Git/firefox-user.js
1
0
Fork 0
mirror of https://github.com/arkenfox/user.js.git synced 2024-11-22 02:21:38 +01:00
Code Issues Packages Projects Releases Wiki Activity

Created 4.1 Extensions (markdown)

Thorin-Oakenpants 2022-01-30 11:52:50 +00:00
parent f87f76921f
commit 22ecf5b9c3
1 changed files with 88 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

88
4.1-Extensions.md Normal file

@ -0,0 +1,88 @@
These are our current web browser recommendations and settings you can use to preserve your privacy. We recommend keeping extensions to a minimum: they have [privileged access](https://blog.mozilla.org/attack-and-defense/2020/06/10/understanding-web-security-checks-in-firefox-part-1/) within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation.
This list covers privacy and security related extensions only. While we believe these are the very best of the best, this can be subjective depending on your needs. We are also not saying you have to use all these extensions.
---
#### 🟪 EXTENSIONS
* [uBlock Origin](https://addons.mozilla.org/firefox/addon/ublock-origin/) <sup>✔ [Privacy](https://github.com/gorhill/uBlock/wiki/Privacy-policy)</sup> | [GitHub](https://github.com/gorhill/uBlock)
* ⭐ Setup your [blocking mode](https://github.com/gorhill/uBlock/wiki/Blocking-mode)
* ⭐ Import [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) | [GitHub](https://github.com/DandelionSprout/adfilt/blob/master/LegitimateURLShortener.txt)
* ⭐ Enable `AdGuard URL Tracking Protection`
* [Smart Referer](https://addons.mozilla.org/firefox/addon/smart-referer/) <sup>✔ [Privacy](https://addons.mozilla.org/firefox/addon/smart-referer/privacy/)</sup> | [GitLab](https://gitlab.com/smart-referer/smart-referer) | [GitHub <sup>Archive</sup>](https://github.com/meh/smart-referer)
* Only needed if `1601` is too strict for you, and you override it to default `0` (so Smart Referer works)
* We recommend Strict mode and adding exceptions
* [Skip Redirect](https://addons.mozilla.org/firefox/addon/skip-redirect/) | [GitHub](https://github.com/sblask/webextension-skip-redirect)
* [CanvasBlocker](https://addons.mozilla.org/firefox/addon/canvasblocker/) <sup>✔ [Privacy](https://addons.mozilla.org/firefox/addon/canvasblocker/privacy/)</sup> | [GitHub](https://github.com/kkapsner/CanvasBlocker)
* ⭐ non-RFP users only
- Good protection against naive scripts, detectable with advanced scripts
- Just randomize canvas and audio, maybe webgl if you use that: the rest is not needed
---
#### 🟪 MAYBE
* [Header Editor](https://addons.mozilla.org/firefox/addon/header-editor/) | [GitHub](https://github.com/FirefoxBar/HeaderEditor)
- Allows you to run rules to modify the request header and response header, cancel a request and redirect a request. Be careful not to alter your passive fingerprint
* [Request Control](https://addons.mozilla.org/firefox/addon/requestcontrol/) | [GitHub](https://github.com/tumpio/requestcontrol) | [Manual](https://github.com/tumpio/requestcontrol/blob/master/_locales/en/manual.md) | [Testing links](https://github.com/tumpio/requestcontrol/wiki/Testing-links)
* [Redirector](https://addons.mozilla.org/firefox/addon/redirector/) <sup>✔ [Privacy](https://github.com/einaregilsson/Redirector/blob/master/privacy.md)</sup> | [GitHub](https://github.com/einaregilsson/Redirector)
---
#### 🟪 TOOLS
These extensions will not mask or alter any data sent or received, but may be useful depending on your needs
* [Behave](https://addons.mozilla.org/firefox/addon/behave/) | [GitHub](https://github.com/mindedsecurity/behave)
- Monitors and warns if a web page; performs DNS Rebinding attacks to Private IPs, accesses Private IPs, does Port Scans
* [True Sight](https://addons.mozilla.org/firefox/addon/detect-cloudflare-plus/) <sup>✔ [Privacy](https://addons.mozilla.org/firefox/addon/detect-cloudflare-plus/privacy/)</sup> | [GitHub](https://github.com/claustromaniac/detect-cloudflare-plus)
- Why would you want to detect CDNs? Read [this](https://github.com/claustromaniac/detect-cloudflare-PA/blob/master/README.md#motivation)
* [mozlz4-edit](https://addons.mozilla.org/firefox/addon/mozlz4-edit/) | [Github](https://github.com/serj-kzv/mozlz4-edit)
- Inspect and/or edit `*.lz4`, `*.mozlz4`, `*.jsonlz4`, `*.baklz4` and `*.json` files within FF
* [CRX Viewer](https://addons.mozilla.org/firefox/addon/crxviewer/) | [GitHub](https://github.com/Rob--W/crxviewer)
* [Enterprise Policy Generator](https://addons.mozilla.org/firefox/addon/enterprise-policy-generator/) | [GitHub](https://github.com/cadeyrn/enterprise-policy-generator)
