The most comprehensive Firefox user.js has been updated

We released a first version of a user.js file for Firefox that concentrated on privacy and security settings back in 2015.

It was the most comprehensive undertaking of its kind back then, and was made possible by Ghacks regular Pants who spend months researching entries and putting them in context.

Firefox, unlike the majority of non-Firefox browsers out there, comes with an extensive under-the-hood section of preferences that users can control.

A large part of those are for privacy and security features which you can control. While it makes sense to keep some in default state, you may benefit with better security or privacy by modifying others.

The most comprehensive Firefox user.js has been updated

ghacks user.js version 0.10

The update introduces a massive list of changes to the list. Some preferences have been removed by Mozilla, others added or changed.

Check out the updated Ghacks user.js version 0.11 list here

Without further ado, lets here it from the girl who created the list: Pants

It's been over a year since I started my own user.js, over ten months since I shared it here at ghacks and the overwhelming support and feedback led to Martin kindly publishing it, and a whopping six months since the last update was published.

That was version 0.8. I don't think a day has gone by in all that time where I haven't researched or read something or tinkered with Firefox or edited my user.js. Some days I have spent up to 10 hours on it. I am by no means an expert (despite over a year of reading), and some of the really technical stuff, especially new tech, just flies over my head (I do not have the time to invest in everything), but I have gone to great lengths to research, cite, understand and justify any settings - this includes debunking / disregarding / correcting / setting-the-record-straight on dozens of preferences that are incorrectly described across the web. Don't believe everything you read.

While this list is unique, it has been compiled from hundreds of sources and from my own research. But without the help of those sources, and indeed Mozilla for building the preferences in, we could not have done it. So with that in mind, I would like to specifically thank the following:

  • pyllyukko, CHEF-KOCH, fmarier (especially for his insights into safebrowsing - see the new revamped 0410 section) and the many contributors and followers at https://github.com/pyllyukko/user.js . These guys are awesome.
  • the ghacks community and commentators for suggestions, information, and for pushing this list to even greater heights. Guys such as Just me, Conker, earthling, & Rockin' Jerry. They put me through the wringer. Thanks guys (and gals!).
  • Martin for putting up with me and hosting the list and writing the articles.
  • and last but not least, Bob. Thanks Bob.

I would also like to share with you, thanks to fmarier (Francois Marier, a Firefox Security Engineer), what I consider to be great news (its old news, but why don't these things get more attention?

I only found out a few days ago). Don't get me wrong, I love Firefox and know it to be the best browser in terms of "power users" and the ability to tweak and protect privacy. And I'm excited for e10s.

Read also:  Here is the first mockup screenshot of Firefox 57's new design

But I have also at times bemoaned Mozilla's urgency to get on with patching some privacy/fingerprinting issues (just one example being the resource://URI's leak, the Proof of Concept has been around for over three years). So it came as some surprise for Francois to link me to this ( https://wiki.mozilla.org/Security/Tor_Uplift/Tracking ).

I have long wished for some of the work that the TBB (Tor Browser Bundle) has built, to be incorporated into the firefox core. Looks like somewhere, someone, got busy; contacts were made, people got excited, and stuff is happening, fast. These guys are working hard and making great strides.

Look at the completed bugs (blocking SSL session IDs, spoofing various screen/window measurements, permissions caching ). Look at the assigned ones (white-listing fonts, blocking plugin enumeration and mime types (again), reducing precision timing attacks with random microseconds, disabling MathML ).

Look at the ones still left to be assigned, which will almost certainly be addressed (isolating favicons, isolating DOM, canvas fingerprinting, disabling SVG). This is AWESOME!!!! And a lot of the hard work has already been done by TBB. Thanks TBB.

I also find this comment very interesting. What's your take on it?

"Our primary goal is to un-fork the Tor Browser." - Dave Huseby

So here at last, I present to you the ghacks user.js version TEN. Yup, that's right, v.10. There is no version nine. I posted a number of different version nine betas in the wild and I would like to signify this release with a new number.

I will attempt to list some things in the changelog, but quite frankly, there is just way too much (I did a file compare and its over half the lines - I will not be listing that).

So just treat this as a whole new experience to explore things. I have created new sections (such as hardware fingerprinting), revamped sections (such as safebrowsing), made a very very few number changes (sorry if that upsets anyone), moved a few things around, corrected some data type errors, and of course added tons of new stuff, more information and sources.

All items were checked in a vanilla FF, to see if they existed in about:config - anything not shown, was then searched for in the MXR and DXR current release, and inspected. This led to items being moved to deprecated, and for a lot of items to be confirmed as hidden prefs. Anything that is a hidden pref has been marked as such - currently there are 12 - just search for "(hidden pref)".

Lastly, please remember that this is my user.js as it is today. I do not expect or want anyone to just run with it. You should know what you are doing. That said, I have kept the warning list at the top up to date, but I will never catch everything for everybody. This list is meant to be a TEMPLATE, please treat it as such.

Check out the updated Ghacks user.js version 0.11 list here

Summary
Article Name
The most comprehensive Firefox user.js has been updated
Description
The Ghacks user.js list covering the majority of privacy and security configuration options for the Firefox web browser has been updated.
Author
Publisher
Ghacks Technology News
Logo
Advertisement
Please share this article

Facebooktwittergoogle_plusredditlinkedinmail



Responses to The most comprehensive Firefox user.js has been updated

  1. T J July 3, 2016 at 12:21 pm #

    Pants, thank you for all your hard work on the user.js.

    Martin, thanks for hosting it.

  2. elixir July 3, 2016 at 1:02 pm #

    thank you

  3. harushi July 3, 2016 at 1:29 pm #

    Why don't you name it version 1.0 instead?

    • Pants July 3, 2016 at 1:38 pm #

      Because then I couldn't emulate my idol Microsoft

  4. Tom Hawack July 3, 2016 at 1:38 pm #

    Many thanks pants, and Martin for support and hosting.
    Downloaded the Ghacks user.js version 0.10 of course and got myself a coffee to ad to the pleasure of discovering the new version.

  5. Sophist July 3, 2016 at 2:24 pm #

    Much appreciation to Pants & Martin. Thank you for this article.

  6. oz July 3, 2016 at 2:31 pm #

    Thank you for all your time and effort with this project, Pants... the user.js file has become one of the most important files on my computer! :)

    Thanks for hosting it, Martin.

  7. George P. Burdell July 3, 2016 at 2:39 pm #

    Pants is a girl?

    All these years I was picturing an old man!

    • Tom Hawack July 3, 2016 at 4:14 pm #

      I was picturing a rocker! And male. After all Scots wear skirts and girls wear pants, as well.
      What is more interesting is why, how we picture someone from his comments only.

      • LimboSlam July 3, 2016 at 7:15 pm #

        Hahha! Yeah I always thought of Pants as a middle age geek (no offense).

      • T J July 3, 2016 at 8:33 pm #

        @Tom Hawack

        "Scots wear skirts". (Kilts) Do they wear pants under them ! :-)

      • Tom Hawack July 3, 2016 at 10:36 pm #

        @T J, I've been told panties sometimes, but only in very special night-clubs :)

    • Jason July 3, 2016 at 9:22 pm #

      "Yup, that's right, v.10. There is no version nine."

      Pants, are you pulling a Microsoft on us? Well done.

    • Jason July 3, 2016 at 9:25 pm #

      I'm very glad to make this discovery, because these tech forums are always dominated by the boys. Pants is a freakin' awesome contributor.

