Mozilla Firefox Settings for the Paranoid and Mullvad Browser Test

Man

Mozilla Firefox is a real long-liver. The browser, developed by a nominally independent non-profit (most of whose revenue comes from Google, through the default-search deal), remains the last hope for privacy. At least, that's what its developers tell us. In fact, it is stuffed with all sorts of user-tracking mechanisms, BUT: they can be turned off. And I will tell you how to do it.

This article is a hybrid of two topics. On the one hand, it is a full-fledged guide to pulling Firefox over to the side of anonymity by changing its settings. On the other hand, it is an analysis of which of these settings are already set correctly "out of the box" in a new browser that claims anonymity and privacy without any tweaking.

Mullvad Browser is a new product from the developers of Mullvad VPN and the Tor Project team. What a crossover, huh? That's what I thought, and decided to test the browser. Today I will publish (or have already published) a video review of the new contender for the role of "private and secure browser" on my channel. Here I will go over the settings recommended for Firefox for optimal protection against fingerprinting and check which of them are already set as needed in Mullvad Browser.

As the "standard" for the settings I will use the guide https://brainfucksec.github.io/firefox-hardening-guide#firefox-preferences, and for readers who do not speak the language or do not understand some of the settings, I will comment on individual points. Yes, this will be a damn long read.

Search

The first thing the guide recommends is to start using a search engine that does not collect huge amounts of data about the user. DuckDuckGo is recommended.

It is the default in MullvadBrowser.

In any Firefox-based browser this is switched like so:
  • enter about:preferences#search in the address bar
  • choose DuckDuckGo as the default search engine

Fine tuning - about:config

The settings you can see and change by choosing Settings in the browser menu or entering about:preferences in the address bar are just the tip of the iceberg. The real fine-tuning is done in a special interface that opens when you enter about:config in the address bar.

The options here are not buttons and switches but option = value pairs, and when you open this section the browser warns you that serious people work here; if you are not sure of your own seriousness, put your hands in your pockets and go watch cartoons instead. Simply put, you are shown a warning that a crooked setting can break the browser.

So that you do not get confused, what follows is the setting and the value it should have. If a setting is marked 🟢, then in Mullvad Browser it already matches the recommended value and nothing needs to be changed. If it is marked 🔴, you need to change it yourself.
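To do this comparison without clicking through about:config by hand, here is a small Node.js script I am adding as an example (it is not from the original post or from brainfucksec's guide). It parses a profile's prefs.js or user.js, compares each pref against a table of expected values (a subset of the ones in this post) and prints 🟢/🔴, plus ⚪ for prefs the file does not mention (those are at the built-in default, which prefs.js does not record). The file contents below are a constructed sample; point it at <profile>/prefs.js to audit a real browser.

```javascript
// Added example: audit a Firefox prefs.js / user.js against expected values.
// EXPECTED is a subset of the settings discussed in this post; SAMPLE_PREFS is a
// constructed stand-in for a real <profile>/prefs.js file.

const EXPECTED = {
  "browser.aboutConfig.showWarning": false,
  "browser.startup.page": 1,
  "browser.newtab.preload": false,
  "toolkit.telemetry.enabled": false,
  "toolkit.telemetry.server": "data:,",
  "network.http.referer.XOriginPolicy": 2,
  "media.peerconnection.enabled": false,
  "webgl.disabled": true,
  "intl.accept_languages": "en-US, en",
};

const SAMPLE_PREFS = `// Mozilla User Preferences
// Constructed sample, not a real profile.
user_pref("browser.aboutConfig.showWarning", true);
user_pref("browser.startup.page", 1);
user_pref("toolkit.telemetry.enabled", false);
user_pref("toolkit.telemetry.server", "data:,");
user_pref("network.http.referer.XOriginPolicy", 0);
user_pref("intl.accept_languages", "en-US, en");
user_pref("webgl.disabled", true);
`;

// Matches user_pref("name", value); and pref("name", value); lines. Values are
// JSON-compatible literals (string, integer, true/false), so JSON.parse decodes them.
const PREF_LINE = /^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$/;

function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_LINE.exec(line);
    if (!m) continue;                 // comments, blank lines, lockPref/sticky_pref
    try {
      prefs.set(m[1], JSON.parse(m[2]));
    } catch {
      prefs.set(m[1], m[2]);          // odd literal: keep raw text so it still compares
    }
  }
  return prefs;
}

// A pref absent from the file is at its built-in default, which prefs.js does not
// record, so it is reported as "unset" rather than guessed.
function audit(prefsText, expected = EXPECTED) {
  const actual = parsePrefs(prefsText);
  return Object.entries(expected).map(([name, want]) => {
    if (!actual.has(name)) return { name, want, have: undefined, status: "unset" };
    const have = actual.get(name);
    return { name, want, have, status: have === want ? "ok" : "mismatch" };
  });
}

function summarize(report) {
  const counts = { ok: 0, mismatch: 0, unset: 0 };
  for (const r of report) counts[r.status]++;
  return counts;
}

function formatReport(report) {
  const mark = { ok: "🟢", mismatch: "🔴", unset: "⚪" };
  return report.map(r => {
    const line = `${mark[r.status]} ${r.name} = ${JSON.stringify(r.want)}`;
    if (r.status === "ok") return line;
    const have = r.status === "unset" ? "not in file (default)" : JSON.stringify(r.have);
    return `${line}   (profile has: ${have})`;
  }).join("\n");
}

const report = audit(SAMPLE_PREFS);
console.log(formatReport(report));
const c = summarize(report);
console.log(`\nResult: ${c.ok} of ${report.length} (${c.mismatch} wrong, ${c.unset} unset)`);
```

Replace SAMPLE_PREFS with the contents of your own prefs.js (and extend EXPECTED with the rest of the list below) to get the same 🟢/🔴 tally for your own profile.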

Launch Settings

Customize the home page and startup behavior

🔴 browser.aboutConfig.showWarning = false
This setting will only remove the warning that you need to be vigilant when entering the config. It does not affect privacy and anonymity.

🟢 browser.startup.page = 1
This setting determines what opens when the browser starts: 0 is a blank page, 1 is the home page, 3 restores the previous session (which keeps your tabs on disk between runs). With 1 you get the home page defined below.

🟢 browser.startup.homepage = "about:home"
Value in Mullvad: about:mullvad-browser
Defines the home page, i.e. the one the browser opens by default or when you click "Home". Mullvad sets its own page here, but about:mullvad-browser and about:home behave exactly the same way.

Results: 2 of 3

Disabling Activity Stream

Activity Stream is the New Tab page that shows recently and frequently visited pages, plus whatever Mozilla wants to show you there. The settings below disable everything related to this tracking-friendly browser feature.

🟢 browser.newtabpage.enabled = false
If true, the browser shows you history and frequently visited pages (the Activity Stream page) when you open a new tab; false gives a blank tab.

🔴 browser.newtab.preload = false
If true, the browser renders the New Tab page in the background in advance, before you have opened a tab or typed anything, so any network requests that page makes happen without you asking. Setting it to false also saves a little RAM.

🟢 browser.newtabpage.activity-stream.feeds.telemetry = false
If this parameter is set to true, the browser will send information to developers about how you use the function of displaying history and frequently visited pages.

🟢 browser.newtabpage.activity-stream.telemetry = false
If this parameter is set to true, the browser will send information to developers about how you use the function of displaying history and frequently visited pages.

🔴 browser.newtabpage.activity-stream.feeds.snippets = false
If true, the New Tab page downloads and displays "snippets": short messages from Mozilla (announcements, promotions). That is, the browser sends requests to a server we did not ask it to talk to.

🟢 browser.newtabpage.activity-stream.feeds.section.topstories = false
When true, this shows "Recommended by Pocket" stories, i.e. content from Firefox's partners (including advertisers), on the New Tab page. These are additional requests we did not want, additional load on the system, and interaction with trackers on sites we did not intend to visit.

🔴 browser.newtabpage.activity-stream.section.highlights.includePocket = false
If true, the New Tab "Highlights" section also shows items from Pocket, Mozilla's cloud service for saving web finds (which you can use, but are not advised to).

🔴 browser.newtabpage.activity-stream.feeds.discoverystreamfeed = false
This setting has to be created. If true, it allows the browser to recommend content to you based on your interests (i.e. by tracking your surfing). We don't want that.

🟢 browser.newtabpage.activity-stream.showSponsored = false
If true, the browser will show you "sponsored content," which is advertising. What do we say to the god of online advertising?

🟢 browser.newtabpage.activity-stream.showSponsoredTopSites = false
The browser will show sponsored sites in recommendations if the value is true.

🟢 browser.newtabpage.activity-stream.default.sites = ""
Another attempt to show you "top sites", this time by their overall popularity. It would show Google, YouTube and the like. The parameter has been removed from Mullvad Browser.

Results: 9 out of 14 items are configured as needed

Geolocation

Our favorite section: how the browser can track our location, and of course what we tell it about that.

🟢 geo.provider.network.url = "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"
This setting determines which service the browser uses if we grant a site permission to determine our geolocation (by default Mozilla Location Service, which is fed nearby Wi-Fi networks and your IP). The setting has been removed from Mullvad Browser.

Below are the parameters that prevent the browser from using the geolocation services built into the OS. The parameters are different for different OS.
🟢 geo.provider.ms-windows-location = false (Windows)
🟢 geo.provider.use_corelocation = false (macOS)
🟢 geo.provider.use_gpsd = false (Linux)
🟢 geo.provider.use_geoclue = false (Linux)

The two parameters below control the browser's region detection (used to pick region-specific defaults such as search engines).

🟢 browser.region.network.url = ""
Defines the URL of the region-detection service. The parameter has been removed from Mullvad Browser.

🟢 browser.region.update.enabled = false
Determines whether region detection is enabled at all (true = enabled).

Mullvad Browser gets 7 out of 7 for geolocation settings.

Language and Locale

🟢 intl.accept_languages = "en-US, en"
We declare that by default we want to see sites in English. English is a "universal language" available in every operating system, while a preference for, say, Russian content makes it clear that you are most likely a native speaker, and thus "burns" your nationality. Accept-Language is sent with every request, so an unusual combination of languages is also a fingerprinting vector.

🔴 javascript.use_us_english_locale = true
The parameter has to be created as a Boolean and set to true. It determines which locale JavaScript uses to format numbers and dates. With true the browser uses US English conventions (a period as the decimal separator, a comma for thousands, month/day/year dates) regardless of the OS. If it is absent or false, your OS locale is used, and any script can read it, for example via Intl.DateTimeFormat().resolvedOptions().locale or simply by formatting a number.

Mullvad Browser Result: 1 of 2

Automatic updates and recommendations

Here we are stepping onto thin ice. If this is your "combat" browser for OSINT and similar pranks, the guide recommends disabling automatic updates and installing them strictly by hand, after first studying what the developers have come up with. The idea is to avoid ending up with a new wonderful parameter in an updated browser that lets neural networks, Masons or reptilians watch your online adventures, which you never disabled simply because nobody could have predicted it. The price is that you stay on a build with publicly documented, already-patched vulnerabilities until you update, so if you go this route, check the release notes regularly and update promptly.

Also, installing an update can knock out some add-ons; in general, with automatic updates you lose control over the browser. If you have decided to turn your grandfather's "Volga" into a personal Batmobile, do not ask the manufacturer for warranty service. You are responsible for it now.

🔴 app.update.background.scheduling.enabled = false
The parameter has to be created. It controls the background update task that downloads updates even while the browser is closed (Windows only).

🔴 app.update.auto = false
Enables (true) or disables (false) automatic installation of updates.

The parameters below control the add-on recommendations (the "Recommendations" pane in about:addons and the contextual ones), which use the history of visited sites and the list of extensions already installed to advise which extensions to install; the discovery pane has historically embedded Google Analytics.

🟢 extensions.getAddons.showPane = false
🟢 extensions.htmlaboutaddons.recommendations.enabled = false
🟢 browser.discovery.enabled = false

Result: 3 out of 5

Telemetry

Well, this is outright surveillance: telemetry is all sorts of indicators of how you use the browser. The telemetry service regularly generates a report and sends it to the developers unless we turn it off.

🟢 datareporting.policy.dataSubmissionEnabled = false
🟢 datareporting.healthreport.uploadEnabled = false
🟢 toolkit.telemetry.enabled = false
🟢 toolkit.telemetry.unified = false
🟢 toolkit.telemetry.server = "data:,"
🟢 toolkit.telemetry.archive.enabled = false
🔴 toolkit.telemetry.newProfilePing.enabled = false
Well, it all started so well. But the Mullvad Browser developers did not touch the most basic telemetry pings. This one sends a "ping" when a new browser profile is created. (With toolkit.telemetry.enabled and unified set to false above, nothing should actually be uploaded, so these are belt-and-braces settings.)

🔴 toolkit.telemetry.shutdownPingSender.enabled = false
When enabled, this lets the browser send the developers' servers information about the browser shutting down: the reason (closed by the user or crashed) plus the date and time of the event.

🟢 toolkit.telemetry.updatePing.enabled = false
🟢 toolkit.telemetry.bhrPing.enabled = false
🔴 toolkit.telemetry.firstShutdownPing.enabled = false
The same shutdown ping, but sent only once, on the very first shutdown. Apparently, according to the developers, once is not ....

🟢 toolkit.telemetry.coverage.opt-out = true
🟢 toolkit.coverage.opt-out = true
🔴 toolkit.coverage.endpoint.base = ""
The parameter has to be created and left empty. It holds the URL to which the browser sends "coverage" reports (a measurement of how many users have telemetry switched off).

🟢 browser.ping-centre.telemetry = false
🟢 beacon.enabled = false
Disables navigator.sendBeacon(), the API sites use to fire off analytics requests as you leave a page.

Telemetry Result: 10 out of 16

Studies

This is also a kind of surveillance, just a different one. Telemetry is data (supposedly) collected to assess the browser's performance and catch errors; studies are experiments that study user behavior by changing the browser's behavior for a sample of users.

🟢 app.shield.optoutstudies.enabled = false
If true, the browser may enroll you in Shield studies (experiments) unless you specifically opt out.

🟢 app.normandy.enabled = false
🟢 app.normandy.api_url = ""
Normandy is like constitutional amendments: a pretty wrapper outside, a surprise inside. The service looks useful: it lets the developers push preference changes and system add-ons remotely without a full browser update (Mozilla used it for the 2019 add-on signing hotfix). But the same channel is used to roll out those very studies of your behavior.

Result: 3 of 3

Crash Reports

Crash reports are another way information about our device can leak to the developers' servers; only the reason for sending it is different.

🔴 breakpad.reportURL = ""
🟢 browser.tabs.crashReporting.sendReport = false

Overall it is good that reporting is disabled, but the URL has not been removed. 1 of 2

Captive portal detection - Wi-Fi login page

When you connect to a Wi-Fi network for the first time, the browser by default checks whether there is a captive portal (a login page where you have to authorize via SMS or otherwise). It does this by fetching http://detectportal.firefox.com/success.txt over plain HTTP: if the expected content comes back, there is Internet and no login page needs to be shown. But this means that every time you connect to a network, the browser makes an HTTP request to the developer's server without asking you.

🔴 captivedetect.canonicalURL = ""
🟢 network.captive-portal-service.enabled = false
As you can see, this functionality is disabled in Mullvad Browser, but it is better to eliminate it altogether by also blanking the URL such requests would go to.

Overall it's good that the service is disabled, but the URL is not removed. 1 of 2

Network connectivity checks

If the following setting is enabled (true), the browser runs its own connectivity checker: it periodically tests IPv4 and IPv6 reachability with DNS lookups and HTTP requests to a Mozilla endpoint (network.connectivity-service.IPv4.url and .IPv6.url), on top of the captive portal check above.

🟢 network.connectivity-service.enabled = false

Safe Browsing

Safe Browsing uses Google Safe Browsing, a set of services from you-know-who. Its job is to protect the user from malware and phishing sites: if a site is flagged as distributing malware or as phishing, the browser refuses to load it. For the average user this is real protection. For us it is another layer of surveillance and censorship, so we disable it. Two caveats: Firefox's implementation downloads hash-prefix lists and checks URLs locally, sending only 4-byte hash prefixes to Google when there is a local match, so the leak is smaller than the name suggests; and disabling it also disables the malicious-download checks below. Do this knowing the risks, preferably in a hardened OS.

🟢 browser.safebrowsing.malware.enabled = false
🟢 browser.safebrowsing.phishing.enabled = false
🟢 browser.safebrowsing.blockedURIs.enabled = false
🟢 browser.safebrowsing.provider.google4.gethashURL = ""
🟢 browser.safebrowsing.provider.google4.updateURL = ""
🟢 browser.safebrowsing.provider.google.gethashURL = ""
🟢 browser.safebrowsing.provider.google.updateURL = ""
🔴 browser.safebrowsing.provider.google4.dataSharingURL = ""
🟢 browser.safebrowsing.downloads.enabled = false
🟢 browser.safebrowsing.downloads.remote.enabled = false
🟢 browser.safebrowsing.downloads.remote.url = ""
🔴 browser.safebrowsing.downloads.remote.block_potentially_unwanted = false
🔴 browser.safebrowsing.downloads.remote.block_uncommon = false
🔴 browser.safebrowsing.allowOverride = false

Result: 10 out of 14

Network, DNS, Proxy and IPv6

Brace yourself, this section is where the real dirt is: a breeding ground for browser components that analyze your behavior and generate a pile of stray network requests.

🟢 network.prefetch-next = false
If true, the browser pre-fetches pages that the current page marks as likely next (via <link rel="prefetch">). This is done for speed, so that the next page feels instant, but it means requests to whatever the site author chose, whether or not you ever click.

🟢 network.dns.disablePrefetch = true
If false, in addition to prefetching pages, the browser also resolves in advance the DNS names of the domains the page links to, so your resolver learns about links you never clicked.

🟢 network.predictor.enabled = false
Controls the network "predictor". It records which hosts and resources each page loaded and, on later visits, pre-resolves and pre-connects to them before the page asks, based on your browsing history. Speed for some; an extra log of your habits and extra connections for us.

🟢 network.http.speculative-parallel-limit = 0
Limits how many speculative connections the browser may open in parallel (for example when you hover over a link or a search result). 0 disables them.

🟢 browser.places.speculativeConnect.enabled = false
If true, the browser pre-connects to sites from your bookmarks and history when you hover over them in menus (not what you thought).

🔴 network.dns.disableIPv6 = true
IPv6 deployment is still patchy, but it can create serious anonymity problems. Its address space is so large that there is no need for NAT, which on IPv4 conveniently hides your device behind the provider's public address. Moreover, many VPN setups tunnel only IPv4 unless explicitly configured for IPv6, so IPv6 traffic can bypass the tunnel and leak your real address, which points straight at your device. So if you add "v6" to the threat "I'll find you by your IP", it sounds much more realistic. To avoid this, forbid the browser from resolving IPv6 addresses at all. Note that this is a browser-level mitigation only: other applications still use IPv6, so the proper fix is a VPN client or firewall that tunnels or blocks IPv6 at the OS level.

🟢 network.gio.supported-protocols = ""
Relevant for Linux: GIO (GNOME Input/Output) lets the browser open URLs with the protocols listed here (smb://, sftp:// and so on) through the desktop's virtual filesystem. An empty list forbids all of them.

🟢 network.file.disable_unc_paths = true
When false, the browser may open UNC (Universal Naming Convention) paths like \\servername\sharename\path\to\file, i.e. files on network shares. The problem is that on Windows a UNC path pointing at an attacker's SMB server makes the OS try to authenticate automatically, leaking your NTLM credentials (hash), so unless you know you need it, keep it disabled.

🔴 permissions.manager.defaultsUrl = ""
This setting points to a file of default site permissions shipped with the browser, which grants certain Mozilla domains things like add-on installation or UI tours out of the box. (Permissions you grant yourself are stored separately, in permissions.sqlite in the profile.) Since we are configuring the browser for maximum protection against surveillance and deanonymization, we do not plan to grant anyone anything by default, so we blank it.

🔴 network.IDN_show_punycode = true
When enabled, the browser displays non-Latin (internationalized) domain names in punycode. These can be domains in the .рф zone or any other zone that uses non-Latin characters. With it on, résumé.com is shown as xn--rsum-bpad.com. Why? To reduce the risk of homograph phishing: a domain made of Cyrillic letters that look like Latin ones renders exactly like the real thing in the address bar, and these tricky Unicode characters cause plenty of security problems in general.

Result: 7 out of 10, but I will note that the most nasty surveillance components are disabled by default.
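To see what the punycode setting above protects against, here is a Node.js example I am adding (not from the original post or the guide): a from-scratch punycode decoder per RFC 3492 for labels starting with xn--, the reverse conversion via the built-in URL parser, and a simplified version of the script-mixing check browsers use to decide whether a name looks suspicious. The domains it runs on are constructed examples; the mixed-script check covers only Latin, Cyrillic and Greek, unlike Firefox's full algorithm.

```javascript
// Added example: decode punycode (RFC 3492) and flag mixed-script host labels.

const BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700;
const INITIAL_BIAS = 72, INITIAL_N = 128;

// Bias adaptation, RFC 3492 section 6.1.
function adapt(delta, numPoints, firstTime) {
  delta = firstTime ? Math.floor(delta / DAMP) : delta >> 1;
  delta += Math.floor(delta / numPoints);
  let k = 0;
  while (delta > ((BASE - TMIN) * TMAX) >> 1) {
    delta = Math.floor(delta / (BASE - TMIN));
    k += BASE;
  }
  return k + Math.floor(((BASE - TMIN + 1) * delta) / (delta + SKEW));
}

// a-z -> 0..25, 0-9 -> 26..35 (case-insensitive).
function digitValue(code) {
  if (code >= 48 && code <= 57) return code - 22;
  if (code >= 65 && code <= 90) return code - 65;
  if (code >= 97 && code <= 122) return code - 97;
  throw new Error(`invalid punycode digit: ${String.fromCharCode(code)}`);
}

// Decode one label *without* the "xn--" prefix, e.g. "rsum-bpad" -> "résumé".
function decodePunycode(input) {
  const delim = input.lastIndexOf("-");
  const output = delim >= 0 ? [...input.slice(0, delim)].map(ch => ch.codePointAt(0)) : [];
  let n = INITIAL_N, i = 0, bias = INITIAL_BIAS;
  let pos = delim >= 0 ? delim + 1 : 0;
  while (pos < input.length) {
    const oldi = i;
    let w = 1;
    for (let k = BASE; ; k += BASE) {
      if (pos >= input.length) throw new Error("truncated punycode");
      const d = digitValue(input.charCodeAt(pos++));
      i += d * w;
      const t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
      if (d < t) break;
      w *= BASE - t;
    }
    bias = adapt(i - oldi, output.length + 1, oldi === 0);
    n += Math.floor(i / (output.length + 1));
    i %= output.length + 1;
    output.splice(i++, 0, n);   // insert code point n at position i
  }
  return String.fromCodePoint(...output);
}

// "xn--rsum-bpad.com" -> "résumé.com": decode only the labels carrying the prefix.
function hostToUnicode(host) {
  return host.split(".")
    .map(l => l.toLowerCase().startsWith("xn--") ? decodePunycode(l.slice(4)) : l)
    .join(".");
}

// "résumé.com" -> "xn--rsum-bpad.com" via the WHATWG URL parser's IDNA handling.
function hostToAscii(host) {
  return new URL(`https://${host}/`).hostname;
}

// Simplified homograph heuristic: one label mixing letters from different scripts
// is how a Cyrillic "а" inside "pаypal" impersonates the Latin name.
const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};
function scriptsIn(label) {
  return Object.keys(SCRIPTS).filter(name => SCRIPTS[name].test(label));
}
function isMixedScript(label) {
  return scriptsIn(label).length > 1;
}

// What the address bar shows with IDN_show_punycode = true (ascii) vs false (unicode).
function describe(host) {
  const ascii = hostToAscii(host);
  const unicode = hostToUnicode(ascii);
  const suspicious = unicode.split(".").some(isMixedScript);
  return { ascii, unicode, suspicious };
}

// Constructed examples; the third has a Cyrillic а (U+0430) in place of the Latin a.
const CONSTRUCTED = ["résumé.com", "xn--rsum-bpad.com", "p\u0430ypal.com"];
for (const h of CONSTRUCTED) console.log(h, "=>", describe(h));
```

The `ascii` field is what you see with the setting on; `unicode` is what a victim sees with it off, and for the third name the two are indistinguishable from the real site at a glance, which is exactly why `suspicious` matters.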

Search settings

Because the address bar is integrated with search, the browser tries to guess what we want as soon as we start typing. The characters we type are sent over the network before we press Enter, in order to show search suggestions, which is a threat to anonymity and privacy.

🟢 browser.search.suggest.enabled = false
Disable search suggestions in search

🟢 browser.urlbar.suggest.searches = false
Disable search suggestions in the address bar

🟢 browser.fixup.alternate.enabled = false
Disable the browser's attempts to "fix" a domain that does not resolve by guessing (adding www. and .com), which generates requests to domains we never typed.

🔴 browser.urlbar.trimURLs = false
Disable URL "trimming", so the address bar shows the full URL including the http:// scheme; with trimming on, a plain-HTTP page is harder to tell from an HTTPS one at a glance.

🟢 browser.urlbar.speculativeConnect.enabled = false
Disable pre-connecting to the typed address. If enabled, the browser resolves DNS and opens a TCP/TLS connection to the top autocomplete result before you press Enter, so half-typed addresses already generate traffic.

Next, we disable autofill for all forms:

🟢 browser.formfill.enable = false
🔴 extensions.formautofill.addresses.enabled = false
🔴 extensions.formautofill.available = "off"
🔴 extensions.formautofill.creditCards.available = false
🔴 extensions.formautofill.creditCards.enabled = false
🔴 extensions.formautofill.heuristics.enabled = false

The four settings below disable Firefox Suggest, the contextual hints in the address bar: another attempt to analyze your input to predict what you might want, with some suggestions fetched from a remote server and some of them sponsored.

🔴 browser.urlbar.quicksuggest.scenario = "history"
🟢 browser.urlbar.quicksuggest.enabled = false
🟢 browser.urlbar.suggest.quicksuggest.nonsponsored = false
🟢 browser.urlbar.suggest.quicksuggest.sponsored = false

Result: 8 out of 15

Passwords


🟢 signon.rememberSignons = false
We prohibit saving of entered passwords

🟢 signon.autofillForms = false
We prohibit autofilling of logins and passwords

🔴 signon.formlessCapture.enabled = false
Stop the password manager from capturing credentials typed into fields that are not inside a <form> element (many login pages submit via JavaScript instead).

🟢 network.auth.subresource-http-auth-allow = 1
With the value 1, HTTP authentication dialogs (Basic/Digest) are allowed only for same-origin sub-resources: if foo.com embeds an image from bar.com that demands a login, no prompt appears. Such cross-origin prompts are a classic credential-phishing trick (0 blocks them for all sub-resources, 2 allows them everywhere).

Result: 3 of 4

Cache and Memory

🟢 browser.cache.disk.enable = false
Forbid the browser from writing its cache to disk (it caches in memory only), so visited pages leave no trace on the drive.

🟢 browser.sessionstore.privacy_level = 2
Forbid storing extra session data (form contents, scroll position, POST data) for any site. 0 stores it for all sites, 1 only for non-HTTPS sites.

🟢 browser.sessionstore.resume_from_crash = false
We prohibit restoring sessions interrupted by a browser crash

🟢 browser.pagethumbnails.capturing_disabled = true
We prohibit the creation of mini-screenshots (thumbnails) of visited pages

🔴 browser.shell.shortcutFavicons = false
Forbid saving favicons when you create desktop shortcuts to sites (Windows): they are cached in the profile's shortcutCache folder, leaving a record of which sites you made shortcuts for.

🟢 browser.helperApps.deleteTempFileOnExit = true
Delete temporary files opened by third-party applications (if you selected "open" instead of "save" when downloading a file) after closing these applications

Result: 5 out of 6

HTTPS / SSL/TLS / OCSP / CERTS - security certificates

🟢 dom.security.https_only_mode = true
Forbid loading pages over plain HTTP: every http:// URL is upgraded to https://, and you get a warning page if the site does not support it.

🔴 dom.security.https_only_mode_send_http_background_request = false
In HTTPS-Only mode, when the upgraded HTTPS request is slow to answer, the browser sends a plain HTTP request to the same host in the background to tell "no HTTPS" from "server down". That request announces, in cleartext, which site you are trying to visit, so we disable it.

🔴 browser.xul.error_pages.expert_bad_cert = true
Show detailed information about bad certificates (insecure connection) on the error page right away, so you can see what exactly failed.

🔴 security.tls.enable_0rtt_data = false
TLS 1.3 introduced 0-RTT "early data", which lets the client send encrypted application data along with the first handshake message on a resumed connection, saving a round trip. The problem is that early data is protected by a key derived from the previous session, so it has no forward secrecy and can be replayed by an attacker who recorded it. We don't need that.

🔴 security.OCSP.require = true
Online Certificate Status Protocol (OCSP) lets the browser ask the CA whether a certificate has been revoked, for example after a compromise. With this setting the browser must get a valid answer and refuses to load the page otherwise (hard-fail), rather than silently proceeding when the responder is unreachable (soft-fail, the default). Two caveats: a CA's OCSP responder being down will break sites for you, and each OCSP query tells the CA which site you are visiting unless the server staples the response. CRLite below avoids both problems.

🟢 security.pki.sha1_enforcement_level = 1
Forbid SHA-1 signatures in certificates (1 = forbid everywhere).

🟢 security.cert_pinning.enforcement_level = 2
Strict certificate pinning: pins are enforced even when the intercepting certificate chains to a root installed locally (by antivirus, a corporate proxy or malware), so such a MITM cannot impersonate pinned sites. Level 1, the default, exempts locally installed roots.

🔴 security.remote_settings.crlite_filters.enabled = true
Enable CRLite, an alternative revocation mechanism: the browser downloads compact filters of revoked certificates and checks them locally, so no CA learns which sites you visit and nothing breaks when a responder is down.

🔴 security.pki.crlite_mode = 2
Allow the browser to enforce CRLite results (block a connection when the filter says the certificate is revoked) rather than only collecting telemetry about them.

Result: 3 of 9

Headers and Referrers

🔴 network.http.referer.XOriginPolicy = 2
Here we forbid the browser from sending the Referer header with cross-origin requests (when we go from foo.com to bar.com) unless the hosts match: 0 = always send, 1 = send when the base domains match, 2 = send only when the full host matches. Referers are used to track user behavior. Expect some breakage on sites that check the referer for images or downloads served from another host.

🟢 network.http.referer.XOriginTrimmingPolicy = 2
In addition to the previous item, we trim the Referer on cross-origin requests to scheme, host and port only (1 would keep the path, 0 sends the full URL including the query string). Modern Firefox already does this by default via the strict-origin-when-cross-origin referrer policy, but a site can loosen that with a Referrer-Policy header; this pref enforces the trimming regardless.

Result: 1 of 2
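To make the two referer settings concrete, here is a small Node.js function I am adding (example code, not from the original post, the guide or Firefox itself) that works out what Referer header the browser would send for a given navigation under given XOriginPolicy and XOriginTrimmingPolicy values. It models only those two prefs plus the rule that fragments and credentials are never sent; the real browser additionally applies the page's Referrer-Policy and the same-origin trimming pref, which are left out. The base-domain comparison for policy 1 uses a naive last-two-labels rule instead of the Public Suffix List, and the URLs are constructed.

```javascript
// Added example: what Referer Firefox would send under
// network.http.referer.XOriginPolicy / XOriginTrimmingPolicy (simplified model).

// Naive eTLD+1. Firefox uses the Public Suffix List; this is an assumption that
// is good enough for the demo and wrong for names like example.co.uk.
function baseDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// xOriginPolicy:         0 = always send, 1 = send when base domains match, 2 = hosts must match.
// xOriginTrimmingPolicy: applies to cross-origin requests only;
//                        0 = full URL, 1 = drop the query string, 2 = origin only.
// Returns the Referer value, or null when no header is sent.
function refererFor(fromUrl, toUrl, { xOriginPolicy = 0, xOriginTrimmingPolicy = 0 } = {}) {
  const src = new URL(fromUrl);
  const dst = new URL(toUrl);

  if (src.hostname !== dst.hostname) {
    if (xOriginPolicy === 2) return null;
    if (xOriginPolicy === 1 && baseDomain(src.hostname) !== baseDomain(dst.hostname)) return null;
  }

  // Fragment (#...) and userinfo are never part of a Referer.
  const full = `${src.origin}${src.pathname}${src.search}`;
  if (src.origin === dst.origin) return full;      // same-origin: trimming pref does not apply

  switch (xOriginTrimmingPolicy) {
    case 2: return `${src.origin}/`;
    case 1: return `${src.origin}${src.pathname}`;
    default: return full;
  }
}

// Constructed navigation: a sensitive page with an identifying query string
// loads a third-party tracking pixel.
const FROM = "https://www.example.com/health/diagnosis?patient=4711#section2";
const TO = "https://tracker.example.net/pixel.gif";

const CONFIGS = {
  "pref defaults (0 / 0), ignoring the default Referrer-Policy": { xOriginPolicy: 0, xOriginTrimmingPolicy: 0 },
  "guide: XOriginPolicy 2, Trimming 2": { xOriginPolicy: 2, xOriginTrimmingPolicy: 2 },
  "Mullvad as tested: XOriginPolicy 0, Trimming 2": { xOriginPolicy: 0, xOriginTrimmingPolicy: 2 },
};

for (const [label, cfg] of Object.entries(CONFIGS)) {
  console.log(`${label}: Referer = ${refererFor(FROM, TO, cfg) ?? "(not sent)"}`);
}
```

The three lines it prints show the progression: the full URL with the patient ID, nothing at all, and the bare origin, which is what Mullvad's setting of the trimming pref alone buys you.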

Audio and video: WebRTC, WebGL, DRM

🔴 media.peerconnection.enabled = false
Forbid WebRTC, the peer-to-peer media and data API, which can reveal our real IP address to a remote server or user through its ICE candidates even when a proxy is in use.

🔴 media.peerconnection.ice.proxy_only_if_behind_proxy = true
If WebRTC is allowed and a proxy is configured, force ICE to go through the proxy only instead of opening direct UDP connections around it.

🔴 media.peerconnection.ice.default_address_only = true
Forbid the browser from gathering ICE candidates on every network interface; only the default route's interface is used. Otherwise addresses from all interfaces, including a physical one outside the VPN tunnel, can end up in the candidates sent to the other side.

🔴 media.peerconnection.ice.no_host = true
Forbid "host" candidates, i.e. the browser's own interface addresses, including private ones (192.168.x.x, 10.x.x.x), from appearing in the ICE candidates sent to the other side.
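To see what the four WebRTC settings above actually hide, here is a Node.js example I am adding (not from the original post or the guide) that parses ICE candidate lines of the kind a page receives in RTCPeerConnection's onicecandidate event and classifies what each one exposes: a "host" candidate with a private address (what ice.no_host suppresses), an mDNS-obfuscated host candidate, a "srflx" candidate carrying the public address a STUN server saw (your real IP if STUN goes around the VPN or proxy), and a "relay" candidate that only reveals the TURN server. The candidate strings are constructed; collecting real ones requires running in a browser.

```javascript
// Added example: classify WebRTC ICE candidates by what address they leak.
// Candidate syntax (RFC 8839):
//   candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <ip> rport <port>] ...

function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (udp|tcp) (\d+) (\S+) (\d+) typ (host|srflx|prflx|relay)(?: raddr (\S+) rport (\d+))?/i.exec(line);
  if (!m) return null;
  return {
    foundation: m[1], component: Number(m[2]), transport: m[3].toLowerCase(),
    priority: Number(m[4]), address: m[5], port: Number(m[6]), type: m[7].toLowerCase(),
    relatedAddress: m[8] ?? null, relatedPort: m[9] ? Number(m[9]) : null,
  };
}

// RFC 1918 private ranges plus loopback and link-local.
function isPrivateIPv4(ip) {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some(n => Number.isNaN(n) || n < 0 || n > 255)) return false;
  return p[0] === 10 || (p[0] === 172 && p[1] >= 16 && p[1] <= 31) || (p[0] === 192 && p[1] === 168)
    || p[0] === 127 || (p[0] === 169 && p[1] === 254);
}

// Loopback, link-local (fe80::/10) and unique-local (fc00::/7) IPv6.
function isPrivateIPv6(ip) {
  const a = ip.toLowerCase();
  return a === "::1" || a.startsWith("fe80:") || a.startsWith("fc") || a.startsWith("fd");
}

// Returns {type, address, exposure}; exposure is what the remote side learns.
function classify(line) {
  const c = parseCandidate(line);
  if (!c) return null;
  let exposure;
  if (c.address.endsWith(".local")) exposure = "mdns-obfuscated";        // hostname only, no IP
  else if (c.type === "relay") exposure = "turn-server";                   // only the TURN relay's address
  else if (c.type === "host" && (isPrivateIPv4(c.address) || isPrivateIPv6(c.address)))
    exposure = "private-lan";                                              // internal topology
  else if (c.type === "host") exposure = "public-interface";               // an interface has a public IP
  else exposure = "public-as-seen-by-stun";                                // srflx/prflx: NAT's outside address
  return { type: c.type, address: c.address, exposure };
}

// Constructed candidates; 203.0.113.5 and 198.51.100.7 are RFC 5737 documentation addresses.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.20 49152 typ host generation 0",
  "candidate:2 1 udp 2122194687 fe80::1c2e:3bff:fe4d:5e6f 49153 typ host generation 0",
  "candidate:3 1 udp 2122260223 8a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9.local 49154 typ host",
  "candidate:4 1 udp 1685987071 203.0.113.5 49152 typ srflx raddr 192.168.1.20 rport 49152 generation 0",
  "candidate:5 1 udp 41885439 198.51.100.7 3478 typ relay raddr 203.0.113.5 rport 49152",
];

// Candidates that reveal a real address. ice.no_host removes the host ones;
// proxy_only_if_behind_proxy / a leak-proof VPN make the srflx address the exit's, not yours.
function leaks(lines) {
  const revealing = new Set(["private-lan", "public-interface", "public-as-seen-by-stun"]);
  return lines.map(classify).filter(c => c && revealing.has(c.exposure));
}

for (const l of SAMPLE_CANDIDATES) console.log(classify(l));
console.log(`${leaks(SAMPLE_CANDIDATES).length} of ${SAMPLE_CANDIDATES.length} candidates reveal a real address`);
```

In a browser you would feed the same classifier with `event.candidate.candidate` strings from `pc.onicecandidate` after creating a data channel and an offer; with media.peerconnection.enabled = false the event never fires at all.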

🔴 webgl.disabled = true
Forbid WebGL, a JavaScript API that uses your device's GPU to render 3D graphics in web pages. WebGL is used for fingerprinting, because different combinations of OS, driver and GPU produce a different hash when the same scene is rendered, and the API also exposes the renderer and vendor strings.

🔴 media.autoplay.default = 5
Forbid all sites from automatically playing any media (audio and video): 0 allows autoplay, 1 blocks audible media, 5 blocks everything.

Result: 0 of 6

Downloads

🟢 browser.download.useDownloadDir = false
We make it so that the browser always asks us where to save the file

🟢 browser.download.manager.addToRecentDocs = false
Prevent the browser from adding downloaded files to the list of "recent downloads" in the OS

Result: 2 of 2

Cookies

🔴 browser.contentblocking.category = "strict"
Enable the "Strict" level of Enhanced Tracking Protection, which blocks known trackers, cryptominers and fingerprinters and isolates third-party cookies per site.

🟢 privacy.partition.serviceWorkers = true
Partition service workers by the top-level site. A third-party script embedded on two different sites then gets two separate service-worker registrations instead of one shared one, so it cannot use the worker to link your visits across sites. (This is storage partitioning, not process isolation; the latter is Fission, fission.autostart.)

🔴 privacy.partition.always_partition_third_party_non_cookie_storage = true
🔴 privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage = true
The first option partitions the remaining third-party storage (localStorage, IndexedDB, caches) by the top-level site, just as cookies already are, so trackers cannot use such storage as a cross-site identifier. The second leaves sessionStorage out of that partitioning, for compatibility with sites that break otherwise.

Result: 1 of 4

Interface

🟢 dom.disable_open_during_load = true
Block pop-ups that a page tries to open while it is loading, i.e. without you clicking anything.

🔴 dom.popup_allowed_events = click dblclick mousedown pointerdown
Set the whitelist of user events that may open a pop-up; the default list is longer (keyboard and touch events among others), giving sites more ways to trigger one.

🟢 extensions.pocket.enabled = false
Turn off Pocket, the built-in interface to Mozilla's cloud service for saving and syncing bookmarks and other finds.

🟢 extensions.Screenshots.disabled = true
Disable the built-in add-on for creating screenshots of web pages

🟢 pdfjs.enableScripting = false
Prevent JS code from executing if it is inside a PDF file that is opened in a browser

🟢 privacy.userContext.enabled = true
We enable the ability to create "containers" inside the browser. A container is a space isolated from other tabs, which allows, for example, to log into several accounts of the same resource within one browser window.

Results: 5 of 6

Add-ons

🟢 extensions.enabledScopes = 5
A bitmask of where the browser loads extensions from: 1 = the profile, 2 = per-user system locations, 4 = the application directory, 8 = system-wide locations. 5 means profile + application only, so an extension dropped into a system or per-user location by other software (or an attacker) is not loaded.

🟢 extensions.webextensions.restrictedDomains = ""
A list of domains on which extensions are not allowed to run; by default it contains Mozilla's own domains (accounts.firefox.com, addons.mozilla.org and others). Emptying it lets your content blocker work there too; if you added google.com instead, your add-ons would be switched off on Google.

🟢 extensions.postDownloadThirdPartyPrompt = false
Disable the additional question "Are you absolutely sure that you want to install this add-on" when installing it.

Results: 3 of 3

Shutdown Options

Setting up automatic clearing of history, cookies, cache, etc. on shutdown. network.cookie.lifetimePolicy = 2 (cookies expire at the end of the session) was removed in recent Firefox releases (103+), where privacy.clearOnShutdown.cookies covers it. sitesettings = false keeps your per-site permissions across restarts, and sanitize.timeSpan = 0 makes the manual "Clear recent history" dialog default to "Everything".
🟢 network.cookie.lifetimePolicy = 2
🔴 privacy.sanitize.sanitizeOnShutdown = true
🟢 privacy.clearOnShutdown.cache = true
🟢 privacy.clearOnShutdown.cookies = true
🟢 privacy.clearOnShutdown.downloads = true
🟢 privacy.clearOnShutdown.formdata = true
🟢 privacy.clearOnShutdown.history = true
🔴 privacy.clearOnShutdown.offlineApps = true
🟢 privacy.clearOnShutdown.sessions = true
🔴 privacy.clearOnShutdown.sitesettings = false
🔴 privacy.sanitize.timeSpan = 0

Result: 7 of 11

Fingerprinting

🟢 privacy.resistFingerprinting = true
🔴 privacy.window.maxInnerWidth = 1600
🔴 privacy.window.maxInnerHeight = 900
resistFingerprinting (RFP) is the bundle of anti-fingerprinting measures inherited from Tor Browser: it rounds window dimensions, reports the time zone as UTC, normalizes the User-Agent and several other APIs. The two sizes cap the inner size of new windows so that, together with RFP's rounding, everyone presents one of a small set of window sizes to sites (and no window larger than a common screen). Tor Browser and Mullvad Browser additionally letterbox the content area.

🟢 privacy.resistFingerprinting.block_mozAddonManager = true
When enabled, this hides navigator.mozAddonManager, the API (exposed to addons.mozilla.org) through which a site can query which add-ons you have installed.

🟢 browser.display.use_system_colors = false
When false, pages are rendered with the browser's default colors rather than your OS color scheme, so a site cannot read your system theme colors through CSS. Many sites adapt to light or dark desktop themes, but each such value handed to a remote server is another piece of your unique fingerprint.

Result: 3 out of 5

Results

95 of the 150 parameters that need to be changed in Mozilla Firefox already have the recommended value in Mullvad Browser and require no intervention. That is a very good result, because almost all of these 95 are the ones most critical for privacy and anonymity, while many of the 55 that need manual work "tweak" the browser toward maximum protection of our data, sometimes at the expense of functionality.