Updates 4-14-2017: Mozilla now publishes instructions on keeping Firefox from making any automatic connections at all, useful when you need a machine that makes no connections you don’t explicitly ask it to. When this is necessary, best practice is to set the clock forward one day with the browser not running, start Wireshark, then start Firefox with the homepage set to about:blank. No data should be sent or received. Do this again at every browser update, as new “services” seem to constantly be added!
First up on a new install is to disconnect from Google and their trackers: be sure to “clear all cookies” immediatly after a new install, disable all of the Google anti-phishing filters, then clear all cookies again. Go to “preferences” and uncheck “block reported attack sites” and “block reported web forgeries” to disconnect this Google service from your browser. Make sure the Google “prefs” cookie does NOT reappear or the browser is unsafe. If you use Google’s phishing filter, Google gets a list of every website you visit! Having disconnected this filter Google no longer gets that list, but you should avoid ever banking or shopping online with no phishing filter at all. Best solution is to avoid those anyway, but if you cannot the use of two different machines is recommended: one for banking etc, one for everything else.
Another serious security hole in Firefox (shared with many other browsers) is geolocation. Geolocation is dangerous, as it allows a malicious website to determine your location. Firefox in recent versions by default allows websites to use Geolocation and connect to a Google database to do so. Google’s own Chrome browser includes a feature buried in preferences to disable this, in Firefox you have to go to about:config and click past the “void your warranty” box to get to this option.
Go to about:config , enter “geo” in the search box, and disable it. Do do this, go to geo.enabled , click on the word “true” and set it to “false.” then, as a further precaution, go to geo-wifi-url and set it to “about:blank” replacing Google’s site they set up by sniffing everyone’s wi-fi.
Next, still in about:config, enter “keyword” in the search bar, set keyword.enabled to “false” to disable prefetch and automatic Google searches of invalid URL’s. Google LOGS ALL THESE SEARCHES and may log every word you type if location bar suggestion is also enable, so be sure to disable that from “preferences.”
Finally, enter “prefetch” in the search bar of about:config and set network.prefetch-next to “false” to prevent individual typed characters from bringing attempts to search for/connect to whatever URL that might go to. In Chrome prefetch generates logged content on Google, assume the same in Firefox.
The above privacy threats are actually worse in Firefox than in Chrome, as they are harder to find for the purpose of disabling them. Mozilla is now coming under fire for bloating Firefox with bullshit like compiled-in support for the “pocket” extension, a commercial service that replaces locally downloading saved pages with unsafe cloud storage. Unknown what this hard to remove extension does when no Pocket account exists, but it can be disabled in about:config by setting every string that “pocket” brings up to a blank string and every boolean option to “false.” It can be removed in any case by removing relevant files from the Firefox install directory, but this has to be repeated every time Firefox is updated.
Update 4-14-2017Not sure if two URLs mentioned in paragraph below are still unblockable in Firefox, as that would be incompatable with Mozilla’s instructions for stopping all automatic connections.
Update Dec 18,2015: recent versions of Firefox have a lot of “telemetry” functions that phone home to Mozilla built in. There are so many of them that the best way to disable them is to fire up Wireshark first, then start the browser with the homepage having been previously set to about:blank. You will want to block every URL that comes up. Most can be cut off by replacing them with blank strings in about: config (use the URL as the filter to bring them up) but as of now at least one will have to be blocked in /etc/hosts. If you are running Linux, add these two lines to the file /etc/hosts :
These are auto-update URLS, and unlike the extension auto-updating that Mozilla themselves gives instructions for disabling in about:config, these two can only be blocked in /etc/hosts or at the firewall. Only extensions can be set to auto-update in Linux, yet the browser will connect once a day to these URLS. Any auto-updating can be dangerous on a laptop because it could allow an adversary to get a list of most or all of the wifi hotspots you connect to the Internet from.
Having done these things, close your browser, clear Wireshark’s list of IP addresses, then start the browser again. When you can open the browser without any connections showing up in Wireshark until you visit a website, you have protected yourself against Mozilla or anyone else gettting a list of every website you visit by “monetized” browser anti-features. Presumably you could do this even in Chrome by simply adding all the offending URL’s to /etc/hosts but I have not tested that due to Chrome’s status as mostly a frontend to Google services.
There is a dangerous collaboration between Firefox and Google, but Firefox still sends out far less information in the user-agent string than Chrome and most of the spyware (except GEO) either does not exist or is easily disabled in preferences. The fact that Firefox is much harder to “fingerprint” than Chrome is an advantage is stopping cookieless tracking, as is its support for the NoScript and Canvasblocker plugins.
Justin Samual (snitch) and Firefox
Notorious snitch Justin Samuel, responsible for sending multiple activists to jail, was later found to be one of the programmers of Firefox 4, leading many to blacklist that browser. He was said to have worked on “security software” for Firefox 4. Some time ago, that software was found-the “RequestPolicy” extension, whose stated purpose is a useful security improvement. I am NOT sure this is all of it, but this is what he admits to writing. Unfortunately the rest of Mozilla is no longer as trustworthy as they used to be either. Firefox can still be secured against phone-home shit as of version 42 but it now takes some work with Wireshark to fully safe this browser. The torbrowser developers also have to “clean” Firefox as well as add their Tor modifications to create Torbrowser.
On his own website, Justin Samuel lists “requestpolicy” a cross site scripting policy manager plugin, as his main open source project.
The web page for it is
This link should be treated as dangerous, which is why I have disabled it in this page. To follow it, use a browser other than Firefox!
One thing is for sure: Justin Samuel must have had a lot of help from his FBI masters to get a PHD in computer science while his former comrades went to prison thanks to his snitching. He says he feels like the “luckiest person in the world,” he would not have been saying that if he had done his snitching in a place like Afghanistan.
Here are two of his pages, visit with caution: