Hardening Firefox; Thoughts on this article

Is this a big deal? Does google collect user info this way?

The Google SafeBrowsing list is cached, so when you visit a site, it is looked up in the cache, not at Google. But the list is refreshed from time to time, and here Firefox accesses Google directly, while Brave does it through a proxy, without revealing your IP. Also, Google claims they do not collect full IPs, but only part of them, so you cannot be tracked easily. I do not use SafeBrowsing, as I think it is useless for me.

Fear mongering. The safe browsing implementation of FF is quite privacy respecting. Also if the author had a bit of browser knowledge, he would know that “Chrome” is a general browser term, and not just used for “Google Chrome”. See Chrome - MDN Web Docs Glossary: Definitions of Web-related terms | MDN

7 Likes

If your browser has a privacy respecting implementation, you should use it. Nobody is immune to making mistakes, falling for phishing or mistyping a website address.

1 Like

I think this is interesting. I always remove anything related to Google/Microsoft/Meta. Also, I recommend the NoScript extension for any websites that you don’t trust.

Arkenfox wiki
This is the best guide for hardening.
Reading the above wiki is a must.

2 Likes

The author of that article is misguided and misinformed.

So long as Google SafeBrowsing is accessed in a privacy respecting way (which Firefox & Brave both do) SafeBrowsing is a feature not a problem. You are free to disable it if you want. But it won’t meaningfully improve your privacy, and will reduce your security.

5 Likes

Google will have at least your IP. It’s not good if you want as much privacy as possible.

First of all, it depends on your threat model. Secondly, just having your IP doesn’t help Google much at all. Also, a VPN would fix any concerns about the IP anyway.

1 Like

I think it’s better to subscribe to a blocklist like this; it will block malicious links faster and will not reveal anything to Google.

Pretty sure it can’t compete with Google’s Safe browsing.

1 Like

Data Source and Analysis

Generated every 6 hours from PhishTank, OpenPhish,
Cert.pl, PhishFindR, Urlscan.io and Phishunt.io reports.
Each domain is analyzed to eliminate false positives,
through the Whitelist of Anudeep and the Alexa Rank.

From their website

It doesn’t help protect against bad downloads though.
As mentioned previously, the safesearch is cached for the most part, it isn’t really an issue: Is Google Safe Browsing Service Potentially Bad For Privacy? | Firefox Support Forum | Mozilla Support

Also see: How does built-in Phishing and Malware Protection work? | Firefox Help

I have no issues with that blocklist. But blocklists and SafeBrowsing are not mutually exclusive. It’s up to you whether you use SafeBrowsing or not, but I still don’t understand what specifically you fear will be “revealed to Google” with a privacy-preserving implementation of SafeBrowsing. (My recollection is that even privacy projects towards the extreme end of the spectrum (like Arkenfox) leave most SafeBrowsing stuff enabled.)

If not revealing your IP to Google ever, in any context is part of your threat model, you’d need to be using Tor or a VPN permanently anyways, and/or possibly blocking all known Google domains and IPs, regardless of whether you use SafeBrowsing or not (Google is present on a large majority of websites). And if that is not part of your threat model, I’m not sure what value disabling SB would provide.

edit: with that said, I do think it would be nice if Mozilla implemented SB in such a way that the connection was proxied. Even if there is no PII shared.

Further Reading

It would be too slow (and privacy-invasive) to contact a trusted server every time the browser wants to establish a connection with a web server. Instead, Firefox downloads a list of bad URLs every 30 minutes from the server (browser.safebrowsing.provider.google.updateURL) and does a lookup against its local database before displaying a page to the user.

Privacy

One of the most persistent misunderstandings about Safe Browsing is the idea that the browser needs to send all visited URLs to Google in order to verify whether or not they are safe.

While this was an option in version 1 of the Safe Browsing protocol (as disclosed in their privacy policy at the time), support for this “enhanced mode” was removed in Firefox 3 and the version 1 server was decommissioned in late 2011 in favor of version 2 of the Safe Browsing API which doesn’t offer this type of real-time lookup.

Google explicitly states that the information collected as part of operating the Safe Browsing service “is only used to flag malicious activity and is never used anywhere else at Google” and that “Safe Browsing requests won’t be associated with your Google Account”. In addition, Firefox adds a few privacy protections:

  • Query string parameters are stripped from URLs we check as part of the download protection feature.
  • Cookies set by the Safe Browsing servers to protect the service from abuse are stored in a separate cookie jar so that they are not mixed with regular browsing/session cookies.
  • When requesting complete hashes for a 32-bit prefix, Firefox throws in a number of extra “noise” entries to obfuscate the original URL further.

On balance, we believe that most users will want to keep Safe Browsing enabled, but we also make it easy for users with particular needs to turn it off.


I highly doubt that (but I could be wrong).

4 Likes
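An added sketch of the lookup flow described in the quoted Further Reading text (not part of any post in this thread, and not Firefox's code): a local prefix check that needs no network traffic, then a full-hash request padded with noise only when a prefix matches. URL canonicalisation is reduced to a single host/path string, and `FakeServer`, `check` and the sample entries are hypothetical names constructed for illustration.

```python
import hashlib
import random

PREFIX_LEN = 4  # bytes: the 32-bit prefix mentioned in the quoted text

# Constructed sample list entries (host/path expressions), not real data.
BAD = ["phish.example/login", "malware.example/a.exe", "scam.example/",
       "fake-bank.example/", "dropper.example/x", "lure.example/win"]

def full_hash(expr):
    return hashlib.sha256(expr.encode()).digest()

def build_local_db(exprs):
    """What a list update leaves on the client: hash prefixes only."""
    return {full_hash(e)[:PREFIX_LEN] for e in exprs}

class FakeServer:
    """Stand-in for the list provider; records every batch it is sent."""
    def __init__(self, exprs):
        self.full = {full_hash(e) for e in exprs}
        self.seen = []

    def get_full_hashes(self, prefixes):
        self.seen.append(list(prefixes))
        return {h for h in self.full if h[:PREFIX_LEN] in prefixes}

def check(expr, local_db, server, noise=4):
    h = full_hash(expr)
    prefix = h[:PREFIX_LEN]
    if prefix not in local_db:
        return "safe"            # decided locally, nothing leaves the machine
    # Prefix hit: ask for full hashes, hiding the real prefix among decoys.
    # Drawing decoys from the local list is an assumption of this sketch.
    pool = sorted(local_db - {prefix})
    batch = random.sample(pool, min(noise, len(pool))) + [prefix]
    random.shuffle(batch)
    return "blocked" if h in server.get_full_hashes(batch) else "safe"

if __name__ == "__main__":
    db, server = build_local_db(BAD), FakeServer(BAD)
    print(check("news.example/", db, server), server.seen)
    print(check("phish.example/login", db, server), len(server.seen[0]))
```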

Here, too → Firefox — Spyware Watchdog

Version tested: 52.5.0

Seriously?

3 Likes

Mostly still the same, but now one also needs to opt out of ads, disabling Firefox Suggest.

1 Like

Telemetry remains present in the current version, so what?

Well, I tell you what.
You’re not doing anyone a favor linking an extremely obsolete “guide” from a random unknown dubious source. Here at PG we try to be as accurate as possible and avoid FUD. And that is possible only if the points you make are supported by evidence that can be validated.
Now a 3-year-old obscure blog post is simply not a good source of information.

I feel that a lot of new people are joining the forum lately and they start posting as if they never read the site and like they are on Reddit.

PG already has recommendation settings for Firefox and for hardening it, which follow valid criteria and up-to-date information.

If you think something isn’t correct or should be changed, you have to raise better and well-backed points.

7 Likes

Agreed. Furthermore, labelling Firefox as being “spyware” is unproductive and incorrect.

2 Likes