets them know which part of the page had been selected.

Media

media.navigator.enabled = false

Disables tracking of microphone and camera status of your device.

media.eme.enabled = false

Opts you out of CDM playback, uninstalls CDMs and stops all CDM downloads.

media.gmp-widevinecdm.enabled = false

Disables Widevine Content Decryption Module provided by Google that is used for playback on DRM-Controlled HTML5 content.

CDM (or Content Decryption Module) is a mechanism used by DRM (or Digital Rights Management) which enables online video and audio services to enforce that the content they provide is in accordance with their requirements.

Note: You may not be able to play content on some sites that require DRM enabled, if you choose to disable widevine.

Network

network.cookie.cookieBehavior = 1

Controls which cookies are accepted; the value 1 blocks third-party cookies. You can choose from 0, 1 or 2:

  • 0 = Accepts all cookies by default
  • 1 = Accepts Only from the originating site (Blocks 3rd-party cookies)
  • 2 = Blocks all cookies by default

network.cookie.lifetimePolicy = 2

Deletes cookies at the end of the session. You can choose from 0, 1, 2 or 3. You don’t need to change it here if you have already done so in options/preferences.

  • 0 = Accepts cookies normally
  • 1 = Prompts for each cookie
  • 2 = Accepts for current session only
  • 3 = Accepts for N days

network.http.referer.trimmingPolicy = 2

Allows you to send only the scheme, host, and port in the Referer header. You can choose from 0, 1 or 2.

  • 0 = Sends the full URL in the referer header
  • 1 = Sends the URL without its query string in the referer header
  • 2 = Sends only the scheme, host, and port in the referer header

network.http.referer.XOriginPolicy = 2

Allows you to send the Referer header only when the full hostnames match. You can choose from 0, 1 or 2.

  • 0 = Sends Referer in all cases
  • 1 = Sends Referer to same eTLD sites
  • 2 = Sends Referer only when the full hostnames match

network.http.referer.XOriginTrimmingPolicy = 2

Allows you to send only the scheme, host, and port in the Referer header of cross-origin requests. You can choose from 0, 1 or 2.

  • 0 = Sends full URL in referer
  • 1 = Sends URL without query string in referer
  • 2 = Sends only scheme, host, and port in referer
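
To see how the three referer preferences above combine, here is an added example (not Firefox's own code) that models only what the lists above describe. The function names and URLs are made up, "same eTLD" is approximated by comparing the last two host labels, and applying the stricter of the two trimming values to cross-origin requests is an assumption of this model.

```javascript
// Added example: a small model of the network.http.referer.* preferences.
// It ignores Referrer-Policy headers and HTTPS-to-HTTP downgrades.

// Apply a trimming value (0, 1 or 2) to the URL of the page being left.
function trimReferrer(url, policy) {
  const u = new URL(url);
  u.hash = "";       // fragments are never part of a Referer header
  u.username = "";   // neither are embedded credentials
  u.password = "";
  if (policy === 0) return u.href;               // full URL
  if (policy === 1) {                            // URL without query string
    u.search = "";
    return u.href;
  }
  return u.origin + "/";                         // scheme, host and port only
}

// Naive stand-in for "same eTLD" (assumption: real browsers consult the
// Public Suffix List, so this is wrong for suffixes such as co.uk).
function baseDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Returns the Referer value sent from fromUrl to toUrl, or null if none.
function refererFor(fromUrl, toUrl, prefs) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const crossOrigin = from.origin !== to.origin;

  if (crossOrigin) {
    if (prefs.XOriginPolicy === 2 && from.hostname !== to.hostname) return null;
    if (prefs.XOriginPolicy === 1 &&
        baseDomain(from.hostname) !== baseDomain(to.hostname)) return null;
  }
  // Assumption: cross-origin requests get the stricter of the two values.
  const trimming = crossOrigin
    ? Math.max(prefs.trimmingPolicy, prefs.XOriginTrimmingPolicy)
    : prefs.trimmingPolicy;
  return trimReferrer(fromUrl, trimming);
}

// Constructed sample: a shop page with personal data in its query string.
const PAGE = "https://shop.example.com/cart?item=42&user=alice#top";
const THIRD_PARTY = "https://cdn.tracker.test/pixel.gif";
const SIBLING = "https://static.example.com/app.js";

const ALL_ZERO = { trimmingPolicy: 0, XOriginPolicy: 0, XOriginTrimmingPolicy: 0 };
const ALL_TWO = { trimmingPolicy: 2, XOriginPolicy: 2, XOriginTrimmingPolicy: 2 };

console.log("0/0/0, third party:", refererFor(PAGE, THIRD_PARTY, ALL_ZERO));
console.log("2/2/2, third party:", refererFor(PAGE, THIRD_PARTY, ALL_TWO));
console.log("2/2/2, same host:  ", refererFor(PAGE, "https://shop.example.com/pay", ALL_TWO));
console.log("0/1/2, sibling:    ",
  refererFor(PAGE, SIBLING, { trimmingPolicy: 0, XOriginPolicy: 1, XOriginTrimmingPolicy: 2 }));
```

With every value at 0 the third party receives the whole cart URL including the query string; with the values recommended above it receives nothing, and same-site navigation only reveals the origin.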

network.IDN_show_punycode = true

Renders IDNs (or Internationalized Domain Names) as their Punycode equivalent, which helps prevent phishing attacks that can be very difficult to notice.
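
What the Punycode form looks like for look-alike hostnames, as an added example that is not part of Firefox: the URL parser produces the ASCII form that this preference makes the address bar display. The hostnames, function names and the three-script list are constructed for illustration.

```javascript
// Added example: compare a hostname as typed with its ASCII (Punycode) form
// and flag labels that mix scripts. Sample hostnames are constructed.

// Scripts whose letters are commonly confused with each other (assumed list).
const SCRIPTS = ["Latin", "Cyrillic", "Greek"];

// Which of the scripts above occur in one DNS label.
function scriptsIn(label) {
  return SCRIPTS.filter((s) => new RegExp(`\\p{Script=${s}}`, "u").test(label));
}

function inspectHost(unicodeHost) {
  // The WHATWG URL parser converts an internationalized hostname to ASCII;
  // any label containing non-ASCII characters comes back prefixed with "xn--".
  const ascii = new URL("https://" + unicodeHost).hostname;
  const labels = unicodeHost.toLowerCase().split(".");
  return {
    ascii,
    isIdn: ascii.split(".").some((label) => label.startsWith("xn--")),
    mixedScriptLabels: labels.filter((label) => scriptsIn(label).length > 1),
  };
}

// Constructed samples, written with escapes so the odd characters are visible.
const SAMPLES = [
  "apple.com",                          // plain ASCII
  "\u0430pple.com",                     // first letter is Cyrillic U+0430
  "\u0430\u0440\u0440\u04cf\u0435.com", // every letter is Cyrillic
  "b\u00fccher.example",                // ordinary German IDN, single script
];

for (const host of SAMPLES) {
  const r = inspectHost(host);
  console.log(`${host} -> ${r.ascii}`,
    r.mixedScriptLabels.length ? "(mixed scripts)" : "",
    r.isIdn ? "(IDN)" : "");
}
```

The all-Cyrillic sample passes the mixed-script check yet still looks like a Latin name on screen, which is why showing the `xn--` form in the address bar is the more dependable signal.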

network.security.esni.enabled = true

Enables Encrypted SNI (or Server Name Indication) to make sites that support eSNI a bit more difficult to track.

Disable Firefox Prefetching

Firefox prefetches pages it thinks you will visit next, which causes cookies from the prefetched site to be loaded.

  • network.dns.disablePrefetch = true
  • network.dns.disablePrefetchFromHTTPS = true
  • network.predictor.enabled = false
  • network.predictor.enable-prefetch = false
  • network.prefetch-next = false

Firefox “Safe Browsing”

Safe Browsing provides phishing protection and malware checks. It used to require sending data like URLs and file hashes to Google, but that was the case in older versions of Firefox.

Newer Firefox browsers take a lot of measures to protect your privacy when providing Safe Browsing as explained by François Marier, a security engineer for Mozilla.

I recommend you keep Safe Browsing enabled on Firefox as it’s a pretty nifty tool and disabling it does not provide tangible privacy benefits.

If you wish to disable Safe Browsing feature, you can do it in about:config section:

  • browser.safebrowsing.phishing.enabled = false
  • browser.safebrowsing.malware.enabled = false

Resolving Issues

If something breaks and you aren’t able to access websites because of the changes you made in the about:config section, you should be able to troubleshoot and fix it.

If all goes wrong, you can always either Delete Firefox Preference Files or Refresh Firefox.

Delete Firefox Preference Files

Deleting the Firefox preference file can help remove the changes you have made to your Firefox using the configuration editor.

Firefox has a tutorial to delete the preference files.

Refresh Firefox

The Refresh feature restores Firefox to its default state while saving your essential information. It will reset preferences and remove other customizations, including added extensions and themes.

Firefox’s user.js Templates

A user.js is a configuration file for Mozilla Firefox that can help you harden Firefox’s settings, and make it more private and secure. Here are some recommended user.js Templates:

You can also create a Firefox profile with the defaults you like using Firefox Profilemaker.

To install the user.js file on your Firefox browser, just copy the user.js file you have downloaded to the current user profile directory, which can be found here:

OS: Path

  • Windows: %APPDATA%\Mozilla\Firefox\Profiles\XXX.your_profile\user.js
  • Linux: ~/.mozilla/firefox/XXX.your_profile/user.js
  • macOS: ~/Library/Application Support/Firefox/Profiles/XXX.your_profile
  • Android:

Installing Firefox user.js file for better privacy and security
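
A user.js file is a list of user_pref("name", value); lines. The added example below (not one of the templates mentioned above, and not Mozilla's code) writes some of this article's about:config recommendations in that syntax and checks an existing file against them; the sample file contents and function names are constructed.

```javascript
// Added example: render and audit user.js text against values from this page.

// Subset of the about:config recommendations listed in this article.
const RECOMMENDED = {
  "media.peerconnection.enabled": false,
  "privacy.firstparty.isolate": true,
  "privacy.resistFingerprinting": true,
  "geo.enabled": false,
  "webgl.disabled": true,
  "browser.send_pings": false,
  "browser.sessionstore.privacy_level": 2,
  "network.cookie.cookieBehavior": 1,
  "network.http.referer.XOriginPolicy": 2,
  "network.IDN_show_punycode": true,
  "network.prefetch-next": false,
};

// Render preferences in the syntax a user.js file uses.
function renderUserJs(prefs) {
  return Object.entries(prefs)
    .map(([name, value]) =>
      `user_pref(${JSON.stringify(name)}, ${JSON.stringify(value)});`)
    .join("\n") + "\n";
}

// Parse user.js text into a Map of name -> value. Comments are ignored and a
// later line for the same preference replaces an earlier one.
function parseUserJs(text) {
  const prefs = new Map();
  const noBlockComments = text.replace(/\/\*[\s\S]*?\*\//g, "");
  const prefLine =
    /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;/;
  for (const line of noBlockComments.split(/\r?\n/)) {
    const m = prefLine.exec(line);
    if (m) prefs.set(m[1], JSON.parse(m[2]));
  }
  return prefs;
}

// Compare a file with the recommendations; value types must match too.
function auditUserJs(text, recommended = RECOMMENDED) {
  const actual = parseUserJs(text);
  const report = { ok: [], missing: [], mismatched: [] };
  for (const [name, expected] of Object.entries(recommended)) {
    if (!actual.has(name)) {
      report.missing.push(name);
    } else if (actual.get(name) !== expected) {
      report.mismatched.push({ name, expected, actual: actual.get(name) });
    } else {
      report.ok.push(name);
    }
  }
  return report;
}

// Constructed sample file with typical mistakes: a commented-out line, a
// duplicated preference, a wrong value and a number written as a string.
const SAMPLE_USER_JS = `
/* constructed sample, not a real template */
user_pref("media.peerconnection.enabled", false);
user_pref("privacy.resistFingerprinting", true);
user_pref("network.cookie.cookieBehavior", 0);
// user_pref("geo.enabled", false);
user_pref("network.cookie.cookieBehavior", 1);
user_pref("webgl.disabled", false);
user_pref("browser.sessionstore.privacy_level", "2");
`;

const report = auditUserJs(SAMPLE_USER_JS);
console.log("ok:", report.ok);
console.log("missing:", report.missing);
console.log("mismatched:", report.mismatched);
console.log(renderUserJs({ "geo.enabled": false, "webgl.disabled": true }));
```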

Firefox Privacy Add-ons

Firefox has lots of great add-ons that will do wonders to your privacy, security, and speed. Mozilla has also started the Recommended Extensions Program to help its users find the safest, highest quality extensions.

When you are installing add-ons for Firefox, consider whether you are actually going to use them. Do remember the fingerprinting warning from earlier.

Keeping all that in mind, I couldn’t recommend these add-ons more:

uBlock Origin

uBlock Origin is the first add-on I download on any browser after installing it — It is an open source, resource-efficient, and light-weight wide-spectrum blocker which blocks all kinds of ads, trackers and malware sites.

And, unlike other so-called “Ad Blockers” it doesn’t have any Monetization Strategy like “Acceptable Ads Program”.

Decentraleyes

Decentraleyes is an innovative free and open source add-on that works by impersonating a CDN on your device locally.

With Decentraleyes installed, when your browser tries to make a connection to a CDN to download a resource that a website needs, say jQuery or Bootstrap — it will check if you already have it on your device from previous usage, and then serve that resource from its cache.

Decentraleyes also has the added benefit of speeding up your browsing, as you will be making fewer connections and hence saving on your data plan.

ClearURLs

ClearURLs is a free and open source add-on that removes tracking elements from URLs to help protect your privacy when you browse the Internet.

Many websites use tracking elements in the URL (e.g., https://example.com?utm_source=newsletter1&utm_medium=email&utm_campaign=sale) to mark your online activity, even though going to https://example.com will work just fine.

All that tracking code is not necessary for a website to be displayed or work correctly and can therefore be removed — that is exactly what ClearURLs does.
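
The idea in miniature, as an added example that is not the add-on's own code: remove query parameters whose names match a tracking pattern and keep everything else. The pattern list is an assumed short sample (the add-on ships its own rules), and the function name is made up.

```javascript
// Added example: strip tracking parameters from a URL's query string.

// Assumed sample patterns; only the utm_ names come from the URL shown above.
const TRACKING_PARAMS = [/^utm_/i, /^fbclid$/i, /^gclid$/i];

function cleanUrl(rawUrl) {
  const url = new URL(rawUrl);
  // Collect matching names first so the parameter list is not modified
  // while it is being iterated.
  const removed = new Set();
  for (const name of url.searchParams.keys()) {
    if (TRACKING_PARAMS.some((pattern) => pattern.test(name))) removed.add(name);
  }
  // delete() drops every occurrence of the name. The remaining parameters are
  // re-serialized, and an empty query also loses its "?".
  for (const name of removed) url.searchParams.delete(name);
  return { url: url.href, removed: [...removed] };
}

// The article's own example plus a constructed URL that mixes tracking
// parameters with one the site needs.
const EXAMPLES = [
  "https://example.com?utm_source=newsletter1&utm_medium=email&utm_campaign=sale",
  "https://shop.example/item?id=7&utm_source=x&ref=home&fbclid=abc123#reviews",
];

for (const example of EXAMPLES) {
  const result = cleanUrl(example);
  console.log(result.url, "removed:", result.removed.join(", "));
}
```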

Firefox Multi-Account Containers

Firefox Multi-Account Containers lets you isolate your work, shopping or personal browsing without having to clear your history, log in and out, or use multiple browsers.

It is free, open source, and is developed by Mozilla, and can help you compartmentalize your online activity easily.

It keeps parts of your online life separated into color-coded tabs that preserve your privacy. Cookie gets separated by container, allowing you to use the web with multiple identities or accounts simultaneously.

Terms of Service; Didn’t Read

Terms of Service: Didn’t Read is a user rights initiative that believes, “I have read and agree to the Terms” is the biggest lie on the web, and aims to fix that.

It is a free and open source project that rates and labels the terms and privacy policies of websites, from very good (class A) to very bad (class E), along with their summaries.

I have compiled a list of all the recommended add-ons.

New Firefox Features

Mozilla has lots of other products and newer features baked into the Firefox browser that help you have a more private web experience, like the Enhanced Tracking Protection explained in the earlier section.

Here are some of those additional newer Firefox privacy features:

DNS over HTTPS

DNS over HTTPS allows you to use an encrypted DNS resolver, which I have already covered in the earlier basic Firefox privacy settings section.

It basically encrypts your DNS requests to protect your privacy, you can find it in the Network Settings panel on the General settings page.

HTTPS-Only Mode

HTTPS provides a secure, encrypted connection between Firefox and the websites you visit. Most websites support HTTPS.

HTTPS-Only Mode will make Firefox upgrade all connections to HTTPS.

Previously, you needed an add-on called HTTPS Everywhere to enable this functionality, but now it can be enabled easily in the Privacy & Security settings page.

Firefox Monitor

Firefox Monitor warns you if your email address has been exposed in an online data breach. It is launched in partnership with haveibeenpwned.com, a website by web security expert Troy Hunt.

It lets you search for your email address in public data breaches going back to 2007, and you can additionally sign up for breach monitoring. It’ll also notify you in the Firefox browser if you visit a site that’s been breached.

Firefox Private Network

Firefox Private Network is basically a secure web proxy service that uses a server provided by Cloudflare to route your Firefox internet activity.

It is available as a browser extension, and works by creating an encrypted tunnel aka a proxy between your browser and a network managed by Cloudflare, which collects some data and deletes it permanently after 24 hours.

Firefox Private Network starts from $2.99/month, allows you to connect up to 3 devices, and has no bandwidth restrictions, but it is currently only available for customers in the US.

Mozilla VPN

Unlike Firefox Private Network, Mozilla VPN is a full-fledged VPN service. It is basically a white-labelled version of Mullvad VPN, a highly reputed VPN service provider based in Sweden that uses the WireGuard protocol.

It is available as a standalone app for Windows 10, Mac, Android, iOS, and Linux devices for a flat fee of $4.99/month, for 5 devices, with no bandwidth restrictions, but is currently limited to only a few countries.

While using Mozilla VPN will help support the Mozilla Foundation, I find just using Mullvad VPN much better, as it is what’s working under the hood and is available for pretty much everyone around the world.

Mullvad VPN doesn’t require any personal data for account sign-up, and has lots of privacy-oriented payment methods.

Firefox Relay

Firefox Relay is the newest product launched by Mozilla that aims to protect the privacy of your email address by generating email aliases that will forward all your emails to your real inbox.

It is free and uses Amazon SES, which has a pretty good spam and malware filter. You’ll need a Firefox account and the Firefox Relay add-on to generate email aliases.

Multi-Account Containers

Multi-Account Containers is Firefox’s in-house add-on that lets you isolate your work, shopping or personal browsing without having to clear your history, log in and out, or use multiple browsers.

It is free, open source, and is developed by Mozilla, and can help you compartmentalize your online activity easily.

There are other add-ons like Facebook Container that are developed in-house by Mozilla.

Firefox Lockwise

Firefox Lockwise is a simple password manager that lets you access the passwords you’ve saved in Firefox from anywhere — even outside the browser.

It is baked into your Firefox browser under the Passwords section, and it uses 256-bit encryption to protect your passwords while syncing.

You can secure your passwords with Face or Touch ID, and it is available for both Android and iOS.

Firefox Pocket

Firefox Pocket is an app as well as a built-in Firefox functionality, which allows you to save a variety of content (such as blogs, web pages, videos) to one place, and access it across all your devices for offline reading.

There is a free version, with apps for both Android & iOS for on-the-go reading, you’ll need to create a free Firefox account.

Firefox Send [Discontinued]

Firefox Send was a free and open-source end-to-end encrypted file sharing service by Mozilla. It had a file size limit of 2.5 GB, and was available on the Web and Android.

Additional Resources

Mozilla’s Privacy Policy — You should consider reading the privacy statements of any organization you deal with. Reading privacy policy can be a time-consuming and tedious task, you could also check out Terms of Service; Didn’t Read to get a summary and an overall idea.

Mozilla Firefox Privacy Conclusion

In my opinion, Mozilla Firefox is the best, all-around, web browser on the market when it comes to privacy and security online when modified as recommended above.

A lot of privacy and security enhancements from the Tor Browser make their way to the Firefox browser via the Tor Uplift Project. Mozilla has also made a lot of privacy-respecting products and services, as discussed above.

That’s all folks!

I will be updating this page frequently with more Firefox tools and information.
