Hardening Firefox on Arch

❗️ NOTE: Browser hardening recommendations have started to change from suggesting that you install a bunch of add-ons to choosing secure defaults and changing minimal settings to get the most out of it.

Fingerprinting Explained

Browser fingerprinting is a tracking technique, often done by third-party companies that specialize in it. They provide code (usually JavaScript) that a website owner can embed on their site. When you visit the site, the script runs in the background, silently collecting data about your device and browser.

The most concerning aspect of browser fingerprinting is that it operates silently and without user consent. It's not something you can easily see, and unlike cookies you can't opt out of it or delete it. Browser fingerprinting is stateless, meaning that it doesn't need to store any data on your computer. It can identify you while behind a VPN or in incognito mode as well.

There are two main approaches to obfuscating your fingerprint:

  • Standardization: Make browsers standardized and therefore have the same fingerprint to blend into a crowd. This is what Tor does.

  • Randomization: Randomize fingerprint metrics so they can't be tied directly to you. Brave has this feature.

Test your browser's fingerprint:

Don't put too much weight into the results as people often check their fingerprint, change one metric and check it again over and over skewing the results. It is helpful for knowing what the values actually are and seeing what the tracking companies see.

You can use something like NoScript to block JavaScript, preventing the scripts from running that do most of the fingerprinting. Extensions can make you more unique but it's a give and take.


Metasearch Engines

SearXNG

SearXNG is an open-source, privacy-respecting metasearch engine that aggregates results from various search services, such as Google, DuckDuckGo, etc., without tracking you or profiling your searches. You can add SearXNG to Firefox by going to about:preferences#search and clicking Add at the bottom; the URL will be https://searx.be/search?q=%s.

❗️ NOTE: The above searx is the default and doesn't give many relevant results. To get relevant results find a public instance with a good rating from your area and add the search?q=%s to the end of it. For example, I'm using https://priv.au/search?q=%s. This gives much better results than DDG in my opinion.

Searx is a bit different: you can choose which search engine to use for the current search. For example, !ddg search term uses DuckDuckGo.


Startpage is another metasearch engine that I've heard good things about.


Encrypted DNS

DNS (Domain Name System) resolution is the process of translating a website's domain name into its corresponding IP address. By default, this traffic isn't encrypted, which means anyone on the network, from your ISP to potential hackers, can see the websites you're trying to visit. Encrypted DNS uses protocols to scramble this information, protecting your queries and responses from being intercepted and viewed by others.

❗ NOTE: There are so many other ways for someone monitoring your traffic to see what domain you looked up that the effectiveness of encrypted DNS is questionable without also using Tor or a VPN. Encrypted DNS will not help you hide any of your browsing activity.

There are 3 main types of DNS protection:

  • DNS over HTTPS (DoH): Uses the HTTPS protocol to encrypt data between the client and the resolver.

  • DNS over TLS (DoT): Similar to DoH, but differs in the methods used for encryption and delivery, and uses a separate port from HTTPS.

  • DNSCrypt: Uses end-to-end encryption with the added benefit of being able to prevent DNS spoofing attacks.

Hot Take:

I recommend either setting up dnscrypt-proxy:

Or set Firefox's DNS over HTTPS to Max protection with a custom resolver:

In about:preferences#privacy scroll down to DNS over HTTPS, Select Max Protection -> Custom -> https://dns.quad9.net/dns-query
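What DoH changes on the wire, as an added example that is not part of the original page: it builds the same DNS query message that plaintext DNS would send and shows the two ways RFC 8484 carries it inside HTTPS, using the resolver URL above. It makes no network requests; the function names are this example's own.

```python
import base64
import struct

RESOLVER = "https://dns.quad9.net/dns-query"  # custom resolver URL from the page

def build_query(name, qtype=1):
    """RFC 1035 wire-format query. RFC 8484 suggests ID 0 so HTTP caches can reuse answers."""
    header = struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0)  # ID, flags (RD set), QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!2H", qtype, 1)  # QTYPE (1 = A), QCLASS IN

def read_question(message):
    """Decode the question of an uncompressed query: this is what the resolver
    reads, and what anyone on the path reads when the query is plaintext DNS."""
    pos, labels = 12, []
    while message[pos]:
        length = message[pos]
        labels.append(message[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, _qclass = struct.unpack("!2H", message[pos + 1:pos + 5])
    return ".".join(labels), qtype

def doh_get_url(name):
    """RFC 8484 GET form: the same bytes, base64url without padding, in ?dns=."""
    dns = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{RESOLVER}?dns={dns}"

def doh_post_request(name):
    """RFC 8484 POST form: the raw message is the body of an HTTPS request."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return RESOLVER, headers, build_query(name)

if __name__ == "__main__":
    print(read_question(build_query("www.example.com")))
    print(doh_get_url("www.example.com"))
```

With DoH the query name travels inside the TLS session to the resolver, so the network sees a connection to the resolver rather than the question itself; the resolver still reads the same message.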


Enhanced Tracking Protection (ETP)

  • Enhanced Tracking Protection (ETP) blocks known "third-party requests" to companies that participate in fingerprinting, according to the Disconnect List

    • In about:preferences#privacy, setting Enhanced Tracking Protection to either Strict or Custom also enables FPP, which is explained further down.

    • When you enable ETP strict mode, Total Cookie Protection is enabled by default. It confines cookies to the site where they were created, preventing companies from using them to track your browsing from site to site.

  • First-Party Isolation From the Tor Uplift Project.

Fingerprinting

  • Fingerprinting

  • RFP (Resist Fingerprinting) set in about:config with privacy.resistFingerprinting. Resist Fingerprinting alters the following:

    • The timezone is reported as UTC or Icelandic

    • Locale is reported as en-US

    • Several properties of the navigator object are fixed, including the hardware concurrency value, application version and build ID. The User Agent version is reported to be the major version (for example, 119.0 instead of 119.1)

      • And much more...
    • You can set privacy.resistFingerprinting.pbMode (private-browsing) without privacy.resistFingerprinting and still get certain Resist Fingerprinting behaviors on normal windows, because it's impossible to separate these behaviors per-window.

  • FPP (Fingerprinting Protection) is enabled in normal browsing when Enhanced Tracking Protection is set to Strict. Both Known Fingerprinters and Suspected Fingerprinters Protection are enabled in Private Browsing and when ETP is set to strict. On the Custom level of ETP you can toggle on/off different features.


WebRTC

The main reason people disable WebRTC is to prevent an IP address leak. WebRTC is designed for real-time communication like video calls and file sharing. If you don't use those features, it makes sense to disable it.

In about:preferences#privacy -> Privacy & Security -> Permissions. Click Settings.

  • Block new requests asking to access your microphone

  • Block new requests asking to access your camera

  • You may also want to block Location, but that doesn't involve WebRTC.

You can also use the master switch by going to about:config and setting media.peerconnection.enabled to false


Canvas Fingerprinting

Canvas Fingerprinting uses the HTML5 <canvas> element to generate a fingerprint. It gets your device to render an image or text on a canvas and then reads the pixel data. Since devices render things differently, those differences are identifiable.

When you set privacy.resistFingerprinting it modifies both Canvas and WebGL behavior to make their outputs non-unique.


WebGL

Similar to canvas fingerprinting, this technique uses the WebGL API to render 2D and 3D graphics. The way your system renders these graphics provides information about your GPU and graphics drivers, which contributes to your unique fingerprint.

❗️ NOTE: It's unnecessary to disable WebGL if you're already using RFP, and doing so will likely make you stand out more because most people don't disable it.

It can be disabled in about:config by setting webgl.disabled to true.


Install Firefox/LibreWolf & ArkenFox

Download Firefox from the Mozilla FTP site if you are worried about the download token. The FTP site lets you download the version you want without a token.

For example, for the latest Firefox as of 09-30-25 for the US:

https://download.mozilla.org/?product=firefox-latest&os=linux64&lang=en-US

LibreWolf is an open-source fork of Firefox with a strong focus on privacy, security, and user freedom. LibreWolf enables always-on HTTPS, includes uBlock Origin, and more, providing strong defaults.

Arkenfox How To

The process is the same for both Firefox & LibreWolf. I like LibreWolf for its strong defaults, but it may lag behind Firefox in getting security patches.

paru -S librewolf-bin

Read the ArkenFox Wiki

Apply

Open about:support and look for Profile Directory under Application Basics. Select Open Directory; it will bring you to somewhere like ~/.librewolf/pefoo8xx.default-default/, and that is where you place the user.js.

Place the following files in your Profile Directory:

  1. Arkenfox user.js. Read through the user.js; not all settings are applied by default, such as RFP fingerprinting protection.

  2. updater.sh

  3. prefsCleaner.sh

  4. Also create your own user-overrides.js with any changes you want to make to the default user.js. These changes are appended to the user.js and applied last, which lets them override the default settings. It's best to make changes here so that updating the Arkenfox user.js doesn't wipe out your customizations.

Example user-overrides.js spoofing the user agent:

❗️ This is just an example, always check for common useragent strings yourself. Read the Arkenfox Wiki!

// User agent override, left commented out (it needs RFP disabled to work)
// user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36");
// Disable Activity Stream on new windows and tab pages
user_pref("browser.newtab.preload", false);
// Enhanced Tracking Protection (ETP)
user_pref("privacy.bounceTrackingProtection.mode", 1); // [FF131+] [ETP FF133+]
user_pref("privacy.trackingprotection.enabled", true);
// Resist Fingerprinting (RFP)
user_pref("privacy.resistFingerprinting", true); // [FF41+]
user_pref("privacy.resistFingerprinting.pbmode", true); // [FF114+]
// WebRTC
user_pref("media.peerconnection.enabled", false);
user_pref("media.peerconnection.ice.default_address_only", true);
// WebGL (see the WebGL note above: unnecessary when RFP is enabled)
user_pref("webgl.disabled", true);
// Geolocation
user_pref("geo.enabled", false);
// The prefs parser is not a JavaScript parser, so keep each user_pref() free of a trailing comma
user_pref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");
// Full-screen API
user_pref("full-screen-api.enabled", false);
// Disable studies
user_pref("app.shield.optoutstudies.enabled", false);
// Master Switches, Be Careful
// Safe Browsing: these turn off the malware and phishing checks
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.phishing.enabled", false);
user_pref("browser.safebrowsing.provider.google4.gethashURL", "");
user_pref("browser.safebrowsing.provider.google4.updateURL", "");
user_pref("browser.safebrowsing.provider.google.gethashURL", "");
user_pref("browser.safebrowsing.provider.google.updateURL", "");
user_pref("browser.safebrowsing.provider.google4.dataSharingURL", "");
// Don't offer to save passwords
user_pref("signon.rememberSignons", false);
// Show the advanced details on certificate error pages
user_pref("browser.xul.error_pages.expert_bad_cert", true);
// [NOTE] Will cause breakage: older modems/routers and some sites e.g. banks, vimeo, icloud, instagram
user_pref("network.http.referer.XOriginPolicy", 2);
user_pref("network.http.sendRefererHeader", 1);
// Trimming: 0 = full URI, 1 = scheme+host+port+path, 2 = scheme+host+port (strictest)
user_pref("network.http.referer.trimmingPolicy", 0);
user_pref("network.http.referer.XOriginTrimmingPolicy", 2);

To apply your prefs you have to run the updater.sh script.

~/.mozilla/firefox/v5kwl3c0.default-release> ./updater.sh

                ############################################################################
                ####                                                                    ####
                ####                          arkenfox user.js                          ####
                ####       Hardening the Privacy and Security Settings of Firefox       ####
                ####           Maintained by @Thorin-Oakenpants and @earthlng           ####
                ####            Updater for macOS and Linux by @overdodactyl            ####
                ####                                                                    ####
                ############################################################################


Documentation for this script is available here: https://github.com/arkenfox/user.js/wiki/5.1-Updater-[Options]#-maclinux

Please observe the following information:
    Firefox profile:  /home/jr/.mozilla/firefox/v5kwl3c0.default-release
    Available online: * version: 140
    Currently using:  * version: 140


This script will update to the latest user.js file and append any custom configurations from user-overrides.js. Continue Y/N?
y

Status: user.js has been backed up and replaced with the latest version!
Status: Override file appended: user-overrides.js

Check

Launch LibreWolf or Firefox and press Ctrl-Shift-J to launch Browser Console Mode, and look for any errors.

Go to about:config -> [x] Show only modified preferences. You should see SUCCESS: No no he's not dead, he's, he's restin'!

User Agent Spoofing

❗️ NOTE: Spoofing your useragent alone likely isn't worth the protections you lose from disabling resistFingerprinting. resistFingerprinting spoofs many different fingerprinting aspects. If you don't get it right, you will get captcha requests constantly.

Research what the most common user agent is. You'll need to disable privacy.resistFingerprinting for this to work.

Place the user agent string in general.useragent.override, something like: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36

https://www.whatsmyuseragent.com

https://www.useragentstring.com
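An offline check of the effective preferences, as an added example that is not part of the original page or of the arkenfox project: it applies the append-and-override order described in the Apply steps and flags the combinations this page warns about (a user agent override or disabled WebGL alongside RFP, and the Safe Browsing master switches). The two sample files are constructed stand-ins, the function names are this example's own, and the parser assumes double-quoted strings.

```python
import re

# One user_pref("name", value); statement; value is a string, boolean or integer.
PREF_RE = re.compile(
    r'user_pref\(\s*"([^"]+)"\s*,\s*("(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;')
# String literals are matched first so "https://..." is not mistaken for a comment.
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|/\*.*?\*/|//[^\n]*', re.S)

def effective_prefs(*sources):
    """Parse sources in order; a later user_pref() for the same name wins."""
    prefs = {}
    for text in sources:
        code = TOKEN_RE.sub(lambda m: m[0] if m[0][0] == '"' else "", text)
        for name, raw in PREF_RE.findall(code):
            prefs[name] = (raw[1:-1] if raw[0] == '"' else
                           raw == "true" if raw in ("true", "false") else int(raw))
    return prefs

def audit(prefs):
    """Return (pref, note) pairs for combinations this page warns about."""
    rfp = prefs.get("privacy.resistFingerprinting") is True
    findings = []
    if rfp and prefs.get("general.useragent.override"):
        findings.append(("general.useragent.override", "needs RFP disabled to work"))
    if rfp and prefs.get("webgl.disabled") is True:
        findings.append(("webgl.disabled", "unnecessary with RFP, makes you stand out"))
    for name in ("browser.safebrowsing.malware.enabled",
                 "browser.safebrowsing.phishing.enabled"):
        if prefs.get(name) is False:
            findings.append((name, "Safe Browsing master switch is off"))
    return findings

# Constructed stand-in for the downloaded user.js (not arkenfox's real content).
USER_JS = '''
/* RFP is left inactive here, so the overrides decide */
// user_pref("privacy.resistFingerprinting", true);
user_pref("webgl.disabled", false);
'''
# Constructed user-overrides.js, appended last by updater.sh.
OVERRIDES = '''
// user_pref("general.useragent.override", "ExampleUA/1.0");
user_pref("privacy.resistFingerprinting", true);
user_pref("webgl.disabled", true);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("geo.provider.network.url", "https://example.invalid/geo?key=x");
'''

if __name__ == "__main__":
    for name, note in audit(effective_prefs(USER_JS, OVERRIDES)):
        print(f"{name}: {note}")
```

To check a real profile, pass the contents of the user.js that updater.sh produced, since it already has user-overrides.js appended.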


Resources

Whether you should trust the U.S. Government's recommendations is another story, but it can be good to compare and contrast them with other trusted resources. You'll have to think about whether the CISA recommending that everyone use Signal is solid advice or guiding you towards a honeypot; I can't say for sure.