“Out of the box,” Mozilla’s Firefox browser is widely regarded as the most privacy-friendly mainstream browser available.
However, there are still some Firefox security and privacy concerns to be had, even if you are using a VPN service!
In this guide, I'll show you how you can make Firefox more secure with a few simple steps.
Firefox's privacy-friendly status comes down to the fact that Firefox is a fully audited open source software and that, unlike proprietary browsers such Google Chrome, Microsoft Edge, Internet Explorer, and Apple Safari, it does not track what you get up to on the internet.
Another reason for its popularity among privacy-heads is the large number of add-ons available that can greatly improve the privacy and security of your browsing. In addition to this, it is possible to access Firefox’s deep configuration settings in order to tweak its privacy and security parameters.
In recent months Firefox has transitioned away from its old add-ons framework to WebExtensions. As of Firefox 57 "Quantum," it is only possible to use WebExtensions add-ons. Most of the add-ons listed below have been transitioned to WebExtensions, or are expected to in the near future. Please see Are we WebExtensions yet? for the latest news about which add-ons have been updated to the new platform.
The way in which your browser is configured (especially the browser plugins used), together with details of your Operating System, allows you to be uniquely identified and tracked with a worryingly high degree of accuracy.
A particularly insidious (and ironic) aspect of this is that the more measures you take to avoid tracking (for example by using the plugins listed below), the more unique your browser fingerprint becomes.
The best defense against browser fingerprinting is to use as common and plain vanilla an OS and browser as possible. The hardened Tor browser with Tor disabled is the usual recommendation here.
Unfortunately, this leaves you open to other forms of attack. It also reduces the day-to-day functionality of your computer to such an extent that most of us will find the idea impractical.
For more information see my browsers and fingerprinting guide.
Things to Do When you First Install Firefox
By default, Firefox collects some telemetry information about you. This is mainly harmless, and is primarily to improve performance. Given that data collected in this way has privacy implications, however, it is a shame that Mozilla has decided to make it opt-out, rather than opt-in.
To disable telemetry in Firefox Desktop, go to Open Menu (the three bars to the top right of the browser) -> Options -> Privacy & Security -> Firefox Data Collection and Use and uncheck both boxes.
To disable telemetry in Firefox for Android, go to Menu -> Settings -> Privacy -> Data Choices and uncheck all three boxes.
Telemetry can also be disabled using about.config, as discussed below.
Change Search Engine
Firefox Quantum switched from using Bing to Google as its default search engine. There are no doubt sound financial reasons for this move, but neither of these are good choices for privacy.
Fortunately, it is very easy to change the default search engine. Just go to Menu -> Options -> Privacy & Security -> Default Search Engine and pick an engine from the drop-down dialog box. A quick guide to adding StartPage is also available here.
From here you can also change the “One-click” search engine options and add new search engines. Note that from Firefox 57+, each browser update will switch the default search engine back to Google. To prevent this, go to Menu -> Options -> General -> Allow Firefox to -> and uncheck Automatically update search engines.
So which search engine should you change to? Please check out our Privacy Search Engines Group Review for a rundown of the best options available.
Enable Tracking Protection Globally
Tracking protection has been available for Firefox since 2015, but the option to enable it was hidden away in about:config (see below). Firefox 57+ brings tracking protection to the main interface, but by default it is only enabled in Private Browsing mode.
To enable tracking protection for all browsing, go to Open -> Options -> Privacy & Security -> Tracking Protection and click the Always button.
In Firefox for Android go to Menu -> Settings -> Privacy -> Tracking Protection -> Enabled.
Noe that in addition to its privacy benefits, “Tracking Protection also enjoys performance benefits of a 44% median reduction in page load time and 39% reduction in data usage in the Alexa top 200 news sites.”
Turn on Do Not Track
As with most browsers, Firefox offers a “Do not Track” (DNT) option. If enabled, Firefox will request websites you visit not to track you. Please note that compliance from websites is entirely voluntary, and it is sad fact that DNT requests are routinely ignored.
There is, however, zero harm in enabling this option, and it may work sometimes. Go to Open Menu -> Options -> Privacy & Security -> Tracking Protection and set the “Do Not Track” radio button to Always.
In Firefox for Android go to Menu -> Settings -> Privacy -> Do not track.
Web Real-Time Communication (WebRTC) is a potentially useful standard that allows browsers to incorporate features such as voice calling, video chat, and P2P file sharing directly into your browser.
A good example of this is the new Firefox Hello video and chat client that lets you talk securely to anyone else using an up-to-date Firefox, Chrome, or Opera browser, without the need to download any add-on, or configure any new settings.
