Hacker News
by WeAreGoingIn 2754 days ago
The first plugin I install on a freshly installed system with Firefox is uBO. After that I harden the browser by changing stuff in about:config.

Chrome has never been an option for us with privacy in focus.

The guys behind uBO should get some prize or something.

9 comments

I don't see anyone mentioning the ability to store about:config settings in a user.js file.

Unless you have some reason not to use it, it's much easier than changing about:config on each computer, you just copy over the user.js file.

Here's a hardened option (no affiliation): https://github.com/pyllyukko/user.js

And a relaxed version: https://github.com/pyllyukko/user.js/tree/relaxed

You can (and should) give them money if you find value. Do it, feels good.
I'm not sure who you have been giving money to, but Gorhill notoriously does not accept donations as he does not want this project to have money be a goal whatsoever and does not want to feel like he needs to work on ublock origin. That said, he strongly encourages donating to the ublock origin lists as without them ubo would be nothing.

See here: https://github.com/gorhill/uBlock/wiki/Why-don't-you-accept-...

I would absolutely love to, but does the author even accept donations? I just combed through my about page and the Github README and didn't see anything related. I was kinda hoping he had a Patreon. Am I blind, or is it just not there?
He writes in his FAQ [1]:

> I don't want the administrative workload coming with donations. I don't want the project to become in need of funding in any way: no dedicated home page + no forum = no cost = no need for funding. I want to be free to move onto something else if ever I get tired working on these projects (no donations = no expectations).

> Have a thought for the maintainers of the various lists. These lists are everything. This can't be emphasized enough.

[1] - https://github.com/gorhill/uBlock/wiki/Why-don't-you-accept-...

Dude could still do a monthly patreon and cancel it if he didn't want to work on it anymore
The maintainer of Ublock Origin does not want to make money from this. He does not want Ublock to turn into Adblock Plus.

If there is no money involved the project cannot be bribed by ad tech. The only acceptable ads are the ones the user white lists.

The point is to make money from the users, not from advertising companies, which is the opposite of adblock. He could still refuse ads by ad tech, I don't see how donations by users would force him.
I wouldn't do that if I were him because I don't know how to explain that income to the IRS (or rather, the Finanzamt, since I'm German).
In general, the IRS rarely cares about how you're generating income more than that you just remember to pay taxes on it appropriately.
Is that income uniquely difficult to explain?
What sorts of things do you change in about:config?
Thanks for asking.

A lot of stuff is disabled by default, but it's a moving target. There are some tutorials online to read.

It depends on what the browser is used for. Some hardening breaks certain sites.

Some stuff to look at:

- dns-prefetch
- geo
- cookie
- dom (disable, breaks sites)
- browser.cache.disk
- clipboard.events
- media.peerconnection
- healthreport
- spoofRefererHeader

That Chrome doesn't remove history when closed is a big issue.

I search config for "autoplay" and disable everything related. It's not a privacy issue - just annoyance avoidance.
I've got this list in my favs, I think it was posted on HN a while ago:

https://gist.github.com/0XDE57/fbd302cef7693e62c769

I had some problems with sendRefererHeader, so it can definitely break some websites

See, there are some good ideas in that list, but then it gets to disabling Safe Browsing without any explanation. There's a lot of false information around about what Safe Browsing sends to whom, and you should make sure you know what you're doing when disabling it.

Also, the DNS cache size explanation is a bit backwards. "Number of cached DNS entries. Lower number = More requests but less data stored." Where do you think that data is stored? Bigger cache size means fewer requests that inform a third-party (your DNS server) of which sites you're visiting. (Information leaks from the speed of resolving a query might be a concern, but I'm not sure how doable this is from a webpage.)

And then it disables all caches (including in-memory) for... what reason, exactly? You can configure firefox to clear all your browser data when you close it.

But then they force-enable WebGL, which enables quite a few tracking techniques. This list is weird.

I guess all I want to say is don't blindly apply settings from this list. The author traded a lot of convenience, speed, and security for some perceived privacy.
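As an added illustration of the review this comment recommends (not code from the thread or from any linked list), the following parses a user.js file and flags the settings questioned above before they are copied into a profile. The sample file, the `DNS_CACHE_MIN` threshold and the rule wording are assumptions made for this example; the preference names are Firefox's own.

```javascript
// Added example; SAMPLE_USER_JS is constructed for illustration, not copied from a real list.
const SAMPLE_USER_JS = `
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.phishing.enabled", false);
user_pref("network.dnsCacheEntries", 0);
user_pref("browser.cache.memory.enable", false);
user_pref("webgl.force-enabled", true);
user_pref("network.dns.disablePrefetch", true);
// user_pref("geo.enabled", true);   <- commented out, must be ignored
`;

const DNS_CACHE_MIN = 100; // arbitrary review threshold chosen for this example

// Each rule flags a value for review, with the trade-off raised in the thread.
const RULES = [
  { match: /^browser\.safebrowsing\.(malware|phishing)\.enabled$/, flag: v => v === false,
    why: "Safe Browsing disabled: know what it sends and what you lose first" },
  { match: /^network\.dnsCacheEntries$/, flag: v => typeof v === "number" && v < DNS_CACHE_MIN,
    why: "small DNS cache: more lookups reach your DNS server" },
  { match: /^browser\.cache\.memory\.enable$/, flag: v => v === false,
    why: "in-memory cache off: slower; clearing data on exit is an alternative" },
  { match: /^webgl\.force-enabled$/, flag: v => v === true,
    why: "WebGL force-enabled: enables additional tracking techniques" },
];

// Parse user_pref("name", value); lines. Line comments are skipped;
// block comments (/* ... */) are out of scope here.
function parseUserJs(text) {
  const prefs = new Map();
  const line = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;
  for (const raw of text.split(/\r?\n/)) {
    const m = line.exec(raw);
    if (!m) continue; // blank lines, comments, anything that is not a user_pref call
    let value;
    try { value = JSON.parse(m[2]); } catch { value = m[2]; } // booleans, numbers, "strings"
    prefs.set(m[1], value);
  }
  return prefs;
}

// Return one finding per preference whose value matches a review rule.
function audit(prefs) {
  const findings = [];
  for (const [name, value] of prefs) {
    for (const rule of RULES) {
      if (rule.match.test(name) && rule.flag(value)) findings.push({ name, value, why: rule.why });
    }
  }
  return findings;
}

for (const f of audit(parseUserJs(SAMPLE_USER_JS))) console.log(`${f.name} = ${f.value}: ${f.why}`);
```

A flagged line is a prompt to read up on the setting, not a verdict; the DNS cache entry in particular is argued both ways in this thread.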

> don't blindly apply settings from this list

I am not a security expert, but I tend to agree with this. I took a look at the script and noticed a few of the things you pointed out, and I have had horrible experiences running random scripts I found on Github before from claimed-to-be "experts", so I'll stick with the defaults (and UBlock).

> don't blindly apply settings from this list.

Unfortunately, there is no real documentation of the various about:config parameters. So one has to trust doubtful sources on what settings would be useful, or spend many hours reading the source code of Firefox.

I don't understand why each setting is not documented on the about:config page. It would bind the documentation to the release, providing the info suitable for the FF version. I can't see any drawback, except that developers would have to provide a small description of every setting they introduce, which I hope they already do somewhere.

Here is my own frustrating experience with about:config. I sometimes hit Ctrl-q when I meant Ctrl-w. So instead of closing a tab in FF, I close the application and lose my input on some pages. I tried to restore the (previously default) behavior of asking for confirmation before quitting. I had 2 settings in "about:config" named "browser.warnOnQuit" and "browser.showQuitWarning". Only the former one is documented in the mozillaZine wiki. It seems the latter was the old name of this setting, which FF updates never migrated.

So I changed the config, and nothing happened. After several variations, I headed for the source code of FF, and saw this setting was ignored when "restoring sessions" was active. There is no way to ask for confirmation in modern FF.

This was just fixed in the latest release.
Cached DNS queries / speed to resolve can indeed be exploited, as shown here: https://www.chaoswebs.net/timebleed/

There are efforts to prevent this in the future but for now disabling or limiting DNS cache seems the only viable option.

Safe browsing would not be bad if it were just a warning. Unfortunately the concept of personal responsibility is absent from Firefox. I remember a time when you could click "I know what I am doing take me to the site anyway".
> it can definitely break some websites.

That makes sense. Checking the Referer header is a quick and dirty way to implement cross-site request forgery (CSRF) protection.
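To make the breakage concrete, here is an added example (not part of the thread) of a Referer-only CSRF check next to a variant that also accepts the Origin header, evaluated over constructed requests. `SITE_ORIGIN`, the function names and every request are hypothetical, and whether a particular hardened browser still sends Origin is an assumption of the sample data.

```javascript
// Added example; SITE_ORIGIN and all requests below are constructed for illustration.
const SITE_ORIGIN = "https://shop.example";

// Compare parsed origins, not string prefixes: "https://shop.example.other.test"
// starts with SITE_ORIGIN but is a different origin.
function originOf(value) {
  try { return new URL(value).origin; } catch { return null; } // missing or malformed header
}

// "Quick and dirty" check: a state-changing request must carry a same-origin Referer.
function strictRefererCheck(headers) {
  return originOf(headers.referer) === SITE_ORIGIN;
}

// Variant: prefer Origin, fall back to Referer, and still reject when both are absent.
function originOrRefererCheck(headers) {
  const source = headers.origin ?? headers.referer;
  return source !== undefined && originOf(source) === SITE_ORIGIN;
}

// Header sets as a server would see them (lower-cased names).
const REQUESTS = {
  sameSite: { referer: "https://shop.example/cart" },
  crossSite: { referer: "https://other.example/page", origin: "https://other.example" },
  lookalike: { referer: "https://shop.example.other.test/" },
  // A user who has turned the Referer header off in about:config:
  noRefererWithOrigin: { origin: "https://shop.example" },
  noRefererNoOrigin: {},
};

// Run one check over every sample request; true means the request is accepted.
function evaluate(check) {
  return Object.fromEntries(Object.entries(REQUESTS).map(([name, h]) => [name, check(h)]));
}

console.log("strict :", evaluate(strictRefererCheck));
console.log("lenient:", evaluate(originOrRefererCheck));
```

The strict check rejects the legitimate user without a Referer, which is the site breakage reported above; a request carrying neither header is rejected by both, which is why sites that want to support such browsers rely on a CSRF token instead of header checks alone.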

Not as extensive, but certainly more user friendly option:

https://ffprofile.com/

As a smb sysadmin for a GSuite based company, I've forced it as an extension to Chrome, so whenever any employee logs into Chrome, it automatically adds it.
Curious, is this your job description "smb sysadmin"? Sounds awfully specific for a job.
I expect it was meant as in "small and midsized business" rather than Samba :)
One thing that blocks my migration to Firefox is the zoom thing. In Chrome I can zoom pages and it sticks (I need bigger fonts everywhere). Can't replicate the same with Safari or Firefox.
In Firefox the zoom levels are saved per website. It has had that feature for a long time. Or do you want to zoom once and have it zoomed on all websites you visit?
Yes, I want an option for all
There's a minimum font size setting which works globally for every site in Firefox' preferences under Fonts & Colors ==> "Advanced..."

As expected it will increase any font that doesn't meet your minimum size.

If you're fine with per-site settings, just use the zoom option.

Yeah, this is a major pain in the butt for me as well. I want to only use Safari and Firefox but they really should finally pay attention to this pretty intuitive feature.
This isn't true on Safari. On preferences > web sites > zoom, you can see the zoom level that you choose for each site
Oh! This is new? Because it looks like it works well!
Same here, the very first thing I do on a new FF is install uBO, switch to advanced mode and default-deny 3rd party scripts and frames. Then I noop sites only as needed:

https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-de...

What does your workflow look like in terms of Firefox? What all sites do you visit where UBO doesn't mess it up too much to not have any work done?

Just curious. I am on a similar boat but sometimes find some sites to be unreadable after having UBO and some other privacy adjustments through about:config.

Thanks!

I'm not parent commenter, but other than the occasional misconfigured internal work LAN webpage, I've had zero to little problems with UBO.

Is there an example of a site that is unreadable after a default install of UBO for you? I'd be curious to check it out..

>UBO doesn't mess it

Never had this issue. Even in Slack, where UBO blocks 778 elements atm.

It's just fine on actual websites. The only things it breaks are the single page app monstrosities (and the occasional crappy newspaper site) that I don't use anyway. It's very rare that I have to disable uBlock for anything.

On the other hand I also run NoScript temp-whitelist only so all sites that rely on javascript are broken by default for me until I figure out which CDN/etc to temp whitelist.

> Chrome has never been an option for us with privacy in focus.

You can use ungoogled-chrome.

What about chromium? (just found out today that there are APKs for it :).