Firefox addons redundant? #121

Closed
opened 2016-12-18 06:04:18 +00:00 by privacytoolsIO · 46 comments
privacytoolsIO commented 2016-12-18 06:04:18 +00:00 (Migrated from github.com)

Hi guys,

I've been removing several Firefox addons in the past weeks because they were redundant with each other. We should not recommend several Firefox addons that are doing the same job. I'm not sure about these four addons at the moment: uBlock, Decentraleyes, uMatrix and NoScript.

Please help me out. Should we remove some more?

Thanks

Marc05 commented 2016-12-18 07:34:10 +00:00 (Migrated from github.com)

All of those addons have their own roles to play, and don't replace any other completely on their own. Perhaps it'd be more useful to suggest combinations of them, and give notes on what is gained and lost from different suggestions. As it seems to always be the case, it's going to really be down to the user and how active a role they want to play.

To start:
NoScript has some features other addons don't. It protects against [HTTPS cookie hijacking](https://noscript.net/faq#qa6_4), it has a [more robust XSS filter](https://github.com/gorhill/uMatrix/issues/276), [ABE](https://noscript.net/abe/), [CSRF](https://github.com/gorhill/uMatrix/issues/415), and [ClearClick](https://noscript.net/faq#qa7_3) which protects against Clickjacking / UI-redressing attacks independently from JavaScript and plugins blocking.

Decentraleyes does a job that after allowing the trusted resources, other addons will not do. That is, it emulates Content Delivery Networks (CDNs) locally by intercepting requests, finding the required resource and injecting it into the environment. This helps with privacy by ultimately reducing your browsing footprint.

My suggestion would be:

Must haves which also require little user input:

  • uBlock Origin
  • Decentraleyes
  • Privacy Settings
  • Self-Destructing Cookies
  • HTTPS Everywhere

Additional security that requires active user input (not all simultaneously):

  • NoScript
  • uMatrix
  • RequestPolicy Continued
ghost commented 2016-12-18 11:16:08 +00:00 (Migrated from github.com)

Replace Disconnect with Privacy Badger. uBlock does what Disconnect does, but not what Privacy Badger does. Both uBlock and Disconnect use a shared list, whereas Privacy Badger learns what are trackers from your browsing.

privacytoolsIO commented 2016-12-30 06:43:01 +00:00 (Migrated from github.com)

@Shifterovich
I've removed Disconnect and Privacy Badger a while ago: https://www.privacytools.io/#addons

So uBlock + Privacy Badger is a good combo?

ghost commented 2016-12-30 11:33:06 +00:00 (Migrated from github.com)

@privacytoolsIO Please recommend Privacy Badger for Firefox and Firefox for Android.

https://addons.mozilla.org/en-US/android/addon/privacy-badger17/
"Works with Firefox for Android 48.0 - *, Firefox 50.0 and later"

Marc05 commented 2016-12-30 19:03:21 +00:00 (Migrated from github.com)

Here's a combo that I think balances security and ease-of-use fairly well:

CanvasBlocker

  • Usability: Easy, Set and forget.
  • Purpose: Prevent user fingerprinting by changing the results of the Javascript <canvas> API.
  • Additional configuration:
    -- Block mode: fake readout API
    -- Show notifications: unchecked

Decentraleyes

  • Usability: Easy, Set and forget.
  • Purpose: Emulate predefined CDN resources locally to reduce browsing footprint.

HTTPS Everywhere

  • Usability: Easy, Set and forget.
  • Purpose: Forces the use of HTTPS for websites from a ruleset.
  • Additional configuration:
    -- Submit and check certificates signed by non-standard root CAs: checked

NoScript

  • Usability: High maintenance
  • Purpose: Prevent scripts from running by default, and many other security benefits.
  • Additional configuration: Ideally, the whitelist should be kept minimal, only adding highly frequented websites.
    -- Enable Automatic Secure Cookies Management: checked
    -- Forbid META redirections inside <NOSCRIPT> elements: checked
    -- Enable ABE: checked
    -- Status bar label: unchecked (Use toolbar button instead to increase screen real-estate)

Privacy Settings

  • Usability: Reading required. Set and forget.
  • Purpose: Provides a GUI for behind-the-scenes security related Firefox settings.
  • Configuration: Hovering over the settings provides a description for each.
    network.websocket.enabled OFF
    network.http.sendSecureXSiteReferrer ON
    network.proxy.type 5
    dom.event.clipboardevents.enabled OFF
    dom.storage.enabled ON
    dom.indexedDB.enabled ON
    dom.battery.enabled OFF
    dom.enable_user_timing OFF
    dom.enable_resource_timing OFF
    dom.netinfo.enabled OFF
    layout.css.visited_links_enabled ON
    browser.safebrowsing.enabled OFF
    browser.safebrowsing.downloads.remote.enabled OFF
    browser.safebrowsing.malware.enabled OFF
    browser.send_pings OFF
    beacon.enabled OFF
    privacy.donottrackheader.enabled
    privacy.trackingprotection.enabled ON
    dom.enable_performance OFF
    datareporting.healthreport.service.enabled OFF
    datareporting.healthreport.uploadEnabled OFF
    toolkit.telemetry.enabled OFF
    toolkit.telemetry.unified OFF
    media.peerconnection.enabled ON (see uBlock Origin advanced settings)
    media.peerconnection.ice.default_address_only ON
    media.eme.enabled ON
    media.gmp-eme-adobe.enabled ON
    webgl.disabled OFF
    geo.enabled OFF
    camera.control.face_detection.enabled ON
    device.sensors.enabled OFF
    security.tls.unrestricted_rc4_fallback OFF
    security.tls.insecure_fallback_hosts.use_static_list OFF
    security.ssl.require_safe_negotiation ON
    security.ssl.treat_unsafe_negotiation_as_broken OFF

Self-Destructing Cookies

  • Usability: Easy. Light maintenance.
  • Purpose: Delete cookies on exit for any website not in the whitelist.
  • Configuration: Keep network.cookie.lifetimePolicy = 0. As with NoScript, whitelist should be kept minimal.
    -- Strict Cookie Access Policy: checked

uBlock Origin

  • Usability: Reading required. High maintenance.
  • Purpose: Block ads, and improve security.
  • Configuration: Read the dynamic filtering guide. Block 3rd-party resources by default, and add local noop rules (second column, middle/gray selection) for highly frequented websites.
    -- I am an advanced user: checked
    -- suspendTabsUntilReady: true
    -- Prevent WebRTC from leaking local IP addresses: checked (does not disable WebRTC functionality)
    -- 3rd-party: Blocked globally
ghost commented 2016-12-30 20:11:22 +00:00 (Migrated from github.com)

@Marc05 Also, Random Agent Spoofer.

ghost commented 2016-12-30 20:29:42 +00:00 (Migrated from github.com)

#99 I'll write something about CanvasBlocker vs Canvas Defender.

Marc05 commented 2016-12-31 00:04:58 +00:00 (Migrated from github.com)

Using CanvasBlocker to generate a new hash on every API call is best in any situation as far as I can tell. The tracker essentially has two options: Assume it's random, hence useless; or derive a new identity with the hash. Both of which are better than providing a legitimate hash, since best case is there's an extremely common hash, which would provide a higher amount of identifying bits of information.

ghost commented 2016-12-31 00:30:02 +00:00 (Migrated from github.com)

Some people prefer Canvas Defender. [I agree that Canvas Blocker is better than Canvas Defender](https://shifterovich.github.io/post.html#0), but we should mention Canvas Defender too, as neither is a perfect solution.
Marc05 commented 2016-12-31 00:47:16 +00:00 (Migrated from github.com)

The only time I can think of someone needing that is to allow sites to track for a certain period of time, then resetting when done. In that situation, one could just whitelist the website, and remove it after.

ghost commented 2016-12-31 00:48:33 +00:00 (Migrated from github.com)

Would reveal one's native fingerprint. Disabling Canvas Blocker, enabling Canvas Defender, and generating a new hash for such session is optimal.

Marc05 commented 2016-12-31 00:55:25 +00:00 (Migrated from github.com)

True... though I'd only go as far as an asterisk.

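The trade-off debated in the comments above, modelled as an added example that is not part of the thread and is not code from CanvasBlocker or Canvas Defender. It compares what a fingerprinting script observes under three readout strategies (native or whitelisted, fresh noise on every call, noise fixed per session); the pixel data, the FNV-1a hash and all function names are constructed for illustration.

```javascript
// Added illustration: a model of the canvas readout strategies discussed in the thread.
// It is not code from CanvasBlocker or Canvas Defender.

// Constructed stand-in for the pixels one device renders for a fixed test drawing.
function nativePixels(deviceSeed) {
  const px = new Uint8Array(64);
  let x = deviceSeed >>> 0;
  for (let i = 0; i < px.length; i++) {
    x = (Math.imul(x, 1664525) + 1013904223) >>> 0; // small LCG, deterministic per device
    px[i] = x >>> 24;
  }
  return px;
}

// FNV-1a, standing in for whatever hash a fingerprinting script computes over the readout.
function fingerprint(px) {
  let h = 0x811c9dc5;
  for (const b of px) {
    h ^= b;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Model noise source; one random byte per pixel value.
function randomNoise(n) {
  return Uint8Array.from({ length: n }, () => Math.floor(Math.random() * 256));
}

// Perturb only the lowest bit of each value, so the image looks unchanged to a human.
function withNoise(px, noise) {
  return px.map((v, i) => v ^ (noise[i] & 1));
}

// Each strategy builds the readout function that one browsing session exposes.
const strategies = {
  // No protection, or the site has been whitelisted in the blocking extension.
  native: (seed) => () => nativePixels(seed),
  // Fresh noise on every readout ("a new hash on every API call").
  perCall: (seed) => () => withNoise(nativePixels(seed), randomNoise(64)),
  // Noise chosen once and reused for the whole session ("a new hash for such session").
  perSession: (seed) => {
    const noise = randomNoise(64);
    return () => withNoise(nativePixels(seed), noise);
  },
};

// Two readouts in one session plus one readout in a later session, as a script could take them.
function observe(name, deviceSeed) {
  const first = strategies[name](deviceSeed);
  const second = strategies[name](deviceSeed);
  const a = fingerprint(first());
  const b = fingerprint(first());
  const c = fingerprint(second());
  return {
    sameWithinSession: a === b,
    sameAcrossSessions: a === c,
    isNativeHash: a === fingerprint(nativePixels(deviceSeed)),
  };
}

// What the observed values are worth to whoever collects them.
function trackerView(o) {
  if (o.sameWithinSession && o.sameAcrossSessions) return 'persistent identifier';
  if (o.sameWithinSession) return 'identifier valid for one session';
  return 'unstable value, unusable as an identifier';
}

for (const name of Object.keys(strategies)) {
  const o = observe(name, 0xC0FFEE);
  console.log(name.padEnd(10), trackerView(o), o.isNativeHash ? '(native hash exposed)' : '');
}
```

The `native` row is also what a whitelisted site sees, which is the "would reveal one's native fingerprint" objection raised above.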
jawz101 commented 2017-01-10 19:01:08 +00:00 (Migrated from github.com)

minimally and without much breakage:

NoScript
General
set to Temporarily Allow Top Level sites by default, base 2nd level names
reload current tab only

Notifications (Personal Preference)
uncheck both show messages about blocked scripts and ABE to avoid annoying bar and to just use the icon to trust/untrust stuff

Privacy Settings - set to Privacy (compatible) and Security
https://addons.mozilla.org/en-US/android/addon/privacy-settings/
under advanced settings some of it is personal preferences, other things cause a little breakage with single-signon sometimes

No Resource URI Leak
https://addons.mozilla.org/en-US/android/addon/no-resource-uri-leak/

UBlock and Privacy Badger are both ok but for privacy essentially redundant to NoScript except cosmetic filters can clean up pages but you're blocking the essentials with Noscript and Privacy Settings changes.

The only thing I left out is referrer control, some of the fingerprinting stuff, and random user agent stuff because they act a little goofy. There's a bunch of back and forth whether over-blocking fingerprinting in itself makes you unique. Random user agent junk makes webpages look wonky sometimes and I'd rather not fool with it.

As for Self-Destructing Cookies, simply going into Firefox and unchecking allowing 3rd party cookies does most of the job already.

Regardless, I still can't get Disqus to log in without turning off like half the privacy controls out there.

Atavic commented 2017-02-13 21:04:52 +00:00 (Migrated from github.com)

@Marc05 Some Firefox addons listed are redundant, as NoScript and uBlock.

[Noscript](https://noscript.net/) + [Adblock Plus](https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/) was an unrivalled combo, until [uBlock Origin](https://github.com/gorhill/uBlock) made its appearance, substituting both and dropping the acceptable ads. With various [Filter Lists](https://filterlists.com/) available it works great, while [uMatrix](https://github.com/gorhill/uMatrix) has no lists at all and is light on resources.

> Privacy Badger is primarily a privacy tool, not an ad blocker.

https://www.eff.org/privacybadger

  • More about privacybadger and ublock: https://github.com/gorhill/uBlock/issues/642
  • [Decentraleyes with uBlock and uMatrix](https://github.com/Synzvato/decentraleyes/wiki/Frequently-Asked-Questions#why-doesnt-it-deliver-resources-from-cdns-i-block-using-a-different-add-on)
woctezuma commented 2017-03-04 20:49:22 +00:00 (Migrated from github.com)

Privacy Badger has a cookie blocking functionality. I don't know about NoScript. However, I know about uMatrix and I think the cookie functionality of PB is redundant with the one of uMatrix.

Apart from this functionality, the only appeal of PB is the list-less feature, which is pretty dubious anyway (no need to discover the wheel again, people have been maintaining great blocking lists for more than 10 years).

Regarding HTTPS Everywhere, I prefer to use Smart HTTPS:
https://addons.mozilla.org/en-US/firefox/addon/smart-https/
Reasons are:

  • HTTPS Everywhere uses too much memory for its purpose,
  • HTTPS Everywhere relies on a list of websites, which I have found to be missing some websites that I use.
    I prefer to rely on a list-less extension such as Smart HTTPS since the list misses https websites and the EFF extension does not even try to connect to them with a secure connection.
    The only caveat is not to forget to check "Enable in Incognito Mode".

@Marc05
When you wrote "3rd-party: Blocked globally" for uBlock origin, I think you referred to an old version because I don't see this option in my setup, but I see it mentioned at [Decentraleyes with uBlock and uMatrix](https://github.com/Synzvato/decentraleyes/wiki/Frequently-Asked-Questions#why-doesnt-it-deliver-resources-from-cdns-i-block-using-a-different-add-on)
woctezuma commented 2017-03-05 10:04:40 +00:00 (Migrated from github.com)

@Marc05
I was curious so I compared your recommended settings for Privacy Settings vs the settings Privacy (Compatible) & Security. I am dumping the differences here in case someone wants to copy your settings faster: basically, one has to choose the settings Privacy (Compatible) & Security and then toggle these accordingly.

Browser
dom.event.clipboardevents.enabled OFF
browser.safebrowsing.enabled OFF
browser.safebrowsing.downloads.remote.enabled OFF
browser.safebrowsing.malware.enabled OFF

Media
media.eme.enabled ON
media.gmp-eme-adobe.enabled ON
webgl.disabled OFF

Devices
camera.control.face_detection.enabled ON

Encryption
security.ssl.require_safe_negotiation ON
security.ssl.treat_unsafe_negotiation_as_broken OFF

The Browser change dom.event.clipboardevents.enabled improves privacy.
The other Browser changes are up to the user's preferences to trade security vs privacy.

The Media changes decrease both security and privacy.

The Devices change decreases privacy.

The Encryption changes break a website such as the Humble Store: https://www.humblebundle.com/store/

Marc05 commented 2017-03-06 07:12:23 +00:00 (Migrated from github.com)

@woctezuma
Thanks for doing that. I was curious about it before, but never did it.

Disabling clipboard events, e.g. dom.event.clipboardevents.enabled OFF, breaks Google Docs copy/paste functionality. Personally, turn it on temporarily whenever required.

The media. settings would prevent some DRM content from playing on websites if disabled; and webgl functionality can be kept safely if using the setting of uBlock Origin.

Disabling the face detection feature seems to be pointless, given that camera permission would have to be given in the first place, and recognizing a face mid-stream wouldn't really add anything without the specifics of the picture. And if you have the picture, local face recognition doesn't really matter.

As for ssl negotiation, I should have kept that as OFF, given that many major sites are still using outdated versions.

neoatomic commented 2017-03-12 19:03:07 +00:00 (Migrated from github.com)

Just a quick note, when you set dom.enable_user_timing to off the Ghostery's info screen/panel isn't working anymore. (just blank, no info anymore)
So you need to leave it to "on" if you use Ghostery.
3371-Alpha commented 2018-06-04 21:31:30 +00:00 (Migrated from github.com)

Not sure if this list is updated any more but I found some addons that seem to improve security a bit.

Nano Defender: https://jspenguin2017.github.io/uBlockProtector/
an Anti-Ad Block Defuser which means you don't have to turn off uBlock on certain sites anymore. Designed for Nano Adblocker, which is based on uBlock, so it requires some workarounds for vanilla uBlock compatibility.

Pure URL: https://addons.mozilla.org/en-US/firefox/addon/pure-url/
removes url garbage, such as Google Analytics and such.

Unshorten.link: https://addons.mozilla.org/en-US/firefox/addon/unshorten-link/
unshortens shortened url links (yes those annoying things). This one is made by a for profit organization, unfortunately, but I've yet to find a better alternative.

P.S. are Canvas Blocker and Defender relevant at all for security? I saw them mentioned above in this thread.
woctezuma commented 2018-06-04 21:58:27 +00:00 (Migrated from github.com)

I tried Pure URL and I was not too convinced. There were URLs which were not stripped, and others which were stripped too much. I'm more satisfied with Neat URL: https://addons.mozilla.org/firefox/addon/neat-url/

As for Canvas, it is just for tracking. No relevance for security.
nam1962 commented 2018-10-24 07:57:27 +00:00 (Migrated from github.com)

Hi, I use very similar recommendations on my tutos, do you think there will be redundancy between the new FF 63 anti tracking tool and decentraleyes or privacy badger ?

ghost commented 2018-10-24 08:35:38 +00:00 (Migrated from github.com)

@kewde @beardog108

> do you think there will be redundancy between the new FF 63 anti tracking tool and decentraleyes or privacy badger ?
beerisgood commented 2018-10-24 10:22:22 +00:00 (Migrated from github.com)

The FF internal anti tracking is a joke compared to uBlock Origin. Also you don't need Privacy Badger
Decentraleyes isn't the same as an ad or tracking blocker. It replaces libraries, you should read again what exactly it is.
ghost commented 2018-10-24 11:03:53 +00:00 (Migrated from github.com)

Disconnect uses the same lists as uBlock. Privacy Badger blocks what it thinks are unnecessary tracking requests. Decentraleyes replaces CDN libraries with local cache, I think.

So uBlock + Privacy Badger + Decentraleyes is a good combination.

ghost commented 2019-01-28 11:11:06 +00:00 (Migrated from github.com)

If you have uMatrix, you do not need NoScript. However by default uMatrix does not block all first party scripts.

Currently I am using:

  • Cookie AutoDelete
  • Decentraleyes
  • HTTPS Everywhere
  • Redirect AMP to HTML
  • uBlock Origin
  • uMatrix

I posted about [this on Reddit](https://reddit.com/r/privacytoolsIO/comments/aig2j5/umatrix_vs_noscript/eepfxz7/?context=1)

> Why not use both? Their features overlap. They complement each other.

Using both at the same time is a complete waste of time. There's nothing that can be done with NoScript that cannot be done with uMatrix. [I looked at this in the past](https://reddit.com/r/privacytoolsIO/comments/9u96fc/got_all_these_privacyrelated_firefoxchrome/e933vln/).

> uMatrix automatically allows all first party scripts, while blocking the rest.

If you want it that way, or you can [How to block 1st party scripts everywhere by default](https://github.com/gorhill/uMatrix/wiki/How-to-block-1st-party-scripts-everywhere-by-default).

> If you permit a script on one site, you have to enable the script on each site that uses it. An example is googlegettagservices.

Not if you [How to create rules which apply everywhere, on all web sites](https://github.com/gorhill/uMatrix/wiki/How-to-create-rules-which-apply-everywhere,-on-all-web-sites).

Others have mentioned [uMatrix has better documentation and UI](https://github.com/gorhill/uMatrix/wiki/The-popup-panel). uMatrix also has some unique features such as [Ruleset recipes](https://github.com/gorhill/uMatrix/wiki/Ruleset-recipes) and [umatrix hosts files (they show up as dark red for bad hosts)](https://github.com/gorhill/uMatrix/wiki/Preset-whitelisted-and-blacklisted-domains#preset-blacklist-rules).

The [uMatrix logger](https://github.com/gorhill/uMatrix/wiki/Logger) is really handy to determine what is happening.

NoScript is also terrible at handling subdomains. When you enable List full addresses in the permissions popup (https://www.noscript.net), you get a mess. [An example of that with NoScript](https://i.imgur.com/fP6AyV7.png). Which is [a lot easier in uMatrix](https://i.imgur.com/EgTq6If.png). I only needed JavaScript on cdn-au.piano.io not buy-au.piano.io or experience-au.piano.io. Additionally NoScript gave me no way to control XHR content on experience-au.piano.io which I needed for the text in the article to load.

It is clearly something that was an afterthought. uMatrix's UI handles subdomains and whitelisting parts of domains a LOT more efficiently.

Also, uMatrix is available for Chrome, whereas NoScript never got ported (you'd have to use an alternative like ScriptSafe). Raymond Hill (gorhill) has done an excellent job.

I did use NoScript for many years, but I think uMatrix is better, particularly after you realize its power.

Edit:

> uMatrix is available for Chrome,

For the moment.

[Wow, fancy that. Web ad giant Google to block ad-blockers in Chrome. For safety, apparently](https://www.theregister.co.uk/2019/01/22/google_chrome_browser_ad_content_block_change/)

I like this How many ad blocks could an ad slinger block if an ad slinger could block blocks?
beerisgood commented 2019-01-28 12:08:22 +00:00 (Migrated from github.com)

@tya99 instead of blocking cookies better use container

ghost commented 2019-02-06 21:54:16 +00:00 (Migrated from github.com)

> @tya99 instead of blocking cookies better use container

I have done a bit of research and I think you might be right. I was having a look at https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.1-Extensions looking to see how I could improve things. I do think that page might be outdated.

It would appear currently I wasn't protecting against cache related tracking with HTTP ETags. Using this website https://lucb1e.com/rp/cookielesscookies/ I was able to test it. That recommended extensions page mentions ETag Stoppa however it does say:

> Keep in mind that ETags are only one of the known tracking vectors related to the cache. I am aware of at least three other less straightforward methods to exploit the cache for tracking. If you are absolutely serious about your privacy, do not rely on this extension. Instead, disable the cache and/or use another extension like Temporary Containers in automatic mode.

Additionally it seems there's some types of cookies that cannot be deleted through the WebExtension API:

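> APIs do not exist to allow clearing IndexedDB, Service Workers cache, appCache, or cache by host. Clearing cookies & localStorage on their own, and leaving orphaned persistent data is a false sense of privacy. Check [here](https://github.com/Cookie-AutoDelete/Cookie-AutoDelete/wiki/FAQ:-Common-Questions-and-Issues#what-is-the-state-of-the-webextension-api-to-clean-x-data)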

It appears for many of those APIs they do exist now. As it says in that link on the Cookie-AutoDelete FAQ "(API available, but none to clean by host)" so this must mean it was added at some point.

So I am thinking Temporary Containers might be the way to go instead of Cookie AutoDelete in the global container.

I was also thinking of installing ClearURLs. I think it might be better than NeatURLs, more maintained and mature. I really hate those tracking parameters.

I noticed they recommend Violentmonkey. I was surprised about that after reading Discussion: Greasemonkey, Tampermonkey, Violentmonkey, which one is best for a privacy conscious person?.

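I have been using Greasemonkey without any issues. I use it with

- [Old Reddit Please!](https://greasyfork.org/en/scripts/40897-old-reddit-please)
- [Disable Youtube autoplay](https://greasyfork.org/en/scripts/34651-disable-youtube-autoplay)
- [Pinterest without registration](https://greasyfork.org/en/scripts/6325-pinterest-without-registration)
- [bijij/viewimage.user.js](https://gist.github.com/bijij/58cc8cfc859331e4cf80210528a7b255#file-viewimage-user-js)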

I also noticed CSS Exfil Protection. I'm not sure if anything I've got currently can satisfy this but I don't think so. According to the developer's test site my browser was vulnerable.

In the past I had been using privacy.resistFingerprinting = true for canvas protection. I'm not sure this is the greatest idea. When setting that to true the test site says my uniqueness is "× False (Tor Browser signature)". I can't imagine there'd be many people with that signature that are not coming from a Tor exit node.

Perhaps I should install something like CanvasBlocker. When using that with the Block mode "fake" it said Uniqueness 100% (0 of 358283 user agents have the same signature).

Come to think of it the only non-privacy related addon I use is Tree Style Tab and Markdown Here. The internet is such a cesspool of tracking and advertising these days.

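Why the ETag tracking mentioned in the comment above survives cookie clearing, and why the mitigations it names (stripping the header, disabling the cache, a fresh container) stop it, shown as an added simulation that is not code from the thread or from any of the extensions. The class names, the URL and the way each mitigation is modelled are assumptions made for this example.

```javascript
// Constructed, offline model of cache-based tracking with HTTP ETags.
// Nothing here talks to the network; all names are hypothetical.
const PIXEL_URL = 'https://tracker.example/pixel.gif'; // constructed sample URL

// Server side: hands a new visitor an identifier both as a cookie and as an
// ETag, and recognises a returning visitor from whichever one comes back.
class TrackingServer {
  constructor() {
    this.nextId = 1;
    this.known = new Set();
  }
  handle(req) {
    const candidates = [['cookie', req.cookie], ['etag', req['if-none-match']]];
    for (const [vector, id] of candidates) {
      if (id && this.known.has(id)) {
        // Re-sending the same values keeps both identifiers alive.
        return { headers: { 'set-cookie': id, etag: id }, via: vector };
      }
    }
    const id = `"v${this.nextId++}"`;
    this.known.add(id);
    return { headers: { 'set-cookie': id, etag: id }, via: null };
  }
}

// Client side: one cookie jar and one HTTP cache per container.
// Assumption: a container isolates the cache as well as cookies.
class Browser {
  constructor({ stripEtag = false, cacheEnabled = true } = {}) {
    this.stripEtag = stripEtag;       // models a header-stripping extension
    this.cacheEnabled = cacheEnabled; // models disabling the cache
    this.containers = new Map();
  }
  store(name) {
    if (!this.containers.has(name)) {
      this.containers.set(name, { cookie: null, validators: new Map() });
    }
    return this.containers.get(name);
  }
  fetch(server, url, container) {
    const s = this.store(container);
    const req = {};
    if (s.cookie) req.cookie = s.cookie;
    // A cached entry with a validator is revalidated with If-None-Match,
    // which hands the stored ETag value back to the server.
    if (s.validators.has(url)) req['if-none-match'] = s.validators.get(url);
    const res = server.handle(req);
    const headers = { ...res.headers };
    if (this.stripEtag) delete headers.etag; // drop the validator before caching
    s.cookie = headers['set-cookie'];
    if (this.cacheEnabled && headers.etag) s.validators.set(url, headers.etag);
    return res.via; // how the server recognised this request, or null
  }
  clearCookies(container) {
    this.store(container).cookie = null; // the cache is left untouched
  }
  discardContainer(container) {
    this.containers.delete(container); // cookies and cache go together
  }
}

// Visit once, optionally clean up, visit again; report how (or whether)
// the second visit was linked to the first.
function revisit(browserOptions, { clearCookies = false, freshContainer = false } = {}) {
  const server = new TrackingServer();
  const browser = new Browser(browserOptions);
  browser.fetch(server, PIXEL_URL, 'c1');
  if (clearCookies) browser.clearCookies('c1');
  if (freshContainer) browser.discardContainer('c1');
  return browser.fetch(server, PIXEL_URL, freshContainer ? 'c2' : 'c1');
}

function trackingMatrix() {
  return {
    nothingCleared: revisit({}),
    cookiesCleared: revisit({}, { clearCookies: true }),
    etagStripped: revisit({ stripEtag: true }, { clearCookies: true }),
    cacheDisabled: revisit({ cacheEnabled: false }, { clearCookies: true }),
    freshContainer: revisit({}, { freshContainer: true }),
  };
}

console.log(trackingMatrix());
```

Only the `cookiesCleared` row is still linked, and it is linked through the cache validator, which is the gap the comment found with the cookielesscookies test page.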
beerisgood commented 2019-02-06 22:49:30 +00:00 (Migrated from github.com)

Resist fingerprinting is fine and recommended in gHacks user.js
Also a better solution than the canvas blocker add-on, and don't forget that this simple setting doesn't just change canvas. It changes a lot!

ghost commented 2019-02-07 02:12:26 +00:00 (Migrated from github.com)

> Resist fingerprinting is fine and recommended in gHacks user.js
> Also a better solution than the canvas blocker add-on, and don't forget that this simple setting doesn't just change canvas. It changes a lot!

I might just do that then. I like to avoid addons if I can help it. On mobile Android it seems Temporary Container isn't supported because of tabs.create API on Android does not support cookieStoreId.

I guess there I will go with ETag Stoppa instead. I find browser.cache.offline.enable = false a little inconvenient.

I'm not currently using https://github.com/ghacksuserjs/ghacks-user.js/blob/master/user.js I am however just using most of the tweaks from https://www.privacytools.io/#about_config

ghost commented 2019-02-08 12:15:32 +00:00 (Migrated from github.com)

@beerisgood

> @tya99 instead of blocking cookies better use container

There's a nice writeup about that here https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21

@stoically points out in that post that:

> Also with localStorage support enabled you make fingerprinting easier, [because CAD needs to set a cookie for the domains](https://github.com/Cookie-AutoDelete/Cookie-AutoDelete/wiki/Documentation#enable-localstorage-support) you visit and CAD can’t clear indexedDB storage at all. If you want to see it yourself try filling your indexedDB and localStorage with 5kb [on this site](https://demo.agektmr.com/storage/). Now close the tab (and click Clean depending on your settings), open the site again and you’ll see that the indexedDB storage is still there.

Also ghacks-user points out:

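> APIs do not exist to allow clearing IndexedDB, Service Workers cache, appCache, or cache by host. Clearing cookies & localStorage on their own, and leaving orphaned persistent data is a false sense of privacy. Check [here](https://github.com/Cookie-AutoDelete/Cookie-AutoDelete/wiki/FAQ:-Common-Questions-and-Issues#what-is-the-state-of-the-webextension-api-to-clean-x-data)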

abuisman commented 2019-05-23 08:15:58 +00:00 (Migrated from github.com)

What I am missing in all lists are the performance implications of add-ons. Privacy badger, for example, adds, at least on my machine, a significant amount of time to page loads (think ~1s). This is in combination with uBlock Origin.

I'll try to see if I can get some dependable performance metrics sometime soon.

beerisgood commented 2019-05-23 11:32:05 +00:00 (Migrated from github.com)

@abuisman try without privacy badger ;)

abuisman commented 2019-05-24 06:07:52 +00:00 (Migrated from github.com)

@beerisgood that is what I did, how else do you think I found out about the difference? ;)

For now, I am using firefox’s built in ad blocking and new protections against crypto mining and I block all third party cookies. That last thing is what I used privacy badger most for anyway

beerisgood commented 2019-05-24 06:18:08 +00:00 (Migrated from github.com)

Remember that the internal feature (disconnect list) only blocks a few ads. You should use uBlock Origin instead.
Even the gHacks.js team recommends that way

Atavic commented 2019-05-24 19:50:27 +00:00 (Migrated from github.com)

Also the internal disconnect list has whitelists (connections that will be always allowed).

abuisman commented 2019-05-25 15:43:03 +00:00 (Migrated from github.com)

@beerisgood and @atavic I meant instead of privacy badger. I also have ublock origin running with blocks for all third-party requests by default. I then allow them 1-by-1 to make websites work

0xRustlang commented 2019-06-09 22:36:19 +00:00 (Migrated from github.com)

> @beerisgood and @Atavic I meant instead of privacy badger. I also have ublock origin running with blocks for all third-party requests by default. I then allow them 1-by-1 to make websites work

uBlock Origin and Firefox tweaks are good enough.
If you like, you can use more filter lists in uBlock, for example:

https://github.com/notracking/hosts-blocklists
https://github.com/yourduskquibbles/webannoyances
https://gitlab.com/ZeroDot1/CoinBlockerLists
https://github.com/CHEF-KOCH/BarbBlock-filter-list
https://github.com/CHEF-KOCH/Audio-fingerprint-pages
https://v.firebog.net/hosts/static/w3kbl.txt

(Although webannoyances is not a security list but an annoyance filter list, and you may not like it, it was great for me)

Also I think the Firefox blocker is redundant with uBlock and will lower the speed of the browser, but its fingerprinting and cryptominer blocklists are good.

Also there are great lists in firebog.net and filterlists.com

Also these prefs are really good:

require safe negotiation (it breaks some websites that use a bad SSL config)
Also, you can go to https://www.ssllabs.com/ssltest/viewMyClient.html and https://browserleaks.com/ssl, then go to about:config and disable any vulnerable ciphers, e.g. 3DES, all SHA1 hashes, all CBCs and all those that don't have forward secrecy

Also a good pref for security (in this case maybe not so much for privacy) is setting trr.mode to 2 (you should also set the bootstrap address to 1.1.1.1)
This will set your browser to use Cloudflare's DNS over HTTPS when it is faster, and is good because your ISP can't fool your browser with a fake website IP.

Although the threat model differs for everyone; for example, I prefer some privacy downgrades for better protection against my ISP.

beerisgood commented 2019-06-09 23:06:50 +00:00 (Migrated from github.com)

> https://github.com/CHEF-KOCH/BarbBlock-filter-list
> https://github.com/CHEF-KOCH/Audio-fingerprint-pages

I highly do not recommend those lists. They're outdated and just stolen work from other guys, without any notice about it.
If you need lists, (you posted it already) use Firebog.net

Also stay with https://github.com/ghacksuserjs/ghacks-user.js/blob/master/user.js

0xRustlang commented 2019-06-10 01:26:31 +00:00 (Migrated from github.com)

Thanks

> > https://github.com/CHEF-KOCH/BarbBlock-filter-list
> > https://github.com/CHEF-KOCH/Audio-fingerprint-pages
>
> I highly do not recommend those lists. They're outdated and just stolen work from other guys, without any notice about it.
> If you need lists, (you posted it already) use Firebog.net

Agree, Thanks :)

> Also stay with https://github.com/ghacksuserjs/ghacks-user.js/blob/master/user.js

Thanks, I downloaded it but was busy and couldn't look at it till now :D

What is your opinion about other outdated blocklists if they don't affect browsing?
Better than nothing or not worth it?

Also worth mentioning: what I noticed is that lists with few eyes on them have the potential to whitelist some trackers/... on their own.

3371-Alpha commented 2019-07-22 19:41:52 +00:00 (Migrated from github.com)

I just want to give an update, there's a fork of ublock made by the same guy who made nano defender called nano adblocker. Apparently he called it so because he cleaned up the code making it lighter and faster, or so claimed. It does have the advantage though of requiring less configuration when used with nano defender, but mainly that's because it was designed to work with it. Also Raymond Hill (the guy who made ublock) has his own accessory addon for ublock/nano called ubo-scope and it measures your 3rd party exposure.

Also, I just want to say I tried to configure all these with waterfox and it didn't go so well as its extension api is still based on firefox 57. I tried it due to some people voicing concerns of mozilla's recent choices with respect to privacy.

Lastly, privacytools.io has added canvasblocker to its recommended list as of late, but there seem to be several alternatives to the https forcing, canvas fingerprinting protection, cookie purging/isolating and url decluttering/cleaning extensions available, such as smart https. Curious to know what you guys think would be the best combination of the four. Also the guy who made smart https also has fingerprint protection extensions for webgl and certain types of audio content; didn't even know those could be fingerprinted.

Atavic commented 2019-07-22 20:06:03 +00:00 (Migrated from github.com)

If your browser is based on a previous version of Firefox, you can get a previous version of the addon that still works with FF 57.

3371-Alpha commented 2019-07-23 00:31:25 +00:00 (Migrated from github.com)

> If your browser is based on a previous version of Firefox, you can get a previous version of the addon that still works with FF 57.

That doesn't seem like a very good idea for security addons, like the ones discussed here. Older versions could have security flaws; in addition some, like nano adblocker and defender as well as redirect amp to html, don't have compatible older versions, period.

0xRustlang commented 2019-07-24 20:05:28 +00:00 (Migrated from github.com)

> Also, I just want to say I tried to configure all these with waterfox and it didn't go so well as it's extension api is still based on firefox 57. I tried it due to some people voicing concerns of mozilla's recent choices with respect to privacy.

I think we should adjust to Mozilla's choices; they have started to make Firefox more efficient, so I think we should just wait for them to rise up more.

I believe their choices may sometimes be disappointing for paranoid users, but some of them are really necessary.
For example, people are concerned about telemetry, but telemetry is exactly what made Chrome this fast.
Software vendors can't develop their products blindly; they need to know about problems, especially since very few people report bugs frequently.

As for old addons, I agree that some of them were great, but with this decision Mozilla will waste less time on compatibility fixes and spend more resources on developing the core browser.

> Lastly, privacytools.io has added canvasblocker to it's recommended list as of late, but there seem to be several alternatives to the https forcing, canvas fingerprinting protection, cookie purging/isolating and url decluttering/cleaning extensions available, such as smart https. Curious to know what you guys think would be the best combination of the four. Also the guy who made smart https also has fingerprint protection extensions for webgl and certain types of audio content; didn't even know those could be fingerprinted.

I think the first party isolation, prevent fingerprinting and clear data on exit options in Firefox are sufficient for that, because every action you take for prevention makes your fingerprint more unique, so we should just use them to get lost in our crowd.

Especially as it has canvas prevention built in, cookie, web storage and ... separation built in (first party isolation), plus many more.


I'm closing this issue because I believe our extensions list is fairly comprehensive with no significant overlap of tasks.

jasonbrown1965 commented 2019-11-26 20:06:26 +00:00 (Migrated from github.com)

> I'm closing this issue because I believe our extensions list is fairly comprehensive with no significant overlap of tasks.

It is getting rather long! But ... reading through, I see there is variation over time, as add-ons are improved, abandoned or new ones added. Is there a need for PT to do a regular review of such add-ons, say quarterly, or more realistically, annually?

And should this be raised as a separate issue?

Mikaela commented 2019-11-26 21:22:55 +00:00 (Migrated from github.com)

I think you may be looking for https://github.com/privacytoolsIO/privacytools.io/issues/1328 or something listed there.

Reference: privacyguides/privacytools.io#121