Firefox adblockers without telemetry?

In this security conscious, telemetry- centric thread, does anyone know of an adblocker for Firefox that absolutely does not spy on you?

 

uBlock Origin, Mozilla's disconnect integration should keep your privacy safe and sound.

 

I ask because of a tech article I read suggested all extensions are suspect. A few years ago the finding that WOT was tracking and sharing data was alarming.

How does Mozilla's disconnect integration prevent intrusion and protect file integrity?

Thanks

 

IDK if we can be certain of any extension, or software, unless we watch the datastream and look for data on our travels being reported.

Here's a few extensions I use, can't gurantee if they are tight enough on security, but so far nothing odd has happened

ublock Origin seems to be the one that gives the best results and performance, and it was broken off due to the purest reasons, so I tend to hope for the best.

I also use ScriptSafe instead of noScript, it's a user preference thing, either are ok.

Ghostery is still useful as well. Some sites block adblockers, but between ublock Origin, Scriptsafe and Ghostery at least one - sometimes two - can remain active and I can access the site.

 

Like hmscott mentions, I too am a fan of Raymond Hill's work. But this latest version of FF v66 has my profiles/extensions/add-ons, et, all messed up. I think gorhill is awaiting approval for more memory (simply put, for his uBO and uMatrix add-ons). The IndexedDB conversion threw alot of things out of wack... I may go strictly w/ Waterfox or Palemoon if things don't improve soon.

To your question, a guy like Martin Brinkman doesn't use add-ons bc he doesn't want to give any control to a 3rd party. When using add-ons you have to be careful who you trust bc you're giving carte blanche access to your Browser to any add-on Dev. Ghostery used to have a bad rap, or so I thought for selling data to 3rd parties? Personally, I trust gorhill and uBO (his work, including uMatrix, is some of my favorite stuff ever). You can trust an add-on like uBO more than you can trust Microsoft (imho).

*Devs gain cred for their trustworthy add-ons. Safety in numbers -go with a widely used highly rated add-on, typically. uBO advanced features are extraordinary (and fun to play with on sites with lazy devs).

 

I'm not sure what's messed up for you, how it got there, or what you've tried to mitigate it, but eventually I had to do a complete from scratch rebuild of my FF profiles.

I started by backing up all of my extensions, history, bookmarks, and data, then deleting (moving to another folder tree for safety) all of the hidden folders related to FF throughout Windows.

Continuing by uninstalling FF and reinstalling a version I thought was stable yet new enough to have all I needed.

After that was done I continued by building several Profiles of gradual complexity - leaving 1 or 2 Profiles as stable Profiles with one clean and one with minimal load of extensions - security / privacy only.

Then progressing back and forth between 2 Profiles, adding extensions and software until one reached the pinnacle of everything I wanted running.

Then I backed up the final profile in several ways, cloning the final "perfect" Profile a couple of times as active and physically backed up copies, so I could restore them and move quickly to reconstruct a working full Profile. Basically setting the ground work for a quicker way of doing what I had just done from scratch.

There are also Chuck Baker tools in FF to use to backup or enable/disable extension lists, and to restore them in new FF installs - makes it easy to transfer a profile from one machine to another. I mostly only use FEBE, but the other tools (CLEO and OPIE) have been helpful in some situations too.
http://softwarebychuck.com/

I forgot to mention 2 other add-on's I use that might be of interest: Privacy Badger and Nightly Tester Tools.

For Chrome I do something similar. Chrome addon's sometimes come with rev-trackers, and are impossible to clean out without deleting the profile and starting from scratch.

I also do this for other browsers, as these days some sites just won't render correctly the same in every browser. Especially logged in with a profile to a site, sometimes you want to look at it from a non-logged in viewpoint, so another browser that doesn't support login to that site helps.

 

I use Refresh FF feature to keep only bookmarks and other stuffs. I only refreshed it once every 3 years on Linux PCs because some options were creating more issues than fix. Refresh did the trick, I am thinking upgrading from 52.x to 60.xx over the course of 3 years is hard on its db and codebase.

 

Pretty much everything is out of whack on FF v66.03. The theme changes randomly, settings are implemented for add-ons, upon reboot they need to be re-implemented. Id reverted back to v65, but then some of my extensions began behaving strangely (likely bc these extensions were updated for FF v66 overhaul?).

What is the latest FF version you have on a working profile? (anyone please answer?) Thanks for that Chuck Baker Tools mention -I'll look into it for sure.