Unfortunately for VPN users, WebRTC allows a website (or other WebRTC service) to directly detect your host machine’s true IP address, regardless of whether you are using a proxy server or VPN.
Given that WebRTC is potentially useful, it is something of a shame that the only way to prevent it from leaking your true IP address when using a VPN is to disable WebRTC in your browser completely. But there you go.
Type about:config into the URL bar to enter Firefox’s advanced settings, and change the media.peerconnection.enabled value to false. See below for more about about:config. This works for both Firefox Desktop and Firefox for Android.
Remove DRM (optional)
In order to watch videos on sites such as Netflix, Amazon Prime and Hulu, you must use Digital Rights Management (DRM). This encrypts the content and protects copyright by limiting what you can do with it.
Back in 2015 Mozilla made the controversial decision to include DRM in Firefox. In many ways this was an understandable decision. Being able to play Netflix etc. content can be seen as necessary if Firefox is to stay cooperative with its rivals.
The decision infuriated many, however, because it requires bundling closed source code into the open source Firefox. This code is probably doing nothing other than exactly what it says it is doing, but since it is closed source there no way to know this for sure.
In order to mitigate this problem, Firefox runs DRM in a separate sandboxed container. In theory, this should prevent the DRM from doing any harm, even if it wanted to.
Open source purists and privacy-heads, however, may prefer to remove DRM from Firefox altogether. Do note that doing so will reduce functionality, as Firefox will no longer be able to play DRM-protected content.
1. In Firefox Desktop go to Menu -> Settings -> General -> Digital Rights Management (DRM) Content and uncheck Play Digital Rights Management (DRM) Content.
This will completely remove all HTML5 DRM code from your hard drive.
2.Go to Menu -> Add-ons -> Plugins and ensure Shockwave Flash is set to Never Activate.
3a. Type about:supportinto the URL bar and hit enter. Scroll down to Application Basics -> Profile Folder and hit the Open Folder button.
b. In the now open Profile Folder, find and delete the gmp-eme-adobe and gmp-widevinecdmsubfolders. Restart Firefox.
It is not possible to remove all DRM from Firefox for Android, but it is possible to install Fennec F-Droid from the F-Droidrepository. This is a fork based on the latest Firefox release, but which strips out all closed source code from Firefox for Android – including DRM.
Recommended Firefox Privacy and Security add-ons
All Firefox add-ons are free and open source software (FOSS).
uBlock Origin is a lightweight but powerful ad-blocker that pulls double duty as an anti-tracking add-on. It uses a number of blocking lists to filter unwanted content from appearing in your browser. The lists it comes with are pretty good, but I recommend also adding those compiled by EasyList and Fanboy.
Blocking ads and tracking scripts can break some web pages, making uBlock Origin’s on-the-fly whitelisting feature very handy. You can also toggle which types of elements are blocked (pop-ups, large media elements, cosmetic elements and remote fonts), or use the Element picker and Element Zapper modes to customize what is permitted to run on a web page.
uBlock Origin works very well in tandem with Privacy Badger, and I recommend using both together. It is also worth noting to avoid confusion, that uBlock Origin is recommended over the very similar uBlock add-on.
Developed by the Electronic Frontier Foundation (EFF), this is an excellent anti-tracking add-on that does double-duty as an ad-blocker. Although there is some overlap in function, Privacy Badger and uBlock Origin complement each other and are best run together.
Rather than using blocklists, Privacy Badger keeps track of scripts that are embedded in web pages. If it detects that a source is tracking you, it “springs into action, telling your browser not to load any more content from that source.”
Privacy Badger allows you see which tracking scripts are present on a web page and which ones are actually tracking you. You can then decide how to deal with them (block, block cookies, or allow), or let Privacy Badger decide.
An essential tool. HTTPS Everywhere was developed by the Electronic Frontier Foundation and tries to ensure that you always connect to websites using a secure HTTPS connection - if one is available.
It works because many websites can accept HTTPS connections, but use regular insecure HTTP ones by default. Just be aware that if no HTTPS connection is possible, HTTPS Everywhere will default to an insecure HTTP connection (although this can be changed in its settings).
It is, therefore, a good idea to keep an eye on the padlock icon in the URL that shows whether you are using an HTTPS connection.
NoScript is a potent tool that gives you unparalleled control over what scripts are run on your browser. However, many websites will not play game with NoScript, and it requires a fair bit of technical knowledge to configure and tweak it to work the way you want it to.
It is easy to add exceptions to a whitelist, but even this requires some understanding of the risks that might be involved. Not for the casual user then, but for web-savvy power-users, NoScript is challenging to beat.
