Hardening Firefox for anonymity networks?

Submitted by retiredaccount in Privacy

Does anyone know of a guide for securing Firefox for use with anonymity networks? I remember seeing one floating around /r/linux years ago but I have no idea where I would find it now. I'm primarily wondering about i2p, but I imagine similar configurations would work with Tor or whatever else. There are a couple things I already do, but I'm sure I'm missing plenty.

browser.privatebrowsing.autostart -> true
media.peerconnection.enabled -> false
javascript.enabled -> false # or NoScript/uMatrix



quandyalaterreux wrote

For Tor never use it with anything besides the Tor Browser.

For something else, you can include

privacy.resistFingerprinting -> true
privacy.firstparty.isolate -> true

and some others (but not all, ask if you're unsure): https://www.privacytools.io/#about_config

Also there's another one for anti-font fingerprinting but I can't recall its name.

Don't forget to test on https://browserprint.info


invertedparrot wrote

I find using Tor Browser on I2P is viable. You just need to swap out the network proxy in the settings page from tor proxy port to i2p proxy port after every launch, and it works (not sure how to launch Tor Browser without having tor run in background as well, but it doesn't matter). There are so many privacy/anti-fingerprinting mods added to Tor Browser all the time that it is too laborious to keep up with including them all manually.

If you do want to wrangle with vanilla Firefox, just make sure to create a separate i2p-only profile, so it's at least somewhat isolated from the main browsing profile, in case you miss something. There are sporadic guides online about various privacy-related about:config settings. Try finding which settings Tor Browser has changed away from default and emulate those. Do check out the "privacy.resistFingerprinting" setting, which has been backported from Tor Browser into mainline Firefox.

The problem I've had was tracking down all the ways that vanilla Firefox tries to "phone home". This is less important for an i2p-only profile, since Firefox would not be able to reach Mozilla servers (unless you configure an i2p-clearnet proxy), but I feel "radio silence" is still a good aim for a browser config. It's like playing whack-a-mole; Mozilla is pushing out new trackers faster than I can shut them down. At least Mozilla still leaves us the option through about:config to turn them off, which is more than other browsers do... Here are some of them:

app.shield.optoutstudies.enabled -> false
beacon.enabled -> false
browser.cache.disk.enable -> false # do not store temporary internet files on hard drive
browser.newtabpage.enabled -> false # do not send frequently-visited URLs to mozilla
browser.newtabpage.enhanced -> false
browser.onboarding.shieldstudy.enabled -> false
browser.safebrowsing.blockedURIs.enabled -> false # sends some URLs of visited websites to google
browser.safebrowsing.enabled -> false
browser.safebrowsing.downloads.enabled -> false
browser.safebrowsing.downloads.remote.enabled -> false # sends filenames/hashes of all downloads to google
browser.safebrowsing.downloads.remote.url -> ""
browser.safebrowsing.malware.enabled -> false
browser.safebrowsing.phishing.enabled -> false
browser.search.geoip.url -> "" # phones home
browser.search.suggest.enabled -> false # do not search-as-you-type
browser.selfsupport.url -> "" # do not send heartbeat to mozilla
datareporting.healthreport.uploadEnabled -> false
datareporting.healthreport.service.enabled -> false
dom.indexedDB.enabled -> false # supercookies used to be not cleared by "delete history"
extensions.getAddons.cache.enabled -> false
extensions.update.enabled -> false # update your addons manually, don't send out a personally-identifiable list of addon versions every hour
extensions.shield-recipe-client.enabled -> false # do not allow mozilla to stealthily push arbitrary addons/settings to your browser
extensions.shield-recipe-client.api_url -> ""
keyword.enabled -> false # do not search from address bar
media.eme.enabled -> false
media.peerconnection.enabled -> false # leaks local network configuration/IP
network.http.sendRefererHeader -> 0 # do not send referrer
network.IDN_show_punycode -> true
privacy.donottrackheader.enabled -> true # might as well...
privacy.trackingprotection.pbmode.enabled -> false
privacy.trackingprotection.enabled -> false # sends some URLs of visited websites to mozilla
services.settings.server -> "" # phones home
services.sync.enabled -> false

Also set all "getHashURL"/"reportURL"/"updateURL" and all other "URL" about:config settings that look like a Google/Mozilla server API address to an empty string, since Firefox periodically contacts some of these servers even if the controlling service is set to disabled.
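
An added example, not part of the thread: one way to check a profile's prefs.js or user.js against the settings listed above and to find the leftover URL prefs the last paragraph describes. The WANTED subset, the VENDOR_DOMAINS list and the sample file contents are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Hardened values copied from the lists in this thread (subset for brevity).
WANTED = {
    "privacy.resistFingerprinting": True,
    "media.peerconnection.enabled": False,
    "datareporting.healthreport.uploadEnabled": False,
    "network.http.sendRefererHeader": 0,
}
# Assumption: vendor domains to flag in URL-valued prefs; extend as needed.
VENDOR_DOMAINS = ("mozilla.org", "mozilla.com", "mozilla.net", "google.com", "googleapis.com")
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$', re.M)

# Constructed sample of a prefs.js body; the geoip host is made up.
SAMPLE = """\
user_pref("privacy.resistFingerprinting", true);
user_pref("media.peerconnection.enabled", true);
user_pref("network.http.sendRefererHeader", 2);
user_pref("browser.search.geoip.url", "https://geo.example.mozilla.com/v1/country");
user_pref("browser.selfsupport.url", "");
"""

def parse_prefs(text):
    """Turn user_pref("name", value); lines into a dict of Python values."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text):
    """Return (mismatches, vendor_urls); None means the pref is not in the file."""
    prefs = parse_prefs(text)
    # Compare type as well as value so that false is not accepted for 0.
    mismatches = {n: prefs.get(n) for n, want in WANTED.items()
                  if type(prefs.get(n)) is not type(want) or prefs.get(n) != want}
    vendor_urls = {}
    for name, value in prefs.items():
        host = urlparse(value).hostname if isinstance(value, str) else None
        if "url" in name.lower() and host and any(
                host == d or host.endswith("." + d) for d in VENDOR_DOMAINS):
            vendor_urls[name] = host
    return mismatches, vendor_urls
```

prefs.js only records values that differ from the built-in defaults, so a None in the mismatch report means the default is in effect and should be checked in about:config.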