Hardening Firefox on Arch
🔑 Key Terms
- Browser hardening focuses on reducing attack surface and blocking tracking by disabling or restricting features like JavaScript, cookies, telemetry, and third-party scripts.
- Fingerprint protection, on the other hand, aims to make your browser indistinguishable from others. Instead of just blocking data collection, it ensures that your browser's configuration (screen size, fonts, user agent, etc.) matches a large group of users, so you blend in.
- Browser compartmentalization is a technique where different browsers are dedicated to distinct online activities to isolate cookies, trackers, and browsing data. For example, Mullvad Browser can be used solely for activities where fingerprinting resistance is critical, such as anonymous browsing or visiting privacy-sensitive sites. Meanwhile, a hardened LibreWolf or Firefox can be used for general browsing, email, or banking where you want solid security and feature flexibility but aren't as concerned about fingerprint uniqueness.
- Web APIs: the interfaces a browser exposes to page scripts (navigator, canvas, WebGL, WebRTC, geolocation, and so on) so that a web application can use browser and device features without touching the underlying system directly. They are what make rich sites work, and each one is also a potential source of fingerprinting data.
- Anonymity: Maximizing anonymity often means restricting or masking features (setting a generic fingerprint, disabling browser APIs, blocking trackers) so the browser blends in with many others. This reduces uniqueness but can break website functionality, cause CAPTCHAs, and limit usability.
- Usability: Keeping your browser features enabled improves compatibility and user experience but increases uniqueness and thus makes you easier to track.
- Entropy: in this context, a measure of how much unique information a specific browser feature contributes to your fingerprint. It is quantified in bits of entropy, where more bits mean more uniqueness (i.e., easier to identify you). A bit is the basic unit of information; fingerprint-testing sites report their results in "bits of identifying information". A value shared by one browser in 2^n contributes n bits, so each extra bit halves the crowd you can hide in.
- Origin: Web content's origin is defined by the scheme (protocol), hostname (domain), and port of the URL used to access it. Two objects have the same origin only when the scheme, hostname, and port all match.
- Same-origin policy: a critical security mechanism that restricts how a document or script loaded by one origin can interact with a resource from another origin. It helps isolate potentially malicious documents, reducing possible attack vectors.
- Site isolation: Firefox also provides site isolation (Project Fission), which loads cross-site content in separate processes so that a compromised content process cannot read another site's data.
Tor Browser is not the most secure browser: anonymity and security are often at odds with each other. Having exactly the same browser as many other people is not the best security practice, but it is great for anonymity. Tor Browser is also based on Firefox ESR, which only receives patches for vulnerabilities rated Critical or High, so lower-severity bugs that are fixed in mainline Firefox can remain exploitable in ESR for longer.
Fingerprinting Explained
Modern Web APIs enable highly customized user experiences but also expose detailed device information that trackers can combine into a browser fingerprint: a unique identifier used for covert tracking even when cookies are blocked.
Entropy, a measure of randomness or uniqueness in data, is a critical metric for assessing the risk of browser fingerprinting.
Browser fingerprinting is a tracking technique, often done by third-party companies that specialize in it. They provide code (usually JavaScript) that a website owner can embed on their site. When you visit the site, the script runs in the background, silently collecting data about your device and browser.
There are two main approaches to obfuscating your fingerprint:
- Standardization: make browsers standardized so they all have the same fingerprint and blend into a crowd. This is what Tor Browser and Mullvad Browser do. Best for anonymity; it increases the crowd you blend into, but may decrease usability (site breakage, CAPTCHAs), and adversaries may still find subtle differences.
- Randomization: randomize fingerprint metrics so the result is not directly linkable to you. Brave has this feature; if you run EFF's Cover Your Tracks with Brave you will get the result "your browser has a randomized fingerprint". This is good for privacy but may be detectable by advanced scripts.
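To make "bits of identifying information" concrete, here is an added example (it is not from the original page or from any fingerprinting test site) that computes the surprisal of one browser's values and the entropy of each feature over a crowd. The crowd, the feature names (tz, hw, lang) and the function names are constructed for illustration; real surveys have millions of rows. It also shows why per-feature bits cannot simply be added: features correlate, so the tuple must be measured directly.

```javascript
// Added example (not from the original page): what "bits of identifying
// information" means. Everything below, including the population, is
// constructed for illustration; real surveys have millions of rows.

// Project a browser record onto the chosen features so tuples can be counted.
const key = (rec, features) => JSON.stringify(features.map((f) => rec[f]));

// Surprisal of one browser's values: -log2(share of the crowd that matches).
// A configuration shared by half the crowd costs 1 bit; a unique one among
// N browsers costs log2(N) bits.
function bitsFor(rec, features, population) {
  const k = key(rec, features);
  const matches = population.filter((r) => key(r, features) === k).length;
  if (matches === 0) throw new Error("record is not in the population");
  return Math.log2(population.length / matches);
}

// Shannon entropy of a feature (or tuple of features) over the crowd:
// the average surprisal, i.e. how much a tracker expects to learn from it.
function entropyOf(features, population) {
  const counts = new Map();
  for (const r of population) {
    const k = key(r, features);
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  let h = 0;
  for (const c of counts.values()) {
    const p = c / population.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Constructed crowd of 8 browsers. The first four run with
// privacy.resistFingerprinting, so they report the same timezone, the same
// hardwareConcurrency and the same locale and are indistinguishable.
const POPULATION = [
  { tz: "UTC", hw: 2, lang: "en-US" },
  { tz: "UTC", hw: 2, lang: "en-US" },
  { tz: "UTC", hw: 2, lang: "en-US" },
  { tz: "UTC", hw: 2, lang: "en-US" },
  { tz: "America/New_York", hw: 8, lang: "en-US" },
  { tz: "America/New_York", hw: 16, lang: "en-US" },
  { tz: "Europe/Berlin", hw: 8, lang: "de-DE" },
  { tz: "Asia/Tokyo", hw: 12, lang: "ja-JP" },
];
const ALL = ["tz", "hw", "lang"];

// Naively adding per-feature bits overstates uniqueness because features
// correlate (locale and timezone move together); measure the tuple instead.
function report(population = POPULATION) {
  const perFeature = Object.fromEntries(
    ALL.map((f) => [f, entropyOf([f], population)])
  );
  return {
    rfpUser: bitsFor(population[0], ALL, population),    // 1 bit: blends in
    uniqueUser: bitsFor(population[7], ALL, population), // 3 bits: fully identified
    perFeature,
    sumOfFeatures: Object.values(perFeature).reduce((a, b) => a + b, 0),
    tupleEntropy: entropyOf(ALL, population),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

With this crowd the RFP user costs a tracker 1 bit (four of eight browsers look the same), the Tokyo user costs 3 bits (log2 of 8, fully identified), and the three per-feature entropies add up to about 4.6 bits even though the whole tuple only carries 2 bits, which is the over-counting you see when test sites sum their columns.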
Test your browser's fingerprint:
Test how well your browser implements security standards and features:
Test the sites you visit for trackers:
Don't put too much weight on the results: people often check their fingerprint, change one setting, and check again over and over, which skews the sample. The sites are still useful for seeing which values trackers collect.
You can use something like NoScript to block JavaScript, which stops the scripts that do most of the fingerprinting from running. Extensions can themselves make you more unique, so it's a trade-off.
The following website lists the tracking protection mechanisms implemented by the major browsers and browser engines:
Metasearch Engines
SearXNG
SearXNG is an open-source, privacy-respecting metasearch engine that aggregates results from various search services, such as Google, DuckDuckGo, etc., without tracking you or profiling your searches. You can add SearXNG to Firefox by going to about:preferences#search, clicking Add at the bottom, and entering the URL https://searx.be/search?q=%s.
❗️ NOTE: The above instance is the default and doesn't give many relevant results. To get relevant results, find a public instance with a good rating from your area and add search?q=%s to the end of it. For example, I'm using https://priv.au/search?q=%s. This gives much better results than DDG in my opinion. Keep in mind that a public instance still sees your queries and IP; you are moving trust from the search engines to the instance operator, not removing it.
SearXNG is a bit different: you can choose which search engine to use for the current search with a bang, e.g. !ddg search term to use DuckDuckGo.
Startpage is another metasearch engine that I’ve heard good things about.
Defenses
Encrypted DNS
DNS (Domain Name System) resolution is the process of translating a website’s domain name into its corresponding IP address. By default, this traffic isn’t encrypted, which means anyone on the network, from your ISP to potential hackers, can see the websites you’re trying to visit. Encrypted DNS uses protocols to scramble this information, protecting your queries and responses from being intercepted and viewed by others.
❗ NOTE: There are many other ways for someone monitoring your traffic to see which domains you visit (the TLS SNI field, the destination IP address, the server certificate), so its effectiveness is questionable without also using Tor or a VPN. Encrypted DNS will not hide your browsing activity; it only stops your DNS queries from being read or tampered with on the path to the resolver.
There are 3 main types of DNS protection:
- DNS over HTTPS (DoH): wraps DNS queries in HTTPS (port 443) between the client and the resolver, so they look like any other web traffic.
- DNS over TLS (DoT): the same idea over a dedicated TLS connection on its own port (853), which makes it easier for a network to spot and block than DoH.
- DNSCrypt: an older protocol that authenticates the resolver with its public key and encrypts the exchange, which also defeats spoofed responses in transit.
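What a DoH query actually is on the wire, as an added example (not from the page, and not code from any resolver or from Firefox): DoH (RFC 8484) sends an ordinary DNS wire-format message inside an HTTPS request. The block builds the message for an A lookup by hand, turns it into the GET form a resolver such as https://dns.quad9.net/dns-query accepts, and parses a constructed wire-format answer back. The function names and the sample answer are constructed for illustration; nothing here touches the network.

```javascript
// Added example, not from the page: what a DNS-over-HTTPS query is on the wire.
// DoH (RFC 8484) sends an ordinary DNS wire-format message inside an HTTPS
// request. Below the message for an A lookup is built by hand, turned into the
// GET form a resolver such as https://dns.quad9.net/dns-query accepts, and a
// constructed wire-format answer is parsed back. Nothing here touches the network.

// "example.com" -> 07 'example' 03 'com' 00
function encodeName(name) {
  const parts = [];
  for (const label of name.replace(/\.$/, "").split(".")) {
    if (label.length === 0 || label.length > 63) throw new Error(`bad label "${label}"`);
    parts.push(Buffer.from([label.length]), Buffer.from(label, "ascii"));
  }
  parts.push(Buffer.from([0]));
  return Buffer.concat(parts);
}

// Standard query: 12-byte header, one question. ID is 0 as RFC 8484 suggests
// for cache-friendly GETs; flags 0x0100 sets RD (recursion desired).
function buildQuery(name, qtype = 1 /* A */) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(0x0100, 2); // flags
  header.writeUInt16BE(1, 4);      // QDCOUNT
  const tail = Buffer.alloc(4);
  tail.writeUInt16BE(qtype, 0);    // QTYPE
  tail.writeUInt16BE(1, 2);        // QCLASS IN
  return Buffer.concat([header, encodeName(name), tail]);
}

// GET form: the message, base64url-encoded without padding, in the `dns` parameter.
// The same bytes can be POSTed with Content-Type: application/dns-message.
function dohUrl(name, resolver = "https://dns.quad9.net/dns-query") {
  return `${resolver}?dns=${buildQuery(name).toString("base64url")}`;
}

// Step over a name in a response, honouring compression pointers (top two bits set).
function skipName(buf, off) {
  for (;;) {
    const len = buf[off];
    if (len === 0) return off + 1;
    if ((len & 0xc0) === 0xc0) return off + 2;
    off += 1 + len;
  }
}

// Extract RCODE and the A records from a wire-format answer.
function parseAnswer(buf) {
  const rcode = buf[3] & 0x0f;
  const qd = buf.readUInt16BE(4), an = buf.readUInt16BE(6);
  let off = 12;
  for (let i = 0; i < qd; i++) off = skipName(buf, off) + 4;   // QTYPE + QCLASS
  const addrs = [];
  for (let i = 0; i < an; i++) {
    off = skipName(buf, off);
    const type = buf.readUInt16BE(off);        // then CLASS(2), TTL(4)
    const rdlen = buf.readUInt16BE(off + 8);
    if (type === 1 && rdlen === 4) addrs.push(Array.from(buf.subarray(off + 10, off + 14)).join("."));
    off += 10 + rdlen;
  }
  return { rcode, addrs };
}

// Constructed response for the query above (not captured from any resolver):
// the question echoed back, then one A record using a pointer to offset 12.
const SAMPLE_ANSWER = Buffer.concat([
  buildQuery("example.com"),
  Buffer.from([0xc0, 0x0c, 0, 1, 0, 1, 0, 0, 0x0e, 0x10, 0, 4, 93, 184, 216, 34]),
]);
SAMPLE_ANSWER.writeUInt16BE(0x8180, 2); // QR=1, RD, RA
SAMPLE_ANSWER.writeUInt16BE(1, 6);      // ANCOUNT

console.log(dohUrl("example.com"));
console.log(parseAnswer(SAMPLE_ANSWER)); // { rcode: 0, addrs: [ '93.184.216.34' ] }
```

The point of the encoding is that the 29-byte message inside the URL is exactly what would have gone out in cleartext over UDP port 53; DoH changes only the transport, which is why the SNI and destination IP caveats above still apply to the connection that follows the lookup.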
Useful resources:
Hot Take:
I recommend either setting up dnscrypt-proxy:
Or set Firefox's DNS over HTTPS to Max Protection with a custom resolver: in about:preferences#privacy scroll down to DNS over HTTPS and select Max Protection -> Custom -> https://dns.quad9.net/dns-query. Max Protection means Firefox fails the lookup rather than silently falling back to your system resolver when the DoH server is unreachable, which is the behaviour you want if the point is to keep queries off the local network.
Enhanced Tracking Protection (ETP)
Browsers that have a form of tracking protection typically use lists of known trackers and match each outgoing request against these lists.
Enhanced Tracking Protection is how you deal with cookies and more on Firefox.
- Enhanced Tracking Protection (ETP) blocks known third-party tracking requests (trackers, fingerprinters, cryptominers, tracking cookies) to companies on the Disconnect list.
- In about:preferences#privacy, setting Enhanced Tracking Protection to either Strict or Custom enables FPP as well, explained further down.
- Total Cookie Protection is enabled by default in Standard mode.
- When you set ETP to Strict, it includes Enhanced Cookie Clearing, which improves on the removal of third-party cookies, as well as Bounce Tracking Protection, which prevents redirect trackers.
- First-Party Isolation comes from the Tor Uplift Project.
Resist Fingerprinting
- RFP (Resist Fingerprinting) is set in about:config with privacy.resistFingerprinting. Resist Fingerprinting alters the following:
  - The timezone is reported as UTC (Icelandic time, which is UTC with no daylight saving, is equivalent)
  - Locale is reported as en-US
  - Several properties of the navigator object are fixed, including hardwareConcurrency, appVersion and buildID. The user agent version is reported as the major version only (for example, 119.0 instead of 119.1)
  - And much more...
- You can set privacy.resistFingerprinting.pbmode (private-browsing mode) without privacy.resistFingerprinting and still get certain Resist Fingerprinting behaviours in normal windows, because some of them cannot be separated per window.
- FPP (Fingerprinting Protection) is enabled in normal browsing when Enhanced Tracking Protection is set to Strict. Both Known Fingerprinters and Suspected Fingerprinters protection are enabled in Private Browsing and when ETP is set to Strict. On the Custom level of ETP you can toggle individual features on and off.
Disable JavaScript
Most trackers run on JavaScript, thus blocking JavaScript prevents them from gathering much of the info needed to form a browser fingerprint.
- NoScript lets you selectively block scripts on websites. Its core function is to block all scripts by default, allowing you to manually enable scripts on trusted sites.
NoScript PrivacyGuides should
- uBlock Origin also lets you block JavaScript; just be aware that many sites may break, so you'll have to whitelist selectively.
Disable WebRTC
The main reason people disable WebRTC is to prevent an IP address leak. WebRTC is designed for real-time communication like video calls and file sharing. If you don’t use those features, it makes sense to disable it.
Disabling WebRTC eliminates specific data points that trackers use, reducing entropy & the uniqueness of your fingerprint.
In about:preferences#privacy -> Privacy & Security -> Permissions, click Settings... next to each of these:
- Block new requests asking to access your microphone
- Block new requests asking to access your camera
- You may also want to block Location, but that doesn't involve WebRTC.
You can also use the master switch by going to about:config and setting media.peerconnection.enabled to false. Note that this disables WebRTC entirely, so browser video calls and anything else that uses it will stop working.
user.js settings related to WebRTC:
/* master switch: disable WebRTC entirely
 * [NOTE] With this false the ICE prefs below have no effect; they only matter
 * if you re-enable WebRTC for a specific use ***/
user_pref("media.peerconnection.enabled", false);
/* 2002: force WebRTC inside the proxy [FF70+] ***/
user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true);
/* 2003: force a single network interface for ICE candidate generation [FF42+]
 * When using a system-wide proxy, it uses the proxy interface
 * [1] https://developer.mozilla.org/docs/Web/API/RTCIceCandidate
 * [2] https://wiki.mozilla.org/Media/WebRTC/Privacy ***/
user_pref("media.peerconnection.ice.default_address_only", true);
/* hide the local host address in ICE candidates (mDNS obfuscation) ***/
user_pref("media.peerconnection.ice.obfuscate_host_address", true);
/* 2004: force exclusion of private IPs from ICE candidates [FF51+]
 * [SETUP-HARDEN] This will protect your private IP even in TRUSTED scenarios after you
 * grant device access, but often results in breakage on video-conferencing platforms ***/
user_pref("media.peerconnection.ice.no_host", true);
Disable Canvas Fingerprinting
Canvas Fingerprinting uses the HTML5 <canvas> element to generate a
fingerprint. It gets your device to render an image or text on a canvas and then
reads the pixel data. Since devices render things differently, those differences
are identifiable.
When privacy.resistFingerprinting is true, Firefox restricts the APIs commonly used for fingerprinting, including the HTML5 Canvas API: a site that tries to read canvas pixel data triggers a permission prompt and, unless you allow it, gets a generic (blank) image instead of the real rendering, so there is nothing unique to hash. (FPP takes the other approach and adds per-site noise to the canvas output.)
Disable WebGL
Similar to canvas fingerprinting, this technique uses the WebGL API to render 2D and 3D graphics. The way your system renders these graphics provides information about your GPU and graphics drivers, which contributes to your unique fingerprint.
❗️ NOTE: It's unnecessary to disable WebGL if you're already using RFP (which spoofs the WebGL renderer and vendor strings), and doing so will likely make you stand out more because most people don't disable it.
It can be disabled in about:config by setting webgl.disabled to true.
Install Firefox/LibreWolf & ArkenFox
⚠️ Firefox offers excellent privacy and customization but falls behind Chromium-based browsers in isolation and patch timing. Compartmentalization can help balance strong privacy with optimal security by using Brave or Chromium for high-risk browsing alongside Firefox for general and privacy-focused tasks.
Download Firefox from the Mozilla FTP site if you are worried about the download token; the FTP site lets you download the version you want without a token.
For example, for the latest Firefox as of 09-30-25 (Linux 64-bit, US English):
https://download.mozilla.org/?product=firefox-latest&os=linux64&lang=en-US
LibreWolf is an open-source fork of Firefox with a strong focus on privacy, security, and user freedom. LibreWolf enables HTTPS-Only Mode, ships with uBlock Origin, and more, providing strong defaults.
The process is the same for both Firefox & LibreWolf. I like LibreWolf for its strong defaults, but it may lag behind Firefox in getting security patches.
paru -S librewolf-bin
Read the ArkenFox Wiki
Apply
Open about:support and look for Profile Directory under Application Basics. Select Open Directory; it will bring you to somewhere like ~/.librewolf/pefoo8xx.default-default/, and that is where you place the user.js.
Place the following files in your Profile Directory:
- Arkenfox user.js. Read through the user.js: a pref that is commented out is not applied, so check that the settings you care about, such as RFP (privacy.resistFingerprinting), are active.
- Your own user-overrides.js with any changes you want to make to the default user.js. These changes are appended to the user.js and applied last, so they override the defaults. It's best to make changes here so that updating the Arkenfox user.js doesn't make you lose all of your customizations.
Example user-overrides.js spoofing the user agent:
❗️ This is just an example; always check for common user agent strings yourself and read the Arkenfox Wiki. The user agent override only takes effect with RFP disabled (see User Agent Spoofing below), which is why it is left commented out here while RFP is on.
// Left commented out: conflicts with privacy.resistFingerprinting below
// user_pref("general.useragent.override",
//   "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36");
// Disable Activity Stream preloading of new windows and tab pages
user_pref("browser.newtab.preload", false);
// Enhanced Tracking Protection (ETP)
user_pref("privacy.bounceTrackingProtection.mode", 1); // [FF131+] [ETP FF133+]
user_pref("privacy.trackingprotection.enabled", true);
// Resist Fingerprinting (RFP)
user_pref("privacy.resistFingerprinting", true); // [FF41+]
user_pref("privacy.resistFingerprinting.pbmode", true); // [FF114+]
// WebRTC
user_pref("media.peerconnection.enabled", false);
user_pref("media.peerconnection.ice.default_address_only", true);
// WebGL (redundant with RFP and makes you stand out; see the WebGL note above)
user_pref("webgl.disabled", true);
// Geolocation
user_pref("geo.enabled", false);
user_pref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");
// Fullscreen API
user_pref("full-screen-api.enabled", false);
// Disable Shield studies
user_pref("app.shield.optoutstudies.enabled", false);
// Master switches, be careful: this turns Safe Browsing off, so you lose the
// malware-download and phishing warnings in exchange for never contacting Google
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.phishing.enabled", false);
user_pref("browser.safebrowsing.provider.google4.gethashURL", "");
user_pref("browser.safebrowsing.provider.google4.updateURL", "");
user_pref("browser.safebrowsing.provider.google.gethashURL", "");
user_pref("browser.safebrowsing.provider.google.updateURL", "");
user_pref("browser.safebrowsing.provider.google4.dataSharingURL", "");
// Do not save passwords in the browser
user_pref("signon.rememberSignons", false);
// Show technical details on certificate error pages
user_pref("browser.xul.error_pages.expert_bad_cert", true);
// Referer: 0 = always send cross-origin (default), 1 = only if base domains match, 2 = only if hosts match
// [NOTE] 2 will cause breakage: older modems/routers and some sites e.g. banks, vimeo, icloud, instagram
user_pref("network.http.referer.XOriginPolicy", 2);
// 0 = never send, 1 = send for links and frames but not for images, 2 = always (default)
user_pref("network.http.sendRefererHeader", 1);
// Trimming: 0 = full URL (default, least strict), 1 = drop the query string, 2 = scheme+host+port only (strictest)
user_pref("network.http.referer.trimmingPolicy", 0);
user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
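Because Firefox silently accepts whatever user_pref lines it is given, it is worth checking an overrides file for the combinations this page warns about before running the updater. The block below is an added example (it is not part of the page, of arkenfox, or of Firefox): a small linter that parses user_pref lines and flags a UA override together with RFP, pbmode without RFP, webgl.disabled with RFP, Safe Browsing turned off, and a SOCKS5 proxy without remote DNS or with WebRTC still on. The pref names are real Firefox prefs; the sample overrides file, the function names, and the %KEY% placeholder are constructed for illustration.

```javascript
// Added example, not part of the page, arkenfox or Firefox: a small linter for
// a user-overrides.js that flags the combinations this page warns about. The
// pref names are real Firefox prefs; the sample file at the bottom is constructed.

// Matches one active `user_pref("name", value);` line. Lines that start with //
// (the way arkenfox disables a pref) do not match, just as Firefox ignores them.
const PREF_RE = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;

// Parse a user.js/user-overrides.js into name -> value. A later line wins,
// which is exactly why user-overrides.js is appended after user.js.
// Limitation: one pref per line; prefs inside /* ... */ blocks are not excluded.
function parseUserJs(text) {
  const prefs = new Map();
  const duplicates = [];
  const errors = [];
  text.split("\n").forEach((line, i) => {
    const m = PREF_RE.exec(line);
    if (!m) return;
    const [, name, raw] = m;
    try {
      const value = JSON.parse(raw);          // "string", 123, true/false
      if (prefs.has(name)) duplicates.push(name);
      prefs.set(name, value);
    } catch {
      errors.push(`line ${i + 1}: cannot parse value ${raw}`);
    }
  });
  return { prefs, duplicates, errors };
}

// The checks, each one a footgun described on this page.
function lintPrefs(prefs) {
  const get = (n) => prefs.get(n);
  const findings = [];
  const rfp = get("privacy.resistFingerprinting") === true;

  if (rfp && prefs.has("general.useragent.override"))
    findings.push("general.useragent.override with RFP on: RFP spoofs the UA itself and the override needs RFP off; pick one");
  if (!rfp && get("privacy.resistFingerprinting.pbmode") === true)
    findings.push("pbmode without RFP: some RFP behaviour still applies to normal windows");
  if (rfp && get("webgl.disabled") === true)
    findings.push("webgl.disabled with RFP on: redundant, and a disabled WebGL makes you stand out");
  if (get("browser.safebrowsing.malware.enabled") === false ||
      get("browser.safebrowsing.phishing.enabled") === false)
    findings.push("Safe Browsing disabled: no malware-download or phishing warnings");
  if (get("network.proxy.type") === 1 && get("network.proxy.socks_version") === 5) {
    if (get("network.proxy.socks_remote_dns") !== true)
      findings.push("SOCKS5 proxy without network.proxy.socks_remote_dns: DNS lookups bypass the proxy");
    if (get("media.peerconnection.enabled") !== false)
      findings.push("WebRTC enabled behind a proxy: ICE candidates can expose your real IP");
  }
  return findings;
}

function lintUserJs(text) {
  const { prefs, duplicates, errors } = parseUserJs(text);
  return { findings: lintPrefs(prefs), duplicates, errors, count: prefs.size };
}

// Constructed sample with several of the problems above, plus one duplicate
// (the second media.peerconnection.enabled wins, so WebRTC is not flagged).
const SAMPLE_OVERRIDES = `
// constructed user-overrides.js, not a recommended configuration
user_pref("privacy.resistFingerprinting", true); // [FF41+]
user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ...");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9150);
user_pref("network.proxy.socks_version", 5);
user_pref("media.peerconnection.enabled", true);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("geo.provider.network.url", "https://example.invalid/geolocate?key=%KEY%");
// user_pref("webgl.disabled", true);   <- commented out, so inactive
user_pref("media.peerconnection.enabled", false);
`;

console.log(lintUserJs(SAMPLE_OVERRIDES));
```

Run it against your real file with `node lint.js` after replacing SAMPLE_OVERRIDES with `require("fs").readFileSync("user-overrides.js", "utf8")`; the duplicates list is worth a look on its own, since a pref set twice in one file is usually a leftover from an earlier experiment and only the last value counts.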
To apply your prefs, run the updater.sh script from your profile directory (it fetches the latest arkenfox user.js and appends your user-overrides.js):
~/.mozilla/firefox/v5kwl3c0.default-release> ./updater.sh
############################################################################
#### ####
#### arkenfox user.js ####
#### Hardening the Privacy and Security Settings of Firefox ####
#### Maintained by @Thorin-Oakenpants and @earthlng ####
#### Updater for macOS and Linux by @overdodactyl ####
#### ####
############################################################################
Documentation for this script is available here: https://github.com/arkenfox/user.js/wiki/5.1-Updater-[Options]#-maclinux
Please observe the following information:
Firefox profile: /home/jr/.mozilla/firefox/v5kwl3c0.default-release
Available online: * version: 140
Currently using: * version: 140
This script will update to the latest user.js file and append any custom configurations from user-overrides.js. Continue Y/N?
y
Status: user.js has been backed up and replaced with the latest version!
Status: Override file appended: user-overrides.js
SUCCESS: No no he's not dead, he's, he's restin'!
Check
Launch LibreWolf or Firefox and press Ctrl-Shift-J to open the Browser Console, and look for any errors.
Go to about:config and tick Show only modified preferences. You should see the prefs from user.js and user-overrides.js listed there. A misspelled pref name still shows up here (Firefox creates it as a new user pref) but does nothing, so compare any pref you added by hand against the spelling of its default in about:config.
User Agent Spoofing
❗️ NOTE: Spoofing your user agent alone likely isn't worth the protections you lose from disabling resistFingerprinting, which spoofs many different fingerprinting aspects. If you don't get it right, you will get CAPTCHA requests constantly.
Research what the most common user agent is. You'll need to disable privacy.resistFingerprinting for this to work.
Place the user agent string in general.useragent.override, something like:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Keep in mind that the override only changes the User-Agent header and navigator.userAgent; navigator.platform, navigator.oscpu and other APIs still report Linux and Firefox, and a script that compares them will notice the mismatch. Check what you are actually sending with:
https://www.whatsmyuseragent.com
https://www.useragentstring.com
uBlock Origin
BetterFox does a great job of explaining how to use uBlock Origin, with solid recommendations. If you wanted to apply the Privacy Essentials list you would click Subscribe, which launches the uBlock asset viewer where you can see all of the domains that will be blocked before clicking Subscribe again to apply them.
Adding other lists
Click the uBlock logo, Settings, Filter lists, scroll to the bottom and choose Import…, Paste the url of your chosen list, and click Apply changes.
For example, Arkenfox suggests adding the Actually Legitimate URL Shortener Tool. Add https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt to the Import… section and click Apply changes. If you scroll up, you’ll see that it was added and chosen.
Setup your Blocking mode
Many opt for medium mode. To do so you need to:
Settings pane:
- Open the dashboard and check I am an advanced user.
Filter lists pane, make sure the following are checked:
- All of uBO's filter lists
- EasyList
- Peter Lowe's Ad server list
- EasyPrivacy
- Online Malicious URL Blocklist
My rules pane (4th pane from the left), underneath Temporary rules, type these two lines in literally:
* * 3p-script block
* * 3p-frame block
Then click Save, and then <- Commit (not required on phone). The two rules block every third-party script and frame everywhere; the filter lists still apply on top of them, and the per-site NOOP below is how you relax the rules for a site that breaks.
Fallback to easy mode
Click the uBlock logo while on the site you want to use easy mode on. You’ll see the power button to the top right, the Global rules and the Local rules which start 3 boxes from the left. Click the box under the Local rules for 3rd-party scripts. The box will change colors, dark gray = NOOP (No Operation). This tells uBO to ignore the aggressive global block for this site, and let the normal filter lists handle the blocking.
You can also disable JavaScript in My rules as needed.
Set up a SOCKS5 Proxy with Arti
❗️ NOTE: This is one example of using a SOCKS5 proxy to circumvent censorship or add additional privacy without the Tor Browser. You can also route other apps through the proxy, such as email clients, messaging apps, torrent clients, and more.
- Clone the arti repo:
# clone the repo
git clone https://gitlab.torproject.org/tpo/core/arti.git
# navigate to the directory
cd arti
- To build the Arti binary, run the following. These are the safer build options so you can leave the arti repo in your home directory without it leaking your username (the flags strip the absolute source and cargo paths that would otherwise be embedded in the binary):
RUSTFLAGS="--remap-path-prefix $HOME/.cargo=.cargo --remap-path-prefix $(pwd)=." \
cargo build --release -p arti
- Arti's SOCKS listener binds to 127.0.0.1:9150 by default, so a firewall rule is only needed if your input chain drops loopback traffic (most rulesets already have iif "lo" accept near the top, in which case skip this step). If you do add one, limit it to the loopback interface rather than opening port 9150 on every interface. For nftables, open /etc/nftables.conf and add:
chain input {
    # ...snip...
    # Allow Arti SOCKS proxy (port 9150) on loopback only
    iif "lo" tcp dport 9150 ct state new accept
    # ...snip...
}
Load it with sudo nft -f /etc/nftables.conf and confirm the rule is present with sudo nft list ruleset.
- To run Arti as a SOCKS proxy on port 9150, execute:
./target/release/arti proxy
- Configure LibreWolf/Firefox to use the Arti proxy:
  - Open LibreWolf or Firefox and go to the menu -> Preferences/Settings.
  - Scroll to the bottom Network Settings section and click "Settings...".
  - In the connection settings dialog select "Manual proxy configuration".
  - For "SOCKS Host" enter 127.0.0.1 and for the port next to it enter 9150.
  - Select the SOCKS v5 option.
  - Check "Proxy DNS when using SOCKS v5" (the pref behind it is network.proxy.socks_remote_dns). Do not treat this as optional: without it Firefox resolves every host name with your system resolver before handing the connection to Arti, so the domains you visit leak to your local DNS server even though the traffic itself goes through Tor.
  - Click "OK" to apply the settings.
- Verify your proxy setup: open a new tab, visit https://dnsleaktest.com and run an Extended Test. Your IP address should now appear as a Tor exit node IP, indicating your traffic is routed through the Arti proxy, and the DNS servers listed should not be your ISP's. https://check.torproject.org will also tell you whether it sees you arriving over Tor.
- Make sure Arti is running in its terminal or in the background before you start browsing.
- If you close the terminal or stop Arti, your browser will lose the proxy connection.
- This setup only proxies the configured browser's traffic; other apps are not affected unless configured similarly.
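The SOCKS5 exchange behind the proxy settings above, as an added example (it is not from the page and is not code from Arti, Tor or Firefox): the three messages Firefox exchanges with a SOCKS5 proxy on 127.0.0.1:9150 are built and parsed as raw bytes per RFC 1928. It makes the "Proxy DNS when using SOCKS v5" setting concrete: with it on, the CONNECT carries the host name (ATYP 0x03) and the proxy, here Tor, resolves it; with it off, Firefox resolves the name locally and sends an IPv4 address (ATYP 0x01), so the lookup leaves your machine unproxied. The `firefoxConnect` function is a model of those two behaviours, not Firefox's code, and the stub resolver, the constructed replies and `probe()` are assumptions for illustration; only `probe()` opens a socket, and nothing calls it.

```javascript
// Added example, not from the page or from Arti: the SOCKS5 exchange (RFC 1928)
// Firefox has with a proxy such as Arti on 127.0.0.1:9150, built and parsed as
// raw bytes. It makes the "Proxy DNS when using SOCKS v5" setting concrete:
// with it on, the CONNECT carries the hostname (ATYP 0x03) and the proxy, here
// Tor, resolves it; with it off, Firefox resolves the name locally and sends
// an IPv4 address (ATYP 0x01), so the lookup leaves your machine unproxied.
// Only probe() touches the network, and nothing calls it by default.

const REPLY_CODES = ["succeeded", "general failure", "not allowed by ruleset",
  "network unreachable", "host unreachable", "connection refused",
  "TTL expired", "command not supported", "address type not supported"];

// Client greeting: version 5, one auth method offered, 0x00 = no authentication.
function greeting() {
  return Buffer.from([0x05, 0x01, 0x00]);
}

// Server method selection: must be [0x05, 0x00]; 0xFF means no acceptable method.
function parseMethodSelection(buf) {
  if (buf.length < 2 || buf[0] !== 0x05) throw new Error("not a SOCKS5 server");
  if (buf[1] !== 0x00) throw new Error(`proxy rejected no-auth (method 0x${buf[1].toString(16)})`);
  return true;
}

// CONNECT request. A dotted-quad target is sent as ATYP 1 (4 octets); anything
// else is sent as ATYP 3 (length-prefixed hostname) for the proxy to resolve.
function connectRequest(target, port) {
  if (target.length > 255 || port < 1 || port > 65535) throw new Error("bad target/port");
  const head = Buffer.from([0x05, 0x01, 0x00]); // VER, CMD=CONNECT, RSV
  const portBuf = Buffer.alloc(2);
  portBuf.writeUInt16BE(port, 0);
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(target);
  const addr = v4
    ? Buffer.from([0x01, ...v4.slice(1).map(Number)])
    : Buffer.concat([Buffer.from([0x03, target.length]), Buffer.from(target, "ascii")]);
  return Buffer.concat([head, addr, portBuf]);
}

// Model of the two Firefox settings (not Firefox code). `resolve` stands in
// for the system resolver; every call to it is a DNS query sent unproxied.
function firefoxConnect(host, port, remoteDns, resolve) {
  const leaked = [];
  let target = host;
  if (!remoteDns) {
    leaked.push(host);          // the leak: plaintext lookup outside the tunnel
    target = resolve(host);
  }
  return { request: connectRequest(target, port), leaked };
}

// Server reply: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT.
function parseReply(buf) {
  if (buf.length < 4 || buf[0] !== 0x05) throw new Error("bad SOCKS5 reply");
  const rep = buf[1];
  let host, off;
  if (buf[3] === 0x01) { host = Array.from(buf.subarray(4, 8)).join("."); off = 8; }
  else if (buf[3] === 0x03) { const n = buf[4]; host = buf.subarray(5, 5 + n).toString("ascii"); off = 5 + n; }
  else if (buf[3] === 0x04) { host = buf.subarray(4, 20).toString("hex"); off = 20; }
  else throw new Error(`unknown ATYP ${buf[3]}`);
  return { rep, status: REPLY_CODES[rep] ?? "unassigned", bound: { host, port: buf.readUInt16BE(off) } };
}

// Live check against a running Arti (call it yourself; it is not run here).
// Replies are tiny and arrive in one read in practice; a production client buffers.
function probe(host = "check.torproject.org", port = 443, proxyPort = 9150) {
  const net = require("net");
  return new Promise((resolve, reject) => {
    let stage = 0;
    const sock = net.connect(proxyPort, "127.0.0.1", () => sock.write(greeting()));
    sock.on("error", reject);
    sock.on("data", (buf) => {
      try {
        if (stage === 0) { parseMethodSelection(buf); sock.write(connectRequest(host, port)); stage = 1; }
        else { sock.end(); resolve(parseReply(buf)); }
      } catch (e) { sock.destroy(); reject(e); }
    });
  });
}
```

With Arti running, `probe().then(console.log)` should print a reply with status "succeeded"; a "connection refused" at the TCP level means Arti is not listening on 9150, and a rejected greeting means something other than a SOCKS5 server answered. The byte at index 3 of the CONNECT request is the whole story of the DNS setting: 0x03 means Tor resolved the name, 0x01 means your machine did.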
This setup turns LibreWolf or Firefox into a Tor-enabled browser without installing the Tor Browser Bundle, using the Arti SOCKS proxy instead. It can be useful if you want to use a more customizable or alternative browser while still accessing the Tor network securely.
⚠️ While using LibreWolf with the Arti SOCKS5 proxy provides network-level anonymity by routing traffic through the Tor network, it does not include the extensive browser-level privacy and security enhancements found in the official Tor Browser. For casual or moderate privacy needs the SOCKS proxy can be useful but for stronger anonymity guarantees and protection, the Tor Browser is recommended.
Setup an Arti service to run in the background
Be careful here; it's not as easy to tell if Arti failed for some reason, so check the journal after starting it.
Create a service file at /etc/systemd/system/arti.service, replacing your-username with your username (the service must run as that user so Arti can read the build and write its state under that home directory):
[Unit]
Description=Arti Tor Proxy Service
After=network.target
[Service]
ExecStart=/home/your-username/arti/target/release/arti proxy
WorkingDirectory=/home/your-username/arti
User=your-username
Group=your-username
Restart=on-failure
NoNewPrivileges=true
PrivateTmp=true
[Install]
WantedBy=multi-user.target
The RUSTFLAGS line from the build step does not belong in the unit: it only affects compilation, and systemd does not expand $HOME or $(pwd) in unit files anyway.
Enable & start the service:
sudo systemctl enable --now arti
Ensure it's running, and read its log if it isn't:
sudo systemctl status arti
journalctl -u arti -f
- ArkenFox user.js: just right IMO.
- BetterFox user.js: easiest to use, with less breakage.
- Narsil user.js: most hardened.
Whether you should trust the U.S. Government's recommendations is another story, but it can be good to compare and contrast them with other trusted resources. You'll have to think about whether CISA recommending that everyone use Signal is solid advice or guiding you towards a honeypot; I can't say for sure.
- Mozilla Firefox Security Technical Implementation Guide: the STIG for Mozilla Firefox is a set of security configuration standards developed by the U.S. Department of Defense. They are created by the Defense Information Systems Agency (DISA) to secure and harden DoD information systems and software.
- Firefox Relay can be used to create email aliases that forward to your real email address. The paid plan also lets you create phone number aliases that forward to your phone number.
Cheatsheets