Title: Firefox hardening with Arkenfox
Author: Solène
Date: 24 September 2023
Tags: firefox security privacy
Description: In this article, you will learn how to use the project
Arkenfox to make Firefox more secure and harder to track.

# Introduction

Dear Firefox users, what if I told you it's possible to harden Firefox
by changing a lot of settings? Something really boring to explain and
hard to reproduce on every computer. Fortunately, someone did the job
of automating all of that under the name Arkenfox.

Arkenfox's design is simple: it's a Firefox configuration file (more
precisely a `user.js` file) that you drop in your profile
directory to override many Firefox defaults with a lot of curated
settings to harden privacy and security. As the cherry on the cake, it
features an updater and a way to override some of its values with a
user-defined file.

This makes Arkenfox easy to use on any system (including Windows), but
also easy to tweak or distribute across multiple computers.

Arkenfox user.js GitHub project page
Arkenfox user.js Documentation

# Setup

The official documentation contains more information, but basically the
steps are the following:

1. find your Firefox profile directory: open `about:support` and search
for an entry named profile directory
2. download the latest Arkenfox user.js release archive
3. if the profile is not new, there is an extra step to clean it using
`scratchpad-scripts/arkenfox-cleanup.js`, which contains instructions at
the top of the file
4. save the file `user.js` in the profile directory
5. add `update.sh` to the profile directory, so you can update
`user.js` easily later
6. create `user-overrides.js` in the profile directory if you want to
override some settings and keep them; the updater is required for the
override

# Configuration

Basically, Arkenfox disables a lot of persistence, such as cache
storage, cookies and history. It also enforces a fixed-size canvas
to render the content, resets the preferred languages to English only
(this defines which language is used to display a multilingual website)
and makes many more changes.

You may want to override some settings because you don't like them. In
the project's Wiki, you can find all Arkenfox overrides, each with an
explanation of its new value and the value you may want to use in
your own override.

Arkenfox user.js Wiki about common overrides

For instance, if you want to re-enable the cache storage, add the
following code to the file `user-overrides.js`.

```javascript
user_pref("browser.cache.disk.enable", true);
user_pref("privacy.clearOnShutdown.cache", false);
```

Now, run the updater script, which will verify that the Arkenfox user.js
file is the latest version and append your override to it.

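As an added example (not code from the Arkenfox project), the following Node.js script checks that every pref in `user-overrides.js` is the value Firefox will actually apply from `user.js`, relying on the fact that the last active `user_pref` for a name wins. The function names and the sample file contents are constructed for illustration.

```javascript
// Drop // and /* */ comments but leave string literals intact, so a value
// such as "https://example.org/" is not cut at its "//".
function stripComments(src) {
  let out = "", i = 0, quote = null;
  while (i < src.length) {
    const c = src[i], two = src.slice(i, i + 2);
    if (quote) {
      out += c === "\\" ? two : c;            // keep escape sequences whole
      if (c === quote) quote = null;
      i += c === "\\" ? 2 : 1;
    } else if (two === "//") {
      while (i < src.length && src[i] !== "\n") i++;
    } else if (two === "/*") {
      const end = src.indexOf("*/", i + 2);
      i = end === -1 ? src.length : end + 2;
    } else {
      if (c === '"' || c === "'") quote = c;
      out += c;
      i++;
    }
  }
  return out;
}

// Firefox applies user.js top to bottom, so the last active user_pref wins.
function effectivePrefs(src) {
  const re = /user_pref\(\s*"([^"]+)"\s*,\s*("(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;/g;
  const prefs = new Map();
  for (const [, name, raw] of stripComments(src).matchAll(re)) prefs.set(name, JSON.parse(raw));
  return prefs;
}

// Names from user-overrides.js whose value is not the effective one in user.js.
function unappliedOverrides(userJs, overridesJs) {
  const effective = effectivePrefs(userJs);
  return [...effectivePrefs(overridesJs)]
    .filter(([name, value]) => effective.get(name) !== value)
    .map(([name]) => name);
}

// Constructed sample, not the real Arkenfox file.
const baseUserJs = `user_pref("browser.cache.disk.enable", false);
// user_pref("browser.cache.disk.enable", true);  (inactive, commented out)
user_pref("privacy.clearOnShutdown.cache", true);
user_pref("example.homepage", "https://example.org/"); /* hypothetical pref */
`;
const overrides = `user_pref("browser.cache.disk.enable", true);
user_pref("privacy.clearOnShutdown.cache", false);
`;
```

An empty result from `unappliedOverrides` on the real files means the updater appended the overrides; any name it returns is still at the value set earlier in `user.js`.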
# Tips

By default, cookies aren't saved, so if you don't want to log in every
time you restart Firefox, you have to specifically allow cookies for
each website.

The easiest method I found is to press `Ctrl+I`, visit the Permissions
tab, and uncheck the "Default permissions" relative to cookies. You
could also do it by visiting Firefox settings, and search for an
exception button in which you can enter a list of domains where cookies
shouldn't be cleared on shutdown.

By default, entering text in the address bar won't trigger a search
anymore, so instead of using Ctrl+L to type in the bar, you can use
Ctrl+K to type for a search.

# Extensions

The Arkenfox wiki recommends using only the uBlock Origin and Skip
redirect extensions, with some details. I agree they both work well and
do the job.

It's possible to harden uBlock Origin by blocking third-party scripts
and frames by default, then allowing some sources per domain or
globally; this is called the blocking mode. I found it to
be way more usable than NoScript.js.

uBlock Origin blocking mode documentation

# Conclusion

I found that Arkenfox was a bit hard to use at first because I didn't
fully understand the scope of its changes, but it didn't break any
website even if it disables a lot of Firefox features that aren't
really needed.

This reduces Firefox's attack surface, and it's always a welcome
improvement.

# Going further

Arkenfox user.js isn't the only set of Firefox settings around; there
is also Betterfox (thanks prx!), which provides different profiles, even
one for performance. I didn't try any of these profiles yet. Arkenfox
and Betterfox are parallel projects and not forks; it's actually
complicated to compare which one would be better.

Betterfox GitHub project page