Install Firefox under FreeBSD and set it up for privacy

In this tutorial, I explain how to install the Firefox browser under FreeBSD and how to set it up for privacy.


Mozilla Firefox is a free, open source web browser. It's small, fast, and easy to use, and has many advanced features:

  • Pop-up blockers
  • Extensions
  • Customizable appearance
  • Improved security

We can install the Firefox browser with the following command:

root: pkg install firefox

We also install the password manager KeePassXC, which we will need later.

root: pkg install keepassxc

Improve privacy

The Firefox browser is inherently privacy-conscious. But I'll show you how to get even more security and privacy out of Firefox.

about:preferences

First, we enter "about:preferences" in the address bar, which brings us to the settings.

General

In the general settings, we will deactivate the following options:

  • Recommend extensions while browsing
  • Recommend functions while browsing

Home

Here we will disable the following options:

  • Important pages
  • Recommended by Pocket
  • overview
  • Brief information

We will remove all existing search engines and use Searx as the only standard search engine.

But what is Searx? It is a free metasearch engine that protects users' privacy. To do this, Searx does not share users' IP addresses or search history with the search engines from which it collects results. Here you can find more information about Searx.

To add Searx as a search engine, we look here for an instance that we want to use and open it.

Then, we click the Page Actions button (3 dots) in the address bar and we select the Add Search Engine option from the menu.

Now, we can set Searx as the default search engine in the search settings.

Other great alternatives are:

  • Qwant is a search engine with no user tracking and no filter bubble
  • Startpage is a search engine that provides Google search results with complete privacy protection

Privacy

Under the item Improved protection against activity tracking, we will select the Custom option and set the following settings.

  • Cookies: all third-party cookies (some websites may no longer work)
  • Activity tracking content: in all windows
  • Secret digital currency calculator (crypto miner)
  • Identifier (fingerprint)

For the option that sends websites a "Do Not Track" signal saying that our activities should not be tracked, we select Always.

Under Cookies and website data, we will activate the following:

  • Delete cookies and website data when you quit Firefox

In the next step, we will deactivate the option to save access data and passwords.

And finally, we will deactivate the following options under Data collection by Firefox and its use:

  • Allow Firefox to send data on technical details and interactions to Mozilla
  • Allow personalized extension recommendations through Firefox
  • Allow Firefox to install and run studies

about:config

Next, we go to the about:config page, where we can set further security-relevant options.

We type "about:config" in the Firefox address bar and press Enter. Then we press the "Accept risk and continue" button.

To change settings here, we copy the following settings (e.g. "webgl.disabled"), paste them into the search bar and set them to the specified value (e.g. "true").

Disable telemetry

With the following changes we will disable the Firefox telemetry:

  • browser.newtabpage.activity-stream.feeds.telemetry = false
  • browser.ping-centre.telemetry = false
  • browser.tabs.crashReporting.sendReport = false
  • devtools.onboarding.telemetry.logged = false
  • toolkit.telemetry.enabled = false
  • Delete the URL for toolkit.telemetry.server, and leave it empty
  • toolkit.telemetry.unified = false

Disable Pocket

If we don't use Pocket, or we don't want Firefox's Pocket integration, make the following changes:

  • browser.newtabpage.activity-stream.section.highlights.includePocket = false
  • extensions.pocket.enabled = false

Disable JavaScript in PDF

While there are legitimate uses for JavaScript in PDF (such as form validation), such uses are not very common. In addition, it could be used for malicious purposes, so it's generally a good idea to disable this feature.

pdfjs.enableScripting = false

Harden SSL preferences

Making these changes will disable insecure SSL ciphers and force safe negotiation:

  • security.ssl3.rsa_des_ede3_sha = false
  • security.ssl.require_safe_negotiation = true

privacy.trackingprotection.fingerprinting.enabled = true

This option has been available since Firefox version 67 and it blocks fingerprinting.

privacy.trackingprotection.cryptomining.enabled = true

This option has been available since Firefox version 67 and it blocks cryptomining.

privacy.trackingprotection.enabled = true

This is Mozilla's new built-in tracking protection. One of its benefits is that it blocks tracking (e.g. Google Analytics) on privileged pages, where the add-ons that normally do this are disabled.

Privileged pages are web pages that the browser developers consider legitimate and on which extensions are not allowed to work, or on which their functionality is completely stopped.

In Firefox, for example:

  • accounts-static.cdn.mozilla.net
  • accounts.firefox.com
  • addons.cdn.mozilla.net
  • addons.mozilla.org
  • api.accounts.firefox.com
  • content.cdn.mozilla.net
  • discovery.addons.mozilla.org
  • input.mozilla.org
  • install.mozilla.org
  • oauth.accounts.firefox.com
  • profile.accounts.firefox.com
  • support.mozilla.org
  • sync.services.mozilla.com
  • testpilot.firefox.com

browser.send_pings = false

The ping attribute on links is useful for websites to keep track of visitor clicks. This setting stops Firefox from sending those pings.

browser.urlbar.speculativeConnect.enabled = false

By doing this, we disable the preloading of autocompleted URLs. Firefox preloads URLs that are autocompleted when a user types in the address bar. This is a problem when it suggests URLs that we don't want to connect to.

dom.event.clipboardevents.enabled = false

This prevents websites from receiving notifications when we copy, paste or cut something on a page. These notifications tell the website which part of the page has been selected.

media.eme.enabled = false

Disables playback of DRM-controlled HTML5 content. When this option is enabled, the Widevine Content Decryption Module provided by Google Inc. will be downloaded automatically.

media.gmp-widevinecdm.enabled = false

Disables the Widevine Content Decryption Module provided by Google Inc., which is used for rendering DRM-controlled HTML5 content.

media.navigator.enabled = false

This prevents websites from tracking the microphone and camera status of our device.

network.cookie.cookieBehavior = 1

Disable cookies

  • 0 = Accept all cookies by default
  • 1 = only accept from the original website (block third-party cookies)
  • 2 = Block all cookies by default

network.http.referer.XOriginPolicy = 2

We only send the referer header if the full host names match. (Note: if we notice significant breakage, we can try 1 in combination with the XOriginTrimmingPolicy setting below.)

  • 0 = send referrer in all cases
  • 1 = send referrer to the same eTLD sites
  • 2 = only send referrer if full host names match

network.http.referer.XOriginTrimmingPolicy = 2

When we send the referrer across origins, we only send the scheme, host, and port in the referer header of cross-origin requests.

  • 0 = send complete URL in the referrer
  • 1 = send URL without query string in referrer
  • 2 = Send only the scheme, host, and port in the referrer
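The two value tables above, written out as a small model that returns the Referer value for a given request. This is an added example, not Firefox's code: the function names and URLs are made up for illustration, and it covers only these two preferences (site Referrer-Policy headers and Firefox's own default policy are ignored).

```python
from urllib.parse import urlsplit

def base_domain(host):
    # Assumption: the base domain is the last two labels. Firefox consults the
    # Public Suffix List, so hosts under suffixes like co.uk need a real lookup.
    return ".".join(host.split(".")[-2:])

def origin_of(parts):
    return (parts.scheme, parts.hostname, parts.port)

def referer_sent(source_url, target_url, xorigin_policy, trimming_policy):
    """Return the Referer value for a request from source_url to target_url,
    or None when the header is withheld."""
    src, dst = urlsplit(source_url), urlsplit(target_url)
    cross_origin = origin_of(src) != origin_of(dst)
    if cross_origin:
        # XOriginPolicy decides whether a cross-origin referrer is sent at all.
        if xorigin_policy == 2 and src.hostname != dst.hostname:
            return None
        if xorigin_policy == 1 and base_domain(src.hostname) != base_domain(dst.hostname):
            return None
    origin = f"{src.scheme}://{src.netloc}"
    path = src.path or "/"
    # XOriginTrimmingPolicy only shortens referrers that cross origins.
    if not cross_origin or trimming_policy == 0:
        return origin + path + (f"?{src.query}" if src.query else "")
    if trimming_policy == 1:
        return origin + path
    return origin + "/"

PAGE = "https://shop.example.com/cart?session=abc123"  # constructed URL

if __name__ == "__main__":
    for xo, trim in [(0, 0), (0, 1), (0, 2), (1, 2), (2, 2)]:
        print(xo, trim, referer_sent(PAGE, "https://cdn.example.com/lib.js", xo, trim))
```
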

webgl.disabled = true

WebGL is a potential security risk.

browser.sessionstore.privacy_level = 2

This setting controls when to save additional information about a session: form, content, scrollbar positions, cookies, and POST data.

  • 0 = save additional session data for any site. (Default since Firefox 4.)
  • 1 = save additional session data only for unencrypted (not HTTPS) sites. (Default before Firefox 4.)
  • 2 = never save additional session data.

beacon.enabled = false

Disables sending additional analytics to web servers.

browser.safebrowsing.downloads.remote.enabled = false

Prevents Firefox from sending information about downloaded executables to Google Safe Browsing to see if they should be blocked for security reasons.

We turn off Firefox's prefetching of pages that it expects us to visit next:

Even though prefetching may speed things up a bit, it may connect to servers without user intervention (which can be a privacy issue) and its performance benefits are minimal. Making these changes will disable prefetching:

  • network.dns.disablePrefetch = true
  • network.dns.disablePrefetchFromHTTPS = true
  • network.predictor.enabled = false
  • network.predictor.enable-prefetch = false
  • network.prefetch-next = false

network.IDN_show_punycode = true

Unless we render IDNs as their Punycode equivalent, we are open to phishing attacks, which are very difficult to detect.
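To see what the Punycode form looks like and why it helps, the following added example (not part of the original tutorial) converts host names to their ASCII form and lists labels that mix scripts. The host names are constructed under the reserved .example TLD, and the function names are this example's own.

```python
import unicodedata

def punycode_form(host):
    """ASCII (Punycode) form of a host name, using Python's built-in IDNA codec."""
    return host.encode("idna").decode("ascii")

def scripts_in(label):
    """Scripts of the letters in one label, taken from the Unicode character names."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def review_host(host):
    """Return (punycode_form, is_idn, mixed_script_labels) for a host name."""
    ascii_form = punycode_form(host)
    mixed = [label for label in host.split(".") if len(scripts_in(label)) > 1]
    return ascii_form, ascii_form != host.lower(), mixed

# Constructed host names; the second and third render like the first.
PLAIN = "ace.example"
MIXED = "a\u0441e.example"               # Latin a, Cyrillic es, Latin e
SINGLE = "\u0430\u0441\u0435.example"    # all three letters are Cyrillic

if __name__ == "__main__":
    for host in (PLAIN, MIXED, SINGLE):
        print(review_host(host))
```

The all-Cyrillic label passes the mixed-script check, yet its Punycode form still starts with xn--, which is the visible cue this setting gives us in the address bar.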

extensions.pocket.enabled = false

This deactivates the Pocket Service.

identity.fxaccounts.enabled = false

We will disable the Firefox Sync Service. I will introduce you to better alternatives. We could also use a self-hosted sync server—the code is available on GitHub. But the service is currently still using outdated Python 2.7 code and the service has been ported to Rust in the meantime. And the other problem is that the self-hosted service does not currently work with mobile Firefox.

identity.fxaccounts.toolbar.enabled = false

We're removing the Firefox Accounts icon from the toolbar.

Disable WebRTC

WebRTC can potentially expose your real IP address; changing the following disables it.

We can change the following values to be sure that every WebRTC-related setting is really disabled:

  • media.peerconnection.turn.disable = true
  • media.peerconnection.use_document_iceservers = false
  • media.peerconnection.video.enabled = false
  • media.peerconnection.identity.timeout = 1

Hint: This will break any site that uses real-time audio/video communication, which includes almost all real-time chat and conferencing apps.
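After working through the about:config lists above, it is worth checking that the values are really stored in the profile. The following added example (not part of the original tutorial) parses text in the syntax of the profile's prefs.js file and reports every baseline preference that differs; the baseline is a subset of the values above, the sample text is constructed, and a preference missing from prefs.js is reported as "<not set>", meaning no override is stored for it.

```python
import json
import re

# Hardened values taken from the lists in this tutorial (a subset, for brevity).
BASELINE = {
    "toolkit.telemetry.server": "",
    "pdfjs.enableScripting": False,
    "network.cookie.cookieBehavior": 1,
    "network.http.referer.XOriginPolicy": 2,
    "network.http.referer.XOriginTrimmingPolicy": 2,
    "network.IDN_show_punycode": True,
    "webgl.disabled": True,
}

# Constructed sample in prefs.js syntax, not taken from a real profile.
SAMPLE_PREFS = """\
user_pref("network.cookie.cookieBehavior", 1);
user_pref("network.http.referer.XOriginPolicy", 2);
user_pref("network.http.referer.XOriginTrimmingPolicy", 0);
user_pref("network.IDN_show_punycode", false);
user_pref("toolkit.telemetry.server", "");
user_pref("webgl.disabled", true);
"""

PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')

def parse_prefs(text):
    """Map pref name -> value for every user_pref() line (values read as JSON literals)."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if match:
            prefs[match.group(1)] = json.loads(match.group(2))
    return prefs

def audit(text, baseline=BASELINE):
    """Return {name: (expected, actual)} for every baseline pref that is not in force."""
    current = parse_prefs(text)
    drift = {}
    for name, expected in baseline.items():
        # Absent from prefs.js means no override is stored for this pref.
        actual = current.get(name, "<not set>")
        # Compare types as well, because True == 1 in Python.
        if type(actual) is not type(expected) or actual != expected:
            drift[name] = (expected, actual)
    return drift

if __name__ == "__main__":
    print(audit(SAMPLE_PREFS))
```

To check a real profile, pass the contents of its prefs.js to audit() in place of SAMPLE_PREFS.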

Linking Firefox with KeePassXC

Since we have deactivated the Firefox Sync Service, but we still want to save our passwords securely, I would like to introduce you to the KeePassXC program.

What is KeePassXC

KeePassXC is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the aim of extending and improving it with new features and bug fixes to provide a feature-rich, cross-platform and modern open source password manager.

Main features:

  • Secure storage with AES, Twofish or ChaCha20 encryption
  • File format compatibility with KeePass2, KeePassX, MacPass, KeeWeb and many others (KDBX 3.1 and 4.0)
  • SSH agent integration
  • Sync passwords with KeeShare
  • Auto-Type to automatically fill out registration forms
  • Support for key files and YubiKey-Challenge-Response for additional security
  • TOTP generation (including Steam Guard)
  • CSV import from other password managers (e.g. LastPass)
  • Command line interface
  • Custom icons for database entries and downloading website favorites
  • Functionality to merge databases
  • Automatic reload when the database has been changed externally
  • Browser integration with KeePassXC browser for Google Chrome, Chromium, Vivaldi and Mozilla Firefox.

How do I use KeePassXC

I will briefly show you how to set up KeePassXC and how to use it. When we start KeePassXC for the first time, we see the main screen.

Then we will create a new database. A new screen opens and we can assign a database name here and optionally assign a description.

In the next screen, we can make encryption settings. Here we can, for example, set the encryption time and select the database format.

We can also make advanced settings. For example, we can make the following settings here:

  • encryption algorithm
  • Key derivation function
  • Encryption passes
  • memory usage

In the next step, we assign the password with which the password database is encrypted. I also recommend creating a key file, which is then saved on an external USB stick or in an encrypted cloud service. This means that the database is protected twice.

We have now created an encrypted database. So that we can use KeePassXC with Firefox, we must first activate the browser integration in the KeePassXC settings. We then select Firefox and can make additional settings. I leave it to you which of them you want to set.

For the actual integration, we use the KeePassXC-Browser extension.

Bitwarden Password Manager

As an alternative to KeePassXC, we can also use the Bitwarden Cloud Service.

What is Bitwarden

Bitwarden is a free, open source password manager. The goal is to solve password management problems for individuals, teams, and business organizations. Bitwarden is one of the simplest and most secure solutions to save all your logins and passwords and conveniently synchronize them between all of our devices. If we don't want to use the Bitwarden cloud, we can easily host our own Bitwarden server.

Bitwarden Firefox Add-on

Data protection-oriented add-ons

In this section, I would like to introduce you to a few useful add-ons for Firefox.

uBlock Origin

An efficient blocker: low memory footprint and low CPU load, yet it applies thousands more filters than other popular blockers.

xBrowserSync

xBrowserSync synchronizes bookmarks between devices and browsers with end-to-end encryption. Data is encrypted and decrypted on the device—nobody but us can read it. No registration is required. We just enter a randomly generated ID or QR code on all of our devices. There are different servers available, which can also be self-hosted.

CanvasBlocker

This add-on enables us to prevent websites from identifying us via JavaScript APIs. We can choose whether the APIs are completely blocked on certain or all pages (this will impair the functionality of some pages) or whether fake values are returned by the readout functions that are useful for identification.

Chameleon

With this add-on, we falsify our browser profile. It includes some privacy enhancement options.

ClearURLs

This add-on removes the tracking fields from all URLs visited by our browser.

With this add-on, we control our cookies. When a tab is closed, unused cookies are automatically deleted.

LocalCDN

This add-on emulates external frameworks (e.g. jQuery, Bootstrap, AngularJS) and makes them available as a local resource. It prevents unnecessary third-party requests like Google, StackPath, MaxCDN, and more. It contains prepared rules for uBlock Origin / uMatrix.

HTTPS Everywhere

HTTPS Everywhere protects our communication by automatically changing the connection to supported sites to HTTPS encryption, even if the URL or a visited link omits the https:// prefix.

Redirect AMP to HTML

Automatically redirects all AMP (Accelerated Mobile Page) pages to their regular HTML equivalent.

When we see an AMP page, we are likely seeing a page served directly by Bing or Google that can pull up information about what we're doing on that page. We keep the web decentralized and we say "No!" to search engines that want to take control of the web.

AMP pages are designed for devices with a small screen and often do not translate well to larger screens. The extension can be especially useful when we receive links from people who are on their mobile devices while we are on our desktop computer.

I don't care about cookies

EU regulations dictate that any website that uses tracking cookies must obtain user consent before installing. These warnings will appear on most websites until the visitor agrees to the website's terms of use.

This add-on removes these cookie warnings from almost all websites!

AdBlocker for YouTube

This add-on removes all annoying ads from YouTube.

Important functions:

  • Removes video and display ads from YouTube
  • Loads the YouTube website and videos faster
  • Supports both Firefox desktop and mobile (Android)

YouTube NonStop

Tired of seeing the “Video paused. Continue watching?” confirmation dialog? This extension will automatically click it so you can listen to your favorite music without interruption.

The add-on works with YouTube and YouTube Music!