diff --git a/4.1-Extensions.md b/4.1-Extensions.md index 425e251..f31db5f 100644 --- a/4.1-Extensions.md +++ b/4.1-Extensions.md @@ -1,3 +1,5 @@ +These are our current web browser recommendations and settings you can use to preserve your privacy. We recommend keeping extensions to a minimum: they have [privileged access](https://blog.mozilla.org/attack-and-defense/2020/06/10/understanding-web-security-checks-in-firefox-part-1/) within your browser, require you to trust the developer, can make you [stand out](https://en.wikipedia.org/wiki/Device_fingerprint#Browser_fingerprint), and [weaken](https://groups.google.com/a/chromium.org/g/chromium-extensions/c/0ei-UCHNm34/m/lDaXwQhzBAAJ) site isolation. + This list covers privacy and security related extensions only. While we believe these are the very best of the best, this can be subjective depending on your needs. We are also not saying you have to use all these extensions. ### :small_orange_diamond: Extensions (in no particular order...) 
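Review bot: the new opening sentence "These are our current web browser recommendations and settings you can use to preserve your privacy." describes browser recommendations and settings, not extensions, and sits directly above the existing "This list covers privacy and security related extensions only", which reads as a copy from a different page. Suggest "These are our current extension recommendations and the settings we use with them" or simply drop the first sentence and keep "We recommend keeping extensions to a minimum: ...". Also, the "weaken site isolation" claim links a chromium-extensions Google Group thread while every recommendation on the page is an AMO (Firefox) link; either state that the same limitation applies to Firefox or cite a Firefox source so the warning is not dismissed as Chrome-specific.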
@@ -5,15 +7,8 @@ This list covers privacy and security related extensions only. While we believe * [uBlock Origin](https://addons.mozilla.org/firefox/addon/ublock-origin/) ✔ [Privacy](https://github.com/gorhill/uBlock/wiki/Privacy-policy) | [GitHub](https://github.com/gorhill/uBlock) * ⭐ import [Actually Legitimate URL Shortener Tool](https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt) | [GitHub](https://github.com/DandelionSprout/adfilt/blob/master/LegitimateURLShortener.txt) * ⭐ enable `AdGuard URL Tracking Protection` -* [Temporary Containers](https://addons.mozilla.org/en-US/firefox/addon/temporary-containers/) ✔ Privacy (stated on AMO) | [GitHub](https://github.com/stoically/temporary-containers) - * This can achieve *almost* everything First Party Isolation (FPI) does without breaking cross-domain logins. And (with or without FPI), in a hardened TC setup, this can even isolate repeat visits to the same domain, which FPI alone cannot. - * Required reading: [1] [AMO description](https://addons.mozilla.org/firefox/addon/temporary-containers/) [2] [Article](https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21) [3] [TC's Wiki](https://github.com/stoically/temporary-containers/wiki) * [Smart Referer](https://addons.mozilla.org/firefox/addon/smart-referer/) ✔ [Privacy](https://addons.mozilla.org/firefox/addon/smart-referer/privacy/) | [GitLab](https://gitlab.com/smart-referer/smart-referer) | [GitHub Archive](https://github.com/meh/smart-referer) -* [Header Editor](https://addons.mozilla.org/firefox/addon/header-editor/) | [GitHub](https://github.com/FirefoxBar/HeaderEditor) - * Allows you to run [Rules](https://github.com/arkenfox/user.js/wiki/4.2.4-Header-Editor) to modify modify the request header and response header, cancel a request and redirect a request. 
Be careful not to alter your passive fingerprint * [Skip Redirect](https://addons.mozilla.org/firefox/addon/skip-redirect/) | [GitHub](https://github.com/sblask/webextension-skip-redirect) -* [Request Control](https://addons.mozilla.org/firefox/addon/requestcontrol/) | [GitHub](https://github.com/tumpio/requestcontrol) | [Manual](https://github.com/tumpio/requestcontrol/blob/master/_locales/en/manual.md) | [Testing links](https://github.com/tumpio/requestcontrol/wiki/Testing-links) -* [Redirector](https://addons.mozilla.org/firefox/addon/redirector/) ✔ [Privacy](https://github.com/einaregilsson/Redirector/blob/master/privacy.md) | [GitHub](https://github.com/einaregilsson/Redirector) --- ### :small_orange_diamond: Extensions (maybe) 
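Review bot: the four entries removed here (Temporary Containers, Header Editor, Request Control, Redirector) are re-added unchanged in the "(maybe)" hunk that follows, so this hunk is a reclassification from recommended to optional rather than a deletion, and nothing in the diff says why. The existing "(maybe)" entries carry sub-bullets explaining their limits (e.g. "`Screen API` and `Navigator API`: don't use with RFP"); give each moved entry a one-line reason in the same style when it lands in "(maybe)", otherwise readers will see a redirect tool demoted with no explanation. After this hunk the recommended list is uBlock Origin, Smart Referer and Skip Redirect only; confirm that Smart Referer, which also rewrites a request header, is meant to stay while Header Editor moves.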
@@ -21,8 +16,13 @@ This list covers privacy and security related extensions only. While we believe - `Canvas API`: great fallback if you allow an RFP canvas site exception - `Screen API` and `Navigator API`: don't use with RFP - `The rest`: good protection against naive scripts, detectable with advanced scripts -* [CSS Exfil Protection](https://addons.mozilla.org/firefox/addon/css-exfil-protection/) | [GitHub](https://github.com/mlgualtieri/CSS-Exfil-Protection) | [Homepage + Test](https://www.mike-gualtieri.com/css-exfil-vulnerability-tester) - - Practically zero threat and if the platform's CSS was compromised, you'd have bigger problems to worry about +* [Header Editor](https://addons.mozilla.org/firefox/addon/header-editor/) | [GitHub](https://github.com/FirefoxBar/HeaderEditor) + * Allows you to run [Rules](https://github.com/arkenfox/user.js/wiki/4.2.4-Header-Editor) to modify modify the request header and response header, cancel a request and redirect a request. Be careful not to alter your passive fingerprint +* [Request Control](https://addons.mozilla.org/firefox/addon/requestcontrol/) | [GitHub](https://github.com/tumpio/requestcontrol) | [Manual](https://github.com/tumpio/requestcontrol/blob/master/_locales/en/manual.md) | [Testing links](https://github.com/tumpio/requestcontrol/wiki/Testing-links) +* [Redirector](https://addons.mozilla.org/firefox/addon/redirector/) ✔ [Privacy](https://github.com/einaregilsson/Redirector/blob/master/privacy.md) | [GitHub](https://github.com/einaregilsson/Redirector) +* [Temporary Containers](https://addons.mozilla.org/en-US/firefox/addon/temporary-containers/) ✔ Privacy (stated on AMO) | [GitHub](https://github.com/stoically/temporary-containers) + * This can achieve *almost* everything First Party Isolation (FPI) does without breaking cross-domain logins. And (with or without FPI), in a hardened TC setup, this can even isolate repeat visits to the same domain, which FPI alone cannot. 
+ * Required reading: [1] [AMO description](https://addons.mozilla.org/firefox/addon/temporary-containers/) [2] [Article](https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21) [3] [TC's Wiki](https://github.com/stoically/temporary-containers/wiki) --- ### :small_orange_diamond: Extensions [Tools] 
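Review bot: the re-added Header Editor line keeps the duplicated word in "Allows you to run [Rules](...) to modify modify the request header and response header"; since the line is being written fresh here, drop the second "modify". The Temporary Containers description is also re-added verbatim and only talks about "First Party Isolation (FPI)" ("This can achieve *almost* everything First Party Isolation (FPI) does without breaking cross-domain logins"), while the deprecated section in the same patch now says "Total Cookie Protection (dFPI) or FPI"; align the TC text with that wording so the page does not present FPI as the only isolation mechanism in one place and dFPI as the default in another.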
@@ -50,20 +50,23 @@ These extensions will not mask or alter any data sent or received, but may be us - Everything uMatrix did can be covered by prefs or other extensions: use uBlock Origin for any content blocking. * HTTPS Everywhere - Scheduled for [deprecation](https://www.eff.org/deeplinks/2021/09/https-actually-everywhere) and redundant with [HTTPS-Only Mode](https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/) +* NoScript, Ghostery, Disconnect, Privacy Badger, etc + * redundant with uBlock Origin + * Note: Privacy Badger is easily [detected](https://adtechmadness.wordpress.com/2020/03/27/detecting-privacy-badgers-canvas-fp-detection/), and [no longer](https://www.eff.org/deeplinks/2020/10/privacy-badger-changing-protect-you-better) uses [hueristics](https://www.eff.org/privacybadger/faq#How-does-Privacy-Badger-work) +* Neat URL, ClearURLs + * redundant with uBlock Origin's [`removeparam`](https://github.com/gorhill/uBlock/wiki/Static-filter-syntax#removeparam) +* [CSS Exfil Protection](https://addons.mozilla.org/firefox/addon/css-exfil-protection/) | [GitHub](https://github.com/mlgualtieri/CSS-Exfil-Protection) | [Homepage + Test](https://www.mike-gualtieri.com/css-exfil-vulnerability-tester) + * Practically zero threat and if the platform's CSS was compromised, you'd have bigger problems to worry about +* Decentraleyes, LocalCDN + * Third parties are already isolated if you use Total Cookie Protection (dFPI) or FPI + * Replacing scripts on CDNs with local versions is not a comprehensive solution and is a form of [enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/). 
While it may work with some scripts that are included it doesn’t help with most other third party connections + * CDN extensions don't really improve privacy as far as sharing your IP address is concerned and their usage is fingerprintable as this Tor Project developer [points out](https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22089#note_2639603). They are the [wrong tool](https://en.wikipedia.org/wiki/XY_problem) for the job and are not a substitute for a good VPN or Tor Browser. Its worth noting the [resources](https://git.synz.io/Synzvato/decentraleyes/-/tree/master/resources) for Decentraleyes are hugely out of date and would not be likely be used anyway * Cookie extensions * ❗️ Functionality for extensions may be missing for clearing IndexedDB, Service Workers cache, or cache **by host**. Clearing cookies & localStorage on their own, and leaving orphaned persistent data is a false sense of privacy * see [1340511](https://bugzilla.mozilla.org/1340511) for progress on this * FF77+ [1551301](https://bugzilla.mozilla.org/1551301) IDB [1632990](https://bugzilla.mozilla.org/1632990) Service Workers cache * FF78+ [1636784](https://bugzilla.mozilla.org/1636784) cache * Use FPI (First Party Isolation) or Total Cookie Protection (FF86+) ... and/or Temporary Containers -* NoScript, Ghostery, Disconnect, Privacy Badger, etc - * redundant with uBlock Origin - * Note: Privacy Badger is easily [detected](https://adtechmadness.wordpress.com/2020/03/27/detecting-privacy-badgers-canvas-fp-detection/), and [no longer](https://www.eff.org/deeplinks/2020/10/privacy-badger-changing-protect-you-better) uses [hueristics](https://www.eff.org/privacybadger/faq#How-does-Privacy-Badger-work) -* Neat URL, ClearURLs - * redundant with uBlock Origin's [`removeparam`](https://github.com/gorhill/uBlock/wiki/Static-filter-syntax#removeparam) -* Decentraleyes, LocalCDN - * Third parties are already isolated if you use FPI/dFPI. 
[Do not confuse this](https://en.wikipedia.org/wiki/XY_problem) as a solution to hide your IP. If you want to hide your IP, then use the appropriate tools - * Decentraleyes is practically abandonware with little to no impact with [years old outdated resources](https://git.synz.io/Synzvato/decentraleyes/-/tree/master/resources) ---
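Review bot: three spelling/grammar slips are carried into the freshly added lines and should be fixed while the lines are being rewritten: "uses [hueristics]" should be "uses [heuristics]" (the link text only; the URL is fine), "Its worth noting the [resources]" should be "It's worth noting the [resources]", and "would not be likely be used anyway" should be "would likely not be used anyway". The new Decentraleyes/LocalCDN block is otherwise an improvement over the removed "practically abandonware" bullet, but its four sub-bullets repeat the same point twice ("not a comprehensive solution ... enumerating badness" and "wrong tool for the job ... not a substitute for a good VPN or Tor Browser"); merging the second and fourth bullets would keep the IP-address and fingerprintability arguments, which are the substantive ones, without the repetition. Finally, "NoScript, Ghostery, Disconnect, Privacy Badger, etc" lumps four tools under a single "redundant with uBlock Origin" line; since the Privacy Badger caveat already gets its own sub-bullet, consider noting what uBlock Origin feature replaces each of the others (content blocking and script blocking via dynamic filtering) so the redundancy claim is checkable.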