Browsers

DO NOT USE:

Chrome
Internet Explorer
Microsoft Edge
Epic Privacy Browser

USE:

Firefox
Tor Browser Bundle
Brave
Ungoogled Chromium

Firefox


Edit these about:config settings in Firefox. You can use my user.js file to apply the settings automatically.

The settings that say 'blank' are meant to be left empty. It does not mean the string 'blank'.

For an explanation of what each setting does, go here.


media.peerconnection.enabled = false
privacy.firstparty.isolate = true
privacy.resistFingerprinting = true
browser.cache.offline.enable = false
browser.sessionstore.max_tabs_undo = 0
browser.urlbar.speculativeConnect.enabled = false
dom.event.clipboardevents.enabled = false
geo.enabled = false
media.eme.enabled = false
media.gmp-widevinecdm.enabled = false
media.navigator.enabled = false
network.cookie.cookieBehavior = 1 (Blocks third-party cookies. Set to 2 to block all cookies.)
network.cookie.lifetimePolicy = 2
network.http.referer.trimmingPolicy = 2
network.http.referer.XOriginPolicy = 2
network.http.referer.XOriginTrimmingPolicy = 2
webgl.disabled = true
browser.sessionstore.privacy_level = 2
network.IDN_show_punycode = true
extensions.blocklist.url = https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%20/%20/
dom.event.contextmenu.enabled = false
network.http.referer.spoofSource = true
privacy.trackingprotection.enabled = false (Tracking protection is useless with UBO)
geo.wifi.uri = blank
browser.search.geoip.url = blank
browser.aboutHomeSnippets.updateUrl = blank
browser.startup.homepage_override.mstone = ignore
browser.startup.homepage_override.buildID = blank
startup.homepage_welcome_url = blank
startup.homepage_welcome_url.additional = blank
startup.homepage_override_url = blank
toolkit.telemetry.cachedClientID = blank
browser.send_pings.require_same_host = true
network.dnsCacheEntries = 100
places.history.enabled = false
browser.formfill.enable = false
browser.cache.disk.enable = false
browser.cache.disk_cache_ssl = false
browser.cache.memory.enable = false
network.predictor.enabled = false
network.dns.disablePrefetch = true
network.prefetch-next = false
network.http.speculative-parallel-limit = 0
extensions.pocket.enabled = false
extensions.pocket.site = blank
extensions.pocket.oAuthConsumerKey = blank
extensions.pocket.api = blank
browser.newtabpage.activity-stream.feeds.telemetry = false
browser.newtabpage.activity-stream.telemetry = false
browser.ping-centre.telemetry = false
toolkit.telemetry.archive.enabled = false
toolkit.telemetry.bhrPing.enabled = false
toolkit.telemetry.enabled = false
toolkit.telemetry.firstShutdownPing.enabled = false
toolkit.telemetry.hybridContent.enabled = false
toolkit.telemetry.newProfilePing.enabled = false
toolkit.telemetry.reportingpolicy.firstRun = false
toolkit.telemetry.server = blank
toolkit.telemetry.shutdownPingSender.enabled = false
toolkit.telemetry.unified = false
toolkit.telemetry.updatePing.enabled = false
network.allow-experiments = false
browser.tabs.crashReporting.sendReport = false
dom.ipc.plugins.flash.subprocess.crashreporter.enabled = false
toolkit.crashreporter.infoURL = blank
datareporting.healthreport.infoURL = blank
datareporting.healthreport.uploadEnabled = false
datareporting.policy.firstRunURL = blank
privacy.spoof_english = 2 (You may need to create this)
intl.accept_languages = en-US (This sets your default language to en-US which is the most common language for browsers so you will blend in more.)
accessibility.force_disabled = 1
network.captive-portal-service.enabled = false
captivedetect.canonicalURL = blank
browser.newtabpage.activity-stream.feeds.snippets = false
gfx.font_rendering.graphite.enabled = false
network.jar.block-remote-files = true
javascript.options.ion = false
javascript.options.native_regexp = false
javascript.options.baselinejit = false
dom.webaudio.enabled = false
media.webaudio.enabled = false
mathml.disabled = true
gfx.font_rendering.opentype_svg.enabled = false
svg.disabled = true

Edit these settings to disable Google Safe Browsing. Firefox uses Google Safe Browsing's Update API, which means Google doesn't know the URLs you visit, so disabling it isn't necessary, but it still stops connections to Google.

browser.safebrowsing.malware.enabled = false
browser.safebrowsing.phishing.enabled = false
browser.safebrowsing.downloads.enabled = false
browser.safebrowsing.provider.google4.dataSharing.enabled = blank
browser.safebrowsing.provider.google4.updateURL = blank
browser.safebrowsing.provider.google4.reportURL = blank
browser.safebrowsing.provider.google4.reportPhishMistakeURL = blank
browser.safebrowsing.provider.google4.reportMalwareMistakeURL = blank
browser.safebrowsing.provider.google4.lists = blank
browser.safebrowsing.provider.google4.gethashURL = blank
browser.safebrowsing.provider.google4.dataSharingURL = blank
browser.safebrowsing.provider.google4.dataSharing.enabled = false
browser.safebrowsing.provider.google4.advisoryURL = blank
browser.safebrowsing.provider.google4.advisoryName = blank
browser.safebrowsing.provider.google.updateURL = blank
browser.safebrowsing.provider.google.reportURL = blank
browser.safebrowsing.provider.google.reportPhishMistakeURL = blank
browser.safebrowsing.provider.google.reportMalwareMistakeURL = blank
browser.safebrowsing.provider.google.pver = blank
browser.safebrowsing.provider.google.lists = blank
browser.safebrowsing.provider.google.gethashURL = blank
browser.safebrowsing.provider.google.advisoryURL = blank
browser.safebrowsing.downloads.remote.url = blank
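
One way to turn the two lists above into user.js lines, as an added example (not the author's user.js file): it treats 'blank' as an empty string and reports any preference that is listed twice with different values. The sample lines and the function names are constructed for illustration.

```python
import re

# Constructed sample in the page's "name = value (note)" notation.
SAMPLE = """\
media.peerconnection.enabled = false
network.cookie.cookieBehavior = 1 (Block third-party cookies.)
geo.wifi.uri = blank
intl.accept_languages = en-US (default language)
browser.cache.offline.enable = false
browser.cache.offline.enable = false
browser.safebrowsing.provider.google4.dataSharing.enabled = blank
browser.safebrowsing.provider.google4.dataSharing.enabled = false
"""

# name, value, and an optional trailing note in parentheses
LINE = re.compile(r"^([\w.\-]+)\s*=\s*(.*?)\s*(?:\((.*)\))?\s*$")

def to_js(value):
    """Render a page value as a user.js literal: bool, integer or quoted string."""
    if value in ("true", "false") or re.fullmatch(r"-?\d+", value):
        return value
    if value == "blank":  # the page's marker for an empty string
        value = ""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def parse(text):
    """Return (prefs, conflicts); the last value wins, differing repeats are reported."""
    prefs, conflicts = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        name, js = m.group(1), to_js(m.group(2))
        if name in prefs and prefs[name] != js:
            conflicts.append((name, prefs[name], js))
        prefs[name] = js
    return prefs, conflicts

def render(prefs):
    """Emit user_pref() lines in the syntax Firefox reads from user.js."""
    return "\n".join(f'user_pref("{n}", {v});' for n, v in prefs.items())

if __name__ == "__main__":
    prefs, conflicts = parse(SAMPLE)
    print(render(prefs))
    for name, old, new in conflicts:
        print(f"// conflict: {name} was {old}, now {new}")
```

A reported conflict means the same preference was given two different values, so decide which one is intended before copying the output into a profile.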

Credit to https://gist.github.com/0XDE57/fbd302cef7693e62c769, https://privacytools.io, https://www.thewindowsclub.com/firefox-quantum-disable-telemetry-data-collection and https://2019.www.torproject.org/projects/torbrowser/design for some of these settings.

Install uBlock Origin, NoScript, HTTPS Everywhere, Decentraleyes and Cookie AutoDelete. Cookie AutoDelete isn't really necessary as long as you applied the about:config settings above. Private browsing mode clears cookies at shutdown and first-party isolation restricts cookies and other local data to first-party domains, which makes Cookie AutoDelete partly redundant.

Configure NoScript to not whitelist any domains and to not allow anything in the blacklist and default settings.

Watch https://invidio.us/watch?v=AC4ALEKZRfg for more information on NoScript.

Configure Cookie AutoDelete to clear local storage.

Go into uBlock Origin's settings and check the "I am an advanced user" box. Enable all the settings under "Privacy" and the first three under "Default behavior". Go into "Filter lists" and update them. Click on uBlock Origin and block "3rd-party", "3rd-party scripts" and "3rd-party frames" globally.

Watch https://invidio.us/watch?v=2lisQQmWQkY for more information on uBlock Origin.

To increase security, you can use AppArmor to restrict what Firefox can do. I've made an AppArmor profile that you should be able to use with Firefox.

Tor Browser Bundle


The Tor Browser is the best browser we have to protect our privacy. It includes many security and privacy enhancing patches and forces all traffic in the browser through the Tor network.

Install it from https://torproject.org. For maximum anonymity, click the shield at the top right, click "Advanced Security Settings" and select the safest level. This disables JavaScript, so you should learn how to use NoScript.

Do not change any other setting or add any extensions in the Tor Browser. Doing so makes you stand out from all other Tor Browser users, which can de-anonymize you.

Using a VPN with Tor is pointless in most cases. See this blog post from a Tor dev to know why.

See my post on Tor for more information about Tor.

To increase security, you can use AppArmor with the Tor Browser. I recommend Micah Lee's AppArmor profiles. You will need to configure them to work with your system.

Brave


The Brave Browser is designed to block trackers and ads out of the box. It's based on Chromium and strips out Google tracking. It isn't as good as a hardened Firefox or the Tor Browser, but it is still great for beginners. You can harden it even more by changing the flags as shown below.

Go to chrome://flags

Then,

Disable - The Following Flags
==========================
#enable-offline-auto-reload
#disable-hyperlink-auditing
#safe-search-url-reporting
#enable-nostate-prefetch

Enable - The Following Flags
==========================
#reduced-referrer-granularity
#autoplay-policy set to: Document user activation required
#enable-block-tab-unders
#unified-consent

Restart Brave to enable these flags. Go into the settings and set your search engine to something more privacy respecting like DuckDuckGo.

Disable everything in "Passwords", "Payment methods", and "Addresses and more".

Set the Brave shields to block all ads, fingerprinting and third party cookies. You can set it to block all cookies and block scripts but I prefer to use uMatrix for these as it's a lot more manageable.

Disable Hangouts and set Brave to open a new tab on start-up. Go into the advanced options. Disable safe browsing and set WebRTC to "Disable non-proxied UDP".

Go into content settings then cookies. Turn on the option that clears local data when you quit the browser.

If English is your main language then switch the language to "English(United States)". The US version of English is the most common and will make you less fingerprintable. Set the spell check to the US version too or disable it entirely.

If you want to use uMatrix for script and cookie blocking then go to the Chrome Web Store and add it to your browser.

Go into your extension settings and allow uMatrix to work in incognito mode. Go into the extension options.

Enable every setting under "Privacy" and change the timers if you want. Go into "Assets" then update all the filter lists.

Go onto any website and click the uMatrix icon at the top right. Click the "*" symbol to switch to global mode.

Don't allow all first-party stuff or all CSS and images. Make sure "all" is set to dark red. Allow only first-party CSS and images, then click the padlock icon. This will block everything on sites except for first-party CSS and images. This will also break a lot of sites, so tweak the settings to your needs and learn how to use uMatrix.

uMatrix should look like this:

umatrix

Watch this video https://invidio.us/watch?v=TVozpo3zUBk to learn more about uMatrix.

Don't use Firefox forks, except the Tor Browser.

Why not?

Firefox forks don't improve your privacy. If you use them because of Firefox telemetry then stop. Telemetry can easily be disabled in about:config as described here.

Firefox forks get updates later than normal Firefox. This means you can miss out on important security updates.

They're usually made by a small team, sometimes even one person, who can stop at any time, and you'll be left without a good browser.

You'll stand out more and be easily fingerprinted, as not many people use those forks.

Some of them have very poor security. Pale Moon is a prime example of this: it doesn't even have a browser sandbox and runs on a very old engine that will contain many bugs, and the developers are cocky and have said they defeated Spectre and Meltdown, which they obviously didn't.

Brave Warning

Brave whitelists trackers from Twitter and Facebook. They do this to stop it from breaking the share buttons on some websites. There was a post on Hacker News that linked this part of Brave's GitHub repository. The code is:


const whitelistHosts = ['connect.facebook.net', 'connect.facebook.com', 'staticxx.facebook.com', 'www.facebook.com', 'scontent.xx.fbcdn.net', 'pbs.twimg.com', 'scontent-sjc2-1.xx.fbcdn.net', 'platform.twitter.com', 'syndication.twitter.com', 'cdn.syndication.twimg.com'];

This whitelists trackers from Facebook and Twitter.

The Brave CTO responded and said this was from the old repository that is not used anymore here. This is only partly true. The code is from an old repository but there is also a whitelist in the new repository. He has apologised for not giving a full answer.

The CTO replied to the Hacker News post and said,

Hi I'm Brave's CTO.

There's a balance between breaking the web and being as strict as possible. Saying we fully allow Facebook tracking isn't right [1], but we admittedly need more strict-mode like settings for privacy conscious users.

We do block Facebook at least as good as uBlock origin with EasyPrivacy. The referenced code is in a separate component which does the same as Disconnect blocking.

We're taking this seriously internally and we'll iterate on where we are to improve the situation. We're looking at if we can polyfill a local JS resource instead for example as one option if it doesn't make further requests.

[1]: https://github.com/brave/adblock-lists/blob/f25b698aff4666bbd6a6038ec029855e971b57cc/brave-unbreak.txt#L41

https://github.com/brave/adblock-lists/blob/f25b698aff4666bbd6a6038ec029855e971b57cc/brave-unbreak.txt#L42

https://github.com/brave/adblock-lists/blob/f25b698aff4666bbd6a6038ec029855e971b57cc/brave-unbreak.txt#L43

The whitelist is now optional and can be disabled in the browser settings.