Skip to content
This repository has been archived by the owner on Jun 24, 2022. It is now read-only.

Firefox addons redundant? #121

Closed
privacytoolsIO opened this issue Dec 18, 2016 · 46 comments
Closed

Firefox addons redundant? #121

privacytoolsIO opened this issue Dec 18, 2016 · 46 comments
Labels
🦊 Firefox Firefox & forks, about:config etc. ℹ️ help wanted ⚙️ web extensions Browser Extension related issues

Comments

@privacytoolsIO
Copy link
Contributor

Hi guys,

I've been removing several Firefox addons in the past weeks because they were redundant with each other. We should not recommend several Firefox addons that are doing the same job. I'm not sure about these four addons at the moment: uBlock, Decentraleyes, uMatrix and NoScript.

Please help me out. Should we remove some more?

Thanks

@Marc05
Copy link

Marc05 commented Dec 18, 2016

All of those addons have their own roles to play, and don't replace any other completely on their own. Perhaps it'd be more useful to suggest combinations of them, and give notes on what is gained and lost from different suggestions. As it seems to always be the case, it's going to really be down to the user and how active a role they want to play.

To start:
NoScript has some features other addons don't. It protects against HTTPS cookie hijacking, it has a more robust XSS filter, ABE, CSRF, and ClearClick which protects against Clickjacking / UI-redressing attacks independently from JavaScript and plugins blocking.

Decentraleyes does a job that after allowing the trusted resources, other addons will not do. That is, it emulates Content Delivery Networks (CDNs) locally by intercepting requests, finding the required resource and injecting it into the environment. This helps with privacy by ultimately reducing your browsing footprint.

My suggestion would be:

Must haves which also require little user input:

  • uBlock Origin
  • Decentraleyes
  • Privacy Settings
  • Self-Destructing Cookies
  • HTTPS Everywhere

Additional security that requires active user input (not all at simultaneously):

  • NoScript
  • uMatrix
  • RequestPolicy Continued

@ghost
Copy link

ghost commented Dec 18, 2016

Replace Disconnect with Privacy Badger. uBlock does what Disconnect does, but not what Privacy Badger does. Both uBlock and Disconnect use a shared list, whereas Privacy Badger learns what are trackers from your browsing.

@privacytoolsIO
Copy link
Contributor Author

@Shifterovich
I've removed Disconnect and Privacy Badger a while ago: https://www.privacytools.io/#addons

So uBlock + Privacy Badger is a good combo?

@ghost
Copy link

ghost commented Dec 30, 2016

@privacytoolsIO Please recommend Privacy Badger for Firefox and Firefox for Android.

https://addons.mozilla.org/en-US/android/addon/privacy-badger17/
"Works with Firefox for Android 48.0 - *, Firefox 50.0 and later"

@Marc05
Copy link

Marc05 commented Dec 30, 2016

Here's a combo that I think balances security and ease-of-use fairly well:

CanvasBlocker

  • Usability: Easy, Set and forget.
  • Purpose: Prevent user fingerprinting by changing the results of the Javascript <canvas> API.
  • Additional configuration:
    -- Block mode: fake readout API
    -- Show notifications: unchecked

Decentraleyes

  • Usability: Easy, Set and forget.
  • Purpose: Emulate predefined CDN resources locally to reduce browsing footprint.

HTTPS Everywhere

  • Usability: Easy, Set and forget.
  • Purpose: Forces the use of HTTPS for websites from a ruleset.
  • Additional configuration:
    -- Submit and check certificaties signed by non-standard root CAs: checked

NoScript

  • Usability: High maintenance
  • Purpose: Prevent scripts from running by default, and many other security benefits.
  • Additional configuration: Ideally, the whitelist should be kept minimal, only adding highly frequented websites.
    -- Enable Automatic Secure Cookies Management: checked
    -- Forbit META redirections inside elements: checked
    -- Enable ABE: checked
    -- Status bar label: unchecked (Use toolbar button instead to increase screen real-estate)

