Configuring Mozilla Firefox for increased privacy:
Active content, Plugins and Extensions

Mozilla Firefox is a very modular browser: it supports active content such as Java, Javascript and ActiveX, as well as 3rd party extensions and plugins. This gives a lot of flexibility, but at the same time increases the risk of losing your privacy. Here we'll cover configuration options which help to reduce this risk.

Java and Javascript

Java and Javascript are languages used fairly often in the web environment. The trouble with them is that they can easily be used to obtain your personal or private data and send it back to the website.
Usually you can leave Java disabled most of the time, since there aren't many sites that require it. Javascript is more problematic, since a lot of sites use it for navigation and other things.
Obviously the safest way would be to disable both, but that will cause problems with browsing. So one reasonable option is to leave Javascript enabled and use the NoScript extension for Firefox (available at the Mozilla plugins site).


Disable WebRTC in Firefox

The Web Real-Time Communication (WebRTC) API can be used by malicious websites to make your browser leak your local IP addresses. To fix this:
  1. Type about:config in the address bar.
  2. When the list opens, search for media.peerconnection.enabled.
  3. Set the value to false.

ActiveX and plug-ins

ActiveX plugins (for example Adobe Flash Player, Windows Media Video (WMV) player and others) are actually full-fledged programs; they can potentially do anything they want with your computer. There are even reports of some Firefox extensions being used to deploy trojan programs. The safest way would be to disable all of them completely. Sadly, yet again, this might not be an option. So the reasonable solution is to only allow the plugins you trust and really need.

As a personal opinion, I suggest disabling Flash plugins. They might be pretty, but multiple exploits have been found in the Flash player. This means that if your system is unpatched, or there is an unknown vulnerability, a simple Flash banner could potentially compromise your whole system.

Phishing checkers etc.

While the idea of the browser checking sites against online blacklists is in general a good and welcome addition, the problem is that to do so the browser needs to submit the address of the page you are viewing to the checker's site (hopefully nothing else). This is counterproductive if you want extra privacy. So it's risk vs risk, and it's up to you to choose whether or not to disable the suspected attack site and suspected forgery site checks.
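
To see which of the settings covered so far a profile actually has, the following added example (not part of the original page) parses a profile's prefs.js and user.js and reports the effective value of each preference and where it comes from. Only media.peerconnection.enabled is named on this page; the other preference names, the defaults and the sample file contents are assumptions supplied for the example.

```python
import re

# Only media.peerconnection.enabled is named on the page; the other pref
# names and all defaults (Firefox's built-in values) are added for this example.
DEFAULTS = {
    "javascript.enabled": True,
    "media.peerconnection.enabled": True,
    "browser.safebrowsing.phishing.enabled": True,
    "browser.safebrowsing.malware.enabled": True,
}

# Matches one line such as: user_pref("some.name", false);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {name: value} from the contents of prefs.js or user.js."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:  # skip comments and anything that is not a user_pref line
            name, raw = m.groups()
            # booleans become bool; integers and strings stay as text
            prefs[name] = raw == "true" if raw in ("true", "false") else raw.strip('"')
    return prefs

def effective(prefs_js, user_js=""):
    """user.js beats prefs.js; a pref absent from both is at its default."""
    saved, forced = parse_prefs(prefs_js), parse_prefs(user_js)
    report = {}
    for name, default in DEFAULTS.items():
        if name in forced:
            report[name] = (forced[name], "user.js")
        elif name in saved:
            report[name] = (saved[name], "prefs.js")
        else:
            report[name] = (default, "default")
    return report

# Constructed sample files, not taken from a real profile.
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("media.peerconnection.enabled", false);
'''
SAMPLE_USER_JS = 'user_pref("browser.safebrowsing.phishing.enabled", false);\n'

if __name__ == "__main__":
    for name, (value, source) in effective(SAMPLE_PREFS_JS, SAMPLE_USER_JS).items():
        print(f"{name:40} {value!s:6} ({source})")
```

Because prefs.js only records values that differ from the default, a preference missing from both files is reported with its default rather than as unknown.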

3rd party extensions

1. Google toolbar

Let's take a look at probably the most popular toolbar. While the Google toolbar itself is fairly harmless, the problem with it is that it submits the addresses of the sites you visit to Google. They are supposedly used to find new pages to index. But objectively that is a pretty large security problem. So it's better to disable it if you have it installed.

2. Firefox extensions

While there are marvelous extensions for Firefox out there, you have to keep in mind the additional risks associated with their usage. The main privacy problems with addons are:
  • Might be storing your browsing history.
  • In severe cases might be leaking it to some 3rd party.
  • Installations might be purposely infected by viruses or trojan programs - consider using only signed extensions.
  • Particular addons are sending information to 3rd party sites.
For example, if you use the popular AdBlock Plus program and manually add some extra blocks, their addresses will be stored inside the browser and might be an unpleasant surprise later.

Conclusions and suggestions

It is possible to reconfigure Firefox in such a way that it leaves fairly minimal browsing traces on the user's system. The problem is that a browser configured in such a way is not very user friendly. The only solution to this, in my opinion, is to use two browsers: one configured in a secure manner, the other one unsecured. Then by default you use the secure one, switching to the unsecured one for sites that refuse to work otherwise.
