The Arkenfox user.js project configures desktop Firefox to use more of the security and privacy features already built into the browser1.
arkenfox user.js … aims to provide as much privacy and enhanced security as possible, and to reduce tracking and fingerprinting as much as possible - while minimizing any loss of functionality and breakage (but it will happen)1.
In my experience, modern and well-maintained websites work without issue. Applying the base
user.js will suit most use cases.
If a site doesn’t function correctly, disabling Enhanced Tracking Protection can help. Be aware that doing this means no tracker blocking or first party isolation2.
user.js can be modified with a
You can make your own by reading the Wiki, referencing the
user.js, and adding recipes to enable features such as DRM and Session Restore4.
As an example, my
user-overrides.js file toggles the following preferences5:
|Google Safe Browsing||Address bar||Increase window size|
|DNS-over-HTTPS||Limit font visibility|
|Media (video and audio) autoplay||Save downloads to another directory|
|Colour visited links|
|Ask to save passwords|
|Undo closed tabs|
|“Open with” download prompt|
These changes are made to reduce privacy exposure, decrease caching, remove annoyances, and add quality of life.
But what is my rationale for not wanting to use some of this functionality?
Google Safe Browsing
Foremost, Safe Browsing is disabled to reduce exposure to Google, and diminish dependence on their services.
Next, as an objection to badness enumeration. A cybersecurity faux pas, whereby ‘all the bad things that we know about’ are itemised6.
Finally – from a privacy perspective – the design of Safe Browsing is flawed. Purported to work from a local list7, the remote database is sometimes queried to avoid hash collision. Rescorla postulates that hashes for more popular websites – and hashes for different pages on the same website – could be used to infer which websites the user is visiting8.
DNS-over-HTTPS (DoH) bypasses enterprise policies and controls – namely filtering and monitoring – which should concern organisations9:
- Command and control (C&C or C2) malware can use DoH10 to ‘communicate … unimpeded by local network monitoring solutions’
- DNS-based firewalls and blocklists are sidestepped when using DoH
As a consequence of performing DNS at the application layer, services at the network layer – chiefly the DNS root servers and ISP DNS servers – are ignored, undoing the traditional trust model11 12.
DoH does little to prevent tracking or circumvent censorship9 13.
It is instrumental to see DoH as a ‘very partial VPN’ that only encrypts DNS packets, but leaves all other packets unmodified …9
DoH should only be used to overcome DNS redirects and ‘basic’ blocking – when there are no consequences to doing so – making it unsuitable for most threat models13.
For citizens of Mainland China, TLS 1.3 and ESNI traffic are blocked outright14 – including DoH15 – making it a non-starter.
This posed a problem for China, prompting them to make a change… to their Great Firewall to block all TLS 1.3 and ESNI traffic, effectively stopping people in China from using DoH to hide their DNS lookups15.
If your goal is to defeat surveillance and censorship, use the Tor Browser Bundle16 13.
Doesn’t LibreWolf already do this?
LibreWolf has endemic flaws which undermine security:
- No automatic updates, and inconsistent packaging17
- New versions are released multiple days after upstream Firefox18 19 (hello, zero days 👋)
Applying the LibreWolf configuration
The improvements seen in LibreWolf20 are applicable to upstream versions of Firefox:
Apply the Arkenfox
user.jsto the profile directory, seen in
- Update to new releases using
- After updating, close Firefox and reset unneeded preferences with
Install uBlock Origin
Note that most extensions which claim to improve privacy and security are not worth using, including NoScript, Ghostery, Privacy Badger, ClearURLs, Decentraleyes and Cookie AutoDelete22.
Use a privacy respecting search engine, such as DuckDuckGo or StartPage23
Firefox is reaching parity with Chromium’s security, while providing privacy features that Chromium does not include.
|(Dynamic) First Party Isolation||✅26 27||❌|
80% of desktop browsers are based on Chromium28 (including Edge29 and Opera30). We’re in danger of losing the only modern alternative to Google’s browser monoculture.
It’s time to switch to Firefox.
