Title: Firefox hardening with Arkenfox
Author: Solène
Date: 24 September 2023
Tags: firefox security privacy
Description: In this article, you will learn how to use the project
Arkenfox to make Firefox more secure and harder to track.

# Introduction

Dear Firefox users, what if I told you it's possible to harden Firefox
by changing a lot of settings? That is really boring to explain and
hard to reproduce on every computer. Fortunately, someone did the job
of automating all of that under the name Arkenfox.

Arkenfox's design is simple: it's a Firefox configuration file (more
precisely a `user.js` file) that you drop in your profile
directory to override many Firefox defaults with a lot of curated
settings that harden privacy and security. As the cherry on the cake, it
features an updater and a way to override some of its values with a
user-defined file.

This makes Arkenfox easy to use on any system (including Windows), but
also easy to tweak or distribute across multiple computers.

Arkenfox user.js GitHub project page
Arkenfox user.js Documentation

# Setup

The official documentation contains more information, but basically the
steps are the following:

1. Find your Firefox profile directory: open `about:support` and look
for the entry named profile directory.
2. Download the latest Arkenfox user.js release archive.
3. If the profile is not new, there is an extra step to clean it using
`scratchpad-scripts/arkenfox-cleanup.js`, which contains instructions at
the top of the file.
4. Save the file `user.js` in the profile directory.
5. Add `update.sh` to the profile directory, so you can update
`user.js` easily later.
6. Create `user-overrides.js` in the profile directory if you want to
override some settings and keep them across updates. The updater is
required for the overrides to be applied.

# Configuration

Basically, Arkenfox disables a lot of persistence such as cache
storage, cookies, and history. It also enforces a canvas of fixed size
to render the content, resets the preferred languages to English only
(this defines which language is used to display a multilingual website),
and makes many more changes.

You may want to override some settings because you don't like them. In
the project's wiki, you can find the common Arkenfox overrides, with an
explanation of each new value, and which value you may want to use in
your own override.

Arkenfox user.js Wiki about common overrides

For instance, if you want to re-enable the cache storage, add the
following code to the file `user-overrides.js`.

```javascript
user_pref("browser.cache.disk.enable", true);
user_pref("privacy.clearOnShutdown.cache", false);
```

Now, run the updater script, which verifies that the Arkenfox user.js
file is the latest version and appends your overrides to it.
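
To see which hardening settings your overrides relax once they are appended, here is a small Node.js script (an added example, not part of Arkenfox or of the original article). It relies on Firefox applying the last `user_pref()` call for a given name; the function names and the sample file contents are constructed for illustration, and only whole-line `//` and `/* ... */` comments are handled.

```javascript
// The last user_pref() call for a name wins, so appended overrides take effect.
const PREF_RE = /^user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;

// Parse active user_pref() calls; commented-out prefs are ignored.
function parsePrefs(text) {
  const prefs = new Map();
  let inBlock = false;
  for (const line of text.split(/\r?\n/)) {
    const t = line.trim();
    if (inBlock) {
      if (t.includes("*/")) inBlock = false;
      continue;
    }
    if (t.startsWith("/*")) {
      if (!t.includes("*/")) inBlock = true;
      continue;
    }
    if (t.startsWith("//")) continue;
    const m = PREF_RE.exec(t);
    if (m) prefs.set(m[1], m[2]); // later duplicates overwrite earlier ones
  }
  return prefs;
}

// List prefs whose effective value differs from user.js after the append.
function auditOverrides(baseText, overridesText) {
  const base = parsePrefs(baseText);
  const changed = [];
  for (const [name, after] of parsePrefs(overridesText)) {
    const before = base.has(name) ? base.get(name) : "(not set in user.js)";
    if (before !== after) changed.push({ name, before, after });
  }
  return changed;
}

// Constructed samples, not copied from an Arkenfox release.
const SAMPLE_USER_JS = `
/* disable disk cache
 * (constructed comment) ***/
user_pref("browser.cache.disk.enable", false);
   // user_pref("browser.cache.disk.enable", true);
user_pref("privacy.clearOnShutdown.cache", true);
`;
const SAMPLE_OVERRIDES = `
user_pref("browser.cache.disk.enable", true);
user_pref("privacy.clearOnShutdown.cache", false);
`;

for (const c of auditOverrides(SAMPLE_USER_JS, SAMPLE_OVERRIDES)) {
  console.log(`${c.name}: ${c.before} -> ${c.after}`);
}
```

Reading the real `user.js` and `user-overrides.js` from the profile directory with `fs.readFileSync` instead of the samples gives the same report for your own profile.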

# Tips

By default, cookies aren't saved, so if you don't want to log in every
time you restart Firefox, you have to specifically allow cookies for
each website.

The easiest method I found is to press `Ctrl+I`, visit the Permissions
tab, and uncheck the "Default permissions" relative to cookies. You
could also do it by visiting Firefox settings and searching for an
exception button in which you can enter a list of domains where cookies
shouldn't be cleared on shutdown.

By default, entering text in the address bar won't trigger a search
anymore, so instead of using `Ctrl+L` to type in the bar, you can use
`Ctrl+K` to type a search.

# Extensions

The Arkenfox wiki recommends using only the uBlock Origin and Skip
Redirect extensions, with some details. I agree they both work well and
do the job.

It's possible to harden uBlock Origin by disabling 3rd party scripts /
frames by default, while giving you the opportunity to allow some
sources per domain or globally. This is called the blocking mode. I
found it to be way more usable than NoScript.js.

uBlock Origin blocking mode documentation

# Conclusion

I found that Arkenfox was a bit hard to use at first because I didn't
fully understand the scope of its changes, but it didn't break any
website even if it disables a lot of Firefox features that aren't
really needed.

This reduces Firefox's attack surface, and it's always a welcome
improvement.

# Going further

Arkenfox user.js isn't the only set of Firefox settings around: there
is also Betterfox (thanks prx!), which provides different profiles, even
one for performance. I didn't try any of these profiles yet. Arkenfox
and Betterfox are parallel projects and not forks, so it's actually
complicated to compare which one would be better.

Betterfox GitHub project page