The Gentle Art of Firefox Tuning (and Taming)
By Rick Moen
In the bad old days, the best we had was the crufty and proprietary Netscape Communicator 4.x kitchen sink^W^W"communications suite" into which Netscape Navigator 3.x, a decent browser for its day, had somehow vanished. That was dispiriting, because an increasing number of complex Web pages (many of them Front Page-generated) segfaulted the browser immediately, and Netscape Communications, Inc. wasn't fixing it.
Following that was a chaotic period: Mozilla emerged in 1998, with Galeon as a popular variant, and Konqueror as an independent alternative from the KDE/Qt camp. Mozilla developers made two key decisions, the first being the move in October 1998 to write an entirely new rendering engine, which turned out to be a huge success. The rendering engine is now named Gecko (formerly Raptor, then NGLayout), and produced the first stunningly good, modern, world-class browsers, the Mozilla 0.9.x series, starting May 7, 2001. I personally found this to be the first time it was truly feasible to run 100% open source software without feeling like a bit of a hermit. So, I consider May 7, 2001 to be open source's Independence Day.
Anyway, defying naysayers' expectations, Firefox's winning feature has turned out to be its extensions interface, usable by add-on code written in XULRunner's XUL scripting language. At some cost in browser code bloat when you use it extensively, that interface has permitted development of some essential add-ons, with resulting functionality unmatched by any other Web browser on any OS. In this article, I detail several extensions to tighten up Firefox's somewhat leaky protection of your personal privacy, and protect you from Web annoyances. (For reasons I've detailed elsewhere, you should if possible get software from distro packages rather than "upstream" non-distro software authors, except in very exceptional circumstances. So, even though I give direct download links for three Firefox extensions, below, please don't use those unless you first strike out with your Linux distribution's own packages.) I also outline a number of modifications every Firefox user should consider making to the default configuration, again with similar advantages in user privacy and tightening of security defaults. For each such change, I will cite the rationale, so you can adjust your paranoia to suit.
The "Rich Computing Experience" and Its Discontents
There's a saying in the Cluetrain Manifesto, written in part by longtime Linux pundit Doc Searls, that "Markets are conversations." That is, it's a negotiated exchange: You give something; you get something. Sometimes you give information, and, oddly enough, Linux people seem to often miss the key point: information has value, even yours. In a market conversation, you're supposed to be able to judge for yourself whether you want what's being offered, and if you want to donate the cost thereof (such as some of your data). If you have no use for what's being offered, you can and should turn off the "service" -- and that's what this article will cover (or at least let you decide what "services" to participate in, instead of letting others decide for you).
The Essential Extensions
Adblock Plus ("ABP"): This extension does further filtering, making a variety of noxious banner ads and other advertising elements just not be fetched at all. Highly recommended, though some people prefer the preceding "Adblock" extension, instead. Privacy implication? Naturally, additional data mining gets disposed of, into the bargain. Available from: http://adblockplus.org/en/
ABP's effectiveness can be substantially enhanced through adding subscriptions to maintained ABP blocklists. I've found that a combination of EasyList and EasyPrivacy is effective and reliable, and recommend them. (EasyList is currently an ABP default.) Since these are just URL-pattern-matching blocklists, subscriptions are not as security-sensitive as are Firefox extensions themselves, but you should still be selective about which ones to adopt.
CustomizeGoogle: This extension largely defangs Google search engine lookup of its major advertising and data-mining features, makes your Google preferences persistent for a change, adds links to optionally check alternative search engines' results on the same queries, anonymises the Google userid string sent when you perform a Google Web search (greatly reducing the ability of Google's data mining to link up what subjects you search for with who you are), etc. Be aware that you'll want to go through CustomizeGoogle's preferences carefully, as most of its improvements are disabled by default. Available from: http://www.customizegoogle.com/
For the record, I like the Google, Inc. company very much, even after its 2007 purchase of notorious spying-on-customers firm DoubleClick, Inc., which served as a gentle reminder that the parent firm's core business, really, intrinsically revolves around data mining/collection and targeted advertising. What I (like, I assume, LG readers) really want is to use its services only at my option, not anyone else's, and to negotiate what I'm giving them, the Mozilla Corporation, and other business partners, rather than having it taken behind my back. For example, Ubuntu's first alpha release of 10.04 "Karmic Koala" included what Jon Corbet at LWN.net called "Ubuntu's multisearch surprise": a custom Firefox search bar that gratuitously sent users to a Google "search partner" page to better (and silently, without disclosure) collect money-making data about what you and I are up to. (This feature was removed following complaints, but the point is that we the users were neither informed nor asked about whether we wanted to be monitored a bit more closely to make this "service" possible.)
