From c4b18f09f0e6beca20697a1085a6c5514442c88a Mon Sep 17 00:00:00 2001
From: Thorin-Oakenpants
Date: Sat, 27 Nov 2021 03:47:27 +0000
Subject: [PATCH] Updated 4.1 Extensions (markdown)

---
 4.1-Extensions.md | 50 +++++++++++++++++++++++------------------------
 1 file changed, 25 insertions(+), 25 deletions(-)

diff --git a/4.1-Extensions.md b/4.1-Extensions.md
index f31db5f..24398fa 100644
--- a/4.1-Extensions.md
+++ b/4.1-Extensions.md
@@ -13,16 +13,16 @@ This list covers privacy and security related extensions only. While we believe --- ### :small_orange_diamond: Extensions (maybe) * [CanvasBlocker](https://addons.mozilla.org/firefox/addon/canvasblocker/) ✔ [Privacy](https://addons.mozilla.org/firefox/addon/canvasblocker/privacy/) | [GitHub](https://github.com/kkapsner/CanvasBlocker) - - `Canvas API`: great fallback if you allow an RFP canvas site exception - - `Screen API` and `Navigator API`: don't use with RFP - - `The rest`: good protection against naive scripts, detectable with advanced scripts + - `Canvas API`: great fallback if you allow an RFP canvas site exception + - `Screen API` and `Navigator API`: don't use with RFP + - `The rest`: good protection against naive scripts, detectable with advanced scripts * [Header Editor](https://addons.mozilla.org/firefox/addon/header-editor/) | [GitHub](https://github.com/FirefoxBar/HeaderEditor) - * Allows you to run [Rules](https://github.com/arkenfox/user.js/wiki/4.2.4-Header-Editor) to modify modify the request header and response header, cancel a request and redirect a request. Be careful not to alter your passive fingerprint + - Allows you to run [Rules](https://github.com/arkenfox/user.js/wiki/4.2.4-Header-Editor) to modify modify the request header and response header, cancel a request and redirect a request. 
Be careful not to alter your passive fingerprint * [Request Control](https://addons.mozilla.org/firefox/addon/requestcontrol/) | [GitHub](https://github.com/tumpio/requestcontrol) | [Manual](https://github.com/tumpio/requestcontrol/blob/master/_locales/en/manual.md) | [Testing links](https://github.com/tumpio/requestcontrol/wiki/Testing-links) * [Redirector](https://addons.mozilla.org/firefox/addon/redirector/) ✔ [Privacy](https://github.com/einaregilsson/Redirector/blob/master/privacy.md) | [GitHub](https://github.com/einaregilsson/Redirector) * [Temporary Containers](https://addons.mozilla.org/en-US/firefox/addon/temporary-containers/) ✔ Privacy (stated on AMO) | [GitHub](https://github.com/stoically/temporary-containers) - * This can achieve *almost* everything First Party Isolation (FPI) does without breaking cross-domain logins. And (with or without FPI), in a hardened TC setup, this can even isolate repeat visits to the same domain, which FPI alone cannot. - * Required reading: [1] [AMO description](https://addons.mozilla.org/firefox/addon/temporary-containers/) [2] [Article](https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21) [3] [TC's Wiki](https://github.com/stoically/temporary-containers/wiki) + - This can achieve *almost* everything First Party Isolation (FPI) does without breaking cross-domain logins. And (with or without FPI), in a hardened TC setup, this can even isolate repeat visits to the same domain, which FPI alone cannot. + - Required reading: [1] [AMO description](https://addons.mozilla.org/firefox/addon/temporary-containers/) [2] [Article](https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21) [3] [TC's Wiki](https://github.com/stoically/temporary-containers/wiki) --- ### :small_orange_diamond: Extensions [Tools] 
@@ -31,38 +31,38 @@ These extensions will not mask or alter any data sent or received, but may be us * [uBO-Scope](https://addons.mozilla.org/firefox/addon/ubo-scope/) | [GitHub](https://github.com/gorhill/uBO-Scope) * [Behave](https://addons.mozilla.org/firefox/addon/behave/) | [GitHub](https://github.com/mindedsecurity/behave) - * monitors and warns if a web page; performs DNS Rebinding attacks to Private IPs, accesses Private IPs, does Port Scans + - Monitors and warns if a web page; performs DNS Rebinding attacks to Private IPs, accesses Private IPs, does Port Scans * [True Sight](https://addons.mozilla.org/firefox/addon/detect-cloudflare-plus/) ✔ [Privacy](https://addons.mozilla.org/firefox/addon/detect-cloudflare-plus/privacy/) | [GitHub](https://github.com/claustromaniac/detect-cloudflare-plus) - * Why would you want to detect CDNs? Read [this](https://github.com/claustromaniac/detect-cloudflare-PA/blob/master/README.md#motivation). + - Why would you want to detect CDNs? Read [this](https://github.com/claustromaniac/detect-cloudflare-PA/blob/master/README.md#motivation). 
* [mozlz4-edit](https://addons.mozilla.org/firefox/addon/mozlz4-edit/) | [Github](https://github.com/serj-kzv/mozlz4-edit) - * inspect and/or edit `*.lz4`, `*.mozlz4`, `*.jsonlz4`, `*.baklz4` and `*.json` files within FF + - Inspect and/or edit `*.lz4`, `*.mozlz4`, `*.jsonlz4`, `*.baklz4` and `*.json` files within FF * [CRX Viewer](https://addons.mozilla.org/firefox/addon/crxviewer/) | [GitHub](https://github.com/Rob--W/crxviewer) -* [Compare-UserJS](https://github.com/claustromaniac/Compare-UserJS) - * Not an extension, but an excellent tool to compare user.js files and output the diffs in detailed breakdown - by our very own incomparable [claustromaniac](https://github.com/claustromaniac) :cat2: * [Enterprise Policy Generator](https://addons.mozilla.org/firefox/addon/enterprise-policy-generator/) | [GitHub](https://github.com/cadeyrn/enterprise-policy-generator) - * For ESR60+ and [Enterprise Policies](https://support.mozilla.org/en-US/products/firefox-enterprise/policies-enterprise) + - For ESR60+ and [Enterprise Policies](https://support.mozilla.org/en-US/products/firefox-enterprise/policies-enterprise) +* [Compare-UserJS](https://github.com/claustromaniac/Compare-UserJS) + - Not an extension, but an tool to compare user.js files and output the diffs in detailed breakdown - by our very own [claustromaniac](https://github.com/claustromaniac) :cat2: --- ### :small_orange_diamond: Don't Bother... * uMatrix - - ⚠️ No longer maintained, the last commit was April 2020 except for a [one-off patch](https://github.com/gorhill/uMatrix/releases/tag/1.4.2) to fix a [vulnerability](https://github.com/vtriolet/writings/blob/main/posts/2021/ublock_origin_and_umatrix_denial_of_service.adoc) - - Everything uMatrix did can be covered by prefs or other extensions: use uBlock Origin for any content blocking. 
-* HTTPS Everywhere - - Scheduled for [deprecation](https://www.eff.org/deeplinks/2021/09/https-actually-everywhere) and redundant with [HTTPS-Only Mode](https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/) + - ⚠️ No longer maintained, the last commit was April 2020 except for a [one-off patch](https://github.com/gorhill/uMatrix/releases/tag/1.4.2) to fix a [vulnerability](https://github.com/vtriolet/writings/blob/main/posts/2021/ublock_origin_and_umatrix_denial_of_service.adoc) + - Everything uMatrix did can be covered by prefs or other extensions: use uBlock Origin for any content blocking. * NoScript, Ghostery, Disconnect, Privacy Badger, etc - * redundant with uBlock Origin - * Note: Privacy Badger is easily [detected](https://adtechmadness.wordpress.com/2020/03/27/detecting-privacy-badgers-canvas-fp-detection/), and [no longer](https://www.eff.org/deeplinks/2020/10/privacy-badger-changing-protect-you-better) uses [hueristics](https://www.eff.org/privacybadger/faq#How-does-Privacy-Badger-work) + - Redundant with uBlock Origin + - Note: Privacy Badger is easily [detected](https://adtechmadness.wordpress.com/2020/03/27/detecting-privacy-badgers-canvas-fp-detection/), and [no longer](https://www.eff.org/deeplinks/2020/10/privacy-badger-changing-protect-you-better) uses [hueristics](https://www.eff.org/privacybadger/faq#How-does-Privacy-Badger-work) * Neat URL, ClearURLs - * redundant with uBlock Origin's [`removeparam`](https://github.com/gorhill/uBlock/wiki/Static-filter-syntax#removeparam) -* [CSS Exfil Protection](https://addons.mozilla.org/firefox/addon/css-exfil-protection/) | [GitHub](https://github.com/mlgualtieri/CSS-Exfil-Protection) | [Homepage + Test](https://www.mike-gualtieri.com/css-exfil-vulnerability-tester) - * Practically zero threat and if the platform's CSS was compromised, you'd have bigger problems to worry about + - Redundant with uBlock Origin's 
[`removeparam`](https://github.com/gorhill/uBlock/wiki/Static-filter-syntax#removeparam) +* HTTPS Everywhere + - Scheduled for [deprecation](https://www.eff.org/deeplinks/2021/09/https-actually-everywhere) and redundant with [HTTPS-Only Mode](https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/) +* CSS Exfil Protection + - Practically zero threat and if the platform's CSS was compromised, you'd have bigger problems to worry about * Decentraleyes, LocalCDN - * Third parties are already isolated if you use Total Cookie Protection (dFPI) or FPI - * Replacing scripts on CDNs with local versions is not a comprehensive solution and is a form of [enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/). While it may work with some scripts that are included it doesn’t help with most other third party connections - * CDN extensions don't really improve privacy as far as sharing your IP address is concerned and their usage is fingerprintable as this Tor Project developer [points out](https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22089#note_2639603). They are the [wrong tool](https://en.wikipedia.org/wiki/XY_problem) for the job and are not a substitute for a good VPN or Tor Browser. Its worth noting the [resources](https://git.synz.io/Synzvato/decentraleyes/-/tree/master/resources) for Decentraleyes are hugely out of date and would not be likely be used anyway + - Third parties are already isolated if you use Total Cookie Protection (dFPI) or FPI + - Replacing scripts on CDNs with local versions is not a comprehensive solution and is a form of [enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/). 
While it may work with some scripts that are included it doesn’t help with most other third party connections + - CDN extensions don't really improve privacy as far as sharing your IP address is concerned and their usage is fingerprintable as this Tor Project developer [points out](https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22089#note_2639603). They are the [wrong tool](https://en.wikipedia.org/wiki/XY_problem) for the job and are not a substitute for a good VPN or Tor Browser. Its worth noting the [resources](https://git.synz.io/Synzvato/decentraleyes/-/tree/master/resources) for Decentraleyes are hugely out of date and would not be likely be used anyway * Cookie extensions - * ❗️ Functionality for extensions may be missing for clearing IndexedDB, Service Workers cache, or cache **by host**. Clearing cookies & localStorage on their own, and leaving orphaned persistent data is a false sense of privacy + - ❗️ Functionality for extensions may be missing for clearing IndexedDB, Service Workers cache, or cache **by host**. Clearing cookies & localStorage on their own, and leaving orphaned persistent data is a false sense of privacy * see [1340511](https://bugzilla.mozilla.org/1340511) for progress on this * FF77+ [1551301](https://bugzilla.mozilla.org/1551301) IDB [1632990](https://bugzilla.mozilla.org/1632990) Service Workers cache * FF78+ [1636784](https://bugzilla.mozilla.org/1636784) cache
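
Review bot: In the first hunk (@@ -13,16 +13,16 @@), the re-bulleted Header Editor line still reads "to modify modify the request header and response header", carrying the doubled word over from the line it replaces. Since the line is being rewritten anyway, drop the duplicate and end "Be careful not to alter your passive fingerprint" with a period. That caution is the part of the entry a reader most needs to see, so consider giving it its own sub-bullet instead of leaving it as a trailing clause.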
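
Review bot: In the second hunk (@@ -31,38 +31,38 @@), the CSS Exfil Protection entry is not just moved and re-bulleted: its AMO, GitHub and "Homepage + Test" links are removed, leaving a bare name, and the subject "Updated 4.1 Extensions (markdown)" does not mention this. If dropping the links is intended, say so in the commit message; otherwise restore them so readers can still reach the tester for the issue the entry dismisses. Some wording slips in added lines could be fixed in the same pass: the Compare-UserJS line now reads "but an tool" after "excellent" was removed (should be "a tool"), the Behave line keeps the stray semicolon in "warns if a web page; performs DNS Rebinding attacks", the Privacy Badger line keeps "hueristics", and the Decentraleyes line keeps "Its worth noting" and "would not be likely be used".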