A good browser setup should be one of the highest priorities when it comes to privacy. This is our interface with the web, and our web traffic can reveal a lot of information about us. So much so that there are many parties who wish to collect and use this data for their own purposes. Advertisers like Google and Facebook are the most common threat in this space, but a good browser setup can transform this siphon of personal information into a thick shield to protect you.
I recommend the Firefox browser for most users because it is open source and developed by the Mozilla Foundation which is a reputable non-profit organization. If you currently use a different browser, give Firefox a shot to see how you like it.
Maybe you have tried Firefox in the past and decided it wasn’t for you at that time. If this is you, I encourage you to reconsider the browser. There have been many modern updates to Firefox lately, such as HTTPS-Only mode which eliminates the need for the extension HTTPS Everywhere as well as user interface updates.
The catch is that Firefox doesn’t quite get my full stamp of approval as it comes out of the box after downloading. There are some important changes that I recommend you make on a new installation of Firefox. In this post, I’ll walk you through all of those settings from top to bottom and explain why I recommend each of these changes. By the end of this post, you should have a solid Firefox set-up for privacy and security.
Note that I won’t be covering any about:config settings in this article. If you didn’t know, about:config is an advanced settings page in Firefox that can be explored if you want even more granular control over your browser.
Since the topic of web browsers is such an immense and controversial area, look out for more content coming in the future. There are so many ideas I wish I could have included in this article, but that would have turned it into a small book.
Within the privacy community, web browsers are a hotly debated and constantly evolving topic, and many have differing opinions on the perfect browser setup. Many think Firefox is the only browser one should ever use, while others prefer a Chromium-based browser. I still suggest Firefox when someone new to privacy asks what browser to use, but if you have the time and interest to do your own research, feel free to explore the other options and opinions.
- For Windows and Mac users, turn on automatic updates. For Linux users, make sure you keep Firefox updated using your package manager.
- Under the heading “Browser”, turn off recommended extensions and recommended features.
Firefox says that the entire recommendations process takes place locally, in your version of Firefox. So, if you like the idea of getting features and extensions recommended to you, I won’t fight you on it.
I have no reason to believe they are not telling the truth on this. Just in case though, you should probably opt out of data collection later on in the settings. I turn these off because, frankly, I get a bad taste in my mouth every time I hear the words “personalized recommendations” these days.
- Under the heading “Firefox Home Content”, uncheck “Shortcuts” and “Recent activity”
This setting is admittedly an opinion of privacy versus convenience. Let me make the case for turning off the recommendations based on browsing history when you open a new tab in Firefox.
The reason I turn off these suggestions is because I may not be the only person that sees these recommendations. Sometimes, intentionally or by accident, someone else around me sees my screen. This especially applies if you take your computer outside of your home, like to a coffee shop or to school. Increasingly, we have to be aware of cameras in our presence that may have a view of our screens as well.
Would you be okay with a stranger knowing which bank you use or which social media accounts you have, just because they’re listed as some of your top sites? This could also potentially reveal a medical condition or embarrassing hobby that you’d rather your friends, family members, or employer didn’t find out about.
- Uncheck “Recommended by Pocket”.
Recommendations by Pocket are news stories selected by Pocket editors. If you like this feature and you want to use it, just make sure to opt out of data collection by Firefox. If you don’t, Pocket collects data on how many times you load the recommended stories (so-called “impressions”) and how many times you click on them.
Personally, I don’t want to have to trust yet another company with the capability of tracking my interests based on the recommended articles that I choose to click on, so I turn off this feature.
- Change the default search engine to DuckDuckGo.
We strongly recommend switching your default search engine away from Google. If you need convincing, check out my post here where I cover all the reasons why you should care about Google tracking. The only other general search engine available as the default is Bing, which isn’t much better since it’s owned by Microsoft.
If you’re not quite sure that DuckDuckGo will work for you, still make it your default. Try searching your queries in DuckDuckGo initially, and then if the results aren’t to your liking, fall back to Google. Some people have reported getting better at finding what they’re looking for on DuckDuckGo over time. I find that I get better results when I search less using a semantic query such as a full question like “why is duckduckgo popular” and focus more on inputting the relevant keywords like “duckduckgo popularity”.
If you’d rather use a different search engine than what’s available in the list of supported default search engines, I recommend that you change your home page to automatically go to your preferred search tool when you open a new tab or page.
Privacy and Security Tab
- Under “Enhanced Tracking Protection,” choose “Custom.”
- In the drop-down next to “Cookies,” select “Cookies from unvisited websites.”
- In the drop-down next to “Tracking content,” select “In all windows.”
- Make sure the boxes next to “Cryptominers” and “Fingerprinters” are checked.
Occasionally these settings will break websites, and more often on websites that track users heavily. If a website is broken, you have the option to toggle on or off all tracking protections to a site by clicking on the shield icon next to the URL.
Firefox’s tracking protection settings don’t give me the granular control that extensions like uBlock Origin do. Therefore, my philosophy is to set my Firefox browser to block everything that won’t usually break websites, and use my extensions for extra tracking protection. This is the happy medium I’ve come to, but if you find that this setting breaks too many websites that you visit, you can consider easing up on the cookie rules.
- Check “Always” send websites a “Do Not Track” signal
Setting your browser to send websites a “Do Not Track” signal is optional since it doesn’t actually do anything other than send a polite request. Websites don’t have to grant this request, and many don’t. Some argue that it’s not worth even turning on, because it makes your browser more unique, and thus easier to fingerprint. My stance on this has always been that I will turn it on just in case a website does respect my choice to not be tracked. Also, it shows website owners that many people care about their privacy, and do not accept the pervasive tracking that is all too common today. Maybe it makes a difference, maybe I’m too optimistic. You can make your own decision on the “Do Not Track” request.
- Under “Cookies and Site Data,” select “Clear Data.”
- Select “Delete cookies and site data when Firefox is closed.”
Most people have probably heard about cookies but many do not know what they are. Cookies are text files that are generated when you browse the web. They store personal information mostly for the purposes of advertisement tracking and processing data input into forms.
I recommend setting Firefox to automatically clear your cookies every time you close the browser. This has a small tradeoff with convenience as it means websites will no longer be able to automatically log you in, since they won’t be able to read the cookie file with information about your previous session. I believe this trade off is worth it, however, as advertisers won’t be able to read this information either.
Automatically clearing cookies is especially important for shared computers. Most people have probably had the experience of using a shared computer and being automatically logged in to someone else’s account because they forgot to logout. Setting the browser to automatically clear cookies when closed will alleviate this problem.
The effectiveness of this practice will depend however on how frequently you close your browser session. This is why I recommend that you should close any programs and fully shut down your computer when it’s not in use. This is even more important whenever you will be physically away from your computer and it will be out of sight.
- Uncheck “Ask to save login passwords”
I strongly recommend keeping your password manager separate from your browser. The biggest reason for doing this is for compartmentalization, one of the primary privacy strategies I discuss in my article on threat modeling.
To summarize what I mean, your browser and password manager both store information that is critically important to your privacy and security, so by keeping them separate, you limit the information that each holds individually and put yourself in a better position to protect that information.
Additionally, dedicated password managers have more features than password managers built into browsers typically do, such as random password generators and the ability to protect your database behind a master-password. I recommend the fully-featured password managers Bitwarden and KeePassXC for most people, rather than the browser-based solutions.
- Under “History,” select “Use custom settings for history” from the drop down menu.
- Select “Clear history when Firefox closes”
Saving history is another tradeoff of privacy vs. convenience. While it may be convenient to be able to quickly return to a site you have previously visited, the practice of saving browser history brings up some privacy concerns, since now there is a list of every website you visit stored on your computer.
The good news is that, in Firefox, this information is stored locally in what’s known as your Firefox profile. (The exception to this is if you turn on Firefox Sync, of course.) Thus, the biggest concern I have with saving browser history is if someone else views your screen or accesses your computer, in which case they will be able to see the websites you visit.
Again, this is a bigger concern with shared computers. If you have a shared computer, or someone else occasionally uses your computer, I recommend clearing your browser history when Firefox closes. Otherwise, as long as you don’t turn on Firefox’s syncing function, I don’t see this as too big of a deal if you really like having browser history. Just maybe make a habit of clearing it manually every so often just in case.
- Under “Address Bar,” uncheck everything except for “Search engines” from address bar suggestions.
For the same reason I don’t recommend having your top sites suggested on the Firefox home page, I also don’t recommend having them suggested while you type in the address bar. To reiterate, you may not be the only one seeing these suggestions if you use your computer in a public place, with family members or friends around, and especially if you let other people use your computer on occasion.
- Under “Permissions,” review the list of websites that you have granted special permissions.
It’s always a good idea to double check your permissions settings every so often on your devices, and your browser is no exception. Make sure that websites that have been granted special permissions are all ones that you recognize, that have a valid need for that permission, and that you still have a need to use. Pay extra attention to location, camera, and microphone permissions.
- Select “Block pop-up windows” and “Warn you when websites try to install add-ons.”
Thankfully, pop-up windows are largely a thing of the past, and younger readers may not even remember how much of an annoyance they were. Pop-up windows nowadays are mostly used for malicious purposes. For security reasons, I recommend that you block them altogether. If there is a case where a trusted website needs to serve a pop-up window, you can allow it on an individual basis.
In a similar vein, some malicious websites have been known to automatically install add-ons to your browser, which then are given special permissions and access. Therefore, I recommend that you employ this extra layer of protection, making Firefox give you a warning whenever an add-on is about to be installed which gives you the option to either allow or block the installation.
- Under “Firefox Data Collection and Use,” uncheck everything.
Some of you may not agree with my stance on opting out of Firefox data collection. A common argument for opting in is that Firefox may use that data to inform decisions on how to improve the software. It’s understandable that a company would want to collect information on how its users are using its product; however, until Firefox allows users more granular control over exactly what is shared, I will choose not to share anything.
Furthermore, as much as Mozilla (the maker of Firefox) is seen as a trustworthy organization within the privacy community, I don’t think it’s fair to say that we as users should be expected to need to trust our browser’s parent company, given that our browsers are such a crucial piece of software in our online lives. Ideally, we should eliminate the need to trust a single entity, and practices such as open-sourcing of code and independent audits and verification are great tools to that end.
- Under “HTTPS-Only Mode,” select “Enable HTTPS-Only Mode in all windows.”
You’ve probably heard before that HTTPS is more secure than HTTP. Both are communication protocols: HTTP stands for Hypertext Transfer Protocol, and HTTPS adds “Secure.” They are the first characters in a URL, for example https://www.modernprivatelife.com versus http://modernprivatelife.com.
The difference is a bit technical, since you’ll have to understand what encryption is. The biggest difference between HTTPS and HTTP is that HTTPS is encrypted, which helps prevent man-in-the-middle and eavesdropping attacks. Think of the classic hacker at a coffee shop example, where users on the same WiFi network are vulnerable to his eavesdropping if they are not using HTTPS.
Luckily, most of the web now supports HTTPS and it comes free with most hosting providers these days (this is the SSL certificate). For security, it is strongly recommended that you connect through HTTPS at all times. Firefox is ahead of the curve in the browser arena for adding this built-in HTTPS-Only feature.
Unfortunately, I find that occasionally this feature breaks for me and the website will not load. The solution is to simply open up a new tab and try to access the website again. Hopefully this bug will get patched in an upcoming update.
- Do NOT sign in to sync
You may have seen the sign-in to sync feature implemented in several popular browsers over the last few years. This feature may be convenient, but the tradeoffs for privacy are not worth it in my opinion.
The biggest tradeoff is that it essentially takes all your browser traffic on every device that you own and directly ties it to one account that is likely directly (or indirectly) tied to your real-world identity. Every website you’ve visited can be recorded, which is information that has high potential for abuse. (If you’re struggling to see the value of this information, think about if your insurance provider could see all the medical webpages that you view.)
While it’s possible that your browser developer may not intend to abuse this data, it’s still possible that it may be abused in a data breach or by a rogue employee. This kind of data is being regularly exploited and sold between data brokers in today’s age. Sign-in browser syncing features greatly increase the number of linked data points, thus allowing this information to be more accurate and enabling misuse.
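To check that the choices made in the Settings pages above actually landed in a profile, this added example (not part of the original post) parses a `prefs.js` file and compares a subset of prefs against the values recommended here. The pref names are assumptions based on current Firefox releases and may differ by version; the sample file is constructed.

```python
import re

# Prefs behind a subset of the settings above (about:config names; assumed
# for current Firefox releases). Values match the choices recommended here.
EXPECTED = {
    "browser.contentblocking.category": "custom",    # Enhanced Tracking Protection: Custom
    "network.cookie.cookieBehavior": 3,               # cookies from unvisited websites
    "privacy.trackingprotection.enabled": True,       # tracking content in all windows
    "privacy.trackingprotection.cryptomining.enabled": True,
    "privacy.donottrackheader.enabled": True,         # always send Do Not Track
    "privacy.sanitize.sanitizeOnShutdown": True,      # clear data when Firefox closes
    "signon.rememberSignons": False,                  # do not ask to save logins
    "dom.security.https_only_mode": True,             # HTTPS-Only Mode in all windows
    "datareporting.healthreport.uploadEnabled": False,  # data collection off
}

PREF_LINE = re.compile(r'^[ \t]*user_pref\("([^"]+)",\s*(.+?)\);[ \t]*$', re.M)

def parse_prefs(text):
    """Parse user_pref("name", value); lines into a dict of typed values."""
    prefs = {}
    for m in PREF_LINE.finditer(text):
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text, expected=EXPECTED):
    """Return {pref: 'ok' | 'mismatch' | 'unset'} for each expected pref."""
    prefs = parse_prefs(text)
    report = {}
    for name, want in expected.items():
        if name not in prefs:
            report[name] = "unset"      # not in file: Firefox default applies
        elif type(prefs[name]) is type(want) and prefs[name] == want:
            report[name] = "ok"
        else:
            report[name] = "mismatch"
    return report

# Constructed sample, not taken from a real profile.
SAMPLE = """\
// Mozilla User Preferences
user_pref("browser.contentblocking.category", "custom");
user_pref("dom.security.https_only_mode", true);
user_pref("network.cookie.cookieBehavior", 4);
user_pref("privacy.donottrackheader.enabled", true);
"""
```

`prefs.js` records only prefs that differ from Firefox's defaults, so `unset` means the default is in effect and should be confirmed in the Settings page rather than treated as a failure.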
I mentioned earlier that the topic of web browser best practices is constantly evolving, and one of the fastest changing aspects of those practices is the question of what browser extensions to use. Previously, I might have suggested extensions like NoScript, Privacy Badger, HTTPS Everywhere, among others. However, as this area has developed, some extensions have become redundant and thus unnecessary.
Additionally, browser fingerprinting has become a bigger and bigger issue, where advertisers and others can sneakily track you online for potentially months or more. I’ll expand on browser fingerprinting soon, but for now you should know that what browser extensions you have installed is a major part of your unique “fingerprint” on the web. Thus, the ideal case is that users should aim to limit their extensions or use only extensions that have a large enough user base so that their fingerprint is not so unique. This is why I recommend only the following extensions (in order of importance).
1. uBlock Origin
2. Multi-Account Containers
The next extension I recommend is an extension developed by Mozilla called Firefox Multi-Account Containers. This will prevent different tabs you have open in the same browser window from talking to each other. You can have different “profiles” to open certain tabs in, such as a profile for work, social media, travel etc. This is another nice way to compartmentalize your online life.
3. Your Password Manager
Lastly, if you like to use a password manager with a browser extension, you may wish to add that extension. It will make your fingerprint more unique, but if that’s the only way you can get yourself to use a password manager I think the payoff is definitely worth it as using one is so important.