What config of adblock, priv, antitrack is best, easiest & safest? W7P64

Discussion in 'privacy general' started by zapjb, Mar 8, 2018.

  1. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,557
    Location:
    USA still the best. But barely.
    What configuration of adblock, privacy, antitracking, etc. is the best, easiest & safest? On W7P64 & almost always using Firefox 64bit latest Final. Sometimes Vivaldi so if specific to each please let me know.

    Right now I have uBlock Origin, HTTPS Everywhere, IDN Safe & NoScript.

    Other real-time security monitoring by BitDefender IS 2018 with BitDefender Traffic Light.

    I've got to add that a lot of the time NoScript is a BIG pain in the ***. Sometimes I have to click Temporarily Allow 4 times & let the page reload each of the 4 times before specific sites will load correctly.

    Was reading about Ghostery (Wilders) going Open Source. Would Ghostery be a good replacement for 1 or more of the above programs?

    Thanks.
     
  2. 142395

    142395 Guest

    There's no best; you have to find the balance which suits you, of course. But Ghostery, as a blacklist-based anti-tracking, can't replace any of them. As I maintain my own blacklist, I can safely say new tracking often slips through all major blacklists. So default deny is the way to go if you want to approach the safest side.

    NoScript can be used seamlessly if you set it up properly and train it well, but after a long journey from NoScript + RequestPolicy, through HTTP Switchboard/uMatrix, to Policeman, I finally settled on uBlock dynamic mode, as these days I like simple solutions.

    I use it in medium blocking mode: i.e. default deny 3rd party frame & script only. This allows any 1st party components as well as 3rd party image + CSS, so you don't need to toggle as much as with default NoScript. Some web bugs may slip through, but then static filters can catch them.

    I globally allowed major CDNs (e.g. cdn.jsdelivr.net), APIs (e.g. maps.googleapis.com), embedded videos (e.g. players.brightcove.net) while creating per-site rules (e.g. allow cbsistatic.com on www.cnet.com). There are some publicly available rules (one is on the uBO's website itself) but they're outdated, and often meant for default deny all 3rd party so too permissive for medium blocking mode, thus you need to train it by yourself.
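
    The medium-mode rule set described in the post above, as an added example that is not part of the original post or uBlock Origin's own code: a simplified JavaScript model of how uBO-style dynamic rules ("source destination type action") resolve, most specific first. The `noop` action for the CDN and per-site entries, the two-label third-party check and the hostnames under `example.org` / `tracker.example` are assumptions made for illustration.

```javascript
// Added example: simplified model of uBO dynamic filtering, not uBO's own code.
// Rule format: "source destination type action" ('*' = any). Rules constructed
// from the post's description; 'noop' is an assumed choice for the exceptions.
const MEDIUM_MODE_RULES = `
* * 3p-script block
* * 3p-frame block
* cdn.jsdelivr.net * noop
* maps.googleapis.com * noop
* players.brightcove.net * noop
www.cnet.com cbsistatic.com * noop
`;

function parseRules(text) {
  const table = new Map();
  for (const line of text.split('\n')) {
    const [src, dst, type, action] = line.trim().split(/\s+/);
    if (action) table.set(`${src} ${dst} ${type}`, action); // skips blank lines
  }
  return table;
}

// A hostname followed by its parent domains, most specific first, then '*'.
function ancestors(host) {
  const labels = host.split('.');
  const n = Math.max(1, labels.length - 1);
  return [...Array(n).keys()].map(i => labels.slice(i).join('.')).concat('*');
}

// Assumption: the last two labels stand in for the registrable domain
// (a real blocker consults the public suffix list instead).
const baseDomain = (host) => host.split('.').slice(-2).join('.');

// Returns 'block', 'allow' or 'noop' (noop: leave the request to static filters).
function decide(table, pageHost, reqHost, type) {
  const sources = ancestors(pageHost);
  const lookup = (dst, t) =>
    sources.map(s => table.get(`${s} ${dst} ${t}`)).find(Boolean) || null;
  // 1. Destination-specific rules win over type-based rules.
  for (const dst of ancestors(reqHost).slice(0, -1)) {
    const hit = lookup(dst, '*');
    if (hit) return hit;
  }
  // 2. Third-party type rules, then same-type and catch-all rules.
  const thirdParty = baseDomain(pageHost) !== baseDomain(reqHost);
  const types = thirdParty ? [`3p-${type}`, '3p', type, '*'] : [type, '*'];
  return types.map(t => lookup('*', t)).find(Boolean) || 'noop';
}
```

    A third-party image falls through to `noop` in this model, which is the gap the post leaves to static filter lists.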
     
  3. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    117
    Location:
    Here
    I used to have 10+ firefox addons including the triforce of ABP, NoScript and Requestpolicy. I've since cut that down to 2, uBlock Origin and uMatrix are the only addons I currently use. I love the control uMatrix gives although I understand it's not for everyone. I probably have stricter uMatrix settings than most people but I still find it less annoying than I did NoScript and RequestPolicy.

    I've thought about running uBlock Origins dynamic mode but I like the uMatrix interface too much :)
     
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    I try to containerise things in different profiles using Firejail. The add-ons and their configuration depend on what I'm using the containers for. I am also running adblock and malware blocks centrally in the router (using a Squidguard subscription), so unless I'm going out on a VPN, that aspect's already covered. I use NoScript for its XSS protection. HTTPS Everywhere is fairly universal, as is uBO in advanced mode. I don't think I have a very solid privacy foundation (perhaps no-one does....), and I tend to use a revert-to-snapshot VM or Firejail reversion for stuff where I don't want traces to persist - and I don't trust the browsers or add-ons to do this. I'm playing with a range of privacy add-ons in one container, but am not really comfortable there without full reversion as well. Issues with fingerprinting etc. are hard to solve, even with VMs, although I do use a different base OS system for that with reversion.
     
  5. 142395

    142395 Guest

    One thing I missed was that Ghostery uses ML to block new tracking. I quickly searched the source code of the extension, though I don't fully understand JavaScript, but couldn't find what kind of ML they use. If anyone can tell, it'll be very appreciated. Anyway, from the source code, it seems it still heavily relies on black & white lists. That is expected, as I know how ML works to some extent. But one benefit it can provide that can't be achieved even by default deny is sanitizing. Often, you have to whitelist some ads or tracking for a site to work properly. E.g. if you want to play some movies on huffingtonpost.ca, you have to allow "z.on.aol.com/advertisers/advertisers.txt?adunit=preroll&adId=*" (as of now, it is also blocked in Easylist, so you need to whitelist it if you want to watch). Ghostery MAY sanitize these parameters to minimize privacy exposure while keeping the site working. But it all depends on the algorithm (it won't sanitize in every case), and often sanitizing still breaks the site. I once tried this sanitizing approach with CSFire, but finally gave up.

    As to NoScript XSS protection, I think it is not worth much, not because modern browsers already have similar XSS protection, but because as long as you follow these practices you're 99% safe, while I occasionally got FPs from the NS XSS auditor.

    1. Use the latest browser
    2. Log off after you use the service, and don't surf the web while you're logging in. You should use a sub browser or sub profile for that. (Anyway, using 2+ browsers is good for many reasons.)
    3. Do not enable auto-login of password manager. I do not recommend auto-filling too.
    4. Adopt default deny scripts and never allow (noop included) script for your important site as 3rd party.

    They also prevent most CSRF. Especially if you block all requests to your LAN (thx @summerheat !), it completely covers ABE on Noscript (default setting) too. There're still some features not covered such as click-jacking prevention, secure cookie, and HTTPS enforcer (same as HTTPS EW) but the last 2 require you to manually add rules, while click-jacking prevention is already implemented in Flash and browsers.

    I once used random agent spoofer etc., but ditched them not because they sometimes caused trouble, but because I started to think they won't make much sense against fingerprinting. As deBoetie said, compartmentalization is the way to go if you really wanna mitigate fingerprinting.
     
    Last edited by a moderator: Mar 15, 2018
  6. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    @142395 : Good post :thumb:

    Two additional aspects, though:
    1. The protection against CSRF provided by NoScript can also be achieved by adding respective rules to uMatrix or uBlock Origin.
    2. Another thing which considerably enhances privacy and security in Firefox is containers (infos here and here). I'm using this feature through the add-on Temporary Containers, which is the best way to use it, IMHO. I'm even using it in combination with First Party Isolation. Works great and makes add-ons like Cookie Autodelete superfluous.
     
  7. 142395

    142395 Guest

    Thx for both. I'll edit previous post to include that CSRF mitigation. I didn't know the addon, only remember there was similar addon which enabled per tab sandbox. Anyway it's very interesting.
     
  8. Nanobot

    Nanobot Registered Member

    Joined:
    Jun 23, 2010
    Posts:
    473
    Location:
    Neo Tokyo
    What is the difference between the Temporary Containers add-on and the one made by Mozilla called Firefox Multi-Account Containers? Also, is there a similar add-on (or a feature/flags you can enable) for Chrome?
     
  9. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    The latter allows you to define specific containers (the default ones are Personal, Work, Banking, Shopping) and assign specific sites to them so that they are always opened in that container. Temporary Containers goes one step further: It basically opens every tab in its own container which is deleted - including the respective cookies, cache, storage - after 15 minutes by default once that tab is closed (that's why they are called "temporary"). I use it in combination with the setting browser.tabs.loadBookmarksInTabs=true which means that every bookmark is opened in its own tab and, hence, in its own isolated temporary container. This enhances privacy and security considerably. The only downside is that if you open many of your bookmarks in a row you'll eventually have many open tabs so you have to close them manually if there are too many of them. However, I still have to evaluate if that setting really makes sense as I have also First Party Isolation enabled which means that tracking ends at the domain level. Hence, opening all bookmarks in their own tabs and own temporary containers might not offer a real benefit.
    No, as containers are not supported in Chrome.
     
  10. Nanobot

    Nanobot Registered Member

    Joined:
    Jun 23, 2010
    Posts:
    473
    Location:
    Neo Tokyo
    Thank you for the very thorough explanation.
     
  11. 142395

    142395 Guest

    I once enabled 1st party isolation but it sometimes caused trouble. Even just blocking 3rd party cookies causes trouble on a few sites, such as payment processes (the official Office365 purchase in my country was an example) and some videos, but in this case you can whitelist these cookies. I'm not sure if such whitelisting is possible for 1st party isolation. It seems that addons for containers are more usable.
     
  12. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I don't think it is. However, you might want to use the add-on First Party Isolation. Just click its icon to disable FPI temporarily - but don't forget to enable it again thereafter ;)
     
  13. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Note that I've changed that setting. Hence, the problem that too many tabs will be opened does not exist any more, as Temporary Containers now creates a new container within the same tab if you open a new bookmark.
     
  14. 142395

    142395 Guest

    Thx, but I would rather use containers. I hope Mozilla finally implements this as a default function of Firefox so we don't need these addons anymore.
     
  15. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Well, so do I - but, as mentioned - in combination with FPI. ;)
     