Perfect OpSEC - Become Invisible Online

This series is for educational purposes only. To get back to top-level table click here.

Clearnet Browser

You shouldn’t use the onion browser to view clearnet sites, so we need a separate browser for that.

You should use Firefox, and the following guide will make sure you’ve hardened it as much as you can.

Full credit for the following goes to /u/justno from dread.

  1. about:config

These changes are made in about:config and deal with things such as cookie isolation, disabling telemety, preventing urls from autoloading (less risk of contact with malicious websites) and more.

privacy.firstparty.isolate = true

privacy.resistFingerprinting = true

privacy.trackingprotection.enabled = true

browser.cache.offline.enable = false

browser.safebrowsing.malware.enabled = false [More privacy but less security. Decide if this one is right for you.]

browser.safebrowsing.phishing.enabled = false [Same as above]

browser.sessionstore.max_tabs_undo = 0

browser.urlbar.speculativeConnect.enabled = false

dom.battery.enabled = false [Prevents websites for seeing your battery level, less information for fingerprinting]

dom.event.clipboardevents.enabled = false

geo.enabled = false

security.ssl.enable_false_start = false

media.eme.enabled = false
-Disables playback of DRM-controlled HTML5 content, which, if enabled, automatically downloads the Widevine Content Decryption Module provided by Google Inc.DRM-controlled content that requires the Adobe Flash or Microsoft Silverlight NPAPI plugins will still play, if installed and enabled in Firefox.

media.gmp-widevinecdm.enabled = false
-Disables the Widevine Content Decryption Module provided by Google Inc., used for the playback of DRM-controlled HTML5 content.

media.navigator.enabled = false

network.cookie.cookieBehavior = 1
Disable cookies
0 = Accept all cookies by default
1 = Only accept from the originating site (block third-party cookies)
2 = Block all cookies by default

network.cookie.lifetimePolicy = 2
cookies are deleted at the end of the session
0 = Accept cookies normally
1 = Prompt for each cookie
2 = Accept for current session only
3 = Accept for N days

network.http.referer.trimmingPolicy = 2
Send only the scheme, host, and port in the Referer header
0 = Send the full URL in the Referer header
1 = Send the URL without its query string in the Referer header
2 = Send only the scheme, host, and port in the Referer header

network.http.referer.XOriginPolicy = 2
Only send Referer header when the full hostnames match. (Note: if you notice significant breakage, you might try 1 combined with an XOriginTrimmingPolicy tweak below.)
0 = Send Referer in all cases
1 = Send Referer to same eTLD sites
2 = Send Referer only when the full hostnames match

network.http.referer.XOriginTrimmingPolicy = 2
0 = Send full url in Referer
1 = Send url without query string in Referer
2 = Only send scheme, host, and port in Referer

webgl.disabled = true
WebGL is a potential security risk.

browser.sessionstore.privacy_level = 2
0 = Store extra session data for any site. (Default starting with Firefox 4.)
1 = Store extra session data for unencrypted (non-HTTPS) sites only. (Default before Firefox 4.)
2 = Never store extra session data.

network.IDN_show_punycode = true

media.peerconnection.turn.disable = true

media.peerconnection.use_document_iceservers = false = false

media.peerconnection.identity.timeout = 1

media.webRTC - all options disabled, set media.webrtc.debug.aec_dump_max_size to 1

security.ssl3.rsa_des_ede3_sha = false

security.ssl.require_safe_negotiation = true

security.tls.enable_0rtt_data = false

browser.formfill.enable = false

browser.cache.disk.enable = false

browser.cache.disk_cache_ssl = false

browser.cache.memory.enable = false

browser.newtabpage.activity-stream.telemetry = false

browser.newtabpage.activity-stream.feeds.telemetry = false = false

toolkit.telemetry.archive.enabled = false

toolkit.telemetry.bhrping.enabled = false

toolkit.telemetry.firstshutdownping.enabled = false

toolkit.telemetry.newprofileping.enabled = false

toolkit.telemetry.unified = false

toolkit.telemetry.updateping.enabled = false

toolkit.telemetry.shutdownPingSender.enabled = false

network.http.sendRefererHeader = 0

dom.serviceWorkers.enabled = false

about:memory -> check anonymize box
  1. Firefox preferences

    Preferences -> Privacy & Security -> Enhanced Tracking Protection -> Strict

    Preferences -> Privacy & Security -> Remember history -> Never

    Preferences -> Privacy & Security -> Firefox Data Collection and Use -> make sure all of the boxes are unchecked

    Preferences -> General -> Network Settings -> Enable DNS over HTTPS [Do not do this if you filter DNS requests locally through your router or something else]

  2. Extensions
    Ublock Origin- great for blocking ads and malicious connections from malvertising. If you enable “I am an advanced user” then the addon can be used to block scripts as well. I highly recommend enabling this to block third party scripts and frames. An instructional video can be found here

    User Agent Switcher- Allows you to change your user agent string to something more generic. Only about 3% of internet users use Firefox with about 96% of the web are using Chrome. Make your hostname show a different browser and operating system to blend in a bit more.

    Cookie Auto Delete- Cookies follow you around the web, and some of them even mine crypto with your browser. One of the best ways to stop this is with Cookie Autodelete. Whenever you close a Tab all of the cookies from that tab will be deleted.

    Privacy Badger- blocks trackers from around the web

    Privacy Possum- Similar to Privacy Badger but blocks different types of content

If you want to block javascript entirely then go into about:config type “javascript.enabled” then double click for false. No point in using a dedicated extension for that. Keep in mind that this will break a lot of functionality in the web and you might want to save such extreme measures for the Tor browser as it is more sensitive.


$ cd content && tree