Privacy Settings

  • Usability: Reading required. Set and forget.
  • Purpose: Provides a GUI for behind-the-scenes security related Firefox settings.
  • Configuration: Hovering over the settings provides a description for each.
  • network.websocket.enabled OFF
    network.http.sendSecureXSiteReferrer ON
    network.proxy.type 5
    dom.event.clipboardevents.enabled OFF
    dom.storage.enabled ON
    dom.indexedDB.enabled ON
    dom.battery.enabled OFF
    dom.enable_user_timing OFF
    dom.enable_resource_timing OFF
    dom.netinfo.enabled OFF
    layout.css.visited_links_enabled ON
    browser.safebrowsing.enabled OFF
    browser.safebrowsing.downloads.remote.enabled OFF
    browser.safebrowsing.malware.enabled OFF
    browser.send_pings OFF
    beacon.enabled OFF
    privacy.donottrackheader.enabled
    privacy.trackingprotection.enabled ON
    dom.enable_performance OFF
    datareporting.healthreport.service.enabled OFF
    datareporting.healthreport.uploadEnabled OFF
    toolkit.telemetry.enabled OFF
    toolkit.telemetry.unified OFF
    media.peerconnection.enabled ON (see uBlock Origin advanced settings)
    media.peerconnection.ice.default_address_only ON
    media.eme.enabled ON
    media.gmp-eme-adobe.enabled ON
    webgl.disabled OFF
    geo.enabled OFF
    camera.control.face_detection.enabled ON
    device.sensors.enabled OFF
    security.tls.unrestricted_rc4_fallback OFF
    security.tls.insecure_fallback_hosts.use_static_list OFF
    security.ssl.require_safe_negotiation ON
    security.ssl.treat_unsafe_negotiation_as_broken OFF

Self-Destructing Cookies

  • Usability: Easy. Light maintenance.
  • Purpose: Delete cookies on exit for any website not in the whitelist.
  • Configuration: Keep network.cookie.lifetimePolicy = 0. As with NoScript, whitelist should be kept minimal.
    -- Strict Cookie Access Policy: checked

uBlock Origin

  • Usability: Reading required. High maintenance.
  • Purpose: Block ads, and improve security.
  • Configuration: Read the dynamic filtering guide. Block 3rd-party resources by default, and add local noop rules (second column, middle/gray selection) for highly frequented websites.
    -- I am an advacned user: checked
    -- suspendTabsUntilReady: true
    -- Prevent WebRTC from leaking local IP addresses: checked (does not disable WebRTC functionality)
    -- 3rd-party: Blocked globally

@ghost
Copy link

ghost commented Dec 30, 2016

@Marc05 Also, Random Agent Spoofer.

@ghost
Copy link

ghost commented Dec 30, 2016

#99 I'll write something about CanvasBlocker vs Canvas Defender.

@Marc05
Copy link

Marc05 commented Dec 31, 2016

Using CanvasBlocker to generate a new hash on every API call is best in any situation as far as I can tell. The tracker essentially has two options: Assume it's random, hence useless; or derive a new identity with the hash. Both of which are better than providing a legitimate hash, since best case is there's an extremely common hash, which would provide a higher amount of identifying bits of information.

@ghost
Copy link

ghost commented Dec 31, 2016

Some people prefer Canvas Defender. I agree that Canvas Blocker is better than Canvas Defender, but we should mention Canvas Defender too, as neither is a perfect solution.

@Marc05
Copy link

Marc05 commented Dec 31, 2016

The only time I can think of someone needing that is to allow sites to track for a certain period of time, then resetting when done. In that situation, one could just whitelist the website, and remove it after.

@ghost
Copy link

ghost commented Dec 31, 2016

Would reveal one's native fingerprint. Disabling Canvas Blocker, enabling Canvas Defender, and generating a new hash for such session is optimal.

@Marc05
Copy link

Marc05 commented Dec 31, 2016

True... though I'd only go as far as an asterisk.

@jawz101
Copy link

jawz101 commented Jan 10, 2017

minimally and without much breakage:

NoScript
General
set to Temporarily Allow Top Level sites by default, base 2nd level names
reload current tab only

Notifications (Personal Preference)
uncheck both show messages about blocked scripts and ABE to avoid annoying bar and to just use the icon to trust/untrust stuff

Privacy Settings - set to Privacy (compatible) and Security
https://addons.mozilla.org/en-US/android/addon/privacy-settings/
under advanced settings some of it is personal preferences, other things cause a little breakage with single-signon sometimes

No Resource URI Leak
https://addons.mozilla.org/en-US/android/addon/no-resource-uri-leak/

UBlock and Privacy Badger are both ok but for privacy essentially redundant to NoScript except cosmetic filters can clean up pages but you're blocking the essentials with Noscript and Privacy Settings changes.