User Agent Switcher: This extension doesn't technically concern security and privacy, exactly, but is both useful in itself and as a way to make a statement to Web-publishing companies about standards. It turns out that many sites query your browser about its "User Agent" string, and then decide on the basis of the browser's answer whether to send it a Web page or not — and what Web page to send. User Agent Switcher lets you pick dynamically which of several popular Web browsers you want Firefox to claim to be, or you can write your own. I usually have mine send "W3C standards are important. Stop f---ing obsessing over user-agent already", for reasons my friend Karsten M. Self has cited:
In the finest Alice's Restaurant tradition, if one person does this, they may think he's sick, and they'll deny him the Web page. If two people do it, in harmony, well, they're free speech fairies, and they won't serve them either. If three people do it, three, can you imagine, three people setting their user-agent strings to "Stop f---ing obsessing over user-agent...". They may think it's an organization. And can you imagine fifty people a day? Friends, they may think it's a movement. And that's what it is... If this string shows up in enough Web server logs, the message will be felt.
Available from: http://chrispederick.com/work/user-agent-switcher/
I list a number of other extensions that might be worth considering on my personal pages.
[ I can also recommend the Web Developer toolbar extension. Even if you're not a Web developer, the tool can help you to deactivate obnoxious style sheets and layouts. In addition, you can instantly clear all cookies and HTTP authentications for the site you are viewing (by using the menu item Miscellaneous/Clear Private Data/...). -- René ]
Configuration of the Browser Itself
Edit: Preferences: Privacy: Uncheck "Accept third-party cookies." Reason: I've only seen one site where such were essential to the site's functionality, and even then it was clearly also being used for data mining. Enable "Always clear my private data when I close Firefox". Click "Settings" and check all items. Reason: When you ask to delete private data, it should actually happen. Disable "Remember what I enter in forms and the search bar". Reason: Your prior forms data is often security-sensitive. Consider disabling "Keep my history for n days" and "Remember what I've downloaded". Reason: You don't get much benefit from keeping this private data around persistently, so why log it?
Edit: Preferences: Security: Visit "Exceptions" to "Warn me when sites try to install add-ons" and remove all. Reason: You should know. Disable "Tell me if the site I'm visiting is a suspected attack site" and "Tell me if the site I'm visiting is a suspected forgery". Reason: Eliminate periodic visits to an anti-phishing, anti-malware nanny site. Really, can't you tell EBay and your bank from fakes, and can't you deal with malware by just not running it? "Remember passwords for sites": If you leave this enabled, remember that Firefox will leave them in a central data store that is only moderately obscured, and then only if you set a "master password". Don't forget, too, that even the list of sites to "Never Save" passwords for, which isn't obscured at all, can be very revealing. The cautious will disable this feature entirely — or, at minimum, avoid saving passwords for any site that is security-sensitive.
Edit: Preferences: Advanced On General tab, enable "Warn me when Web sites try to redirect or reload the page". Reason: You'll want to know about skulduggery. On Update tab, disable "Automatically check for updates to: Installed Add-ons" and "Automatically check for updates to: Search Engines", and select "When updates to Firefox are found: Ask me what I want to do". Reason: You really want those to happen when and if you choose.
Now we head over to URL "about:config". You'll see the condescending "This might void your warranty!" warning. Select the cutesy "I'll be careful, I promise!" button and uncheck "Show this warning next time". Reason: It's your darned browser config. Hypothetically if you totally screw up, at worst you can close Firefox, delete ~/.mozilla/firefox/ (after saving your bookmarks.html), and try again.
