This post marks the second in a series of posts covering the customization of privacy settings in Mozilla Firefox. In an earlier post we described how to increase your privacy using the about:config interface. In this post, we will look at some privacy-enhancing add-ons.
Add-ons are small pieces of software that add new features or functionality to your installation of Firefox. If you are not familiar with Firefox add-ons, these FAQs might be helpful.
How to install add-ons
Courtesy of Firefox Help, here is an overview to get you started:
- At the top of the Firefox window, click on the Firefox button or on the Tools menu, and then click Add-ons. The Add-ons Manager tab will open.
- In the Add-ons Manager tab, select the Get Add-ons panel.
- To see more information on a Featured Add-on or Theme, click it. You can then click the green Add to Firefox button to install it. You can also search for specific add-ons by using the search box at the top. You can then install any add-ons you find with the Install button.
Firefox will download the requested add-on and may ask you to confirm that you want to install it. Click Restart Now if it pops up. Your tabs will be saved and restored after the restart.
The rest of this post alphabetically lists the best privacy add-ons. In our recommendations below we distinguish between basic, advanced, and optional privacy-add-on bundles.
Users who are only starting to worry about their digital footprint and want to take some first steps to protect their privacy should install the add-ons from the basic privacy-add-on bundle.
Users who are willing to go to greater lengths to protect their privacy should consider installing the add-ons from the advanced privacy-add-on bundle.
Both bundles could be complemented with the add-ons we marked as optional. However, we recommend keeping the number of installed add-ons to a minimum, since every installed add-on potentially increases the uniqueness of your browser; moreover, every installed add-on slows down your Firefox. Therefore, we suggest that you first try out our recommendations on about:config customizations to increase your browsing privacy and only install the optional add-ons if your about:config changes cause problems.
Since 2011, Adblock Plus has by default allowed what its developers consider “acceptable ads”. This move was criticized by many; some authors accuse the Adblock Plus developers of having connections to advertising and affiliate programs whose advertisements are included in the whitelist as a result (link in German). In reaction, Adblock Edge was created as a fork without the “acceptable ads” option.
As the name suggests, Adblock Edge is first and foremost an ad blocker and not an actual tracking blocker. However, since most of the trackers are advertisements on web pages, Adblock Edge is also quite effective in defeating trackers. Moreover, you can subscribe to blocking lists that explicitly focus on browsing privacy.
At WebDevelopmentAid we do not use Adblock Edge, since all functions provided by this add-on are already covered by the add-ons we suggest for either the basic or the advanced privacy add-on bundle. Thus we consider this extension an optional privacy add-on. If for whatever reason you want to stick with Adblock Plus, make sure to uncheck “Allow some non-intrusive advertising” in your filter preferences.
In a nutshell, Cookie Monster makes it easier to manage which sites are allowed to set cookies and which are not. It works best for users who do not accept cookies by default, although this is not necessary.
At WebDevelopmentAid we use the cookie managing tools that come with the standard Mozilla Firefox. If you miss some functionalities, you might want to look into this add-on. Thus, we would recommend this extension as an optional privacy add-on.
Disconnect helps users monitor and block data requests from over 2000 third-party tracking companies without disrupting the browsing activity and without degrading the functionality of the visited sites.
To learn more about the functionalities provided by Disconnect, you might want to watch their promotional video.
Despite the sweet irony that Disconnect was cofounded by an ex-Googler and has a former NSA employee among its founding members, we recommend using Disconnect as part of a basic privacy-add-on bundle, as it is effective in what it does and it is free and open source.
Disconnect Search allows you to search privately on Google, Bing, Yahoo, and other popular search engines by protecting your search queries in three ways. First, they route your search queries through their proxy servers before they go to the popular search engines, including Google, Bing and Yahoo. Instead of these search engines knowing that a search is coming from you or your computer, all searches look like they are coming from Disconnect. Second, Disconnect Search prevents search engines from sending your search queries to the web sites you visit from search results pages. Third, Disconnect Search encrypts your search queries, which prevents your Internet Service Provider (ISP) from seeing your searches.
According to the FAQ, Disconnect Search does not log, save, or store your search queries, your IP address, or any other information that could be associated with you. They do, however, track non-personal, aggregate usage data.
As a user you have no way of verifying the validity of their claims. At least they openly admit that “[b]ased on recent revelations, you should not assume that any company or organization can prevent the US government from accessing your search queries. Disconnect Search focuses on preventing companies from accessing your searches”.
At WebDevelopmentAid we have briefly experimented with this add-on and found it a helpful addition to reduce our digital footprint and we thus can recommend this extension as an optional privacy-add-on.
Similar to Disconnect, Ghostery helps users monitor and block data requests from third-party tracking companies.
You can enable GhostRank which allows Ghostery to track trackers as your browser traverses the internet.
We used to have Ghostery installed as our basic privacy add-on of choice, since we felt it blocked more effectively than Disconnect. However, the involvement of Evidon, the company owning Ghostery, has come under criticism. Evidon, as is transparently stated in Ghostery’s FAQ, uses the anonymized data collected by GhostRank to produce reports which they sell to buyers from the advertising industry.
Nevertheless, we decided to keep Ghostery as part of a basic privacy-add-on bundle. If you choose to use Ghostery, make sure that you do not enable GhostRank.
Developed by the Electronic Frontier Foundation, an international non-profit digital rights group, HTTPS Everywhere forces a browser to use HTTPS (encrypted HTTP) whenever possible (i.e. when the website allows it).
Using HTTPS instead of HTTP can protect you against eavesdropping and tampering with the contents of the site or with the information you send to the site. Ideally, this provides some protection against an attacker learning the content of the information flowing in each direction—for instance, the text of e-mail messages you send or receive through a webmail site, the products you browse or purchase on an e-commerce site, or the particular articles you read on a reference site.
However, HTTPS Everywhere does not conceal the identities of the sites you access, the amount of time you spend using them, or the amount of information you upload or download from a particular site.
HTTPS drastically increases your privacy with (almost) no side-effects. We therefore strongly recommend using HTTPS Everywhere for both the basic and the advanced privacy-add-on bundle.
However, using HTTPS is not a panacea for your privacy worries, as your web browser trusts a lot of certification authorities and chained sub-authorities, and it does so blindly. It is unclear how many intermediate certification authorities really exist, and yet each of them has “god-like power” to impersonate any HTTPS website using a Man in the Middle (MITM) attack scenario. To learn more about the deficiencies of HTTPS you might want to read this blog post at Freedom to Tinker.
Despite these inconveniences we recommend using NoScript as part of our advanced privacy-add-on bundle. But do not just take our word: NoScript enjoys the mixed blessing of being recommended by none other than the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT).
Developed by Mozilla, this add-on enables you to see the first and third-party sites you interact with on the web. Using interactive visualizations, Lightbeam shows you the relationships between these third parties and the sites you visit. To learn more about the motivations and the workings of Lightbeam you might be interested in Gary Kovacs’ TED Talk.
Although this add-on does not directly enhance your browsing privacy, as it does not block any of the trackers it encounters, it is highly educational to see how you are being tracked across the web. Therefore, we recommend this add-on as an optional privacy add-on for all users who want to get a first idea of how tracking works.
As we have already discussed in our post on privacy-enhancing about:config customizations, HTTP Referers are a threat to your privacy because they tell the site you are visiting where you came from. RefControl is an extension for Firefox that lets you control what gets sent as the HTTP Referer on a per-site basis.
As we have outlined in our earlier post, we recommend that you turn off the HTTP/HTTPS Referer sending entirely by changing the about:config entries. If, however, you frequently run into trouble because of these global settings and you therefore need a tool that allows more fine-grained settings, you might consider installing this add-on. Thus, we would consider this add-on an optional privacy add-on.
RequestPolicy improves the privacy and security of your browsing by giving you control over when cross-site requests are allowed by websites you visit.
Cross-site requests are requests that your browser is told to make by a website you are visiting to a completely different website. Though usually legitimate requests, they often result in advertising companies and other websites knowing your browsing habits, including specific pages you view throughout the day.
Cross-site requests are also used in attacks on users who are browsing the web. They are particularly dangerous in Cross-Site Request Forgery (CSRF) attacks, where your browser is told to make a request to another website and that other website thinks you (the person) meant to make the request.
RequestPolicy blocks any request the browser makes from the current site a user is on to a third-party site and allows you to whitelist, temporarily or permanently, origins, destinations, and/or origins-to-destinations of cross-site requests. Moreover, RequestPolicy allows you to disable link and DNS prefetching.
On the one hand, RequestPolicy is not only a highly effective tool for protecting the privacy and security of your browsing but also highly educational, as it makes visible the ubiquity of cross-site requests. On the other hand, exactly this ubiquity of cross-site requests makes your browsing difficult, to put it nicely.
Nevertheless, we recommend using RequestPolicy as part of an advanced privacy-add-on bundle. As a side note: you might want to consider installing the remarkably stable beta version, which has a drastically improved user interface.
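The default-deny decision described above (block every cross-site request unless an origin, a destination, or an origin-to-destination pair is whitelisted, temporarily or permanently) can be sketched as follows. This is an added example, not RequestPolicy's own code; the names siteOf and CrossSitePolicy, the two-label notion of a "site", and all domains are assumptions made for illustration.

```javascript
// Added illustration of default-deny cross-site request filtering.
// Not RequestPolicy's source; all names and domains below are constructed.

// Assumption: a "site" is the last two labels of the hostname. Real tools
// use the Public Suffix List so that suffixes like co.uk are handled correctly.
function siteOf(url) {
  return new URL(url).hostname.toLowerCase().split('.').slice(-2).join('.');
}

class CrossSitePolicy {
  constructor() {
    this.rules = new Map(); // rule key -> true if the rule is temporary
  }
  allowOrigin(origin, temporary = false) {
    this.rules.set(`origin:${origin}`, temporary);
  }
  allowDestination(dest, temporary = false) {
    this.rules.set(`dest:${dest}`, temporary);
  }
  allowPair(origin, dest, temporary = false) {
    this.rules.set(`pair:${origin}>${dest}`, temporary);
  }
  // Temporary whitelist entries are dropped when the session ends.
  endSession() {
    for (const [key, temporary] of this.rules) {
      if (temporary) this.rules.delete(key);
    }
  }
  // pageUrl: the page the user is on; requestUrl: what that page asks for.
  decide(pageUrl, requestUrl) {
    const origin = siteOf(pageUrl);
    const dest = siteOf(requestUrl);
    if (origin === dest) return 'allow (same site)';
    const keys = [`pair:${origin}>${dest}`, `origin:${origin}`, `dest:${dest}`];
    const hit = keys.find((key) => this.rules.has(key));
    return hit ? `allow (${hit})` : 'block';
  }
}

// Constructed browsing session.
const policy = new CrossSitePolicy();
policy.allowPair('news.example', 'newscdn.example');  // permanent
policy.allowDestination('fonts.example', true);       // temporary
const page = 'https://www.news.example/article';
for (const req of ['https://img.news.example/a.png',
  'https://static.newscdn.example/app.js', 'https://fonts.example/f.woff',
  'https://tracker.example/pixel.gif']) {
  console.log(req, '->', policy.decide(page, req));
}
```

A pair rule is the narrowest exception: the same CDN requested from any other site stays blocked, which is why whitelisting origin-to-destination pairs leaks less than whitelisting a destination globally.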
The User Agent Switcher extension adds a menu and a toolbar button to switch the user agent of a browser.
In our earlier post on privacy-enhancing about:config settings, we recommended spoofing your User Agent. We also mentioned that you might run into problems because of your spoofed User Agent and that it is important to keep your spoofed User Agent up-to-date. If you think that manually spoofing your User Agent is too demanding, we recommend this extension as an optional privacy add-on.
We suggested installing Disconnect or Ghostery as part of the basic privacy add-on bundle. For the reasons outlined above (Disconnect is open source and Ghostery has a dubious business model) we recommend going with Disconnect.
Whatever add-on you choose, make sure that you also install HTTPS Everywhere.
After the installation, HTTPS Everywhere asks you whether or not you want to use their SSL Observatory; we recommend that you politely decline this offer. When using Ghostery, make sure that you opt out of GhostRank and select all trackers and cookie blockers.
Using HTTPS Everywhere is a no-brainer.
After the installation, RequestPolicy will offer to set you up with a preconfigured whitelist which makes exceptions for Google and its domains. Decline this offer by unchecking the “International” box, and then click OK. For NoScript you have to make sure that it is set to “Deny scripts globally”; moreover, you have to adjust its whitelist: we recommend that you delete all entries except those from your browser settings (about:addons, about:config etc.). HTTPS Everywhere will ask you whether or not you want to use their SSL Observatory; we recommend that you politely decline this offer.
Make no mistake, these settings, even when combined with our recommended about:config settings, will not make your browsing anonymous. Far from it. At best, these changes help to decrease your digital footprint and help to evade the prying eyes of some tracking companies.
Enhancing browsing privacy is hard work as it requires a lot of fiddling and tweaking. You will miss out on many functionalities modern websites provide and you will be tempted to go back to the dark side with all the cookies. Therefore, our most important recommendation is that you do not give up. And before you give up on browsing privacy altogether, consider running two (or more) parallel Mozilla Firefox profiles (we will cover this in a later post). Such a setup allows you to have a first (everyday) profile with our basic privacy-add-on bundle installed alongside a second profile with our advanced privacy-add-on bundle which you could use for your more sensitive browsing quests.
Please share your preferred privacy add-on combinations with us and our readers in the comment section below and let us know if you have any questions or remarks about any of these add-ons.
This post was expanded on January 13, 2014; on January 14, 2014 the post was last updated to include Adblock Edge instead of Adblock Plus.