Updated 4.1 Extensions (markdown)

Thorin-Oakenpants 2021-11-27 03:47:27 +00:00
parent 8acd49f5d6
commit c4b18f09f0

@ -17,12 +17,12 @@ This list covers privacy and security related extensions only. While we believe
- `Screen API` and `Navigator API`: don't use with RFP
- `The rest`: good protection against naive scripts, detectable with advanced scripts
* [Header Editor](https://addons.mozilla.org/firefox/addon/header-editor/) | [GitHub](https://github.com/FirefoxBar/HeaderEditor)
* Allows you to run [Rules](https://github.com/arkenfox/user.js/wiki/4.2.4-Header-Editor) to modify modify the request header and response header, cancel a request and redirect a request. Be careful not to alter your passive fingerprint
- Allows you to run [Rules](https://github.com/arkenfox/user.js/wiki/4.2.4-Header-Editor) to modify modify the request header and response header, cancel a request and redirect a request. Be careful not to alter your passive fingerprint
* [Request Control](https://addons.mozilla.org/firefox/addon/requestcontrol/) | [GitHub](https://github.com/tumpio/requestcontrol) | [Manual](https://github.com/tumpio/requestcontrol/blob/master/_locales/en/manual.md) | [Testing links](https://github.com/tumpio/requestcontrol/wiki/Testing-links)
* [Redirector](https://addons.mozilla.org/firefox/addon/redirector/) <sup>✔ [Privacy](https://github.com/einaregilsson/Redirector/blob/master/privacy.md)</sup> | [GitHub](https://github.com/einaregilsson/Redirector)
* [Temporary Containers](https://addons.mozilla.org/en-US/firefox/addon/temporary-containers/) <sup>✔ Privacy (stated on AMO)</sup> | [GitHub](https://github.com/stoically/temporary-containers)
* This can achieve *almost* everything First Party Isolation (FPI) does without breaking cross-domain logins. And (with or without FPI), in a hardened TC setup, this can even isolate repeat visits to the same domain, which FPI alone cannot.
* Required reading: [1] [AMO description](https://addons.mozilla.org/firefox/addon/temporary-containers/) [2] [Article](https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21) [3] [TC's Wiki](https://github.com/stoically/temporary-containers/wiki)
- This can achieve *almost* everything First Party Isolation (FPI) does without breaking cross-domain logins. And (with or without FPI), in a hardened TC setup, this can even isolate repeat visits to the same domain, which FPI alone cannot.
- Required reading: [1] [AMO description](https://addons.mozilla.org/firefox/addon/temporary-containers/) [2] [Article](https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21) [3] [TC's Wiki](https://github.com/stoically/temporary-containers/wiki)
---
### :small_orange_diamond: Extensions [Tools]
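Review bot: The Header Editor sub-bullet still reads "to modify modify the request header" in both the old and the new version of the line. Since the line is being rewritten for the bullet marker anyway, drop the duplicated word and close the final sentence with a period. Also, the Temporary Containers entry links to AMO through an `/en-US/` path, while the "Required reading" line under it and the other AMO links in this hunk use the locale-neutral `/firefox/addon/...` form, so the same add-on is linked two different ways.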
@ -31,16 +31,16 @@ These extensions will not mask or alter any data sent or received, but may be us
* [uBO-Scope](https://addons.mozilla.org/firefox/addon/ubo-scope/) | [GitHub](https://github.com/gorhill/uBO-Scope)
* [Behave](https://addons.mozilla.org/firefox/addon/behave/) | [GitHub](https://github.com/mindedsecurity/behave)
* monitors and warns if a web page; performs DNS Rebinding attacks to Private IPs, accesses Private IPs, does Port Scans
- Monitors and warns if a web page; performs DNS Rebinding attacks to Private IPs, accesses Private IPs, does Port Scans
* [True Sight](https://addons.mozilla.org/firefox/addon/detect-cloudflare-plus/) <sup>✔ [Privacy](https://addons.mozilla.org/firefox/addon/detect-cloudflare-plus/privacy/)</sup> | [GitHub](https://github.com/claustromaniac/detect-cloudflare-plus)
* Why would you want to detect CDNs? Read [this](https://github.com/claustromaniac/detect-cloudflare-PA/blob/master/README.md#motivation).
- Why would you want to detect CDNs? Read [this](https://github.com/claustromaniac/detect-cloudflare-PA/blob/master/README.md#motivation).
* [mozlz4-edit](https://addons.mozilla.org/firefox/addon/mozlz4-edit/) | [Github](https://github.com/serj-kzv/mozlz4-edit)
* inspect and/or edit `*.lz4`, `*.mozlz4`, `*.jsonlz4`, `*.baklz4` and `*.json` files within FF
- Inspect and/or edit `*.lz4`, `*.mozlz4`, `*.jsonlz4`, `*.baklz4` and `*.json` files within FF
* [CRX Viewer](https://addons.mozilla.org/firefox/addon/crxviewer/) | [GitHub](https://github.com/Rob--W/crxviewer)
* [Compare-UserJS](https://github.com/claustromaniac/Compare-UserJS)
* Not an extension, but an excellent tool to compare user.js files and output the diffs in detailed breakdown - by our very own incomparable [claustromaniac](https://github.com/claustromaniac) :cat2:
* [Enterprise Policy Generator](https://addons.mozilla.org/firefox/addon/enterprise-policy-generator/) | [GitHub](https://github.com/cadeyrn/enterprise-policy-generator)
* For ESR60+ and [Enterprise Policies](https://support.mozilla.org/en-US/products/firefox-enterprise/policies-enterprise)
- For ESR60+ and [Enterprise Policies](https://support.mozilla.org/en-US/products/firefox-enterprise/policies-enterprise)
* [Compare-UserJS](https://github.com/claustromaniac/Compare-UserJS)
- Not an extension, but an tool to compare user.js files and output the diffs in detailed breakdown - by our very own [claustromaniac](https://github.com/claustromaniac) :cat2:
---
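Review bot: The relocated Compare-UserJS description now reads "Not an extension, but an tool"; removing "excellent" left the wrong article, so it should be "a tool". In the Behave line, capitalizing "Monitors" did not fix the semicolon after "if a web page", which separates the subject from its verbs. A plain list such as "performs DNS rebinding attacks to private IPs, accesses private IPs, or does port scans" would read correctly.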
@ -48,21 +48,21 @@ These extensions will not mask or alter any data sent or received, but may be us
* uMatrix
- ⚠️ No longer maintained, the last commit was April 2020 except for a [one-off patch](https://github.com/gorhill/uMatrix/releases/tag/1.4.2) to fix a [vulnerability](https://github.com/vtriolet/writings/blob/main/posts/2021/ublock_origin_and_umatrix_denial_of_service.adoc)
- Everything uMatrix did can be covered by prefs or other extensions: use uBlock Origin for any content blocking.
* NoScript, Ghostery, Disconnect, Privacy Badger, etc
- Redundant with uBlock Origin
- Note: Privacy Badger is easily [detected](https://adtechmadness.wordpress.com/2020/03/27/detecting-privacy-badgers-canvas-fp-detection/), and [no longer](https://www.eff.org/deeplinks/2020/10/privacy-badger-changing-protect-you-better) uses [hueristics](https://www.eff.org/privacybadger/faq#How-does-Privacy-Badger-work)
* Neat URL, ClearURLs
- Redundant with uBlock Origin's [`removeparam`](https://github.com/gorhill/uBlock/wiki/Static-filter-syntax#removeparam)
* HTTPS Everywhere
- Scheduled for [deprecation](https://www.eff.org/deeplinks/2021/09/https-actually-everywhere) and redundant with [HTTPS-Only Mode](https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/)
* NoScript, Ghostery, Disconnect, Privacy Badger, etc
* redundant with uBlock Origin
* Note: Privacy Badger is easily [detected](https://adtechmadness.wordpress.com/2020/03/27/detecting-privacy-badgers-canvas-fp-detection/), and [no longer](https://www.eff.org/deeplinks/2020/10/privacy-badger-changing-protect-you-better) uses [hueristics](https://www.eff.org/privacybadger/faq#How-does-Privacy-Badger-work)
* Neat URL, ClearURLs
* redundant with uBlock Origin's [`removeparam`](https://github.com/gorhill/uBlock/wiki/Static-filter-syntax#removeparam)
* [CSS Exfil Protection](https://addons.mozilla.org/firefox/addon/css-exfil-protection/) | [GitHub](https://github.com/mlgualtieri/CSS-Exfil-Protection) | [Homepage + Test](https://www.mike-gualtieri.com/css-exfil-vulnerability-tester)
* Practically zero threat and if the platform's CSS was compromised, you'd have bigger problems to worry about
* CSS Exfil Protection
- Practically zero threat and if the platform's CSS was compromised, you'd have bigger problems to worry about
* Decentraleyes, LocalCDN
* Third parties are already isolated if you use Total Cookie Protection (dFPI) or FPI
* Replacing scripts on CDNs with local versions is not a comprehensive solution and is a form of [enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/). While it may work with some scripts that are included it doesnt help with most other third party connections
* CDN extensions don't really improve privacy as far as sharing your IP address is concerned and their usage is fingerprintable as this Tor Project developer [points out](https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22089#note_2639603). They are the [wrong tool](https://en.wikipedia.org/wiki/XY_problem) for the job and are not a substitute for a good VPN or Tor Browser. Its worth noting the [resources](https://git.synz.io/Synzvato/decentraleyes/-/tree/master/resources) for Decentraleyes are hugely out of date and would not be likely be used anyway
- Third parties are already isolated if you use Total Cookie Protection (dFPI) or FPI
- Replacing scripts on CDNs with local versions is not a comprehensive solution and is a form of [enumerating badness](https://www.ranum.com/security/computer_security/editorials/dumb/). While it may work with some scripts that are included it doesnt help with most other third party connections
- CDN extensions don't really improve privacy as far as sharing your IP address is concerned and their usage is fingerprintable as this Tor Project developer [points out](https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22089#note_2639603). They are the [wrong tool](https://en.wikipedia.org/wiki/XY_problem) for the job and are not a substitute for a good VPN or Tor Browser. Its worth noting the [resources](https://git.synz.io/Synzvato/decentraleyes/-/tree/master/resources) for Decentraleyes are hugely out of date and would not be likely be used anyway
* Cookie extensions
* ❗️ Functionality for extensions may be missing for clearing IndexedDB, Service Workers cache, or cache **by host**. Clearing cookies & localStorage on their own, and leaving orphaned persistent data is a false sense of privacy
- ❗️ Functionality for extensions may be missing for clearing IndexedDB, Service Workers cache, or cache **by host**. Clearing cookies & localStorage on their own, and leaving orphaned persistent data is a false sense of privacy
* see [1340511](https://bugzilla.mozilla.org/1340511) for progress on this
* FF77+ [1551301](https://bugzilla.mozilla.org/1551301) IDB [1632990](https://bugzilla.mozilla.org/1632990) Service Workers cache
* FF78+ [1636784](https://bugzilla.mozilla.org/1636784) cache
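Review bot: Several lines rewritten in this hunk carry their typos over unchanged: "hueristics" in the Privacy Badger note, and "doesnt", "Its worth noting" and "would not be likely be used" in the Decentraleyes, LocalCDN bullets. These are worth correcting in the same pass as the bullet-marker change. The new CSS Exfil Protection entry also drops the AMO, GitHub and "Homepage + Test" links the old line had; if that is deliberate, to match the other unlinked entries in this list, it should be stated in the commit message. The Bugzilla sub-bullets under Cookie extensions keep the `*` marker and a lowercase "see", which is inconsistent with the capitalization applied to the other sub-bullets.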