The only thing I left out is referrer control, some of the fingerprinting stuff, and random user agent stuff because they act a little goofy. There's a bunch of back and forth whether over-blocking fingerprinting in itself makes you unique. Random user agent junk makes webpages look wonky sometimes and I'd rather not fool with it.

As for Self-Destructing Cookies, simply going into Firefox and unchecking allowing 3rd party cookies does most of the job already.

Regardless, I still can't Disqus to log in without turning off like half the privacy controls out there.

@Atavic
Copy link

Atavic commented Feb 13, 2017

@Marc05 Some Firefox addons listed are redundant, as NoScript and uBlock.

Noscript + Adblock Plus was an unrivalled combo, until uBlock Origin made its appearance, substituting both and dropping the acceptable ads. With various Filter Lists available it works great, while uMatrix has no lists at all and is light on resources.

Privacy Badger is primarily a privacy tool, not an ad blocker.

https://www.eff.org/privacybadger

@woctezuma
Copy link
Contributor

woctezuma commented Mar 4, 2017

Privacy Badger has a cookie blocking functionality. I don't know about NoScript. However, I know about uMatrix and I think the cookie functionality of PB is redundant with the one of uMatrix.

Apart from this functionality, the only appeal of PB is the list-less feature, which is pretty dubious anyway (no need for discover the wheel again, people have been maintaining great blocking lists for more than 10 years).

Regarding HTTPS Everywhere, I prefer to use Smart HTTPS:
https://addons.mozilla.org/en-US/firefox/addon/smart-https/
Reasons are:

  • HTTPS Everywhere uses too much memory for its purpose,
  • HTTPS Everywhere relies on a list of websites, which I have found to be missing some websites that I use.
    I prefer to rely on a list-less extension such as Smart HTTPS since the list misses https websites and the EFF extension does not even try to connect to them with a secure connection.
    The only caveat is not to forget to check "Enable in Incognito Mode".

@Marc05
When you wrote "3rd-party: Blocked globally" for uBlock origin, I think you referred to an old version because I don't see this option in my setup, but I see it mentioned at Decentraleyes with uBlock and uMatrix

@woctezuma
Copy link
Contributor

woctezuma commented Mar 5, 2017

@Marc05
I was curious so I compared your recommended settings for Privacy Settings vs the settings Privacy (Compatible) & Security. I am dumping the differences here in case someone wants to copy your settings faster: basically, one has to choose the settings Privacy (Compatible) & Security and then toggle these accordingly.

Browser
dom.event.clipboardevents.enabled OFF
browser.safebrowsing.enabled OFF
browser.safebrowsing.downloads.remote.enabled OFF
browser.safebrowsing.malware.enabled OFF

Media
media.eme.enabled ON
media.gmp-eme-adobe.enabled ON
webgl.disabled OFF

Devices
camera.control.face_detection.enabled ON

Encryption
security.ssl.require_safe_negotiation ON
security.ssl.treat_unsafe_negotiation_as_broken OFF

The Browser change dom.event.clipboardevents.enabled improves privacy.
The other Browser changes are up to the user's preferences to trade security vs privacy.

The Media changes decrease both security and privacy.

The Devices change decreases privacy.

The Encryption changes break a website such as the Humble Store: https://www.humblebundle.com/store/

@Marc05
Copy link

Marc05 commented Mar 6, 2017

@woctezuma
Thanks for doing that. I was curious about it before, but never did it.

Disabling clipboard events, e.g. dom.event.clipboardevents.enabled OFF, breaks Google Docs copy/paste functionality. Personally, turn it on temporarily whenever required.

The media. settings would prevent some DRM content from playing on websites if disabled; and webgl functionality can be kept safely if using the setting of uBlock Origin.

Disabling the face detection feature seems to be pointless, given that camera permission would have to be given in the first place, and recognizing a face mid-stream wouldn't really add anything without the specifics of the picture. And if you have the picture, local face recognition doesn't really matter.