I do many of the suggestions you mention HM. Reddit is blowing up with people noting problems with FF v66. Id cultivated some awesome profiles user.js, add-ons and rules over the years. First version to break me this badly in FF v66. Like Vasudev mentioned, I may have to Refresh FF and start over. Id probably completely uninstall, clean registry, et, then rebuild FF from scratch.

I use a semi-hardened github/ghacks inspired user.js, then mix-up add-ons like uMatrix, uBO, Privacy Badger, https Everywhere, Canvas Blocker, Chameleon, Decentraleyes, NeatURL (I try to keep Add-Ons to 4 or less per Profile). uMatrix and uBO are musts.

 

Am using the latest esr, 60.6.1, all well.

 

Do you do updates using 3rd party SW or FF itself? I think your FF profile/seup file is compromised. I ran into fake FF installer myself and they are hard to differentiate beside their signed certificate with SHA2. Always check hashes or download from reputable sources.

 

(but a heads-up for any reader who is thinking of updating to FF v66. (I want a secure browser, so I want updates, but unfortunately FF is tightening privacy controls -updates are kinda like Win10 Pro, can be delayed, but Moz is always calling your Network checking , as updates can't be turned-off on versions 64+?). So telemetry themed post

No 3rd party updates Vasudev, I like your thought though. Well, exception being Dev uBO and uMatrix add-ons are through github. Last time I DL FF was Authentic Moz. v52.0 -which I also ran through VT and Metadefender (upates via FF ever since). There's a lot of potential problems for anyone using non-vanilla user.js on v66. For eg; extensions.web extensions.ExtensionStorageIDB.migrated.CanvasBlocker @ kkapsner .de;true (they all read true, but haven't seamlessly migrated).
*So anyone who has a tweaked user.js/prefs.js, beware updating to v66

Also, check this about uBO and need for more memory...
https://www.ghacks.net/2019/03/27/why-ublock-origin-requests-to-store-unlimited-data-in-firefox/
All those side-channel & variant exploits posted w/in this forum have me spooked and updating my browser!
I'm gonna rebuild from scratch (uggh)

 

Use addons from Mozilla store, they ask Raymond to tweak it a bit to edge out perf. issues and similar issues.
I'm okay with uBO using high disk storage. Not to mention I'm using good number of extra lists which increased the size from 2MB to 8MB in disk. RAM usage no difference, I feel 200MB is saved thanks to new uBO permission. Do a monthly purge of uBO lists and fetch fresh list for best performance.

 

Hey Vas! I think moving to v60.0 might be a good move for you.
First, thanks to whomever for creating a new thread (I know we were getting off topic for the Win10/7 telemetry thread).
So yeah, the update to FF v60.00 might be a good move for you. That's the version I wound-up using for a clean-build, from ground-up. I wanted to go with quantum v64+, but I ran every every version through VT found here,
https://ftp.mozilla.org/pub/firefox/releases/
(not that VT feedback is tech dogma, but v 60.0 -as another user mentioned was working well, received the best feedback -any version post 60 had more than its share of haters and downvotes).

Shortly after v60.0 (maybe at quantum v64, or v65 -FF updates can't be turned-off, only deflected to install at user's choice -meaning lots of phoning home by Moz, which none of us like -constantly removing user/appdata/local/temp/mozupgrade was getting old!).

*All add-ons working smooth on v60.0. (FYI, I think Tor current Tor version is 62.0, if you'd want to go with a more widely used, Tor Version fingerprint -generally speaking, ofc, as Tor has its other 'tells').

Read the github/ghacks commits and master/user.js. Part of my problem must have been using some antiquated, or deprecated 'hidden pref' -guessing my general.user (override) settings to spoof FF version 52.0 (Tor vers), spoof win;32, spoof build, et.