    • Pants July 4, 2016 at 6:05 am #

      Well, that little social engineering experiment worked well. You all blindly accepted Martin's word as the truth. Does it really matter, guys (and ladies!!)? Maybe I forced Martin to innocently reveal I'm a girl. Maybe he genuinely believes I am a girl. Maybe we collaborated together to punk you all. Anyway, it's a moot point .. I am in fact, actually, a lizard. Or am I...? I'll leave you with some of quotes

      "You can lead a whore to culture, but you can't make her think" - Dot Parker
      "Humans are stupid, and there is nothing I can do about it" - Pants
      "I drink, and I know things. That's what I do." - Tyrion Lanister

      And don't go asking Martin to confirm or deny, because the seeds of doubt have been sown.

      #Pantsgate :)

  8. Ben July 3, 2016 at 3:12 pm #

    Thank you. This is - as always - a really helpful list. So many settings that it wouldn't even cross my mind to look at.

    And now a question. I change the config for a small amount of things. However, I often think that just the fact that I've changed or disabled a setting is what makes me more unique.

    For example the battery API, dom.battery.enabled
    "it is still another metric for fingerprinting [do you have a battery or not] used to raise entropy"

    I would say an even bigger metric to raise entropy is having the battery API disabled. You will narrow someone down a huge amount if you find a disabled battery API... What am i missing?

    • Pants July 4, 2016 at 5:24 am #

      Starting here ( https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/#comment-3921206 ) is a discussion between Edison and myself (it's about nine comments long in total).

      My view is that you will never defeat fingerprinting (and it depends on who you are trying to defeat) except through OpSec. You can certainly make it harder, especially within small subsets (eg TBB).

      You raise a valid point. Things such as spoofing all my screen/window info the same (2630) makes me part of a very small subset. Spoofing my buildID (2627) does the same, but also helps hide my FF version. Turning on DNT headers (1602) is worse than with them off, BUT in a small subset, may be better. In the subset of all the people who tinker with privacy/fingerprinting - maybe having the battery API disabled is better than allowing it. Every time you change settings, you run the risk of raising entropy. It's a game we will never win, there are too many variables - unless someone builds the ultimate browser and a critical number of users buy into it. FF is the only one that can do this, I believe.

      Most fingerprinting items in the js are the same as TBB (If it's good enough for them...), which is why I am so excited about the Tor Uplift. Ideally, somewhere down the track, Mozilla might build in a "TBB privacy switch", or someone builds an addon that sets all the prefs same as TBB, and thousands of people start using it. We have to start somewhere. And I have stayed away from things like UA strings (read the comments in the link above), because (most) humans are stupid, and we can't fix stupid :)

  9. Charlie July 3, 2016 at 11:09 pm #

    Yes, the "Comprehensive" Firefox user.js is great.... as is the "Lite" version --- but maybe an "Ultra-Lite" version would benefit even more Firefox users.

    Can the config list be distilled down (prioritized) to a "Top 5" list?

    Which config changes are so important for overall privacy/security that most all Firefox users concerned with privacy/security--- would implement them without hesitation ?

    ____________

    • Martin Brinkmann July 4, 2016 at 5:41 am #

      I don't think you can break it down easily. First, there is no "fits it all" privacy. Some dislike cookies more than anything else, others may want to protect their location, block all outbound connections, or disable interaction with Google.

      Second, even if there would be such a thing where you could say, the majority benefits from this the most, you'd still end up with more than five entries. A lot more, but there is no such thing I believe.

    • Pants July 4, 2016 at 6:08 am #

      The "light" and "dark" html versions refer to the color scheme, not the contents

  10. Baba Vanga July 4, 2016 at 12:00 am #

    2018: User.js will be one of the most used addons.
    2020: Ghacks acquired by ALPHABET INC.
    2025: USer.js available on paid subscription only.
    2028: Pants is in the most rich people list @ 100 position.
    2032: Martin Brinkmann is CEO of ALPHABET: https://abc.xyz/

    - Baba Vanga

  11. Mountainking July 4, 2016 at 7:14 am #

    What does this do? Pardon my ignorance...

  12. Pants July 4, 2016 at 1:41 pm #

    Hmmm .. no one talking about the "un-forking" of TBB? Sup guys (and gals!!)?

    • gh July 4, 2016 at 5:34 pm #

      reads like they are just fussing over semantics -- use namespace privacy.* vs namespace iamyourfatherluke.*

      Maybe you are reading more into it? If the mozilla devs hope / expect to embrace-extend-extinguish TorBrowser, I doubt they'll be successful in accomplishing such a goal.

      • Pants July 4, 2016 at 6:58 pm #

        I'm not really reading it as the end of TBB. I think it's more to do with any core changes being the same for both, with the TBB simply switching on some prefs via the torbutton component. There were some pretty big complex changes affecting/using large amounts of code/library - timing, screen, fonts, locale-languages-os-timezone-etc - maybe they decided to not let the code get too divergent. I'm sure that's it - code syncing. TBB as a separate product will continue for sure - not only is it extra hardened and purposely set up with eg NoScript & HTTPS Everywhere, but they still have tor and the tor launcher to maintain, and their own tor settings etc in torbutton. Also its a separate brand and it's purpose is different to vanilla FF. I just thought some of the regular more knowledgeable ghacks readers might have made some comments about it.

  13. aDumbDrumb July 4, 2016 at 1:57 pm #

    um, hmm?
    two things
    1. http://configfox.sourceforge.net (is this your thing stolen and neatly packaged into a gui? You should look. )
    2. compare with ChromeEdit Plus (I use this)

    I have to be honest I am slightly confused on the operation of each, e.g. when the settings get applied and which profile directories and also memorizing which settings to actually set each time for consistancy and proven debuggedness. There's a few more problems I probably haven't mentioned. lol

    hack on amigos and amigas

    • Pants July 4, 2016 at 3:20 pm #

      Nothing is stolen, it is gratis and anyone can do what they like with it. They don't even have to give me credit. Those in the know, know to keep coming back to the source :) ConfigFox has its uses, but it also has bugs, and hasn't been updated for over 6 months. Besides some nice little extra tools, its just a basic text parser. And I personally think there are other issues with it, which I won't go into detail. I think it's been abandoned.

      • aDumbDrumb July 5, 2016 at 4:06 am #

        Awesome. I get what your saying.

        I didn't want much noise interfering with pale moon's primary controls ( a mess of quickjava and about:config hacks), so for my error prone self and so much to watch, I enjoyed havin check boxes to generate the file who may be shared to a target profile. Let there be no doubt, I can benefit from more practice using these tools; fear slowed me, as I didn't want to crush existing settings but I am over all that now with clones, backups and knowledge of where everything now lives happily. heh heh

        Then, as long as any edits do not leave syntax errors behind,
        It makes toggling features easier -imo

        On the other hand I maybe missing something. but I have not found that something yet.

        thanks for the nice stuff. The new info leaves me seriously not sure who made what.
        But thanks to EACH and ALL cause until July 3rd 2016 I was NOT using any user.js and I would rather have control than not.

        hack on amigos and amigas

  14. b July 4, 2016 at 3:27 pm #

    As for canvas printing: what about hiding recently closed tabs? is this possible via a manual configuration? I cant find a way to hide my tab history via FF settings. I have to close down FF completely to erase my history. Also, is it a good idea to hide my tab history in the first place or would it make me even more unique?

    • Pants July 4, 2016 at 3:50 pm #

      0809: totally handles your "TAB history".

      // 0809: limit history leaks via enumeration (PER TAB: back/forward) - PRIVACY
      // This is a PER TAB session history. You still have a full history stored under all history
      // default=50, minimum=1=currentpage, 2 is the recommended minimum as some pages
      // use it as a means of referral (eg hotlinking), 4 or 6 may be more practical
      user_pref("browser.sessionhistory.max_entries", 4);

      If you are talking about your full history, you can do that manually (use Ctrl-Shift-Del to pop up the interface, or use the menu item History>Clear recent history...). Or you can use an addon.

