The Gentle Art of Firefox Tuning (and Taming)

By Rick Moen

Linux users tend, I've noticed, to complain about suckiness on the Web itself, and in their own Web browsers — browser bloat, sites going all-Flash, brain damage inherent in AJAX-oriented "Web 2.0" sites[1], and death-by-JavaScript nightmares. However, the fact is: We've come a long way.

In the bad old days, the best we had was the crufty and proprietary Netscape Communicator 4.x kitchen sink^W^W"communications suite" into which Netscape Navigator 3.x, a decent browser for its day, had somehow vanished. That was dispiriting, because an increasing number of complex Web pages (many of them Front Page-generated) segfaulted the browser immediately, and Netscape Communications, Inc. wasn't fixing it.

Following that was a chaotic period: Mozilla emerged in 1998, with Galeon as a popular variant, and Konqueror as an independent alternative from the KDE/Qt camp. Mozilla developers made two key decisions, the first being the move in October 1998 to write an entirely new rendering engine, which turned out to be a huge success. The rendering engine is now named Gecko (formerly Raptor, then NGLayout), and produced the first stunningly good, modern, world-class browsers, the Mozilla 0.9.x series, starting May 7, 2001. I personally found this to be the first time it was truly feasible to run 100% open source software without feeling like a bit of a hermit. So, I consider May 7, 2001 to be open source's Independence Day.

The second turning point was in 2003, with the equally difficult decision that Mozilla's feature creep needed fixing by ditching the "Mozilla Application Suite" kitchen-sink approach and making the browser separate again: The Mozilla Project thus produced Firefox (initially called "Phoenix") as a standalone browser based on a new cross-platform front-end / runtime engine called XULRunner (replacing the short-lived Gecko Runtime Environment). At the same time, Galeon faltered and underwent a further schism that produced the GNOME-centric, sparsely featured Epiphany browser, and the XULRunner runtime's abilities inspired Conkeror (a light browser written mostly in JavaScript), SeaMonkey (a revival of the Communicator kitchen-sink suite), and Mobile Firefox (formerly Fennec, formerly Minimo).

Anyway, defying naysayers' expectations, Firefox's winning feature has turned out to be its extensions interface, usable by add-on code written in XULRunner's XUL scripting language. At some cost in browser code bloat[2] when you use it extensively, that interface has permitted development of some essential add-ons, with resulting functionality unmatched by any other Web browser on any OS. In this article, I detail several extensions to tighten up Firefox's somewhat leaky protection of your personal privacy, and protect you from Web annoyances. (For reasons I've detailed elsewhere, you should if possible get software from distro packages rather than "upstream" non-distro software authors, except in very exceptional circumstances. So, even though I give direct download links for three Firefox extensions, below, please don't use those unless you first strike out with your Linux distribution's own packages.[3]) I also outline a number of modifications every Firefox user should consider making to the default configuration, again with similar advantages in user privacy and tightening of security defaults. For each such change, I will cite the rationale, so you can adjust your paranoia to suit.

The "Rich Computing Experience"[4] and Its Discontents

Here begins the (arguable) mild-paranoia portion of our proceedings: Have you ever noticed how eager Web-oriented companies are to help you? You suddenly discover that your software goes out and talks across the Internet to support some "service" you weren't aware you wanted, involving some commercial enterprise with whom you have no business relations. There's hazy information about this-or-that information being piped out to that firm; you're a bit unclear on the extent of it — but you're told it's all perfectly fine, because there's a privacy policy.

There's a saying in the Cluetrain Manifesto, written in part by longtime Linux pundit Doc Searls, that "Markets are conversations." That is, it's a negotiated exchange: You give something; you get something. Sometimes you give information, and, oddly enough, Linux people seem to often miss the key point: information has value, even yours. In a market conversation, you're supposed to be able to judge for yourself whether you want what's being offered, and if you want to donate the cost thereof (such as some of your data). If you have no use for what's being offered, you can and should turn off the "service" -- and that's what this article will cover (or at least let you decide what "services" to participate in, instead of letting others decide for you).

The Essential Extensions

NoScript: The name is slightly misleading: This marvelous extension lets you selectively disable JavaScript, Java, Flash, and a variety of other possibly noxious and security-risking "rich content" (all of it initially disabled by default), and then enable, on a site-by-site basis via context menu, only the types of scripting you really want to execute. More and more, those scripts are some variety of what are euphemistically called "Web metrics", i.e., data mining attempts to spy on you and track your actions and movements as you navigate the Web. NoScript makes all of that just not work, letting you run only the JavaScript, Flash, etc. that you really want. As a side-benefit, this extension (like many of the others cited) in effect makes the Web significantly faster by reducing the amount of junk code your browser is obliged to process. Available from: http://noscript.net/

Adblock Plus ("ABP"): This extension does further filtering, so that a variety of noxious banner ads and other advertising elements are just not fetched at all. Highly recommended, though some people prefer its predecessor, the "Adblock" extension, instead. Privacy implication? Naturally, additional data mining gets disposed of, into the bargain. Available from: http://adblockplus.org/en/

ABP's effectiveness can be substantially enhanced through adding subscriptions to maintained ABP blocklists. I've found that a combination of EasyList and EasyPrivacy is effective and reliable, and recommend them. (EasyList is currently an ABP default.) Since these are just URL-pattern-matching blocklists, subscriptions are not as security-sensitive as are Firefox extensions themselves, but you should still be selective about which ones to adopt.

CustomizeGoogle[*]: This extension largely defangs Google search engine lookup of its major advertising and data-mining features, makes your Google preferences persistent for a change, adds links to optionally check alternative search engines' results on the same queries, anonymises the Google userid string sent when you perform a Google Web search (greatly reducing the ability of Google's data mining to link up what subjects you search for with who you are), etc. Be aware that you'll want to go through CustomizeGoogle's preferences carefully, as most of its improvements are disabled by default. Available from: http://www.customizegoogle.com/

For the record, I like the Google, Inc. company very much, even after its 2007 purchase of notorious spying-on-customers firm DoubleClick, Inc., which served as a gentle reminder that the parent firm's core business, really, intrinsically revolves around data mining/collection and targeted advertising. What I (like, I assume, LG readers) really want is to use its services only at my option, not anyone else's, and to negotiate what I'm giving them, the Mozilla Corporation, and other business partners, rather than having it taken behind my back. For example, Ubuntu's first alpha release of 10.04 "Karmic Koala" included what Jon Corbet at LWN.net called "Ubuntu's multisearch surprise": a custom Firefox search bar that gratuitously sent users to a Google "search partner" page to better (and silently, without disclosure) collect money-making data about what you and I are up to. (This feature was removed following complaints, but the point is that we the users were neither informed nor asked about whether we wanted to be monitored a bit more closely to make this "service" possible.)

User Agent Switcher: This extension doesn't technically concern security and privacy, exactly, but is both useful in itself and as a way to make a statement to Web-publishing companies about standards. It turns out that many sites query your browser about its "User Agent" string, and then decide on the basis of the browser's answer whether to send it a Web page or not — and what Web page to send. User Agent Switcher lets you pick dynamically which of several popular Web browsers you want Firefox to claim to be, or you can write your own. I usually have mine send "W3C standards are important. Stop f---ing obsessing over user-agent already", for reasons my friend Karsten M. Self has cited:

In the finest Alice's Restaurant tradition, if one person does this, they may think he's sick, and they'll deny him the Web page. If two people do it, in harmony, well, they're free speech fairies, and they won't serve them either. If three people do it, three, can you imagine, three people setting their user-agent strings to "Stop f---ing obsessing over user-agent...". They may think it's an organization. And can you imagine fifty people a day? Friends, they may think it's a movement. And that's what it is... If this string shows up in enough Web server logs, the message will be felt.

Available from: http://chrispederick.com/work/user-agent-switcher/

I list a number of other extensions that might be worth considering on my personal pages.

[ I can also recommend the Web Developer toolbar extension. Even if you're not a Web developer, the tool can help you to deactivate obnoxious style sheets and layouts. In addition, you can instantly clear all cookies and HTTP authentications for the site you are viewing (by using the menu item Miscellaneous/Clear Private Data/...). -- René ]

Configuration of the Browser Itself

Edit: Preferences: Content: Select Advanced for "Enable JavaScript" and deselect all. Reason: There's no legitimate need for JavaScript to fool with those aspects of your browser. Then uncheck Java, unless you actually ever use Java applets in your Web browser. (You can always re-enable if you ever need it.)

Edit: Preferences: Privacy:

Uncheck "Accept third-party cookies." Reason: I've only seen one site where such were essential to the site's functionality, and even then it was clearly also being used for data mining.

Enable "Always clear my private data when I close Firefox". Click "Settings" and check all items. Reason: When you ask to delete private data, it should actually happen.

Disable "Remember what I enter in forms and the search bar". Reason: Your prior forms data is often security-sensitive.

Consider disabling "Keep my history for n days" and "Remember what I've downloaded". Reason: You don't get much benefit from keeping this private data around persistently, so why log it?

Edit: Preferences: Security:

Visit "Exceptions" to "Warn me when sites try to install add-ons" and remove all. Reason: You should know.

Disable "Tell me if the site I'm visiting is a suspected attack site" and "Tell me if the site I'm visiting is a suspected forgery". Reason: Eliminate periodic visits to an anti-phishing, anti-malware nanny site. Really, can't you tell EBay and your bank from fakes, and can't you deal with malware by just not running it?

"Remember passwords for sites": If you leave this enabled, remember that Firefox will leave them in a central data store that is only moderately obscured, and then only if you set a "master password". Don't forget, too, that even the list of sites to "Never Save" passwords for, which isn't obscured at all, can be very revealing. The cautious will disable this feature entirely — or, at minimum, avoid saving passwords for any site that is security-sensitive.

Edit: Preferences: Advanced:

On General tab, enable "Warn me when Web sites try to redirect or reload the page". Reason: You'll want to know about skulduggery.

On Update tab, disable "Automatically check for updates to: Installed Add-ons" and "Automatically check for updates to: Search Engines", and select "When updates to Firefox are found: Ask me what I want to do". Reason: You really want those to happen when and if you choose.

Now we head over to URL "about:config". You'll see the condescending "This might void your warranty!" warning. Select the cutesy "I'll be careful, I promise!" button and uncheck "Show this warning next time". Reason: It's your darned browser config. Hypothetically if you totally screw up, at worst you can close Firefox, delete ~/.mozilla/firefox/ (after saving your bookmarks.html), and try again.

Set "browser.urlbar.matchOnlyTyped = true": This disables the Firefox 3.x "Awesome Bar" that suggests searches in the Search box based on what it learns from watching your bookmarks and history, which is not (in my opinion) all that useful, and leaves information on your browsing habits lying around.

Set "browser.tabs.tabMinWidth = 60" and "browser.tabs.tabMaxWidth = 60": Reduce tab width by about 40%. Reason: They're too wide.

Set "bidi.support = 0": Reason: Unless you're going to do data input in Arabic, Hebrew, Urdu, or Farsi, you won't need bidirectional support for text areas. Why risk triggering bugs?

Set "browser.ssl_override_behavior = 2" and "browser.xul.error_pages.expert_bad_cert = true": This reverts Firefox's handling of untrusted SSL certificates to the 2.x behaviour. Reason: The untrusted-SSL dialogues in Firefox 3.x are supremely annoying, "Do you want to add an exception?" prompt and all.

Set "network.prefetch-next = false": Disables link prefetching of pages Firefox thinks you might want next. Reason: Saves needless waste of bandwidth and avoids sending out yet more information about your browsing.

Set "xpinstall.enabled = false": Globally prevents Firefox from checking for updates to Firefox and installed extensions. Reason: This really should happen on your schedule, not Firefox's.

Set "permissions.default.image = 3": This control specifies which images (picture elements) to get, where 1 = all regardless of origin (default), 2 = block all, 3 = fetch only from the site you're browsing. Reason: Images from third-party sites are banner ads or Web bugs, 99% of the time. Note that the ability to block third-party images used to be part of regular Mozilla/Firefox preferences, but was banished to "about:config" as part of a general dummying down.

Set "network.dns.disableIPv6 = true": Prevents Firefox from attempting IPv6 lookups. Reason: At the moment, for most people, there's no point to this function, and it wastes network traffic trying IPv6 before falling back to regular IPv4. If the world changes, you can toggle this setting back.

Set "extensions.blocklist.enabled" to disabled: Stops Firefox from repeatedly polling a remote site for a malware blacklist. Reason: Wasted traffic, and usual logic about malware applies.

Set the three "browser.contentHandlers.types.[012].uri" items to blank: Stops Firefox from repeatedly polling Bloglines, My Yahoo, and Google for RSS feeds that you don't necessarily care about at all. Reason: Wasted network traffic.

Set "plugin.default_plugin_disabled = false": This prevents Firefox's libnullplugin.so from popping up annoying dialogues suggesting you go hunting for plugins/extensions every time you encounter a file on the Web with an unfamiliar MIME type. Reason: Stops Firefox's repetitive suggestions (in a yellow bar at the top of the page) that you install yet more plugins/extensions.

Set "geo.enabled" to disabled: This is yet another Google service that they swear up and down is absolutely not a privacy violation, and they have a privacy policy, etc. In this case, it's "location-aware browsing", where, on "location-aware Web sites", Google will estimate your latitude/longitude and provide enhanced services such as lo! there's a pizza restaurant on the next block. Reason: Obvious, I imagine. Disabling that key makes the feature go away entirely.
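To check which of these settings actually stuck in a profile, here is an added example (not part of the original article) that audits a prefs.js file against a subset of the values listed above. It assumes the standard user_pref("name", value); line format of prefs.js; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Audit a Firefox prefs.js (read on stdin) against a subset of the
# about:config values recommended in the article.
# Typical use: audit-prefs.sh ~/.mozilla/firefox/<profile>/prefs.js

# name=value pairs taken from the article text.
WANTED='browser.urlbar.matchOnlyTyped=true
network.prefetch-next=false
permissions.default.image=3
network.dns.disableIPv6=true
geo.enabled=false'

# Constructed sample prefs.js content (not from a real profile).
sample_prefs() {
    cat <<'EOF'
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("geo.enabled", true);
user_pref("network.prefetch-next", false);
user_pref("permissions.default.image", 3);
EOF
}

audit_prefs() {
    # Reduce each user_pref("name", value); line to name=value.
    ap_have=$(sed -n 's/^user_pref("\([^"]*\)",[[:space:]]*\(.*\));[[:space:]]*$/\1=\2/p')
    ap_bad=0
    for ap_want in $WANTED; do
        ap_name=${ap_want%%=*}
        ap_value=${ap_want#*=}
        # If a name appears more than once, use the last occurrence.
        ap_got=$(printf '%s\n' "$ap_have" |
            awk -v n="$ap_name" 'index($0, n "=") == 1 { v = substr($0, length(n) + 2) }
                                 END { print v }')
        if [ -z "$ap_got" ]; then
            # prefs.js stores only values changed from the default, so a
            # missing name means the default is still in effect.
            echo "UNSET $ap_name (default in effect, want $ap_value)"
            ap_bad=$((ap_bad + 1))
        elif [ "$ap_got" != "$ap_value" ]; then
            echo "DIFF  $ap_name (have $ap_got, want $ap_value)"
            ap_bad=$((ap_bad + 1))
        else
            echo "OK    $ap_name"
        fi
    done
    # Exit status 0 only when every wanted value is in place.
    [ "$ap_bad" -eq 0 ]
}

if [ $# -gt 0 ]; then
    audit_prefs < "$1"
else
    # No file given: run against the constructed sample.
    sample_prefs | audit_prefs || :
fi
```

Run it with Firefox closed, since the browser rewrites prefs.js on exit.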

Other Ideas

We've already lightly touched on a favourite tinfoil-hat obsession: browser cookies. Like many other browser features, cookies have a fine legitimate purpose, that of offering a persistent-data store for what's normally a stateless protocol (HTTP), e.g., for session data. Of course, the feature was abused about a millisecond after its invention, but the aforementioned unchecking of "Accept third-party cookies" in my view controls such abuse well enough.

What's often neither understood nor controlled are Flash cookies, which Adobe calls "Local Shared Objects", a hidden datastore, holding up to 100kB per domain, maintained by the local Adobe (ex-Macromedia) Flash interpreter under your ~/.macromedia tree, in files with .sol filename extensions. What data? Anything and everything, but mostly the usual obnoxious per-user tracking, except with 25 times the storage and effectively no scrutiny. Bad? You bet. Researchers have found that companies have taken to using Flash cookies not only to track users but also to re-create, behind the user's back, regular browser cookies he or she has deliberately deleted -- invisibly to browser privacy controls and outside their reach. It should also be noted that data in Flash cookies are queryable by any other Flash-enabled application.

The standard recommendation to control Flash cookies (which, of course, are far less of an issue with NoScript and Adblock Plus than without them) is another Firefox extension, BetterPrivacy — but I would like to specifically disrecommend that solution, because BetterPrivacy is proprietary software. Can you imagine going to all the trouble of running an open-source browser on an open-source OS, and then throwing in a "hey, trust me" proprietary module from someone you don't even know?

A new, genuinely open source alternative is Greg Yardley's Objection, which seems worth looking into. Alternatively, it seems almost as easy to write a dirt-simple weekly cronjob to delete unwanted Flash cookies by filename. (E.g., you might want to keep certain domains' cookies, that seem to hold only innocuous Flash-related settings such as Flash games' settings and some sites' login data, and lop off the rest.)
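One way to write the cronjob suggested above, as an added example that is not part of the original article. It assumes each .sol file lives somewhere beneath a directory named after its domain (optionally prefixed with "#"); the function name, the --delete switch, and the example domain are hypothetical.

```shell
#!/bin/sh
# Delete Flash Local Shared Objects (*.sol) except those belonging to
# domains you list. Lists candidates by default; deletes only when asked.
#
# Example weekly crontab entry (script path and domain are placeholders):
#   @weekly /usr/local/bin/purge-flash-cookies.sh --delete games.example

# purge_flash_cookies ROOT MODE [KEEP_DOMAIN...]
#   MODE is "delete" or anything else for a dry run.
#   Prints one line per file removed (or that would be removed).
purge_flash_cookies() {
    pf_root=$1
    pf_mode=$2
    shift 2
    [ -d "$pf_root" ] || return 0    # no Flash data at all: nothing to do

    # find -type f does not follow symlinks, and -exec passes names as
    # arguments, so odd characters in file names cannot break the loop.
    KEEP_DOMAINS="$*" PURGE_MODE="$pf_mode" \
    find "$pf_root" -type f -name '*.sol' -exec sh -c '
        set -f                       # no globbing on the keep list
        for f do
            dir=${f%/*}
            keep=no
            for d in $KEEP_DOMAINS; do
                # Match a whole path component, so keeping games.example
                # does not also keep evilgames.example.
                case "$dir/" in
                    */"$d"/* | */"#$d"/*) keep=yes ;;
                esac
            done
            [ "$keep" = yes ] && continue
            [ "$PURGE_MODE" = delete ] && rm -f -- "$f"
            printf "%s\n" "$f"
        done' sh {} +
}

# Command-line entry point: dry run unless --delete is the first argument.
run_mode=dry-run
if [ "${1:-}" = "--delete" ]; then
    run_mode=delete
    shift
fi
purge_flash_cookies "$HOME/.macromedia" "$run_mode" "$@"
```

Run it once without --delete to see what would go, then add the domains you want to keep as arguments.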

Adobe Systems, Inc., themselves, offer a third alternative: Visiting a set of Adobe Web pages called Flash Settings Manager lets you view and control Flash Cookies via — guess what — a Flash-based control panel the company provides for that purpose. Use it if you like. Personally, I find the notion of using Adobe's help to control a privacy risk they created to be... unwise, on balance — although viewing its settings was enlightening and worthwhile.

There are plenty of aesthetic improvements one might also make to clean up Firefox's appearance, but those are obviously highly individual, so I'll omit my prejudices in that department. Suffice it to say that delving through all of the Edit: Preferences and the View menu will be well worth your time.

Acknowledgements: All of the above text is original, but many ideas about Firefox configuration were taken from bloggers Uwe Hermann and Wouter Verhelst and several anonymous commentators, to all of whom I'm grateful.


[1] IT columnist David Berlind defined "Web 2.0" as "When the Back button doesn't work".

[2] Firefox bloat generally is a real concern. Starting around 2006, Jason Halme has shown starkly just how severe the bloat is, by releasing an optimally configured and compiled (but proprietary-licensed) variant called Swiftfox, which is markedly faster in launching and rendering, and also includes protection against buffer overflow attacks.

Probably inspired by Halme's work, developer "SticKK" has released a very similar variant under Firefox's original MPL 1.1 open-source licensing, called Swiftweasel, which is well worth considering instead of vanilla Firefox, and is packaged by common Linux distributions. It's fully compatible with Firefox extensions. (If you're a Mozilla Thunderbird user, "SticKK's" Swiftdove lends the same advantages to that program, too.)

[3] For example, Debian and Ubuntu both offer maintained packages for Adblock, Adblock Plus, NoScript, and the Web Developer extension mentioned by René Pfeiffer. A package of User Agent Switcher is currently proposed. And even Fedora, not the most lavish of desktop distributions, at least packages NoScript. So, check your distribution-of-choice's package listings.

Linux and BSD users' ability to rely on their distribution package maintainers as gatekeepers against security problems, quality problems, and even against misbehaviour "upstream" (a term used to refer to original authors' source code that is selectively picked up and packaged, often with some tweaks, by Linux distributions) gives them a huge advantage that MS-Windows and MacOS users can only dream of. A decade-plus of experience suggests you're greatly safer when you rely on that gatekeeping function, and go outside that regime to "upstream" sources only with great caution if ever.

"Upstream sources" of what, you might ask? Firefox extensions would be one excellent example. Make no mistake: These are programs, and you need to be on-guard. Browse the listings at Mozilla Organization's https://addons.mozilla.org/ "portal" site skeptically, and you soon notice that the site says little about each entry's licensing, and instead rushes you towards the big "Download Now!" button. In fact, many extensions listed turn out, upon more-careful scrutiny, to be proprietary software that isn't audited by anyone you would have confidence in and never will be. In any situation where you find yourself casually expected to run code from nobody in particular -- a fair description of unaudited proprietary extensions from people you've never heard of -- your first reaction should be "No. Why on earth would I?" All of the extensions René and I have cited are genuine open source, and from people with established (generally good) reputations, notwithstanding which you should look among your distribution's packages for them first, before resorting to fetching "upstream" code from the authors' sites.

The advantage: The distribution package maintainer should be accepting code from upstream only when it's been checked for quality, made to comply with your Linux distribution's policies, confirmed not to be a buggy beta (not all new code from upstream is necessarily an improvement), read to (with luck) catch any unpleasant surprises, and verified to be signed by the real upstream coder, to eliminate the possibility of trojaned (booby-trapped) substitute code inserted by malign parties in place of the author's real code. Plus, you will get subsequent updates semi-automatically in a rational fashion, with your regular package updates, as a harmonised part of your Linux distribution.

Other examples of third-party additions include Web apps enticingly offered as directly downloadable .tar.gz (or zip) archives, all manner of third-party .deb / .rpm packages, alleged screensavers, alleged Internet poker games, alleged video codecs, alleged desktop themes, alleged "birthday cards", alleged ancillary software, etc. You need to be on your guard: You might not be worried about the security of screensaver modules because they're just glorified wallpaper, but suppose one is published on a community site in .deb format (and you're on, say, Ubuntu). You need to install that with your software package installer, using sudo or root authority, right? Oops, bad idea, because that means you'll be running any included scripts with root authority, and how much did you trust the unknown person behind this screensaver? This scenario's already happened, and unwary novices shot themselves in the foot by installing trojaned software -- by trusting an alleged screensaver from nobody in particular who'd listed it on gnome-look.org.

It's important to realise that no security protections can protect a user who defeats his/her system's security by running untrustworthy software from nowhere in particular. If you go out of your way to fetch that metaphorical gun and aim it at your feet, the resulting hole in your pedal extremity is your responsibility. The best the Linux community can do is help train you to know when your danger alarms should be ringing loudly -- and going outside your system's packaged software regime to any source of third-party software is one of the chief signs of danger.

[4] My somewhat sarcastic reference to "rich computing experience" harks back to an encounter Microsoft Corporation had with the technical community: Specifically, Microsoft developer Bob Atkinson noticed in 1997 some critical discussion in RISKS Digest of his "Authenticode" algorithm for ensuring that ActiveX controls in Microsoft Internet Explorer are "safe" on account of being cryptographically signed with (what you hope is) an unrevoked, valid sender key. He reassured RISKS regulars that Microsoft wanted merely to ensure a "rich computing experience", that Microsoft had all the problems covered, and that everything would be fine. His logic and methods were then expertly but politely pureed over a ten-day period; the comments are popcorn-worthy, especially one fine summary by Peter Gutmann of New Zealand.

[*] Long after this article went to press, CustomizeGoogle was orphaned, but fortunately an excellent fork has taken its place, OptimizeGoogle, which accordingly I strongly recommend in its place. Available from: http://www.optimizegoogle.com/ However, as of July, OptimizeGoogle is being less-actively developed on account of shortage of developer resources. If things continue to change, I will attempt to keep up and note them here.



Rick is [2010: was] a member of The Answer Gang.


Rick has run freely-redistributable Unixen since 1992, having been roped in by first 386BSD, then Linux. Having found that either one sucked less, he blew away his last non-Unix box (OS/2 Warp) in 1996. He specialises in clue acquisition and delivery (documentation & training), system administration, security, WAN/LAN design and administration, and support. He helped plan the LINC Expo (which evolved into the first LinuxWorld Conference and Expo, in San Jose), Windows Refund Day, and several other rabble-rousing Linux community events in the San Francisco Bay Area. He's written and edited for IDG/LinuxWorld, SSC, and the USENIX Association; and spoken at LinuxWorld Conference and Expo and numerous user groups.

His first computer was his dad's slide rule, followed by visitor access to a card-walloping IBM mainframe at Stanford (1969). A glutton for punishment, he then moved on (during high school, 1970s) to early HP timeshared systems, People's Computer Company's PDP8s, and various of those they'll-never-fly-Orville microcomputers at the storied Homebrew Computer Club -- then more Big Blue computing horrors at college alleviated by bits of primeval BSD during UC Berkeley summer sessions, and so on. He's thus better qualified than most, to know just how much better off we are now.

When not playing Silicon Valley dot-com roulette, he enjoys long-distance bicycling, helping run science fiction conventions, and concentrating on becoming an uncarved block.

Copyright © 2010, Rick Moen, rick@linuxmafia.com.

The article was first published in issue 171 of Linux Gazette, February 2010. This local copy corrects one minor error of fact about the BetterPrivacy extension, one small typo, a mangled footnote link, and the asterisked footnote about OptimizeGoogle replacing CustomizeGoogle. It is otherwise unchanged from the published text.