Set "browser.urlbar.matchOnlyTyped = true": This disables the
Firefox 3.x "Awesome Bar" that suggests searches in the Search box based
on what it learns from watching your bookmarks and history, which is
not (in my opinion) all that useful, and leaves information on your
browsing habits lying around.
Set "browser.tabs.tabMinWidth = 60" and "browser.tabs.tabMaxWidth = 60": Reduce tab width by about 40%. Reason: They're too wide.
Set "bidi.support = 0": Reason: Unless you're going to do data input in Arabic, Hebrew, Urdu, or Farsi, you won't need bidirectional support for text areas. Why risk triggering bugs?
Set "browser.ssl_override_behavior = 2" and "browser.xul.error_pages.expert_bad_cert = true": This reverts Firefox's handling of untrusted SSL certificates to the 2.x behaviour. Reason: The untrusted-SSL dialogues in Firefox 3.x are supremely annoying, "Do you want to add an exception?" prompt and all.
Set "network.prefetch-next = false": Disables link prefetching of pages Firefox thinks you might want next. Reason: Saves needless waste of bandwidth and avoids sending out yet more information about your browsing.
Set "xpinstall.enabled = false": Globally prevents Firefox from checking for updates to Firefox and installed extensions. Reason: This really should happen on your schedule, not Firefox's.
Set "permissions.default.image = 3": This control specifies which images (picture elements) to get, where 1 = all regardless of origin (default), 2 = block all, 3 = fetch only from the site you're browsing. Reason: Images from third-party sites are banner ads or Web bugs, 99% of the time. Note that the ability to block third-party images used to be part of regular Mozilla/Firefox preferences, but was banished to "about:config" as part of a general dummying down.
Set "network.dns.disableIPv6 = true": Prevents Firefox from attempting IPv6 lookups. Reason: At the moment, for most people, there's no point to this function, and it wastes network traffic trying IPv6 before falling back to regular IPv4. If the world changes, you can toggle this setting back.
Set "extensions.blocklist.enabled" to disabled: Stops Firefox from repeatedly polling a remote site for a malware blacklist. Reason: Wasted traffic, and usual logic about malware applies.
Set the three "browser.contentHandlers.types..uri" items to blank: Stops Firefox from repeatedly polling Bloglines, My Yahoo, and Google for RSS feeds that you don't necessarily care about at all. Reason: Wasted network traffic.
Set "plugin.default_plugin_disabled = false": This prevents Firefox's libnullplugin.so from popping up annoying dialogues suggesting you go hunting for plugins/extensions every time you encounter a file on the Web with an unfamiliar MIME type. Reason: Stops Firefox's repetitive suggestions (in a yellow bar at the top of the page) that you install yet more plugins/extensions.
We've already lightly touched on a favourite tinfoil-hat obsession: browser cookies. Like many other browser features, cookies have a fine legitimate purpose, that of offering a persistent-data store for what's normally a stateless protocol (HTTP), e.g., for session data. Of course, the feature was abused about a millisecond after its invention, but the aforementioned unchecking of "Accept third-party cookies" in my view controls such abuse well enough.
What's often neither understood nor controlled are Flash cookies, which Adobe calls "Local Shared Objects", a hidden datastore, holding up to 100kB per domain, maintained by the local Adobe (ex-Macromedia) Flash interpreter under your ~/.macromedia tree, in files with .sol filename extensions. What data? Anything and everything, but mostly the usual obnoxious per-user tracking, except with 25 times the storage and effectively no scrutiny. Bad? You bet. Researchers have found that companies have taken to using Flash cookies not only to track users but also to re-create, behind the user's back, regular browser cookies he or she has deliberately deleted -- invisibly to browser privacy controls and outside their reach. It should also be noticed that data in Flash cookies are also queryable by any other Flash-enabled application.
The standard recommendation to control Flash cookies (which, of course, are far less of an issue with NoScript and Adblock Plus than without them) is another Firefox extension, BetterPrivacy — but I would like to specifically disrecommend that solution, because BetterPrivacy is proprietary software for which source code is never even available for inspection. Can you imagine going to all the trouble of running an open-source browser on an open-source OS, and then throwing in a "hey, trust me" proprietary binary-only module from someone you don't even know?
