How to make Firefox more secure i.e. hardening Firefox for privacy & security

If you are not already being spied on by the secret service or the police, and you just want to protect your privacy from evil corporations and other spies (for example Facebook marketing), this “How To” can help you. To keep this article short, it covers only Firefox, not the security of the whole operating system (Windows, Linux, etc.).

Don’t forget, most Internet Service Providers (ISPs like Verizon, AT&T) that supply you with the Internet are infiltrated by the secret service, and they log all of your activity on the web, including websites you visited, engagement on websites you visited, downloads, uploads, etc. Therefore, you should also use tools like Tor or a VPN; you can set up your own Tor/VPN server if you don’t trust third-party VPN or Tor nodes/servers. Anti-virus companies are the same case as the ISPs: Sophos can record all your web activities and Sophos is exploited by the CIA; while you scan for viruses, it collects information for the CIA. It is the same case with portable versions of Firefox, VLC, Chrome, WinSCP and some others (the CIA changes a DLL file in this software). If you use Tor with the portable Firefox, better use Tor and Firefox that are not portable. You can always reinstall Windows and delete all your activities and files; their forensics works only when you didn’t overwrite the system, but for additional security for “paranoid people”, you can use a Linux USB to overwrite your HDD 4 times before you reinstall Windows. But if I continue to write about security in general, this will be a very long article.

In short: install your own Tor or VPN server and use it to connect to the Internet, avoid portable software, overwrite your HDD and reinstall Windows from time to time, and avoid anti-virus/anti-malware software. You can use DeepFreeze (you must buy it, I think $35) or similar instead of an anti-virus: you just restart your PC and, if there was any virus, it is gone. It freezes your installation of Windows; if you want to install additional software and keep it, you must unfreeze it first, otherwise it will be deleted after restarting the PC. And use some Linux instead of Windows. You can use VeraCrypt to encrypt the HDD on Linux and Windows, and LUKS on Linux too.

And the famous Open Source label is not proof that software is not hacked by the FBI/NSA, so don’t believe the open source bullshit story; it is just a way for the NSA/CIA to get free contributions from many developers. The NSA keeps the bugs it finds for itself.

If you use Windows, you should not use IE: Microsoft Internet Explorer has had major security issues throughout the years, in nearly every version or release. Wikipedia has a full section dedicated to this.

If you use Chrome, you give all your information to Google, which collaborates with the NSA.

The Mozilla Corporation is infiltrated by the NSA; they can help the FBI misuse some bugs before they update Firefox, to catch criminals. But you must choose one web browser and use it, and here is a “How To” for Firefox. The Tor Browser Bundle also includes a portable Firefox; you can use this article to make TBB more secure.

When you are done with changing settings as described below, you can check your browser at:

You can install another search engine instead of Google: go to Tools->Options->Search and Add More Search Engines. I chose StartPage SSL. Although the father of the creator of StartPage is in American politics and it is a question how much his son is not a spy, until now all experts say that StartPage is a private version of Google. I can say: children are sometimes contrary to their parents. If you want to keep Google, but you travel to another country and get the local version of Google, set your home page to always be Google in English or your preferred language; here it is us-en, i.e. English:

But let’s start. In Linux, Firefox is called Iceweasel; in both cases, type this in the web address bar: about:config

Confirm you will be careful if the warning message is displayed…

Find the following settings in the search bar and change them (double-click on a setting to switch it from “true” to “false”):

If you want to disable JavaScript, set javascript.enabled to false (just double-click). I will write it like this:
javascript.enabled=false (if you want to disable javascript)

services.sync.prefs.sync.javascript.enabled=false (if you want to disable javascript, if you are not using Sync, this setting is not important to you) SSL (if you added Startpage to your search engines)

media.peerconnection.enabled=false (disable automatic peer-to-peer access to your computer while you’re surfing the web, for example some website/hacker can try to activate your webcam)

browser.safebrowsing.enabled=false (stops comparing visited URLs against a Google blacklist; this disables Google Safe Browsing and phishing protection. Security risk, but privacy improvement). I decided to delete all strings with Google; some people may get the idea to use Yandex from Russia instead of Google. Type browser.safebrowsing and you will see the Google URLs; you can find Yandex URLs here:

browser.safebrowsing.downloads.enabled=false (stops Google’s servers from getting information)
browser.safebrowsing.malware.enabled=false (stops Google’s servers from getting information about your web activities)
browser.privatebrowsing.autostart=true (if you always want Firefox to start in private browsing)
browser.safebrowsing.allowOverride=false (you can prevent override of your settings)
datareporting.healthreport.uploadEnabled=false (stops Mozilla from getting information)
dom.event.clipboardevents.enabled=false (stops websites from tracking what you selected from their content) (you can stop DOM, used by Internet firms to track your activities, histories and browsing habits)
geo.enabled=false (browser will not send geo-location data relating the Wi-Fi network you are using)
geo.wifi.uri= (you can stop geo-location)
browser.cache.disk.enable=false (disables caching on the hard drive)
browser.cache.disk_cache_ssl=false (disables caching on the hard drive when you use SSL)
browser.formfill.enable=false (this disables saving of form data)
network.cookie.cookieBehavior=1 (only allow cookies to be stored from the destination server you are connecting to, no other party cookies)
network.cookie.lifetimePolicy=2 (store a cookie only for the duration of the connection with the server)
network.http.sendRefererHeader = 0 (stop sending the header information)
network.http.sendSecureXSiteReferrer=false (stop sending Referrer header when you are navigating from one secure site to another)
network.dns.disablePrefetch=true (prevents Firefox from resolving links and domain names to IP addresses before a user clicks on them)
network.prefetch-next=false (prevents downloading website information ahead of time)
privacy.donottrackheader.enabled=true (This makes Firefox include a DNT (“do not track”) header in its request)
toolkit.telemetry.enabled=false (prevent companies and developers to get information, they get more than they really need, you can stop them)
network.proxy.socks_remote_dns = true
network.http.spdy.enabled=false (all spdy settings should be false if you don’t want protocols running that form persistent connections across sessions)
layout.css.visited_links_enabled = false
browser.display.use_document_fonts = 0
browser.send_pings=false (stop websites from tracking visitors’ clicks)
browser.send_pings.require_same_host=true (disables sending pings to 3rd party content hosts)
experiments.enabled=false (if you don’t want any Mozilla ‘enhancements’ that sacrifice security for convenience)
media.peerconnection.turn.disable=true (makes sure WebRTC is really disabled)
media.peerconnection.use_document_iceservers=false (makes sure WebRTC is really disabled)
media.peerconnection.identity.timeout=1 (makes sure WebRTC is really disabled)
security.ssl3.dhe_rsa_aes_128_sha=false (cipher is susceptible to the logjam attack and should be disabled)
security.ssl3.dhe_rsa_aes_256_sha=false (the same as above)
webgl.disabled=true (WebGL involves running code directly on the video card, and exposing APIs that provide direct access to video card APIs)
network.http.speculative-parallel-limit=0 (stops Firefox from connecting to arbitrary links on a page by the simple act of hovering over them, without your explicit permission)

In case Firefox turns these settings back after an update, you can also stop automatic updates: set all “update” settings to FALSE. Just type update in the search bar, find all the true options and change them to false.
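
One way to notice settings that have changed back, as an added example that is not part of the original article: the Python script below compares the text of a profile's prefs.js with a subset of the values listed above and renders the differences as user.js lines. The function names and the sample file contents are constructed for illustration; a preference missing from prefs.js is at Firefox's built-in default and is reported with found = None.

```python
import re

# Subset of the preferences listed in this article, with its recommended values.
EXPECTED = {
    "geo.enabled": False,
    "media.peerconnection.enabled": False,
    "network.cookie.cookieBehavior": 1,
    "network.http.sendRefererHeader": 0,
    "network.proxy.socks_remote_dns": True,
}

# prefs.js and user.js hold one setting per line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Constructed sample, not taken from a real profile.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("geo.enabled", false);
user_pref("media.peerconnection.enabled", true);
user_pref("network.cookie.cookieBehavior", 0);
"""

def parse_prefs(text):
    """Return {name: value} with true/false as bool, integers as int, rest as str."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:  # comments and anything that is not a user_pref() line are skipped
            name, raw = m.groups()
            if raw in ("true", "false"):
                prefs[name] = raw == "true"
            elif re.fullmatch(r"-?\d+", raw):
                prefs[name] = int(raw)
            else:
                prefs[name] = raw.strip('"')
    return prefs

def audit(text, expected=EXPECTED):
    """List (name, found, wanted); found is None when the pref is not set."""
    found = parse_prefs(text)
    # Compare types too: in Python False == 0, but the prefs differ in Firefox.
    return [(n, found.get(n), w) for n, w in sorted(expected.items())
            if type(found.get(n)) is not type(w) or found.get(n) != w]

def to_user_js(findings):
    """Render user.js lines that set each finding to the wanted value."""
    def lit(v):
        return str(v).lower() if isinstance(v, (bool, int)) else '"%s"' % v
    return ['user_pref("%s", %s);' % (n, lit(w)) for n, _, w in findings]
```

The lines returned by to_user_js(audit(...)) can be saved as user.js in the profile folder; Firefox applies that file at every start, so the values are set again even if something changed them.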

That’s it for security; here are some tweaks for modifying Firefox:

extensions.blocklist.enabled=false (if you want to disable warnings, for example if you visit a movie website that asks you to allow the Flash plugin)
browser.urlbar.maxRichResults=5 (adjusts the Smart Location Bar’s number of suggestions; by default it is 10, put any number you want)
browser.urlbar.autocomplete.enabled=false (if you want to disable autocomplete when you type a website URL in the address bar)
browser.urlbar.clickSelectsAll=false (a click no longer selects the whole URL but places the cursor where you wanted, so you don’t need to click again to delete a wrong letter when you typed a URL)
dom.disable_open_during_load=true (enables Firefox’s built-in popup blocker)
dom.event.contextmenu.enabled=false (disables website control over the right-click context menu; in this way you can copy text from websites that stop you from doing it)

That’s all. In a future article, I will write about hardening Chrome or something similar.