Note that if you use NoScript, you do not also need to use uBlock Origin + privacy Badger or uMatrix.
See here for some tips on getting the best out of NoScript. The last one is particularly worth paying attention to. It is worth keeping NoScript installed even if you “Allow Scripts Globally,” as this still protects against nasty things such as cross-site scripting and clickjacking
Developed by the team behind uBlock Origin, uMatrix is something of a half-way house between that and NoScript. It provides a great deal of customizable protection but requires a fair bit of work and know-how to set up correctly.
uMatrix is not as hard to configure as NoScript and does not break as many sites. But neither is it as comprehensive.
Note that if you use uMatrix, then it is not necessary to also use uBlock Origin + Privacy Badger or NoScript.
A drop-in replacement for the popular but now defunct Self-Destructing Cookies, Cookie AutoDelete automatically deletes HTTP (regular) cookies when you close the browser tab that set them. This provides a high level of protection from tracking via cookies without “breaking” websites.
Cookie AutoDelete also provides some protection against Flash/zombie cookies and ETags, and cleans DOM storage (although it can't clean local storage yet).
Note that Cookie AutoDelete and BetterPrivacy complement each other, and I recommend running them both together.
This add-on controls Flash cookies. It should be configured to remove these automatically on a regular basis.
There is an argument that BetterPrivacy is now redundant as Flash is used much less by websites than it used to be. Personally, I think it is still worth running. It is recommended to run this add-on and Self-Destructing Cookies together.
Note that at time of writing BetterPrivacy has been removed by its author from official Firefox Add-on website. The WebExtensions version is in beta, however, so we should hopefully see it reappear soon.
Random Agent Spoofer
A web browser user agent tells website what type of computer, what OS, and what browser you are using. Many sites use this information to optimize their pages to improve user experience, but this information can be used for browser fingerprinting.
Random Agent Spoofer randomly changes what user agent information is given to a website. For example, it can tell a website that you are accessing it on an iPhone using Safari, rather than on a PC using Firefox.
Note that there is some debate on how effective Random Agent Spoofer and similar add-ons are at preventing Browser Fingerprinting. It is true that using an unmodified generic browser such as the Tor Browser is almost certainly better in this regard. But if you are using other add-ons which make your browser more unique, changing your user agent is probably useful.
Canvas fingerprinting is the most common form of browser fingerprinting. It uses a script that asks your browser to draw a hidden image, and uses tiny variations in how the image is drawn to generate a unique ID code which can then be used to track you. Canvas Defender helps prevent this by creating a unique and persistent noise that hides your real canvas fingerprint.
Note that at the time of writing, Mozilla has promised upcoming versions of Firefox will feature built-in canvas fingerprinting protection. If and when this becomes available, Canvas Defender should become redundant, Until then, however, I strongly recommend its use.
This add- aims to improve your privacy while browsing by hosting CND resources locally. When your browser requests one of these CDN resources, the application is blocked, and you are served up a local version instead.
If the above just sounds like techno-babble to you, please check out my Decentraleyes Review for a full explanation.
Bloody Vikings is an easy-peasy way to create temporary email addresses.
Just right-click in an email registration field, select ‘Bloody Vikings’ (or expand to see a choice of services), and a newly generated email address will be inserted into the field while a new browser tab opens to the temporary mailbox.
PGP is by far the most secure way to send private emails. But it is a pain in the butt to use. Such a significant pain, in fact, that few people bother. Mailvelope is a browser add-on that allows end-to-end PGP encryption within Firefox.
It works with popular browser-based webmail services such as Gmail, Hotmail, Yahoo!, and GMX. It makes using PGP about as painless as it gets. However, it is not as secure as using PGP with a dedicated email client. Check out my detailed look at Mailvelope here.
KeePassis a fantastic open source password manager. keepasshttp-connector is a Firefox add-on that brings full browser integration to KeePass.
Please check out my KeePass Review for further details.
Firefox allows quite fine-grained control of its privacy settings, but to do this requires accessing its advanced configuration settings using about:config. I describe how to do this, plus provide an extensive list of privacy-related settings below.
Privacy Settings, however, allows you easy ‘one-click’ control of many of these settings using a simple GUI interface. Because it merely flips configuration settings, you can install the add-on, disable whichever settings you prefer, and then uninstall Privacy Settings to save browser resources.
How to make Firefox More Secure Using about:config
Built into Firefox are a number of “under the hood” settings. These can be changed to improve your privacy and security when browsing.
To access Firefox’s advanced configuration settings, type about:config into the search bar, and hit enter.
While it might be possible to do some damage, this warning seems a bit strong to us! Click “I accept the risk!” if you are feeling brave enough.
You will now see the configuration screen, with Preference Name’s listed in alphabetical order (by default).
To change a boolean entry (i.e. it has a true/false value), simply double-click anywhere on the entry line. To change an integer (i.e. numeric value), double-click the entry and enter a numeric value.
To change a string value, double-click the entry and enter the required text.
When you see an option in bold in the about:config pane, it has been changed from its default value.
Where an entry is marked with an asterisk*, I strongly suggest that you follow my advice.
Warning: Some websites rely on features we discuss disabling for security reasons below. Disabling these features will therefore "break" some websites (causing problems when using them, or even causing them to refuse to load altogether).
The good news is that simply re-enabling the relevant features will un-break the affected websites, so you may require some trial-and-error to find the right balance between maximum security and accessing the services you use.
The Private Browsing mode was introduced to stop you leaving any embarrassing trails of what you have been up to for other users of your browser to find. Most importantly it stops (most) cookies and does not record any History of websites you have visited or forms you have filled in.
The critical thing to remember is that Private Browsing is excellent for protecting your privacy from others using the same computer, but does little to protect someone from the outside seeing what you get up to (e.g. your ISP).
Even if you are the sole user of a computer, it is still a good idea to always surf the internet in Private Browsing mode, thanks to its cookie blocking features in particular.
By setting this Preference to true you will automatically start Firefox in Private Browsing mode, so you will never forget to turn it on.
Firefox ships with the Google Safe Browsing extension built-in and enabled by default. Designed to prevent phishing, it compares the websites you visit to a Google-run blacklist. This means that Google is constantly able to track you.
If you have installed our recommended Firefox extensions (see above) then you will gain no additional protection from Google Safe Browsing, while telling Google a great deal about your browsing history. I therefore strongly recommend that you turn it off by setting the value to false.
Safe Browsing (now renamed Phishing Protection) is basically a version of Google Safe Browsing licensed to Mozilla (but which still reports to Google). I, therefore, recommend that you set it to false, for the same reasons as above. Click here for the Mozilla help entry.
Note that there are a lot of browser.safebrowsing.xxx settings, and it may be worth going through them all and disabling them/deleting their string values.
By default, Firefox will start on the Mozilla Firefox Start Page, displaying a Google search box. Google (along with most major commercial search engines such as Bing! and Yahoo!) stores a great deal of information about you, including a record of the searches you make.
To start on a different page, simply enter the website address of your preferred choice. I use StartPage, but please check out our Privacy Search Engines Group Review for a rundown of the best options available. Click here for the Mozilla help entry.
If you prefer to start Firefox on a blank page, change this setting to ‘0
You can see details about your Firefox browser’s performance and stability any time by reviewing the Firefox Health Report (Firefox tab -> Help -> Firefox Health Report). By default, this report is periodically sent to Mozilla (in anonymous aggregate form) to help it understand problems and plan future developments.
For maximum security, you should prevent this by setting this entry to false (you will still be able to see your report, it just won’t be sent to Mozilla).
If you cut, copy or paste something from a website, then the website owners can get notified of exactly which part of a webpage you have cut, copied or pasted. If they wish, they can then record or modify the text, or prevent you from copying (etc.). They can also prevent you from pasting text into online forms.
By setting this entry to false you prevent websites knowing where you pasted their text, and as a side benefit will be able to bypass restrictions on cutting and pasting). Click here for the Mozilla help entry.
I discuss the dangers of DOM storage (also known as web storage) in “More things that go bump in the night: HTTP ETags, Web Storage, and ‘history stealing”. Basically, this way of storing information within web browsers is one of the most pernicious methods used by commercial internet companies to track you across the web and is growing in popularity as netizens become more aware of the danger of ‘regular’ cookies.
Fortunately, DOM storage is easy to turn off by setting this entry to false.
Update: Thanks to feedback from readers, it is clear that setting dom.storage.enabled to false can “break” some website. Changing this setting should, therefore, be done with caution.
When you visit a "location-aware" website you will be asked if you want to share your location. If you answer yes then Firefox will send information about nearby wireless access points and your computer’s IP address to Google Location Service, and then pass that information on to the website (a random client identifier is also assigned by Google, which expires every 2 weeks).
Although you should be asked every time this happens, and need to give your explicit consent, you can prevent giving consent accidentally or through carelessness by turning this feature off (set the value to false). Click here for the Mozilla help entry.
This setting determines the geolocation service used (Google Location Service by default). If you set geo.enabled (above) to false, then this setting shouldn’t matter. If it makes you feel better, however, then you can change it to 127.0.0.1 (also known as localhost or the ‘loopback address’).