A new, genuinely open source alternative is Greg Yardley's Objection, which seems worth looking into. Alternatively, it seems almost as easy to write a dirt-simple weekly cronjob to delete unwanted Flash cookies by filename. (E.g., you might want to keep certain domains' cookies, that seem to hold only innocuous Flash-related settings such as Flash games' settings and some sites' login data, and lop off the rest.)
Adobe Systems, Inc., themselves, offer a third alternative: Visiting a set of Adobe Web pages called Flash Settings Manager lets you view and control Flash Cookies via — guess what — a Flash-based control panel the company provides for that purpose. Use it if you like. Personally, I find the notion of using Adobe's help to control a privacy risk they created to be... unwise, on balance — although viewing its settings was enlightening and worthwhile.
There are plenty of aesthetic improvements one might also make to clean up Firefox's appearance, but those are obviously highly individual, so I'll omit my prejudices in that department. Suffice it to say that delving through all of the Edit: Preferences and the View menu will be well worth your time.
Acknowledgements: All of the above text is original, but many ideas about Firefox configuration were taken from bloggers Uwe Hermann and Wouter Verhelst and several anonymous commentators, to all of whom I'm grateful.
 IT columnist David Berlind defined "Web 2.0" as "When the Back button doesn't work".
: Firefox bloat generally is a real concern. Starting around 2006, Jason Halme has shown starkly just how severe the bloat is, by releasing an optimally configured and compiled (but proprietary-licensed) variant called Swiftfox, which is markedly faster in launching and rendering, and also includes protection against buffer overflow attacks.
Probably inspired by Halme's work, developer "SticKK" has released a very similar variant under Firefox's original MPL 1.1 open-source licensing, called Swiftweasel, which is well worth considering instead of vanilla Firefox, and is packaged by common Linux distributions. It's fully compatible with Firefox extensions. (If you're a Mozilla Thunderbird user, "SticKK's" Swiftdove lends the same advantages to that program, too.)
: For example, Debian and Ubuntu both offer maintained packages for Adblock, Adblock Plus, NoScript, and the Web Developer extension mentioned by René Pfeiffer. A package of User Agent Switcher is currently proposed. And even Fedora, not the most lavish of desktop distributions, at least packages NoScript. So, check your distribution-of-choice's package listings.
Linux and BSD users' ability to rely on their distribution package maintainers as gatekeepers against security problems, quality problems, and even against misbehaviour "upstream" (a term used to refer to original authors' source code that is selectively picked up and packaged, often with some tweaks, by Linux distributions) gives them a huge advantage that MS-Windows and MacOS users can only dream of. A decade-plus of experience suggests you're greatly safer when you rely on that gatekeeping function, and go outside that regime to "upstream" sources only with great caution if ever.
"Upstream sources" of what, you might ask? Firefox extensions would be one excellent example. Make no mistake: These are programs, and you need to be on-guard. Browse the listings at Mozilla Organization's https://addons.mozilla.org/ "portal" site skeptically, and you soon notice that the site says nothing about each entry's licensing or source code, and instead rushes you towards the big "Download Now!" button. In fact, many extensions listed turn out, upon more-careful scrutiny, to be proprietary, binary-only software that isn't audited by anyone you would have confidence in and never will be. In any situation where you find yourself casually expected to run code from nobody in particular -- a fair description of unauditable proprietary extensions from people you've never heard of -- your first reaction should be "No. Why on earth would I?" All of the extensions René and I have cited are genuine open source, and from people with established (generally good) reputations, notwithstanding which you should look among your distribution's packages for them first, before resorting to fetching "upstream" code from the authors' sites.
The advantage: The distribution package maintainer should be accepting code from upstream only when it's been checked for quality, made to comply with your Linux distribution's policies, not a buggy beta (not all new code from upstream is necessarily an improvement), read to (with luck) catch any unpleasant surprises, and verified to be signed by the real upstream coder to eliminate the possibility of trojaned (booby-trapped) substitute code inserted by malign parties in place of the author's real code. Plus, you will get subsequent updates semi-automatically in a rational fashion, with your regular package updates, as a harmonised part of your Linux distribution.