    • Pants July 4, 2016 at 3:52 pm #

      "Also, is it a good idea to hide my tab history in the first place or would it make me even more unique?"

      (tab) history has nothing to do with fingerprinting - its internal but can be abused for tracking

      • b July 4, 2016 at 9:31 pm #

        thanks, Pants
        appreciate

  15. Scott July 5, 2016 at 12:55 am #

    Thank you for sharing

  16. DH July 5, 2016 at 1:42 am #

    Is there an easy way to confirm "merging" of these user.js prefs?

  17. Steve Hare July 5, 2016 at 2:34 am #

    Does this new list get merged into configfox or is that a totally separate deal? Thanks.

    • Pants July 5, 2016 at 6:25 am #

      I have nothing to do with ConfigFox, please don't ever associate me with me it :)

      Leandro used PART of my original list (and credits it on the configfox website) as the basis for his starting list. Of course, besides the bugs, (debatable) default methodology, and seemingly being abandoned, ConfigFox will only ever be as good as the information that is used in it. You are free to configure this js or any parts of it to be ConfigFox compliant, just follow the rules as laid out by Leandro.

  18. PazzinThru July 5, 2016 at 4:10 am #

    WOW, what an awesome job! THANK YOU so much Pants!

  19. Marius July 6, 2016 at 9:23 pm #

    Since I switched to version 0.10 gives me error every time I try to log on facebook "A script on this page may be busy, or it may have stopped responding. You can stop the script now, open the script in the debugger, or let the script continue" Does anyone know why?

    • Pants July 7, 2016 at 7:19 am #

      I have a FB account (purely for following heaps of artists/bands) and I have no such issues. I just logged out and then logged in again. Maybe it's an extension problem? To troubleshoot them, try disabling them one by one until you find the culprit. Other than that, not sure really.

      • Marius July 7, 2016 at 8:10 am #

        The same error without extension

      • Marius July 7, 2016 at 8:23 am #

        There are problems and when I try to make updates to ublock origin if exchange user.js everything is OK returns to version 0.10 and try to make updates locks

  20. Ron July 6, 2016 at 10:56 pm #

    Tried this out and works in almost every site. But for some reason, on Twitter it broke some of the buttons in settings and reply, etc. So I switched away from using this until I get that resolved. What sections governs such things?

    Thanks

    • Pants July 7, 2016 at 7:31 am #

      Ron, I have set up a twitter account and am following three people. I can't seem to find anything breaking under the "Settings" section, everything seems to work. Can you be more specific?

      I just tweeted (I said, "It's great to be a girl #Pantsgate"). Seems to work alright. Search works.

      What do you mean by reply (I'm not a twitter nerd). Is that when you click the single arrow? EILIYM (explain it like I'm your mom). I'll troubleshoot/debug anything you tell me to - twitter is pretty important to loads of people. Can't have it breaking... well not breaking due to me, that is.

  21. Ron July 7, 2016 at 7:59 am #

    Pants, thanks for your diligence. It is much appreciated.
    To clarify, after logging into twitter, I click my profile picture to go into "Profile & Settings" - Scrolling down, under "Content" I click any of the settings to toggle on/off. With the user.js in place, this clicking does not work - no checkmark is placed in an empty box and no checkmark is cleared in a filled box. This occurs even if I restart with add-ons disabled. Only by renaming the user.js file and restoring the previous prefs.js file does the behavior work as expected even with add-ins enabled.

    Reply, is as you say, the single arrow in a tweet. It should open a box to type in for the reply. With user.js in place, no box opens and so no replies can be made. Again, restarting with add-ins disabled doesn't change this. Only not using the user.js works to restore the desired behavior.

    I use FF 47.0 running under Ubuntu 16.04, if that helps. If it works for you, but not for me, I am at a loss as to what other setting could be affecting this.

    Is there a way of activating the user.js section by section to see which is doing this?
    Thanks again.

    • Pants July 7, 2016 at 9:10 am #

      OK. I get the same behavior with the checkboxes in settings (will investigate when sober - might be a few days). As for replying, I am able to do that as in it will open a reply dialogue box ready to go (haven't actually done any replies .. maybe I should pick some celeb and test tweeting TummyBanana at them). But your problem is the dialog (overlay) won't even show. I'm thinking this might be 2 separate problems. If anything I think it would be in the2400 or 2600 section. Until I get sober try a few things for me if you have time.

      • Ron July 7, 2016 at 4:14 pm #

        Tinkering, I disabled the following (by inserting a "/" at the beginning of the line)
        Doing so made the settings checkboxes work, and am now ably to reply. How critical are these settings?

        So no need to sober up too soon.

        Thanks for pointing me in the right direction!

        changes follow
        /user_pref("dom.webnotifications.enabled", false);
        /user_pref("dom.webnotifications.serviceworker.enabled", false);

        /user_pref("dom.push.enabled", false);
        /user_pref("dom.push.connection.enabled", false);
        /user_pref("dom.push.serverURL", "");
        /user_pref("dom.push.udp.wakeupEnabled", false);
        /user_pref("dom.push.userAgentID", "");

      • Pants July 8, 2016 at 12:01 am #

        I just reset all of 2430 + 2431 in about:config, commented them out in the user.js and restarted FF, and I still have the same behaviour. Checkboxes still don't change, and I haven't had an issues with reply like you did. Glad you seem to have it worked out, but I think we're on the wrong track - not doubting anything you say, but it seems weird. Needs more cowbell. Have made some notes.

        PS: They're not critical entries - just more of a privacy concern. Webnotifications (2430) can be be set on a per site preference, btw. I suspect more sites will start using webnotifications and push in future, and it may come down to needing an extension in the long run to control it.

      • Ron July 8, 2016 at 3:52 pm #

        Hmm. I haven't been doing anything to reset about:config in between shifting between using the old prefs,js and the user,js. So it could very well be that a setting is carrying over. I chose those to comment out because I figured twitter was pushing info. And I just realized I neglected to tell you another symptom - that I wasn't getting any update or notification from twitter regarding new tweets. After the change, now I am.

        I'll not tinker further as it's working as desired. Unless you'd like me to test it further, I'll leave it as is.

        Thanks for looking into this.

  22. Tom Hawack July 27, 2016 at 10:54 am #

    I hope there will still be someone, Pants mainly, to read this :

    Concerns the hidden setting security.ssl.disable_session_identifiers (boolean)
    user.js [ghacks]-0.10.js proposes to unhide this setting's default value (false) by switching it to true :

    ---
    // 1212: disable SSL session tracking (36+)
    // SSL session IDs speed up HTTPS connections (no need to renegotiate) and last for 48hrs.
    // Since the ID is unique, web servers can (and do) use it for tracking. If set to true,
    // this disables sending SSL3 Session IDs and TLS Session Tickets to prevent session tracking
    // WARNING: This will slow down TLS connections (personally I don't notice it at all)
    // https://tools.ietf.org/html/rfc5077
    // https://bugzilla.mozilla.org/show_bug.cgi?id=967977
    user_pref("security.ssl.disable_session_identifiers", true); // (hidden pref)
    ---

    Now : I visited https://www.howsmyssl.com/ and discovered that the site rates my "Session Ticket Support" as 'Improvable" when the above setting is active (("security.ssl.disable_session_identifiers", true) but indicates otherwise "Good".

    The site explains its choice at https://www.howsmyssl.com/s/about.html#session-ticket-support

    I only wish to know why this setting may be considered as a wrong choice. As I understand it there are pros and cons whatever the setting ('false' by hidden default or 'true' by user's choice).

    Thanks.

