What Firefox add-ons do you use?

uBlock Origin
HTTPS Everywhere
Everything recommended on Privacy Tools
CC Search
Privacy Possum
Privacy Redirect
Activate Nitterify
IPFS Companion (I use it for free web hosting)

The only reason I use MetaMask is for SingularityNet, but otherwise I would be skeptical until it has been thoroughly tested.

DuckDuckGo Privacy Essentials
Bypass Paywalls
Fraidycat
Three Different Night Mode Plugins

Accidentally put HTTP Everywhere. Not I’d rather a plugin not enforce HTTP everywhere.

1 Like

@infosechandbook

Do you think it is necessary to use Privacy Possum with uBlock Origin (Enhanced Easy mode)?

1 Like

As always, this depends on your threat model. Some of the things blocked by Privacy Possum should also be blocked by the current Firefox in Strict Mode (Enhanced Tracking Protection). For example, FF can natively block 3rd party cookies.

If you look at https://github.com/cowlicks/privacypossum, there seem to be some fallback mechanisms in Privacy Possum. For instance, if Privacy Possum blocks the Referer header and errors occur, then the Referer header will be added back. A website that tries to track you could expose this to always enforce headers.

In general, you should try to reduce the amount of browser extensions to a very small number. Each browser extension can introduce new security vulnerabilities and some browser extensions spied on users in the past.

2 Likes

169 enabled at the time of writing. Without listing them, I’ll mention a few that might be of interest here. At least one should be familiar to most privacy-conscious users of Firefox.

Adigly

My 2018 review:

The highlights allow me to more easily ignore advertisements.

That’s surely not what the developer intended :slight_smile: however the extension does have this effect. The highlights are not offensively bright. Easier to perceive the part of the page that does not include advertising.

AdIntuition

Don’t be turned off by the Ad part of the name. This extension allows people to see where sponsored links are not properly disclosed.

From Idea: Mozilla OpenWPM Extension : firefox

Mozilla took over a project called OpenWPM from Princeton, which, despite what one may think the name sounds like, is not something similar to but slightly different from a VPN. Instead:

OpenWPM, our open-source software for conducting automated Web Privacy Measurements on a scale of thousands to millions of websites. It is useful to researchers, journalists, regulators, privacy advocates, and anyone with an interest in online privacy.

Posted by me last year: AdIntuition – making it easier to discover undisclosed affiliations and commissions : firefox

  • includes examples of good players, and a questionable player.

Certainly Something (Certificate Viewer)

… advanced digital certificate viewer for with an easy-to-use interface that works on both desktop and mobile devices.

Chrome Store Foxified

ClearURLs

Recommended by Firefox staff.

Finitimus

… find the publish date for articles and other Internet content, …

HTTPZ

Whilst the description is not well-worded, it is a fine extension.

Comparable to things such as HTTPS Everywhere.

Latest on AMO

… a list of the latest add-ons published on addons.mozilla.org in the Firefox sidebar.

Developer: Jorge Villalobos (Product Manager for AMO; member of the team that manages the site and the add-on review process). Nice guy, very considerate … he produced and published this extension almost immediately after a GitHub comment by me re: minor loss of functionality when AMO was redesigned.

Malwarebytes Browser Guard

Not officially supported on FreeBSD (which I use) or Linux, but it seems to work perfectly on these platforms. It’s a great extension.

Catches much more than can be caught by the four malware-oriented lists that are available in uBlock Origin. And so on.

Does not require Malwarebytes Premium (there’s no such product for FreeBSD or Linux).

Newsit: Hacker News and Reddit Links

If there’s Hacker News or Reddit discussion of a page, this extension will help to find it.

Official Media Bias Fact Check Icon

… color-coded icon denoting the bias of the page you are currently viewing, according to Media Bias/Fact Check. …

Open With

Simplifies use of multiple browsers. Whilst browsing with Firefox: open a link – or the current page – in Brave Browser or Falkon or surf or Tor Browser or whatever.

Side note: hoping to add support for Open With as an extension to Brave Browser. Pull request drafted.

YouTube Playback Speed Control


More to follow …

2 Likes

Hahahahaha. You’re crazy, man.

1 Like

Bitwarden. I don’t need any more. I use the strict configuration and I also use a VPN outside. What’s the point of having so many extensions?

1 Like

I think some people get addicted to Add-ons :brain:

2 Likes

I’m knee-deep.

I don’t often perform Google searches that generate advertisements, here’s a recent shot of Adigly helping me to avoid them (the highlighting decreases legibility – it’s a turn-off):

1 Like

I mostly use Tor (I don’t use Google or Gmail so I don’t live on an Internet infested by captchas), but when I’m on Firefox I install:

HTTPS Everywhere
Privacy Badger
NoScript

I trust the EFF not to collect data or write shady software. I also change my default about:config along the lines similar to that mentioned on the privacytools.io browser section (which is also one reason I <3 Firefox) :slight_smile:

1 Like

I found an add-on that seems to be very obscure, one that protects you against CSS extraction attacks. It is a very simple add-on and does not seem to slow down Firefox at all. I have been using it for about a month now, and it’s just nice to know that I’m just a little bit more protected.

Website: https://www.mike-gualtieri.com/css-exfil-vulnerability-tester

1 Like

I use different addons for different browsers and for different browser profiles if I use my browser that way.

Almost always:
Nano Adblocker.
Nano Defender.
HTTPS Everywhere.
Privacy Badger.
Decentraleyes (there is a fork of it which is slightly more expansive in what it does, however I FORGOT THE NAME).
xBrowserSync.
[For those that might not know, the aforementioned is an end-to-end encrypted bookmarking database, here is the https://www.xbrowsersync.org/]
Some kind of add-on that filters all those tracking tags off behind my back.
Sometimes Nextcloud Notes is hooked up in there.
Almost always a Tampermonkey add-on, or well, the similar-sounding ones.


For different profiles I’ll also have:
- Augmented Steam
- some make-Reddit-like-old-Reddit add-on project.
- some vaguely unknown add-on that can screenshot in browser and auto upload it to your weeb.safu stronghold.

2 Likes

Also, I of course forget loads.
But Bitwarden I always install for sure as well.

1 Like

Read here :wink:

1 Like

– Adblock+ or uBlock Origin, depending on the computer
– NoScript, configured for maximum security
– HTTPS Everywhere
– IPvFoo or SixOrNot to see if I’m connecting over IPv6 (not always)

I’d like to find good, configurable referer and user-agent spoofing add-ons.

2 Likes

This changed to uBlock Origin only since FF 76.0+ comes with an HTTPS-only mode (go to about:config, change “dom.security.https_only_mode” to True). So there is no need for HTTPS Everywhere.

However, the HTTPS-only mode blocks non-HTTPS connections (as expected), so some websites could show strange behavior as there is no fallback to HTTP. For instance, the local live preview of Hugo doesn’t update itself since it uses WebSocket that is blocked when HTTPS-only is enabled.

2 Likes

Well, currently HTTPS-only mode is still experimental, which is why we currently still recommend keeping HTTPS Everywhere installed.

2 Likes

AdBlock Plus allows acceptable ads and I actually used to use it years ago until I noticed it wasn’t blocking ads anymore.

NoScript was once said to be harmful and malicious, and its content blocking is inferior to uMatrix (the add-on that can replace all adblockers and NoScript).

If your VPN has IPv6 leak protection then this isn’t necessary. You could always set “network.dns.disableIPv6” to “true” in about:config, but disabling IPv6 is best done systemwide.

For referers, just use the about:config tweaks provided by PrivacyTools, some of which involve referers. For user-agents, use “general.useragent.override” or maybe try this addon.

You should also consider installing LocalCDN (fork of Decentraleyes with more active development)

1 Like

From what I understand…

  • The fewer add-ons you have, the better you stand when it comes to browser fingerprinting: so you should aim to minimize your number of installed add-ons.

  • Adblock Plus is inferior to uBlock Origin, because AB+ doesn’t block all ads.

Having uMatrix installed means:

  • You don’t need Privacy Badger, because trackers can be blocked in uM just as well as in Privacy Badger by having all scripts disabled by default.

  • You don’t need NoScript, because uMatrix can also block all JavaScript by default.

  • You don’t need Cookie AutoDelete, because uMatrix gives you the option of having all cookies disabled by default. You can manually allow cookies for specific sites of your choosing.

So, in line with fingerprinting recommendations, should people be removing the above three add-ons in favor of uMatrix?

1 Like

Yes they should remove the three in favor of uMatrix, and if you had to keep a cookies addon, Site Bleacher is probably the least bad.

If you disable JavaScript, they can’t even know what add-ons you’ve installed. Of course, this will cause the entire internet to break, which is why you should use uMatrix to block all third-party cookies, and all JavaScript and XHR by default, and enable when needed.

1 Like

In my opinion, it is more about “the fewer add-ons you use, the better you stand when it comes to security.”

Every add-on in your web browser can potentially introduce new security vulnerabilities, extract personal data/PII, or mess with your configuration. There were already phishing attacks on add-on developers to break into their accounts and replace benign add-ons with malicious ones (e.g., 1, 2). Then, the end user’s web browser automatically downloads the malicious add-on. Who checks the code of the locally-installed add-ons? Who realizes that these add-ons were updated? There were also widely-used add-ons that spied on their users (e.g., 3), or were malicious in general (e.g., 4).

Regarding blocking JavaScript/Cookies:
While some websites use JS and Cookies to track people (among other tracking techniques), there are also many websites that rely on JS and Cookies. So disabling both can result in a completely unusable internet for you. Another question here is: If a website needs JS and Cookies, how do you allow only the relevant scripts and cookies? Do you repeatedly click “allow JS” until the website works as intended, or do you actually check each and every script before allowing it? I assume, most people simply allow some scripts until the website works. They don’t really know whether they allow JS used for tracking.

If you want to avoid web browser fingerprinting, use the Tor Browser. There are hundreds of possibilities to track users, and it is very likely that you forget to block one when you start to install arbitrary add-ons. Moreover, you don’t know how other people configured these add-ons in most cases. So even if you and other people use exactly the same web browser and add-ons, your fingerprint may be different due to differing configuration.

3 Likes
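
The question raised in the post above (who notices that locally installed add-ons were updated?) can be checked on the machine itself. The following is an added example, not part of the thread: a Python script that reads add-on records in the shape Firefox stores in a profile's `extensions.json` and lists active extensions by update date, flagging those that can access every site. The field names (`addons`, `updateDate`, `userPermissions.origins`) are assumed to match that file's layout, and the sample records are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Host patterns that let an extension read and modify every page.
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample in the shape of a profile's extensions.json (not real data).
SAMPLE = json.dumps({"addons": [
    {"id": "blocker@example.invalid", "type": "extension", "active": True,
     "version": "1.4.0", "defaultLocale": {"name": "Sample Blocker"},
     "updateDate": 1700000000000,  # 2023-11-14 UTC, milliseconds
     "userPermissions": {"permissions": ["webRequest"], "origins": ["<all_urls>"]}},
    {"id": "speed@example.invalid", "type": "extension", "active": True,
     "version": "2.0.1", "defaultLocale": {"name": "Sample Speed Control"},
     "updateDate": 1690000000000,  # 2023-07-22 UTC
     "userPermissions": {"permissions": ["storage"],
                         "origins": ["https://video.example.invalid/*"]}},
    {"id": "dark@example.invalid", "type": "theme", "active": True,
     "version": "1.0", "updateDate": 1699990000000},
]})


def audit_addons(raw, now, recent_days=14):
    """Return one record per active extension, most recently updated first."""
    cutoff = now - timedelta(days=recent_days)
    report = []
    for addon in json.loads(raw).get("addons", []):
        if addon.get("type") != "extension" or not addon.get("active"):
            continue  # skip themes, dictionaries and disabled add-ons
        origins = set((addon.get("userPermissions") or {}).get("origins", []))
        updated = datetime.fromtimestamp(addon.get("updateDate", 0) / 1000, tz=timezone.utc)
        report.append({
            "name": (addon.get("defaultLocale") or {}).get("name", addon["id"]),
            "version": addon.get("version"),
            "updated": updated,
            "recently_updated": updated >= cutoff,
            "all_sites": bool(origins & BROAD_ORIGINS),
        })
    return sorted(report, key=lambda r: r["updated"], reverse=True)


if __name__ == "__main__":
    now = datetime(2023, 11, 20, tzinfo=timezone.utc)  # fixed for the sample
    for r in audit_addons(SAMPLE, now):
        flags = [f for f in ("recently_updated", "all_sites") if r[f]]
        print(f'{r["updated"]:%Y-%m-%d} {r["name"]} {r["version"]}: {", ".join(flags) or "-"}')
```

To audit a real profile, pass the contents of `extensions.json` from the profile directory instead of `SAMPLE`, with `now` set to the current UTC time.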