Consider fixing the Mitigation guide for Firefox #58
First of all, sorry if this topic sounds harsh.
Unfortunately, arkenfox user.js maintains a lot of automatic connections, geolocation, safebrowsing and so on.
Your old guide was by far better than this.
Nowadays, Mozilla is bloating its browser and it's almost impossible to mitigate it.
After trying dozens of user.js this is the best I found (from a forked arkenfox one)
https://git.nixnet.services/Narsil/desktop_user.js
However, we still have to add firefox.settings.services.mozilla.com to our host file.
This way, it seems there are no unsolicited connections, but what will be the next step? Will we have to continue adding more and more in the future in order to control Firefox?
To sum up I think you would consider even deleting that guide.
Thanks for your time.
I'm unsure what being a bloated browser has to do with disabling spyware. If you feel as though using a user.js doesn't help, I'm not sure why you'd be using Firefox to begin with.
Using ghacks with a few tweaks helps a lot of people who are stuck on Firefox. Unless there's a better way to mitigate Firefox, I prefer to leave the guide be.
I'll retest Firefox later on and show specific options to disable that aren't covered by ghacks.
I'll leave this up to @anonymous for the final decision.
Sorry for the pessimistic message.
Anyway, it would be nice if you add those specific options.
People come here looking for the connections of their browsers and how to mitigate them. However, arkenfox (new name for ghacks) isn't the best way.
On the other hand, Mozilla telling us we have to add some of them to the host file is a nefarious behaviour.
BTW, on mobile it appears the same connection.
Greetings.
The guide needs to be updated.
Page doesn't seem to load, even with JS turned on?
And thank you for bringing the issue to our attention.
That Git instance seems to be quite erratic.
Reload the page once or even several times.
Possibly worth investigation or adding into "further reading":
https://old.reddit.com/r/privacy/comments/d3obxq/firefox_privacy_guide/
Also, you are correct in about
Firefox continues to add more bloat and botnet, and switching to a different browser should be done by any user (I'm currently working on a page for this).
But at least for now we will provide the guide so long as it is doable.
Especially since there is a user.js out there that seems to get ~95% of the unwarranted connections to stop (not that that is enough, if indeed it is only 95%).
@anonymous
"switching to a different browser should be done by any user"
I agree but the only obstacle that I see is distributions not having these browsers in their repos or them having Firefox as the default. (with the default user.js for some reason..) I do not see flatpak or equivalents as a good way to package anything, in fact they should not be a thing.
@Rupert
You're using something that mozilla made and you're using a browser of course, it is of no surprise that there's something verbose thrown in there. probably and maybe opening up an issue (to mozilla) will grant a good explanation of what is being sent to that address.
According to https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections
Login breach information
Firefox Monitor warns you if your online accounts were involved in a known data breach.
For more information, see Firefox Lockwise - Alerts for breached websites.
To get the latest login breach information and more, Firefox connects to **firefox.settings.services.mozilla.com**
This is a madness...
And now, we have to add aus5.mozilla.org to the host file.
Yeah, I just tested the ghacks last night. Their user.js is horrible. I'm not sure why in my right mind I decided to use it in the guide. If I remember correctly, they didn't use to be like that. I'll put a deprecated warning in the guide tomorrow and maybe next week I'll update it with a better user.js.
I'm changing the title from "Consider deleting Mitigation guide for Firefox" to "Consider fixing the Mitigation guide for Firefox" for better accuracy of this issue.
@baobab
I've never seen the profile manager being mentioned. Have a profile that disables telemetry, zaps fingerprinting and gets rid of other anti-features at its fullest and simply have another one that is less strict. Problem solved and no need to leave stuff in because of (x) not working properly.
Artix has repos that have most of everything. Also makes a case for setting up a distro yourself (be it for you or your normie friend who is done with macOS or Windows).
Also I wrote a thing about browsers:
http://abrx6wcpzkfpwxb5eb2wsra2wnkrv2macdtkpnrepswodz5jxd4schyd.onion/browsers.xhtml
Since I have found out about a few other browsers too, so it could always use updates but whatever.
We should consider changing the recommended user.js to Narsil's away from Ghack's.
the user is asked before any geolocation data is sent so there is no immediate need to disable functionality which is useful to some/many people if/when they choose to use it
safebrowsing is for user benefit - if you don't want to use it, fine, disable it (i disable it), but disabling it for all users out of the gate is a potential mistake
this is important: the arkenfox js is a template - it's up to the user to adjust prefs according to their particular needs
the Narsil js is...
avoiding all automatic connections just for the sake of avoiding them is a mistake IMO, one which, as he/she admits, compromises security
what you might do instead is read through the user.js and the wiki and learn why some connections are allowed ... and then disable the ones you don't need/want
look, i think we'd all agree that Mozilla is, in part, an evil company - a very evil company in some ways (they are anti-free speech and they partner with a pile of highly unethical foundations and corporations, some of which fund domestic terrorism (Ford Foundation, Soros, etc.) for example) - if there were a better browser out there, i'd be using it
similarly, if there were a better user.js out there, i'd be using it, but the arkenfox crew is very dedicated to what they are doing, very knowledgeable, and very active
again, their js is a template and it is the most intelligent, comprehensive and up to date one that i personally know of
Hi
First of all, thanks for your constructive criticism.
As for the user, everybody is also free to modify it according to their interests.
On the other hand, geolocation and safebrowsing could be useful but are privacy concerns. First one points to Mozilla and second one to Google.
In fact, Librewolf project disables safebrowsing.
Disabling OCSP is a controversial choice. Due to this, I warn about it.
You are, again, free to revert those changes.
I completely agree with you on this.
Again, I agree with you about arkenfox user.js but it has many flaws for few people that think zero unsolicited requests would be optimal.
On the other hand, and because a user.js is so inherently strict, I'm working on a mozilla.cfg because it's easier to change strings (defaultPref vs lockPref)
Greetings.
I know this comment is going to be very useless, but what is the current solution? or alternatively, is there anything new about this?
I am simply looking to just harden my firefox without the complications with these many userjs'.
As far as automatic connections are concerned, there is no simple solution for this.
The most comfortable alternative would be using Librewolf on PC and/or Mull on Android.
The uneasy solution means using arkenfox.js as a base with the following changes in about:config:
- Disabling safebrowsing
- Disabling push notifications
- Disabling privacytracking lists
- Disabling OCSP and CRLite checks
- Disabling geolocation features
- Disabling updating addons
- Disabling Widevine
- Disabling blocklists
And probably more of them I can’t remember.
On the other hand, if you are also interested in enhancing security you could also enable fission and disable JIT.
Afterwards, you’ll have to avoid automatic updates disabling this behavior with a policies.json.
Finally, editing omni.ja files in order to delete some connections like firefox.settings.services.mozilla.com.
What is worse, this must be done every time the browser updates.
As you can see, it’s quite complicated. Some features may be useful for some people. Thus, they are free to disable or enable them according to their needs.
Greetings.
Seeing that this issue hasn't been fixed in 2 years, I'll do it myself (I'd like to send this guide when people ask me about Firefox mitigation). But before writing it and sending a pull request I need to know if you like my solution:
I'll be using @Narsil 's user.js which is a vastly improved fork of arkenfox's:
https://git.nixnet.services/Narsil/desktop_user.js
As Narsil points out, there are still two connections which can not be removed with the user.js:
You need to either add them to your hosts file or remove them by unpacking and modifying two omni.ja files. Since the hosts file is way faster and doesn't need to be redone after every update, I'll go the hosts file route. Although I could explain both methods.
We could use the hosts file from #86 even if after using Narsil's user.js there are only two connections left, just in case Firefox updates and it starts making another connection.
https://github.com/MrRawes/firefox-hosts
About OCSP, I am a supporter of disabling it. But I would mention the security concern.
Additionally I'd like to add a section about the mozilla.cfg tweaks: https://git.nixnet.services/Narsil/mozilla.cfg which includes some nice security features like enabling fission. I'm not completely sure if this fits Spyware Watchdog's style, so I'd like to receive some confirmation before including this.
Please let me know if you like my solution and I'll start writing it.
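
Added example, not part of the thread or of any user.js project mentioned in it: a small audit that parses a hosts file and reports whether the two hostnames named in this issue (`firefox.settings.services.mozilla.com` and `aus5.mozilla.org`) are pinned to a sinkhole address. The function names and the sample hosts content are constructed for illustration; hosts entries match exact names only, so the sample includes a parent-domain line that does not cover the subdomain.

```python
import ipaddress

# Hostnames named in this thread as connections a user.js cannot disable.
THREAD_HOSTS = ("firefox.settings.services.mozilla.com", "aus5.mozilla.org")

def parse_hosts(text):
    """Map each hostname to the list of addresses the hosts file pins it to."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 2:
            continue                            # blank or address-only line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # not a usable address, skip
        for name in fields[1:]:                 # one line may carry aliases
            table.setdefault(name.lower().rstrip("."), []).append(addr)
    return table

def audit(text, wanted=THREAD_HOSTS):
    """Return {host: 'blocked' | 'not blocked' | 'missing'} for each wanted host.

    A host counts as blocked only if every entry for it is 0.0.0.0, ::,
    or a loopback address, so a stray routable entry is never overlooked.
    """
    table = parse_hosts(text)
    report = {}
    for host in wanted:
        addrs = table.get(host.lower())
        if not addrs:
            report[host] = "missing"
        elif all(a.is_unspecified or a.is_loopback for a in addrs):
            report[host] = "blocked"
        else:
            report[host] = "not blocked"
    return report

# Constructed sample, not a real system's hosts file.
SAMPLE = """\
127.0.0.1 localhost
0.0.0.0 firefox.settings.services.mozilla.com   # from the thread
0.0.0.0 mozilla.org        # exact match only: does not cover aus5.mozilla.org
#0.0.0.0 aus5.mozilla.org  # commented out, so it has no effect
"""

if __name__ == "__main__":
    for host, state in audit(SAMPLE).items():
        print(f"{state:12} {host}")
```

To check a real system, pass the contents of its hosts file to `audit()` and rerun after each browser update.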