    • Anonymous July 31, 2016 at 8:04 am #

      The ONLY reason to disable ssl session ids is to stop potential tracking (all done server side). If you go to JoDonym there is a ssl session id shown, redo the test, it will change if you have this set to true (i.e disabled). I would say that the reason "session ticket support" is stated as improvable on the howsmyssl site is the fact that you have it off, so clearly, cogito ergo sum, it's improvable (in terms of having it or not). Also, constantly asking for a new session id with every request will slow things down, hence it too would be an improvement in terms of efficiency. From a security standpoint, I don't think there are any downsides/upsides to having it on or off.

      * I'm not 100% sure, but I think with the pref enabled (i.e ssl session ids disabled), then they aren't used at all. I'd like Mozilla to build in a delay, of say 5 seconds (limited per tab/per process etc?) because I am having issues with one HTTPS content heavy site - although I'm not entirely convinced this is the sole cause (and they use it over TOR in TBB). Other than that, I haven't noticed any impact, but I am only one person.

      • Tom Hawack July 31, 2016 at 9:31 am #

        OK, Anonymous, thanks for sharing your approach and experience.

        I have this setting enabled (session ids disabled) as I see as you do only advantages when the only con could be TLS connections slowdown, which I haven't experienced (either) or if it occurs not significantly for me to notice it.

        I was surprised by howsmyssl considering this setting as "improvable" and your explanation, Anonymous, may very well be the right one : a site considering that a non default setting is as such improvable. But when you read what this site states concerning session ids enabled :

        "[...]However, the session ticket key living on all of the website's computers means there is a secret that could be leaked to an attacker. Worse, it undermines the security of ephemeral key cipher suites."

        you may wonder where the coherence of their scoring relies.

        I do and will maintain :
        user_pref("security.ssl.disable_session_identifiers", true); // (hidden pref)

        Thanks Anonymous, thanks Pants.

      • Pants July 31, 2016 at 11:30 pm #

        That was me Pants - I have been doing some weird crafty sneaky things with cookies (don't ask) and can no longer auto enter my nick - sometimes I forget to manually enter it

      • Tom Hawack August 1, 2016 at 10:34 am #

        @Pants & Anonymous, Associated : I admit that when, above, I thanked you both the formulation was the best I could find to blend doubt and certitude :)

  23. Niku August 1, 2016 at 1:38 pm #

    With or without extension gives me error on facebook Why?

    • Tom Hawack August 1, 2016 at 2:21 pm #

      Because Facebook itself is an error :)

  24. alin August 8, 2016 at 12:44 pm #

    There are problems when trying to make updates to the origin ublock

    • Tom Hawack August 8, 2016 at 1:15 pm #

      Could you be explicit? Ghacks user.js version 0.10, even if it is free of issues with the quasi totality of its settings adds nevertheless a complete explanation of settings' meanings and possible issues when applicable, and in most cases if not with all when a setting may appear problematic it is preceded by //

      I believe that as always when the aim is to fine tune thinner is the grain more the user has to provide a minimum of effort to understand what he's doing, or about to do. There is no set-it-blindly-and-forget-it when it comes to fine tuning.

      I use this Ghacks user.js version 0.10 list together with uBlock Origin and 70 other extensions and have encountered no issue up to now, be it with uBlock Origin be it with another extension, be it with Firefox's general stability : on the contrary, nothing but better browsing.

      Please do detail your issue because with so little information nothing can be understood and therefor no help possible.

      Generally speaking I cannot establish a relation between Ghacks user.js version 0.10 settings and problems updating uBlock Origin, filters updates I guess you mean by "updates" ...

      • alin August 8, 2016 at 1:36 pm #

        When I try to do manual update locks

      • Pants August 8, 2016 at 4:05 pm #

        Tom: "I use this Ghacks user.js version 0.10 list together with uBlock Origin and 70 other extensions"

        Me: "I use this Ghacks user.js version 0.10 list together with uBlock Origin and 66 other extensions" and like Tom I have zero issues with updating extensions (or with Facebook as 2 others have mentioned). I really do go to great pains to make sure I don't include entries that blindly trash users' experiences.

        To me, there is nothing in the user.js that will break manually updating extensions or browser. If you are FF48, make sure your extension is signed. i.e, if you are using a beta release of uBlock Origin, then you need to get back to the stable release from AMO - just install over the top.

  25. alin August 8, 2016 at 6:00 pm #

    Use FF48 and origin ublock stable version without user.js ublock origin are updated when add user.js update locks Sorry do not speak and write English very well are in Romania

    • Pants August 8, 2016 at 7:13 pm #

      What exactly happens? Please state what you do and what happens, step by step. for example:

      1. There must be an update available for ublock origin (eg you are on 1.8.2, you go to Extensions, click "Check for updates", and under "Available updates" there is an upgrade for version 1.8.4)
      2. You click on update
      3. WHAT happens next? Do you get a message at all?

      Or are you talking about updating ublock origin's 3rd party filters
      1. Go to chrome://ublock0/content/dashboard.html#3p-filters.html
      2. Click on "update now"
      3. WHAT happens? What does the ublock origin logger say?

      Have you tracked what is happening with wireshark, or fiddler .. or even FoxMeter (firefox addon) to see what GET requests are being stopped?

      I'm willing to try and help troubleshoot it for you via comments. I will assume you know how to roll back the user.js between testing that some setting in the user.js is causing this (I am NOT convinced at all) - i.e restoring a prefs.js and disabling the user.js, or restoring/copy-pasting profile folders while FF is closed

      • Anonymous August 8, 2016 at 8:18 pm #

        I did capture video link and let hope the admin to approve comment where I put the link to download video'll tell sure the error is only user.js If I invite you in my computer with TeamViewer to see with your eyes as you say it is real ublock origin version is 1.8.4 everything is updated daily fresh operating system recently installed In version 0.8 user.js everything went perfectly

      • Anonymous August 8, 2016 at 8:21 pm #

        error occurs only when you try to update the filters do not update ends remain blocked

      • Pants August 8, 2016 at 9:57 pm #

        I've asked Martin for the video link in the comment that is awaiting moderation.

        If you want to email Martin ( [email protected] ) and get him to pass your email address to me, we can sort this out for you.

  26. alin August 8, 2016 at 8:27 pm #

    error occurs only when you try to update the filters do not update ends remain blocked We shot Desktop https://1drv.ms/u/s!ApeAQvKh2N2EgkSgeOUnZK6QyUg2

  27. Alin August 9, 2016 at 9:03 am #

    Thank you all for the kindness you manifest

    • Pants August 9, 2016 at 9:25 am #

      You're welcome and I understand English is hard for you, but you are passionate about these issues. So Am I. Still awaiting Martin to connect us...

      • Martin Brinkmann August 9, 2016 at 9:31 am #

        I did email you the video link already, maybe it landed in spam? It is also live as a comment.

      • alin August 9, 2016 at 9:47 am #

        I sent my email address

  28. Tom Hawack August 9, 2016 at 9:36 am #

    Just had a look at the video. Indeed the problem is updating uBlockO's 3-rd party filters. But the video doesn't prove a relationship with 'Ghacks user.js version 0.10'. It's not because this list has been installed before uBlockO that it means this user.js is the culprit. As I see it the browser pains to access those 3rd-party filters servers.

    Have you tried cleaning the cache? Changing DNS servers? Frankly I doubt any of the settings included in 'Ghacks user.js' have anything to do with this. Just a first impression.

    • alin August 9, 2016 at 9:44 am #

      I cleaned the cache I tried everything that was possible are updated only if I stop user.js

      • Tom Hawack August 9, 2016 at 9:56 am #

        It's definitely not the 'Ghacks user.js version 0.10' modifications which are the culprit :

        I have a slightly modified 'Ghacks user.js version 0.10' because I've tailored some settings included in the user.js, so I've backuped my Firefox data folder, then installed the exact, complete 'Ghacks user.js version 0.10' (to user.js of course) and restarted Firefox, went to uBlockO 3-rd party filters and the update ran correctly.