As for ssl negotiation, I should have kept that as OFF, given that many major sites are still using outdated versions.

@neoatomic
Copy link

Just a quick note, when you set dom.enable_user_timing to off the Gosthery's info screen/panel isn't working anymore. (just blank, no info anymore)
So you need to leave it to "on" if you use Gosthery.

@3371-Alpha
Copy link

Not sure if this list is updated any more but I found some addons that seam to improve security a bit.

Nano Defender: https://jspenguin2017.github.io/uBlockProtector/
an Anti-Ad Block Defuser which means you don't have to turn off uBlock on certain site anymore. Designed for Nano Adblocker, which is based on uBlock, so it requires some workarounds for vanilla uBlock compatibility.

Pure URL: https://addons.mozilla.org/en-US/firefox/addon/pure-url/
removes url garbage, such a google analytics and such.

Unshorten.link: https://addons.mozilla.org/en-US/firefox/addon/unshorten-link/
unshortens shortened url link (yes those annoying things). This one is made by a for profit organization, unfortunately, but I've yet to find a better alternative.

P.S. are Canvas Blocker and Defender relevant at all for security? I saw them mentioned above in this thread.

@woctezuma
Copy link
Contributor

woctezuma commented Jun 4, 2018

I tried Pure URL and I was not too convinced. There were URL which were not stripped, and others which were stripped too much. I'm more satisfied with Neat URL: https://addons.mozilla.org/firefox/addon/neat-url/

As for Canvas, it is just for tracking. No relevance for security.

@nam1962
Copy link

nam1962 commented Oct 24, 2018

Hi, I use very similar recommendations on my tutos, do you think there will be redundancy between the new FF 63 anti tracking tool and decentraleyes or privacy badger ?

@ghost ghost changed the title Firefox addons redundant? uBlock, Decentraleyes, uMatrix and NoScript Firefox addons redundant? Oct 24, 2018
@ghost
Copy link

ghost commented Oct 24, 2018

@kewde @beardog108

do you think there will be redundancy between the new FF 63 anti tracking tool and decentraleyes or privacy badger ?

@beerisgood
Copy link

The FF internal anti tracking is a joke compared to uBlock Origin. Also you don't need Privacy Badger
Decentraleyes isn't the same like a ad- or tracking blocker. It replace librarys, you should read again what exactly it is.

@ghost
Copy link

ghost commented Oct 24, 2018

Disconnect uses the same lists as uBlock. Privacy Badger blocks what it thinks are unnecessary tracking requests. Decentraleyes replaces CDN libraries with local cache, I think.

So uBlock + Privacy Badger + Decentraleyes is a good combination.

@ghost
Copy link

ghost commented Jan 28, 2019

If you have uMatrix, you do not need NoScript. However by default uMatrix does not block all first party scripts.

Currently I am using:

  • Cookie AutoDelete
  • Decentraleyes
  • HTTPS Everywhere
  • Redirect AMP to HTML
  • uBlock Origin
  • uMatrix

I posted about this on Reddit

Why not use both? Their features overlap. They complement each other.

Using both at the same time is a complete waste of time. There's nothing that can be done with NoScript that cannot be done with uMatrix. I looked at this in the past.

uMatrix automatically allows all fist party scripts,while blocking the rest.

If you want it that way, or you can How to block 1st party scripts everywhere by default.

If you permit a script on one site, you have to enable the script on each site that uses it. And example is googlegettagservices.

Not if you How to create rules which apply everywhere, on all web sites.

Others have mentioned uMatrix has better documentation and UI. uMatrix also has some unique features such as Ruleset recipes and umatrix hosts files (they show up as dark red for bad hosts).

The uMatrix logger is really handy to determine what is happening.

NoScript is also terrible at handling subdomains. When you enable List full addresses in the permissions popup (https://www.noscript.net), you get a mess. An example of that with NoScript. Which is a lot easier in uMatrix. I only needed JavaScript on cdn-au.piano.io not buy-au.piano.io or experience-au.piano.io. Additionally NoScript gave me no way to control XHR content on experience-au.piano.io which I needed for the text in the article to load.

It is clearly something that was an afterthought. uMatrix's UI handles subdomains and whitelisting parts of domains a LOT more efficiently.