*Ghacks, master/user.js (Section 4700 if you used overrides -no longer recommended)

Spoiler: ghacks sec4700

[SECTION 4700]: RFP ALTERNATIVES (NAVIGATOR / USER AGENT (UA) SPOOFING) This is FYI ONLY. These prefs are INSUFFICIENT(a) on their own, you need to use RFP (4500) or an extension, in which case they become POINTLESS. (a) Many of the components that make up your UA can be derived by other means. And when those values differ, you provide more bits and raise entropy. Examples of leaks include navigator objects, date locale/formats, iframes, headers, tcp/ip attributes, feature detection, and **many** more. ALL values below intentionally left blank - use RFP, or get a vetted, tested extension and mimic RFP values to *lower* entropy, or randomize to *raise* it"

Github/Ghacks for quick reference;
https://github.com/ghacksuserjs/ghacks-user.js/blob/master/user.js
*Read section 4700 if like me, you used old user override
and commits (today privacy.resistFingerprinting;true <<best bet vs. general.overrides)
https://github.com/ghacksuserjs/ghacks-user.js/commits/master

Thanks for your time! Hope this may help someone. Id like to try latest greatest FF version, but their about:config prefs are getting sneakier and too time consuming to tweak (imho), plus its still buggy (at least that's the rub on FF's Reddit page). Thanks again

Hey again Vasudev. Do you run uMatrix and uBO in combination? You mentioned the monthly purge, which brought it to mind.

Give them a try in combonation if you don't already. Wow, super fast, uMatrix as your primary blocker, with uBO filter lists taking care of the remainder. XHR,CSS, Scripts, and others , uMatrix is the workhorse -uBO is like your back-up. *Note, if you run both, make sure you uncheck Filter Lists in uBO that are being used as your FilterLists (Assets) in uMatrix (you don't want to double check and DanPollock hosts list on uMatrix and uBO for eg. -gorhill mentioned it can cause bugs). Run both uMatrix and uBO in combo... super fast, lightweight, privacy minded, the only way to browse (plus uMatrix logger is great for the toolbox).

 

Some of the ghacks tweaks breaks whatsapp web and similar apps so I disabled resistfingerprinting.
I did not use uMatrix and uBO. I always prefer Less is more because uBO blocks whats needed because too much blocking will have bad user experience on low end machine's performance, so I keep it balanced.

 

Yeah, I like less is more too (I used to only use uBO and old NoScripts -prior to UI change in Quantum). Im a convert to using both -man, when you get uMatrix and uBO working in harmony, it's fast, not bad w/ page breaks, and uMatrix helps w/ CSS and XHR. Id probably choose uMatrix over uBO if I had to use just one. Here's a screengrab (half the stuff you'll see on the uMatrix side could have been blocked, but it was harmless).

You know your stuff Vasudev, no doubt!! So I'm not saying how to sail your ship, but I gotta say uMatrix is pretty sweet running w/ uBO (non-advanced uBO settings -basically just using uBO's extra filter lists).

*Oh yeah, you're 100% correct sir! Definite page breaks w/ the resist fingerprinting set True (but the GMT stamp and Screen Size are cool for privacy nuts).
Be well!
R.M.

Spoiler: uMatrix/uBO Combo

 

Does it slow down when I have 20+ tabs running on FF? I'm seeing slight UI stutters when I opened the detailed log in uMatrix?

 

16GB of RAM you have would likely circumvent any UI stutter.
What's your setting for dom.ipc.processCount; ? I'll beef that up to 4-6 (newer FF's default is set at 7, I think?). w/ your 16GB of DDR4 and your processor Id say "4" is a good number of processes, maybe even try 6? *No duplicate filters on uMatrix and uBO (use all the main "Assets" for uMatrix, but make sure to uncheck duplicates on uBO). I uncheck any uBO filter list that is already on uMatrix default Asset lists, then check all additional filters on uBO (except languages -unless needed). Make sure your uBO settings are Basic, out of box, nothing global, et. Hope that may help! Thanks for giving it a go, I think you'll see the upside once you get it wired! Fire off any config questions you may have if I can be of any additional help. Peace

 

For daily usage I use a old PC with Linux with 6GB RAM. I used stock settings on uMatrix so duplicated blocklist were present. When I check uMatrix log I saw only twitter and nbr site and all other google analytics,FB etc.. were already blocked, I think disconnect extension in FF is doing most of the work. Let me test it out and cpu/memory usage as well.

 

Disconnect could be the culprit. I like it, but gave up on it not long ago. When tweaking options, try disabling Disconnect? I'll use uMatrix, uBO, CookieAutoDelete, Privacy Badger, and HTTPS Everwhere (only), for most my profiles. Low on memory, good return on speed and privacy. Good luck! Linux w/ 6GB of RAM should be enough to give those uMatrix/uBO tweaks a good try. I do think you'll like their combined use -esp. w/ all the newer CSS exploits Ive been reading about in past weeks.

 

I use disconnect integrated in FF. Disconnect as an external extension is a nightmare and broke all website even in basic mode. FF's disconnect integration didn't break anything.