        Obviously the problem is elsewhere. Investigating. We have big thoughts here, alin, no doubt we'll find the solution.

        By the way, I had to disable uBlockO for 1drv for the time being of downloading the file... Microsoft is often problematic but that's another topic ...

  29. alin August 9, 2016 at 10:18 am #

    A friend build a custom Windows nlite and stopped DNS Client service I noticed that I started DNS service now and everything is fine now Thank you all for your kindness

    • Tom Hawack August 9, 2016 at 10:48 am #

      Great if the problem vanished yet may be pointed out that Firefox doesn't rely on Windows DNS Client service.
      For the sake of a fast HOSTS file integration and deployment I've disabled Windows' DNS Client service since always so when you state that starting the service solved your problem I am stunned. But I'm not an expert, to put it mildly. The case is cold :)

      • Pants August 9, 2016 at 9:42 pm #

        Well... seems like having a beer session and sleeping did the trick. Have woken up a solution. Thanks Tom for doing some investigating. Alin, good to know you sorted it out. This reminds me of a practical test I did way way way back when dinosaurs roamed the earth - Network Engineering: issue with email or some program ... could not connect, error XYZ .. blah blah ... most of the others checked program settings and so on .. I went straight to the back of the computer and checked the ethernet cable, and it had been pulled out. There's a story/message in there somewhere... :)

      • Tom Hawack August 9, 2016 at 10:52 pm #

        There, there is a story/message, and not only there I guess. Life is a mass of stories, ours. Messages often appear even when never sent once bridges are established between different stories. Memory is necessary but not sufficient when a trans-disciplinary approach appears as the magical link-maker : from there on life delivers non-obvious messages. That's why I believe that being interested in many topics is far more a brain-opener than being very skilled but focusing on a limited number of topics. Life has no barriers, the barriers are those we create in order to organize our thoughts. Transgression is essential in this optic. As a French philosopher (Bergson) wrote, "We express ourselves in two dimensions but we think in three". Consequently limiting our scopes and searching for excellency in a small number of tied disciplines helps to map the 2D but prevents the 3D ... imagination is unlimited and participates to intelligence when memory alone integrates to skills only. Nowadays companies require hyper-efficient employees which makes them good soldiers but awful thinkers.

        I think I've slipped. I've continued, touched by the "story/message" concept, my thoughts nurtured by a book I'm reading at this time, "Le Septième Sens" ("The Seventh Sense") by Rupert Sheldrake. Fascinating.

  30. Tom Hawack August 10, 2016 at 3:40 pm #

    It appears your issue with uBlock Origin (uBO) is obviously not related to 'Ghacks user.js version 0.10' so what could be interesting for you is to expose that issue on uBO's Github page dedicated to issues with uBO :

    https://github.com/uBlockOrigin/uAssets/issues

    You'll need to have a Github account. Gorhill, the developer of uBO is very helpful and replies quasi immediately to questions and issues regarding uBO.

    Good luck.

    • Alin August 10, 2016 at 6:13 pm #

      It sees the problem and screen recorder is user.js is A new movie in which I showed how it clear that the problem is user.js

    • Alin August 10, 2016 at 6:16 pm #

      How do you explain that only when errors occur user.js add?

    • Tom Hawack August 10, 2016 at 6:39 pm #

      I don't know, Alin, I cannot explain. What I know for having tested it without any modification as mentioned in a previous post here, is that 'Ghacks user.js version 0.10' is not, cannot be the cause of your issue with uBO.

      1- Have you modified in any way the 'Ghacks user.js version 0.10' (-> user.js) ?
      2- Have you had previously to the 'Ghacks user.js version 0.10' another user.js file? remember that a user.js file will modify only settings it contains : if a previous user.js made any modification not handled by 'Ghacks user.js version 0.10' the latter will not, of course, correct them.
      3- Are you using latest uBO 1.8.4?
      4- Your Firefox may be messed up. Have you tried creating a new profile? This can be done by creating a new link to Firefox followed by -ProfileManager (...firefox.exe -ProfileManager). Then install uBO and see how things work at that point.

      From there on, frankly, I strongly encourage you to visit the uBO page I mentioned above.

      I cannot understand the issue you encounter with uBO, I'm not psychic and you provide far too little information (a video doesn't say more than it can). I'd have to have your computer in front of me to help OR start an in-depth checklist which would take time if ever successful.

      Sorry, cannot do much more.

  31. Alin August 10, 2016 at 6:52 pm #

    for the new clip's link above and you will receive respuns all questions user.js We did not change anything, we've created a new profile where there is error only if you add user.js Look at the new screen capture above link

    • Tom Hawack August 10, 2016 at 7:01 pm #

      Alin, I had a look on the first clip that I had downloaded (not the second) and I just noticed that at 3:05/5 minutes your Firefox title shows "uBlocko - Dashboard - Mozilla Firefox (Not responding)' : that already is not normal. I'm afraid there's something buggy in your Firefox profile.

      You state ; " we've created a new profile where there is error only if you add user.js"

      This means there's a bug somewhere, It cannot be the Ghacks user.js. I've tested it, it's impossible. never heard of anyone encountering that issue. There's a bug somewhere, but it is NOT Ghacks' user.js.

    • Tom Hawack August 10, 2016 at 8:12 pm #

      Pants, I had downloaded the video (the 1st) and if you wish to access it I've uploaded it to a civilized place :
      https://mon-partage.fr/f/WhfZHD7d/

      It's in French and "Télécharger" means of course "Download" :)

  32. Pants August 10, 2016 at 6:56 pm #

    Alin

    - Go download a portable FF48 from here: http://portableapps.com/news/2016-08-02--firefox-portable-48.0-released
    - Unpack it
    - Open it, load a web page, close it. (Can you open a web page?)
    - Add the ghacks user.js file to the portable profile
    - Open FF (the portable one), load a different web page - can you open a webpage?
    - Go to AMO and install uBlock Origin
    - in uBlock Origin options, update the filters

    Did any of that work?
    - If it did, then the problem is NOT the user,js
    - If it didn't, then the problem is either your system, as I and Tom can do all of this (and you have already said that after fixing your DNS that it did work, unless your English has been misinterpreted). Or you haven't understood all of the settings (I assume you can see webpages or else you would have told us, since that's a bigger issue).

    Suggestions (but you seem to load webpages right?, so not sure on these)

    // 3019: bypass all (external) proxy(s) settings, connect directly to the internet
    // This can be found under Options>Advanced>Network>Connection Settings
    // It is advised to set this via Options where many other settings may apply
    // 0=no proxy, 4=auto-detect, 5=use system proxy (default), 1=manual proxy settings
    // WARNING: Disable this preference if it's not what you need!
    user_pref("network.proxy.type", 0);

    // 1210 disable or limit SHA-1
    security.pki.sha1_enforcement_level - set to 0 (allow) if you use antivirus that monitors your web traffic

    Are you using a privoxy? a proxy? a VPN?

    At the end of the day you will need to capture your system traffic to narrow down the culprit. At the very least use the uBlock Origin logger. As Tom said, we can't work without information. Be precise and exact.

    • Alin August 10, 2016 at 7:13 pm #

      Not using proxy, vpn I have the latest version of origin ublock 1.84 firefox 48.0 Look new screen capture

      • Tom Hawack August 10, 2016 at 7:46 pm #

        First test I had done was only to replace my modified Ghacks user.js by the original one and as i had mentioned there had been no issues with uBO

        Now I went further. I created a new Firefox profile, copied original GHacks user.js in the profile, started FF, installed uBO 1.8.4, ran uBO and updated correctly the 3rd-party filters.