In theory, this setting could point to an alternative service, but none such really exist at the moment. Click here for the Mozilla help entry.
Web Real-Time Communication (WebRTC) is a potentially useful standard that allows browsers to incorporate features such as voice calling, video chat, and P2P file sharing directly into your browser.
A good example of this is the new Firefox Hello video and chat client that lets you talk securely to anyone else using an up-to-date Firefox, Chrome, or Opera browser, without the need to download any add-on or configure any new settings.
Unfortunately for VPN users, WebRTC allows a website (or other WebRTC service) to directly detect your host machine’s true IP address, regardless of whether you are using a proxy server or VPN. Some modern VPN clients will block WebRCT leaks, but it is safest to disable in your browser entirely. To do so, change this value to false.
If you use a good cookie manager such as Cookie AutoDelete (recommended), then you will not need to touch this preference. If not, then it is probably a good idea to set it to ‘1’ (only cookies from the originating server are allowed).
Again, using the Cookie AutoDelete add-on is probably the best policy, but if you prefer not to, then you can control when cookies expire by setting this setting to ‘2’ (the cookie expires at the end of the session (when the browser closes)).
Firefox improves page load times by resolving domain names ‘proactively and in parallel’ (i.e. it pre-fetches the information). In their paper ‘DNS Prefetching and Its Privacy Implications: When Good Things Go Bad’, Srinivas Krishnan and Fabian Monrose argue that this practice can lead to “privacy threats that are ripe for abuse. More specifically… where it is possible to infer the likely search terms issued by clients using a given DNS resolver.”
DNS prefetching can be turned off by setting this value to true. If you can’t find this setting then you will have to add it manually by right-clicking on the about:config screen, selecting ‘New’ -> ‘Boolean’ and entering ‘network.dns.disablePrefetch’ into the dialog box.
When you click on a hyperlink, the page you go to can request information about the page you clicked the link from. This information is contained in the ‘referer header’, and can be used to track you across a website.
More or less the same as the entry above, except that it allows you to be tracked across websites. You can disable this setting by changing the value to false.
Firefox speeds up the browsing process by scanning links on a webpage, and pre-downloading linked-to webpages when idle. Although disabling this preference will slow down browsing somewhat, from a privacy perspective you really should set it to false. .
Most modern browsers now support a “Do not track’ feature, which asks websites not to track you, and Firefox is no exception. While this should most certainly be turned on (set to true), you should be aware that compliance from websites is entirely voluntary. So the protection it affords can be considered fairly minimal.
While the privacy.donottrackheader.enabled (above) setting determines whether a ‘Do not track’ instruction is sent to a website, this setting determines what that instruction actually says.
You should, therefore, set it to 1 to request that websites do not track you (a header stating consent to being tracked is sent to all websites if privacy.donottrackheader.enabled is set True).
This enables a blocklist based on Disconnect’s blocklist, to help prevent cross-site tracking. Once Tracking Protection is activated, you will see a shield in your address bar whenever Firefox is blocking either tracking domains or mixed content.
As a side-benefit, this setting also causes pages to load 44 percent quicker on average, data usage drops by 29 percent when connecting to the top 200 Alexa websites, and the number of HTTP cookies stored by the browser falls by 67.5%.
Telemetry covers all sorts of statistical data related to your browser’s performance, usage, and responsiveness. Firefox can send anonymous reports with this data to Mozilla, which is of great assistance to developers, and for this reason, you may consider turning it on, but for maximum privacy, you should check that it is false. Click here for the Mozilla help entry.
Private Browsing (aka incognito mode)
Like most modern browsers, Firefox offers a Private Browsing mode. Unfortunately, this feature is often poorly understood. This can be very dangerous.
When you open a Private Window, pages you visit are not added to the browser’s History, text you enter into forms and search bars is not saved, passwords, downloads, cookies, and temporary internet files are also not saved.
This makes Private Browsing great at hiding what you get up to on the internet from family members and others who have access to your computer. There is a reason private browsing is often referred to as porn mode!
Firefox 57+ enables Tracking Protection in Private Browsing by default, but in general, Private Browsing does not hide what you get up to on the internet from your ISP. Nor does it hide your real IP address from websites you visit.
Private Browsing is therefore great for hiding what you get up to online from your family, but will not hide what you get up to online from anyone else. To hide what you get up to online from the rest of the world, you need to use a VPN or Tor.
Firefox Privacy Conclusion
Firefox is an excellent browser for privacy and security, but there are lots of things you can do make it even more so! The elephant in the room is that modifying your Firefox browser in many ways makes you more unique, and therefore more susceptible to browser fingerprinting techniques. Unfortunately there is currently no way to square this circle.