Also, uMatrix is available for Chrome, where as NoScript never got ported (you'd have to use an alternative like ScriptSafe). Raymond Hill (gorhill) has done an excellent job.

I did use NoScript for many years, but I think uMatrix is better, particularly after you realize it's power.

Edit:

uMatrix is available for Chrome,

For the moment.

Wow, fancy that. Web ad giant Google to block ad-blockers in Chrome. For safety, apparently

I like this How many ad blocks could an ad slinger block if an ad slinger could block blocks?

@beerisgood
Copy link

@tya99 instead of blocking cookies better use container

@ghost
Copy link

ghost commented Feb 6, 2019

@tya99 instead of blocking cookies better use container

I have done a bit of research and I think you might be right. I was having a look at https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.1-Extensions looking to see how I could improve things. I do think that page might be outdated.

It would appear currently I wasn't protecting against cache related tracking with HTTP ETags. Using this website https://lucb1e.com/rp/cookielesscookies/ I was able to test it. That recommended extensions page mentions ETag Stoppa however it does say:

Keep in mind that ETags are only one of the known tracking vectors related to the cache. I am aware of at least three other less straightforward methods to exploit the cache for tracking. If you are absolutely serious about your privacy, do not rely on this extension. Instead, disable the cache and/or use another extension like Temporary Containers in automatic mode.

Additionally it seems there's some types of cookies that cannot be deleted through the WebExtension API:

❗ APIs do not exist to allow clearing IndexedDB, Service Workers cache, appCache, or cache by host. Clearing cookies & localStorage on their own, and leaving orphaned persistent data is a false sense of privacy. Check here

It appears for many of those APIs they do exist now. As it says in that link on the Cookie-AutoDelete FAQ "(API available, but none to clean by host)" so this must mean it was added at some point.

So I am thinking Temporary Containers might be the way to go instead of Cookie AutoDelete in the global container.

I was also thinking of installing ClearURLs. I think it might be better than NeatURLs, more maintained and mature. I really hate those tracking parameters.

I noticed they recommend Violentmonkey. I was surprised about that after reading Discussion: Greasemonkey, Tampermonkey, Violentmonkey, which one is best for a privacy conscious person?.

I have been using Greasemonkey without any issues. I use it with

I also noticed CSS Exfil Protection. I'm not sure if anything I've got currently can satisfy this but I don't think so. According to the developer's test site my browser was vulnerable.

In the past I had been using privacy.resistFingerprinting = true for canvas protection. I'm not sure this is the greatest idea. When setting that to true the test site says my uniqueness is "× False (Tor Browser signature)". I can't imagine there'd be many people with that signature that are not coming from a Tor exit node.

Perhaps I should install something like CanvasBlocker. When using that with the Block mode "fake" it said Uniqueness 100% (0 of 358283 user agents have the same signature).

Come to think of it the only non-privacy related addon I use is Tree Style Tab and Markdown Here. The internet is such a cesspool of tracking and advertising these days.

@beerisgood
Copy link

Resist fingerprinting is fine and recommend in gHacks user.js
Also better solution then canvas blocker add-on and don't forget that this simple setting don't just change canvas. It change a lot!

@ghost
Copy link

ghost commented Feb 7, 2019

Resist fingerprinting is fine and recommend in gHacks user.js
Also better solution then canvas blocker add-on and don't forget that this simple setting don't just change canvas. It change a lot!

I might just do that then. I like to avoid addons if I can help it. On mobile Android it seems Temporary Container isn't supported because of tabs.create API on Android does not support cookieStoreId.

I guess there I will go with ETag Stoppa instead. I find browser.cache.offline.enable = false a little inconvenient.

I'm not currently using https://github.com/ghacksuserjs/ghacks-user.js/blob/master/user.js I am however just using most of the tweaks from https://www.privacytools.io/#about_config

@ghost
Copy link

ghost commented Feb 8, 2019

@beerisgood

@tya99 instead of blocking cookies better use container

There's a nice writeup about that here https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21

@stoically points out that in that post that:

Also with localStorage support enabled you make fingerprinting easier, because CAD needs to set a cookie for the domains you visit and CAD can’t clear indexebDB storage at all. If you want to see it yourself try filling your indexedDB and localStorage with 5kb on this site. Now close the tab (and click Clean depending on your settings), open the site again and you’ll see that the indexedDB storage is still there.