        I've noticed one thing nevertheless which has nothing to do with the GHacks user.js : if you call uBO Dashboard (from the uBO icon, top title) and if uBO is disabled (the big on/off logo) then FF seems to hang a bit (Not responding) :

        Alin, don't take it bad but is uBO enabled, is the big blue logo blue and not grayed out?
        May be worthless but this story is starting to deeply trigger my curiosity ...

      • Tom Hawack August 10, 2016 at 7:53 pm #

        I don't know what Pants thinks about this, but I was wondering if two settings included in the user.js file couldn't be implicated in one way or another :

        // 2421: in addition to 2420 above, these settings will help harden JS against exploits
        // such as CVE-2015-0817. They will reduce the performance of Javascript slightly.
        // https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/
        // https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817
        user_pref("javascript.options.ion", false);
        user_pref("javascript.options.baselinejit", false);

        @Alin : if you still encounter the uBO 3rd-party update issue, open about:config and search for
        javascript.options.ion
        javascript.options.baselinejit

        When found, right-click on each and choose "Reset" ...

        Just trying to scope the cause ...

    • Alin August 10, 2016 at 7:50 pm #

      same story with the portable version

  33. alin August 10, 2016 at 8:08 pm #

    I loaded screen capture on google drive https://drive.google.com/open?id=0B2nIJ9FTG1ajd2RJcHp1TTRta2s

  34. Anonymous August 10, 2016 at 8:30 pm #

    to download screen capture disable canvas blocker add-on

  35. alin August 10, 2016 at 8:32 pm #

    I reset
    javascript.options.ion
    javascript.options.baselinejit
    the error persists

    • Tom Hawack August 10, 2016 at 8:45 pm #

      alin, do you have ...

      - a HOSTS file?
      - an anti-virus, anti-maware, a system-wide whatever protection?

      What Firefox? 32/64-BIT, what platform? Windows, Linux, mac?

      Also:
      In uBO 3rd-party filters, those which are checked and supposed to be updated :
      Right-click one one of them and select 'Copy Link Location
      Paste that into a notepad, and remove part of the url until "url="
      You now have the original link of the form https://
      Go to the urlbar and paste that url, hit 'Return"
      -> Does the link work? Do you get the page?

      • Tom Hawack August 10, 2016 at 8:49 pm #

        Forget that (what I wrote after "Also:") ... won't work for the default 3rd-pary filters.

        Man, I've seen problems but yours is tough.

      • Alin August 10, 2016 at 9:15 pm #

        have host file ,antivirus windows defender, windows firewall, firefox 32 BIT I'm not a child who has no idea are aged 39 years work on computers for 15 years

  36. alin August 10, 2016 at 8:34 pm #

    disable canvas blocker add-ons on google drive to download screen capture

  37. Pants August 11, 2016 at 9:18 am #

    Alin: "I'm not a child who has no idea are aged 39 years work on computers for 15 years" - no one said you were. Excuse the questions, we're trying to eliminate the obvious, and your answers are very lacking in detail.

    I think I've asked 4 or 5 times for logs. I can't do anything except make guesses which don't really help - its a waste of everyone's time. uBlock Origin log: https://www.ghacks.net/2015/07/01/ublock-origins-logger-highlights-the-extensions-activity/. Better yet use Fiddler or wireshark.

    We're pissing around here trying to work out what the cause of this is - is it a preference, is it uBlock Origin, is it Firefox, is it your system/OS settings, is it a 3rd party system utility etc?

    I know you think that the user.js is the problem, because its the only thing that changes - but whatever the user.js does, may simply be highlighting that you have an issue somewhere else or it's simply some weird conflict of some sort.

    Try enabling hardware acceleration: one other user had problems which were just weird as well. DO THIS by commenting out preference 2508 and setting it from Options>Advanced>General>Use hardware acceleration when available (your MUST do it from here as it will set other items depending on your OS/GPU etc)

    @Tom: watched the 1st video. The "FF not responding" bit had ended by the time update filters was clicked. But may be indicative of a wider issue - hence the hardware acceleration pref mentioned above.

    @Alin: If you really wanted to find the preference that causes this issue for you, then you would do the following.
    - Set up a clean portable FF and install uBlock Origin (do not update the filters)
    - Copy the profile folder a dozen times or more
    eg D:\Portable\FirefoxPortable\Data\profile
    D:\Portable\FirefoxPortable\Data\profile1
    D:\Portable\FirefoxPortable\Data\profile2
    - In your profile add a user.js which only contains sections 0100 thru to 1000 and test it. Depending on the result, you then repeat with a clean profile to narrow it down
    i.e You would close FF, delete the profile folder, rename profile1 to profile, add a user.js with the next narrow subset of preferences and repeat
    - Once you narrow down the section with the problem, then disable/rename the user.js and change them one by one via about:config (and maybe restart FF if needed)

    Sections I think may be conflicting:
    - (I have already said this and you haven't replied) you have AV, maybe it is a SSL cert issue, especially if your AV is acting as a MiTM - so section 1200 should be looked at
    - section 2400 (javascript) and 2500 (hardware - especially 2508) and 2600 (various and obscure things)

    Make sure that with each test you have a completely reset FF profile (i.e a clean one with just ublock origin installed).

    If you're convinced its not a 3rd party tool like AV, or your OS settings, or FF, or UBO, and want to ignore all those (you know I mean you could disable AV monitoring web traffic as a test that would take you 3 minutes), then ONLY YOU can test the preferences, because we can't replicate the problem.

    • Alin August 11, 2016 at 9:54 am #

      I tried everything that was possible unfortunately is poorly built user.js

      • Tom Hawack August 11, 2016 at 11:25 am #

        Alin, let's forget emotions and start all over from scratch, ok?

        1- A user.js file is not code, it cannot be "poorly built" but could include wrong settings or at least settings which aren't adequate for some configurations : this is what you believe.

        2- As an experienced user of computers you know that the state of mind that applies is logic and logic applied to experimentation : Pants comment above is logic and the steps he proposes are those of logic.

        3- I don't agree with your saying "I' tried everything..." when obviously you haven't. Have you tried to proceed accordingly to Pants detailed map?

        4- If you read again all we've talked about, if you test everything which has been mentioned, especially in Pants' last post, if you share here the results of your work and commitment to solving *your* problem, and if the uBO issue persists, then at least we will have advanced.

        Right now we are advancing as much as walking backwards on an escalator. It's up to you. You have the tools, we'll be here if you provide more than a "it doesn't work".

      • Pants August 11, 2016 at 11:35 am #

        "I tried everything that was possible"

        Clearly you haven't, or you would have found it. The information you have supplied is minimal at most - only by directly asking you are Tom and I able to narrow things down - and a lot of questions you seem to ignore. Your approach to trouble shooting it is lacking. Despite numerous requests for you to log things, you don't. Above is a methodology for you to half and half again and half again to quickly narrow down the culprit, but you just don't seem interested. Maybe it's because English is not your language, but you haven't taken most of Tom and my thoughts on board, and we bent over backwards for you.

        "is poorly built user.js"

        Well, you are welcome to your own opinion, but being ignorant is no excuse. I am sorry that you lack the skill and knowledge to troubleshoot this on your own. I tried, so did Tom, but you didn't exactly help yourself or let us help you to the full of out abilities.

        And lastly, as mentioned numerous times, in this article, on the original article, in the user.js itself, in comments .. it's a TEMPLATE (full of links and information). It's up to you to choose what you want to use. Calling it a poorly built template is a bit off - if you only applied yourself METHODICALLY you would be able to use 99% of it.

        Good luck. I hope you sort it out.