AliceWyman, Chris Ilias, Michele Rodaro, Mozinet, Joni, Marcelo Ghelman, Lamont Gardenhire, et al. ‘Enhanced Tracking Protection in Firefox for Desktop’. Mozilla Support, 2022. https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop. ↩︎
Thorin-Oakenpants. ‘3.1 Overrides · Arkenfox/User.Js Wiki’, 19 March 2022. https://github.com/arkenfox/user.js/wiki/3.1-Overrides. ↩︎
Thorin-Oakenpants. ‘Sticky: Override Recipes · Issue #1080 · Arkenfox/User.Js’. GitHub, 3 June 2022. https://github.com/arkenfox/user.js/issues/1080. ↩︎
Ranum, Marcus J. ‘The Six Dumbest Ideas in Computer Security’. Marcus J. Ranum, 1 September 2005. https://www.ranum.com/security/computer_security/editorials/dumb/. ↩︎
Marier, François. ‘How Safe Browsing Works in Firefox’. Feeding the Cloud, 8 November 2022. https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/. ↩︎
Rescorla, Eric. ‘Can We Make Safe Browsing Safer?’ Educated Guesswork, 16 August 2022. https://educatedguesswork.org/posts/safe-browsing-privacy/. ↩︎
Cimpanu, Catalin. ‘DNS-over-HTTPS Causes More Problems than It Solves, Experts Say’. ZDNET, 6 October 2019. https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/. ↩︎ ↩︎ ↩︎
Garmiza, Masha. ‘DNS over HTTPS as a Covert Command and Control Channel’. Inside Out Security, 30 June 2022. https://www.varonis.com/blog/dns-over-https-as-a-covert-command-and-control-channel. ↩︎
Hoffmann, Stacie. ‘Understanding DNS Over HTTPS - DoH’. Internet Governance & Cyber Security, 19 August 2019. https://oxil.uk/blog/understanding-dns-over-https-doh/. ↩︎
EfficientIP. ‘Why Using DoH Is Questionable’, 2 February 2021. https://www.efficientip.com/why-using-doh-is-questionable/. ↩︎
jonaharagon and d4rklynk. ‘Introduction to DNS - Privacy Guides’. Privacy Guides, 7 August 2022. https://www.privacyguides.org/basics/dns-overview/. ↩︎ ↩︎ ↩︎
Cimpanu, Catalin. ‘China Is Now Blocking All Encrypted HTTPS Traffic That Uses TLS 1.3 and ESNI’. ZDNET, 8 August 2020. https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/. ↩︎
Leyden, John. ‘Cat and Mouse: Privacy Advocates Fight Back after China Tightens Surveillance Controls’. The Daily Swig | Cybersecurity news and views, 1 July 2021. https://portswigger.net/daily-swig/cat-and-mouse-privacy-advocates-fight-back-after-china-tightens-surveillance-controls. ↩︎ ↩︎
Tor vs VPN | Which One Should You Use for Privacy, Anonymity and Security, 2020. https://www.youtube.com/watch?v=6ohvf03NiIA. ↩︎
tommytran732, SkewedZeppelin, ph00lt0, Thorin-Oakenpants, savolla, fxbrit, TheFrenchGhosty, et al. ‘Add Librewolf · Discussion #423 · Privacyguides/Privacyguides.Org’. GitHub, 31 July 2022. https://github.com/privacyguides/privacyguides.org/discussions/423. ↩︎
Mozilla. ‘Firefox 104.0, See All New Features, Updates and Fixes’, 23 August 2022. https://www.mozilla.org/en-US/firefox/104.0/releasenotes/. ↩︎
stanzabird. ‘Release V104.0 · LibreWolf / Browser / Windows · GitLab’. GitLab, 27 August 2022. https://gitlab.com/librewolf-community/browser/windows/-/releases/v104.0-1. ↩︎
LibreWolf. ‘LibreWolf Browser’, 6 July 2022. https://librewolf.net/. ↩︎
Thorin-Oakenpants. ‘3.4 Apply & Update & Maintain · Arkenfox/User.Js Wiki’. GitHub, 29 August 2022. https://github.com/arkenfox/user.js. ↩︎
]: Thorin-Oakenpants. ‘4.1 Extensions · Arkenfox/User.Js Wiki’. GitHub, 18 August 2022. https://github.com/arkenfox/user.js. ↩︎
jonaharagon, d4rklynk, mmistakes, tommytran732, mfwmyfacewhen, elitejake, and RoseTheFlower. ‘Search Engines - Privacy Guides’. Privacy Guides, 7 August 2022. https://www.privacyguides.org/search-engines/. ↩︎
Gakhokidze, Anny. ‘Introducing Firefox’s New Site Isolation Security Architecture – Mozilla Hacks - the Web Developer Blog’. Mozilla Hacks – the Web developer blog, 18 May 2021. https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture. ↩︎
The Chromium Projects. ‘Site Isolation’, 2021. https://www.chromium.org/Home/chromium-security/site-isolation/. ↩︎
Huang, Tim, Johann Hofmann, and Arthur Edelstein. ‘Firefox 86 Introduces Total Cookie Protection’. Mozilla Security Blog, 23 February 2021. https://blog.mozilla.org/security/2021/02/23/total-cookie-protection. ↩︎
Mozilla. ‘Firefox Rolls Out Total Cookie Protection By Default To All Users | The Mozilla Blog’. The Mozilla Blog, 14 June 2022. https://blog.mozilla.org/en/products/firefox/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/. ↩︎
StatCounter Global Stats. ‘Desktop Browser Market Share Worldwide’, July 2022. https://gs.statcounter.com/browser-market-share/desktop/worldwide. ↩︎ ↩︎
Microsoft Support. ‘Microsoft Edge (Chromium)’, 14 June 2022. https://support.microsoft.com/en-us/topic/microsoft-edge-chromium-1ce9507c-f09d-4de6-a706-eb52f46be90c. ↩︎
WebProNews. ‘The Chromium-Powered Opera Is Finally Here’, 28 May 2013. https://www.webpronews.com/the-chromium-powered-opera-is-finally-here/. ↩︎