Also ghacks-user points out:

❗ APIs do not exist to allow clearing IndexedDB, Service Workers cache, appCache, or cache by host. Clearing cookies & localStorage on their own, and leaving orphaned persistent data is a false sense of privacy. Check here

@abuisman
Copy link

What I am missing in all lists are the performance implications of add-ons. Privacy badger, for example, adds, at least on my machine, a significant amount of time to page loads (think ~1s). This is in combination with uBlock Origin.

I'll try to see if I can get some dependable performance metrics sometime soon.

@beerisgood
Copy link

@abuisman try without privacy badger ;)

@abuisman
Copy link

@beerisgood that is what I did, how else do you think I found out about the difference? ;)

For now, I am using firefox’s built in ad blocking and new protections against crypto mining and I block all third party cookies. That last thing is what I used privacy badger most for anyway

@beerisgood
Copy link

Remember that the internal feature (disconnect list) only block few ads. You should use uBlock Origin instead.
Even the gHacks.js team recommend that way

@Atavic
Copy link

Atavic commented May 24, 2019

Also the internal disconnect list has whitelists (connections that will be always allowed).

@abuisman
Copy link

@beerisgood and @Atavic I meant instead of privacy badger. I also have ublock origin running with blocks for all third-party requests by default. I then allow them 1-by-1 to make websites work

@0xRustlang
Copy link

0xRustlang commented Jun 9, 2019

@beerisgood and @Atavic I meant instead of privacy badger. I also have ublock origin running with blocks for all third-party requests by default. I then allow them 1-by-1 to make websites work

Unlock origin and Firefox tweaks are good enough.
If you like you can use more filter lists in ublock for example:

https://github.com/notracking/hosts-blocklists
https://github.com/yourduskquibbles/webannoyances
https://gitlab.com/ZeroDot1/CoinBlockerLists
https://github.com/CHEF-KOCH/BarbBlock-filter-list
https://github.com/CHEF-KOCH/Audio-fingerprint-pages
https://v.firebog.net/hosts/static/w3kbl.txt

(Although webannoyance is not security list and is an annoyance filterlist and may you don't like them but it was great for me)

Also I think Firefox blocker is redundant with unlock and will lower speed of browser but its fingerprinting and cryptominer blocklists are good.

Also there are great lists in firebog.net and filterlists.com

Also these prefs are really good:

require safe negotiation (it breaks some websites that uses bad ssl config)
also you can go to https://www.ssllabs.com/ssltest/viewMyClient.html and https://browserleaks.com/ssl and go to about:config and disable any vulnerable ciphers for ex. 3DES, All SHA1 hashs, All CBCs and All those that don't have forward Secrecy

Also a good pref for security (in this case may be not privacy very much) is enabling trr.mode to 2 (you also should set bootstrap address to 1.1.1.1)
this will set your browser to use cloudflare's DNS over HTTPS when it is faster and is good because your ISP can't fool your browser to fake website IP.

Although the treat model in everyone differs for example I prefer some privacy downgrades for better protection against my ISP.

@beerisgood
Copy link

https://github.com/CHEF-KOCH/BarbBlock-filter-list
https://github.com/CHEF-KOCH/Audio-fingerprint-pages

I hightly not recommend that lists. They're outdated and just stealed work from other guys, without any notice about.
If you need lists, (you post it already) use Firebog.net

Also stay with https://github.com/ghacksuserjs/ghacks-user.js/blob/master/user.js

@0xRustlang
Copy link

0xRustlang commented Jun 10, 2019

Thanks

https://github.com/CHEF-KOCH/BarbBlock-filter-list
https://github.com/CHEF-KOCH/Audio-fingerprint-pages

I hightly not recommend that lists. They're outdated and just stealed work from other guys, without any notice about.
If you need lists, (you post it already) use Firebog.net

Agree, Thanks :)

Also stay with https://github.com/ghacksuserjs/ghacks-user.js/blob/master/user.js

Thanks, I downloaded it but was busy and coudn't look at it till now :D

What is your opinion about other outdated blocklists if they don't affect browsing?
Better than nothing or not worth?