  38. alin August 11, 2016 at 12:32 pm #

    @ pants If you looked at video 2 you have seen that the problem is user js regarding English'll do everything possible to learn

    • Pants August 11, 2016 at 1:08 pm #

      I don't really care about a video - it just visually shows what you already describe and gives no other info (besides the fact that I can't even access it - and it has nothing to do with canvas - I have tried in IE, vanilla Chrome etc). You keep repeating yourself with general statements - these do nothing to advance fixing the problem. I have already said to capture traffic logs. I have already given you help to narrow down the culprit. Only YOU can do this because no-one else can replicate your issue. What more can I do? Nothing, short of remoting in and doing it all for you.

      Do you want me to create a user.js without sections 1200, 2400, 2500 and 2600 for you to test? You would have to assure me that you will use a clean vanilla profile to test it on. But then again, surely you can do this yourself? This backwards and forwards time consuming exercise is an exercise in futility. You already have all the tools to self-diagnose.

      Alin, what is your language? Do you have Signal (if so I can communicate thru Martin to share phone numbers and contact you regarding TeamViewer for a one off session). Quite frankly, I would like to remote in as you suggested earlier, just so I can stop the 46+ comments on it from growing. I would setup a portable FF and run various tests on clean profiles on subsets of the user.js until I find the section/prefs that cause the issue - seriously, it wouldn't take more than 15-20 minutes.

  39. subcero August 14, 2016 at 11:06 am #

    Can someone make an extension for dummies :) to allow enable and disable each setting including an explanation of the effects?

    I have found this https://addons.mozilla.org/es/firefox/addon/privacy-settings/
    http://firefox.add0n.com/privacy-settings.html
    but ghacks version has much more settings

    • Pants August 17, 2016 at 10:15 am #

      I toyed with the idea, but keeping it up to date (in time for each FF stable release) would be a PITA, and it would need to be (or should be) backward compatible. It also kind of defeats the purpose of forcing these settings on startup. Add to that there is some overlap with the options UI. It all seems like too much work.

      There is nothing hard about using the user.js. Almost every pref has an explanation and links for more info - and those that don't, are self-explanatory. All you have to do to turn items on or off is to comment/un-comment out the leading slashes before a preference. BUT, be aware that if you have already applied a change, un-commenting it out doesn't reset it, you need to do that in about:config.

  40. Mark August 25, 2016 at 3:59 am #

    @Pants
    Thanks for sharing your work. It's at the very least a good reference on the inner workings of Firefox.

    I've been going through a path similar to yours for 10 years now. At first I was indeed tweaking everything but over the years, I came to understand that in terms of ASSURANCE of privacy, this is all very voodoo.

    Here are the gist of the problem, as I came to understand it over the last decade:
    - You need to hide in a crowd to have good privacy, but the crowd has such a large fingerprint surface that you actually can't hide in there
    - You could STILL hide if you caught *everything* and faked it *in a way that really exists within the crowd*. But that's impossible, especially when you factor in that fingerprint surface is very much a perpetually moving target. The most recent illustration of this fact is the discovery that AudioContext API can be used in a way similar to Canvas fingerprinting. (Good study here: http://randomwalker.info/publications/OpenWPM_1_million_site_tracking_measurement.pdf )
    - Your IP address gives it all no matter what you do. It's obvious but not often mentioned that no matter how efficiently you juggle with fingerprints, if you don't solve the IP problem everything you do is useless.

    This is going to be long enough so I'll leave the core IP problem aside, but someone somewhere should address it thoroughly IMO.
    So, accounting for everything else, I ended up concluding that the only viable solution is to reduce your fingerprint surface as much as possible with as little tweaks as possible, so as to hide in the biggest possible crowd that has the smallest possible surface.

    Which means...installing a small set of popular add-ons. Yes, sharing your comprehensive user.js is also a way, but the crowd that accepts to browse in such conditions will never be big enough. Plus, depending on the technique you use to solve the IP issue you may still give out your country or even region, in which the crowd will be even smaller. Not to mention the chance is high that many people will only enable a subset of your tweaks, breaking the crowd down further.

    So, since according to me we seek the smallest amount of changes that lead to the greatest reduction of fingerprint surface, here are add-ons that do a very good job:

    - NoScript. Install one of the most popular add-ons on the web that just happens to disable JavaScript and make plugins click to activate, removing the two the biggest fingerprint vectors of all. Empty the default whitelist. We should ask author Giorgio Maone to make Canvas click to activate, like WebGL. I'm undecided on that, but perhaps it's worth ticking all checkboxes except the last 3 in the 3rd tab of NoScript's options. It's a tradeoff, changing default config does reduce your crowd further, but it may be compensated by a large enough reduction in fingerprint surface.

    - Adblock Plus (ideally µBlock Origin, but it needs to rise its user base as I'm not sure it can't be detected versus ABP). Removes ads and trackers all over the web, reducing your exposition. Not making network requests is the ultimate privacy move obviously, it works even you're stuck with a lame fixed IP. Building on that, µBlock Origin is better than ABP because it surfaces 3 useful privacy options for everyone to tick, and because if.

    - Remain some issues which I loosely ranked from most valuable to least in terms of surface reduction versus loss in crowd size:
    * Storage: Cookies, LSO, Local storage, Session storage (Cookie Controller)
    * Referrers (Disable or spoof through about:config or some obscure add-on)
    * ETags (Not sure. Clearing all data sometimes failed to delete them last time I checked, and disabling cache is too extreme and violently reduces your crowd)
    * Visited links color (about:config, or disable history and rely on bookmarks or Tab Groups instead)
    * Prefetching (about:config. Very arguable that it's worth it.)
    * Storage: IndexedDB. I never saw it being abused, at least with NoScript. Don't disable it. Instead check your profile storage folder every now and then and delete anything you find not chrome or dev tools related. You can't access your profile folder with Firefox for Android, so you may consider disabling IndexedDB through about:config. You stand out like crazy just by using Firefox for Android anyway. Your defense on mobile/tablet is to reduce network connections as much as possible using µBlock Origin. That will save you a lot of battery, data, RAM, and increase speed and security in the process.
    * Everything else probably does not reduce fingerprint surface enough to make up for the loss in crowd size, so I'm not mentioning it. Some of the things above are pretty questionable already anyway.

    The "Remain some issues" list is tricky because I don't know popular add-ons that handle them as their default config, except for Cookie Controller, kind of. If anyone knows, do share! :)

    Side note: Automatic connections can be disabled safely, since no connection is perfect protection. If you disable only some of it, make sure you only act on exposed UI if you don't want to stand out. But then again, it's Mozilla, and they get browser data, not browsing data, so it's not that bad if you stand out. ( Disable guide: https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections )

    • Pants August 27, 2016 at 12:25 am #

      I don't know how to reply to this really. The user.js is limited to what preferences are made available by Mozilla. I have said before, and I'll say it again - you cannot defeat fingerprinting: there are too many holes. The ONLY way (excluding maybe TBB for some scenarios) is via multiple browser engines/makes/models/versions, multiple OS/VMs, multiple VPNs/proxies/etc, multiple accounts (bitcoin/email etc), multiple online personas/ids - with zero cross contamination including sites. OpSec is the word! It also depends on who you are trying to defeat (state actors, google, advertisers etc)

      Ignore IP: Assume you use a VPN(s)/TOR/etc
      Ignore DNS: Assume you use OpenDNS

      The best you can do is to limit the attack surface, And for some others, maybe spoof. I say "some" (like canvas) because unless you spoof you are indeed unique on that one metric. Others, such as spoofing your browser's UA to reflect a different vendor is just going to make you stand out. There are too many methods of working out your browser build.