Other examples of third-party additions include Web apps enticingly offered as directly downloadable .tar.gz (or zip) archives, all manner of third-party .deb / .rpm packages, alleged screensavers, alleged Internet poker games, alleged video codecs, alleged desktop themes, alleged "birthday cards", alleged ancillary software, etc. You need to be on your guard: You might not be worried about the security of screensaver modules because they're just gloried wallpaper, but suppose one is published on a community site in .deb format (and you're on, say, Ubuntu). You need to install that with your software package installer, using sudo or root authority, right? Oops, bad idea, because that means you'll be running any included scripts with root authority, and how much did you trust the unknown person behind this screensaver? This scenario's already happened, and unwary novices shot themselves in the foot by installing trojaned software -- by trusting an alleged screensaver from nobody in particular who'd listed it on gnome-look.org.
It's important to realise that no security protections can protect a user who defeats his/her system's security by running untrustworthy software from nowhere in particular. If you go out of your way to fetch that metaphorical gun and aim it at your feet, the resulting hole in your pedal extremity is your responsibility. The best the Linux community can do is help train you to know when your danger alarms should be ringing loudly -- and going outside your system's packaged software regime to any source of third-party software is one of the chief signs of danger.
 My somewhat sarcastic reference to "rich computing experience" harks back to an encounter Microsoft Corporation had with the technical community: Specifically, Microsoft developer Bob Atkinson noticed in 1997 some critical discussion in RISKS Digest of his "Authenticode" algorithm for ensuring that ActiveX controls in Microsoft Internet Explorer are "safe" on account of being cryptographically signed with (what you hope is) an unrevoked, valid sender key. He reassured RISKS regulars that Microsoft wanted merely to ensure a "rich computing experience", that Microsoft had all the problems covered, and that everything would be fine. His logic and methods were then expertly but politely pureed over a ten-day period; the comments are popcorn-worthy, especially one fine summary by Peter Gutmann of New Zealand.
Rick has run freely-redistributable Unixen since 1992, having been roped
in by first 386BSD, then Linux. Having found that either one
sucked less, he blew
away his last non-Unix box (OS/2 Warp) in 1996. He specialises in clue
acquisition and delivery (documentation & training), system
administration, security, WAN/LAN design and administration, and
support. He helped plan the LINC Expo (which evolved into the first
LinuxWorld Conference and Expo, in San Jose), Windows Refund Day, and
several other rabble-rousing Linux community events in the San Francisco
Bay Area. He's written and edited for IDG/LinuxWorld, SSC, and the
USENIX Association; and spoken at LinuxWorld Conference and Expo and
numerous user groups.
His first computer was his dad's slide rule, followed by visitor access
to a card-walloping IBM mainframe at Stanford (1969). A glutton for
punishment, he then moved on (during high school, 1970s) to early HP
timeshared systems, People's Computer Company's PDP8s, and various
of those they'll-never-fly-Orville microcomputers at the storied
Homebrew Computer Club -- then more Big Blue computing horrors at
college alleviated by bits of primeval BSD during UC Berkeley summer
sessions, and so on. He's thus better qualified than most, to know just
how much better off we are now.
When not playing Silicon Valley dot-com roulette, he enjoys
long-distance bicycling, helping run science fiction conventions, and
concentrating on becoming an uncarved block.
His first computer was his dad's slide rule, followed by visitor access to a card-walloping IBM mainframe at Stanford (1969). A glutton for punishment, he then moved on (during high school, 1970s) to early HP timeshared systems, People's Computer Company's PDP8s, and various of those they'll-never-fly-Orville microcomputers at the storied Homebrew Computer Club -- then more Big Blue computing horrors at college alleviated by bits of primeval BSD during UC Berkeley summer sessions, and so on. He's thus better qualified than most, to know just how much better off we are now.
When not playing Silicon Valley dot-com roulette, he enjoys long-distance bicycling, helping run science fiction conventions, and concentrating on becoming an uncarved block.