Worth mentioning that Also what I noticed is that using lists with low amount of eyes in them can have potential to whitelist some trackers/... by their own.

@3371-Alpha
Copy link

3371-Alpha commented Jul 22, 2019

I just want to give an update, there's a fork of ublock made by the same guy who made nano defender called nano adblocker. Apparently he called it so because he cleaned up the code making it lighter and faster, or so claimed. It does have the advantage though of requiring less configuration when used with nano defender, but mainly that's because it was designed to work with it. Also Raymond Hill (the guy who made ublock) has his own accessory addon for ublock/nano called ubo-scope and it measures your 3rd party exposure.

Also, I just want to say I tried to configure all these with waterfox and it didn't go so well as it's extension api is still based on firefox 57. I tried it due to some people voicing concerns of mozilla's recent choices with respect to privacy.

Lastly, privacytools.io has added canvasblocker to it's recommended list as of late, but there seem to be several alternatives to the https forcing, canvas fingerprinting protection, cookie purging/isolating and url decluttering/cleaning extensions available, such as smart https. Curious to know what you guys think would be the best combination of the four. Also the guy who made smart https also has fingerprint protection extensions for webgl and certain types of audio content; didn't even know those could be fingerprinted.

@Atavic
Copy link

Atavic commented Jul 22, 2019

If your browser is based on a previous version of Firefox, you can get a previous version of the addon that still works with FF 57.

@3371-Alpha
Copy link

If your browser is based on a previous version of Firefox, you can get a previous version of the addon that still works with FF 57.

That doesn't seam like a very good idea for security addons, like the ones discussed here. Older version could have security flaws, in addition some, like nano adblocker and defender as well as redirect amp to html, don't have compatible older versions period.

@0xRustlang
Copy link

0xRustlang commented Jul 24, 2019

Also, I just want to say I tried to configure all these with waterfox and it didn't go so well as it's extension api is still based on firefox 57. I tried it due to some people voicing concerns of mozilla's recent choices with respect to privacy.

I think we should adjust to Mozilla choices, they started to make Firefox more efficient so I think we should just wait for them to rise up more.

I believe that may be their choices be sometimes disappointing for paranoid users but some of them are really necessary.
For ex. people concern about telemetry but telemetry is exactly what made chrome this much fast.
The software vendors can't blindly develope their products, they should know problems. especially very low amount of people report bugs frequently.

or about old addons, I agree that some of them was great but Mozilla with this decision will waste lower time to compatibility fix and spend more resources for developing the core browser.

Lastly, privacytools.io has added canvasblocker to it's recommended list as of late, but there seem to be several alternatives to the https forcing, canvas fingerprinting protection, cookie purging/isolating and url decluttering/cleaning extensions available, such as smart https. Curious to know what you guys think would be the best combination of the four. Also the guy who made smart https also has fingerprint protection extensions for webgl and certain types of audio content; didn't even know those could be fingerprinted.

I think the first party isolation, prevent fingerprinting and clear data on exit options in Firefox is sufficient for that because every action you do for prevention, make your fingerprint more unique, so we should just use them to get lost in our crowd.

especially it has convas prevention built in, cookie, web storage and ... separation built in (first party isolation) plus many more.

@nitrohorse nitrohorse added the ⚙️ web extensions Browser Extension related issues label Aug 3, 2019
@jonaharagon
Copy link
Contributor

I'm closing this issue because I believe our extensions list is fairly comprehensive with no significant overlap of tasks.

@jasonbrown1965
Copy link

I'm closing this issue because I believe our extensions list is fairly comprehensive with no significant overlap of tasks.

It is getting rather long! But ... reading through, I see there is variation over time, as add-ons are improved, abandoned or new ones added. Is there a need for PT to do a regular review of such add-ons, say quarterly, or more realistically, annually?

And should this be raised as a separate issue?

@Mikaela
Copy link
Contributor

Mikaela commented Nov 26, 2019

I think you may be looking for https://github.com/privacytoolsIO/privacytools.io/issues/1328 or something listed there.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
🦊 Firefox Firefox & forks, about:config etc. ℹ️ help wanted ⚙️ web extensions Browser Extension related issues
Projects
None yet
Development

No branches or pull requests