      Ignore plugins: Flash/Java/Silverlight/Adobe (ewww... adobe ... vomit) etc - Assume all plugins disabled

      Things outside of the user.js (and you will notice I mention these things in the user.js, and indeed I have a section at the very end I am thinking about filling in) - some things are best handled by an extension

      Ad-blocking - see uBlock Origin
      Referrers - see uMatrix + User-Agent JS Fixer
      Dom storage (Indexed DB)/Cookies: best handled by an extension
      XSS: best handled by an extension
      JS: clearly if you don't allow JS to run, then they can't get much (they can still get some things though)
      ^^ these three (I use cookie controller, NoScript, uBlock Origin, uMatrix - and User-Agent JS Fixer to match the uMatrix referrer spoof for headers with the same in JS) in default deny all - well uMatrix is allow css+images and I have no setting for cookies, it's neutral since I have cookie controller), and then you slowly build up a few select rules and scopes. There is overlap, eg I allow a domain in NS, then allow it in uBlockO, then allow the script in uMatrix - maybe allow a domain XSS (eg twimgs for twitter etc). You can certainly stop an awful lot of potential privacy leaks. After a while, all your main 300/1000 sites work like a charm with MINIMUM scripts/xss (eg I do not care if avatars don't show in comments). Not that we can't do better of course.

      In a nutshell - blocking as much JS and XSS (and cookies) as possible will eliminate 95% of tracking .. speaking of cookies

      You mention cookies/dom storage (ranked as most "valuable" in your others list). I just don't get it. Out of 10's of thousands of sites, especially my main 500+ ones bookmarked/speed-dialed - only for about 10 sites do I need cookies or dom for them to work functionally (I make these first party session only) - that's excluding sites I log into - two examples are cracked.com (I do not log in or have an account), and cricinfo. This cookie business is over-rated. Just block em all, allow 0.1% if you have to, for a first party only and session-only if you want (or cookie killer I think it is, will kill the cookie when all tabs for that domain are closed).

      But what you can't do is eliminate it all. Including server side attacks. All you can do it limit it by reducing the attack surface. And that in and of itself, can raise entropy. Fingerprinting is a GAME. Until a significant number (tens of millions) buy into the exact same setup (and it would require other holes yet to be patched, such as system time/locale etc), then none of us are really getting there. And lets not mention new things such as Audio Fingerprinting and all the problems of HTML5. Even in a large set, if you were the only one to use a particular site, you would still stand out on that site. And as fast as we plug holes and find solutions, more holes will evolve.

      I think I'll leave it there... or we'll just go round in circles

  41. b August 30, 2016 at 9:55 pm #

    what do you think about Eben Moglen and The Freedom Box?

    • Pants September 2, 2016 at 12:01 am #

      I don't think anything about it, because I really know anything about it, sorry. Probably read about it fleetingly somewhere, just don't really remember it. Freedom Box rings a faint bell, but not Eben Moglen.

      https://en.wikipedia.org/wiki/Eben_Moglen

      Just had a quick skim of this (20 secs worth). EFF likes him, he can't be all that bad :) I like his perspectives, most of them. He talks about proprietary software being as silly as proprietary geometry - and looks, hes way smarter than me, and I'm not a philosopher, and according to Tom's best buddy John Krazinski (aka Leandro, who built a text parser called ConfigFox ), I'm also a FREAK (he likes ad hominem attacks apparently) so I may have misunderstood - I'm certainly not against proprietary software, if a company wants to keep it closed, good on them. What I am against is software patents, period, the whole lot. Software patents are as ludicrous as geometry patents like apple's rounded corners. reDICKulous!! On the other ideas I'm pretty much sold. Open source is vital, we do need to break down the "privileged owners of media, distribution channels, and software", yada yada yada. I look at what's happening with MS10 and how paradigms shift so fast and how most people think they can't make a difference, and I shudder. I'd love to see some massive upstarts and industry/innovators of open source free software become real disruptors (not just software). I dream of Linux getting 50% pc/dekstop/laptop share. Think of all that money spend on MS being saved an spent elsewhere. I'd love to see digital currency become mainstream and out of central banks' control. I'd love to see the top 300 people who own 10% of the worlds wealth get hammered and wealth distribution back to "normalcy" - middle classes are disappearing. I'd love to date ScarJo as well (in her Black Widow outfit - that's her in it, not me, I wouldn't fit), but some things are never gonna happen. *sigh*

  42. b September 2, 2016 at 11:04 am #

    thanks for your reply. I agree. to me privacy, transparency and decentralization is a political fight; but when it comes to strange tech acronyms I'm lost. wiki definitions helps me along the way but only on a small scale, so I keep my fingers off unless I understand it fairly. your blog is great and very useful. I changed some settings but again: only those that make sense to my tech-retarded brain. A major step was my shift to ubuntu 6 months ago. these days I'm taught how to become a superuser in order to be able to help others install. there's a great community where I live so I try to pay back.
    As for dating: I'd prefer Alex from "orange is the new black" !!!

  43. Zlatan September 10, 2016 at 4:07 pm #

    Thank you for keeping this updated! I've noticed something recently, my bitcoin web wallet's performance is really slow. Signing a transaction takes forever. Any thoughts here? Thanks in advance!

    • Pants September 11, 2016 at 9:14 pm #

      No definitive idea. Is there a major difference between browsers profiles - eg a vanilla portable FF and one with the user.js. One thing you could look at is (1212) SSL session tickets (it has to handshake each time, this actually triggers problems with google, bless their soul - not one off searches etc, but with too many searches in a row and with reCAPTCHA they always think I'm a robot, and recaptcha lasts like 5 minutes), maybe 2421 with a couple of javascript things.

      As explained above in this comment ( https://www.ghacks.net/2016/07/03/comprehensive-firefox-user-js/#comment-3954336 ), you could test with a vanilla FF - if it does lag, sweet. Then add the user js section by section (make sure to close ff and restart it) - or even better, guess the problem areas and load all but say sections: 1200 maybe (SSL stuff), 2400 (JS stuff), 2600 (misc). Can't really see it being anything else. When you identify the problem section, it's most likely to be an item added later rather than sooner.

      • Pants September 12, 2016 at 1:22 am #

        that should read "if it DOESN'T lag, sweet" (meaning it must be the user.js .. or an extension)

    • umed September 21, 2016 at 12:08 am #

      had a similar problem with another service. Found the 'javascript.options.baselinejit' had to be set to true

      • Pants September 22, 2016 at 10:47 am #

        Thanks for the info - that one seems to cause the odd problem.

  44. Guest October 6, 2016 at 3:04 pm #

    When replying on a ZetaBoards forum, if I click "Preview" which should show a preview of my reply, the page refreshes back to the previous one (which asks for you to submit your guest name). I accepted cookies (and DOM) on uMatrix and Cookie Controller and then put Firefox in Safe Mode and still experienced the issue. Do you know which section could be causing it?

    • Pants October 8, 2016 at 12:23 pm #

      No idea. You'll have to experiment yourself. Above in the comments are instructions how to test and narrow down the items (if indeed it is a user.js preference). You do this by getting a firefox portable, no extensions. Test if the problem still exists. Now copy your profile folder as a master copy, so you can reset. eg:

      c:/firefoxportable/data/profile
      c:/firefoxportable/data/profile-master
      ^^ If you need to reset, with FF closed, delete the "profile" folder and then copy the "profile-master" folder and rename it back to "profile"

      For each test you add in the user.js, but only add the first half and then retest ... each test will halve your suspects. Reset your profile if needed. As mentioned in the comments above somewhere ... a lot of sections are clearly not the culprit (eg, it won't be fonts, it won't be plugins, it won;t be shutdown or opening, it won't be ssl etc), so you are already well over half way there. In fact, if anything, I would say it's maybe something in 2400 or 2600 sections.

      Good luck, and let us know when/if you find out what it is.

  45. Pants March 22, 2017 at 12:31 am #

    NOTICE: I will no longer monitor any of the comments on the various ghacks user.js articles. If you have any suggestions or questions, use the official repo at github: https://github.com/ghacksuserjs/ghacks-user.js/issues

Leave a Reply