- For ESR60+ and [Enterprise Policies](https://support.mozilla.org/en-US/products/firefox-enterprise/policies-customization-enterprise/policies-overview-enterprise)
* [Compare-UserJS](https://github.com/claustromaniac/Compare-UserJS)
- Not an extension, but an tool to compare user.js files and output the diffs in detailed breakdown - by our very own [claustromaniac](https://github.com/claustromaniac) :cat2:
---
#### 🟪 DON'T BOTHER
* uMatrix
- ⚠️ No longer maintained, the last commit was April 2020 except for a [one-off patch](https://github.com/gorhill/uMatrix/releases/tag/1.4.2) to fix a [vulnerability](https://github.com/vtriolet/writings/blob/main/posts/2021/ublock_origin_and_umatrix_denial_of_service.adoc)
- Everything uMatrix did can be covered by prefs or other extensions: use uBlock Origin for any content blocking.
* NoScript
- Redundant with uBlock Origin
* Ghostery, Disconnect, Privacy Badger, etc
- Redundant with [Total Cookie Protection](https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/) (dFPI) or FPI
- Note: Privacy Badger [no longer](https://www.eff.org/deeplinks/2020/10/privacy-badger-changing-protect-you-better) uses [heuristics](https://www.eff.org/privacybadger/faq#How-does-Privacy-Badger-work) by default, and enabling it makes you easily [detected](https://adtechmadness.wordpress.com/2020/03/27/detecting-privacy-badgers-canvas-fp-detection/)
* Neat URL, ClearURLs
- Redundant with uBlock Origin's [`removeparam`](https://github.com/gorhill/uBlock/wiki/Static-filter-syntax#removeparam) and added lists. Any potential extra coverage provided by additional extensions is going to be minimal
* HTTPS Everywhere
- Redundant with [HTTPS-Only Mode](https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/) and scheduled for [deprecation](https://www.eff.org/deeplinks/2021/09/https-actually-everywhere)
* CSS Exfil Protection
- Practically zero threat and if the platform's CSS was compromised, you'd have bigger problems to worry about
* LocalCDN, Decentraleyes
- Third parties are already isolated if you use [Total Cookie Protection](https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/) (dFPI) or FPI
- Replacing scripts on CDNs with local versions is not a comprehensive solution and is a form of [enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/). While it may work with some scripts that are included it doesnt help with most other third party connections
- CDN extensions don't really improve privacy as far as sharing your IP address is concerned and their usage is fingerprintable as this Tor Project developer [points out](https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22089#note_2639603). They are the [wrong tool](https://en.wikipedia.org/wiki/XY_problem) for the job and are not a substitute for a good VPN or Tor Browser. Its worth noting the [resources](https://git.synz.io/Synzvato/decentraleyes/-/tree/master/resources) for Decentraleyes are hugely out of date and would not likely be used anyway
* Temporary Containers, Cookie extensions
- Redundant with [Total Cookie Protection](https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/) (dFPI) or FPI
- ❗Sanitizing in-session is a false sense of privacy. They do nothing for IP tracking. Even Tor Browser does not sanitize in-session e.g. when you request a new circuit. A new ID requires _both_ full sanitizing _and_ a new IP. The same applies to Firefox
- ❗Cookie extensions lack [APIs](https://bugzilla.mozilla.org/1669716) to work with Total Cookie Protection which [will be the default](https://bugzilla.mozilla.org/1731713)
* Anti-Fingerprinting Extensions
- Redundant with RFP: We enable RFP by default as the [best solution](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-[To-RFP-or-Not])
- Robust, built-in, performant, extra timing mitigations, and doesn't leak
- ⭐ If you don't use RFP, then we recommend Canvas Blocker (see above) as your best option
- Most extensions cannot protect what they claim:
- It's impossible (engine, OS, version)
- It's not a lie (the sites expect and use a valid value)
- It's dumb (randomizing is not very usable, and/or successfully spoofing is the same as setting that)
- It's equivalency
- It has too many methods (fonts: at least a dozen methods and counting)
- ... and more
- Web Extensions lack APIs to properly protect metrics (without breaking basic functionality)
- Web Extensions are detectable, and often uniquely fingerprintable, when they touch the DOM (and sometimes when they don't)