Given the attack surface of addons, I’ve downsized my addon usage.
I’ve replaced HTTPS-Everywhere with the built-in HTTPS-first/only modes in FF and Chromium.
In FF, I use userContent.css instead of Stylus.
I use uBlock Origin’s url-rewriting filters in place of redirection addons.
In Chromium, you can choose to have an addon only be enabled on certain sites. I do this with Stylus and Dark Background Light Text.
EDIT: more information:
I have a shell script that uses regex to “clean” urls in the clipboard and remove tracking params instead of the CleanURLs addon, since this is most useful when sharing links with others. I’ve gotten in the habit of previewing URL content before navigation (e.g. with a mouseover or by pasting into the URL bar) as well. If I want to navigate to a messy url, I just copy it and enter a keybind to clean the copied URL.
I use multiple browsers and profiles.
Normal browsers: Firefox with Cookie Autodelete, uBO, Stylus, Dark Background and Light Text; Chromium with uBO and Stylus. Stylus is only selective enabled.
For security-sensitive non-anonymous stuff, I run Chromium with flags to disable JIT and to disable JS by default, in a bubblewrap sandbox. This browser profile has no addons.
For peak anonymity (e.g. when using one of my anon alts), I run the Tor Browser in a Whonix VM. For quick anonymity I just use the regular Tor Browser Bundle in a bubblewrap sandbox. In an act of mercy towards my weak 2013 Haswell laptop’s battery, I no longer run Qubes. The Tor Browser should not ever be used with custom addons if you want anonymity.
Because the Tor browser should never run with addons and because I use a browser profile that has none, I don’t want addons to be a “crutch” that I depend on too much.
I do global hostname-blocking at the DNS level, so I can live without an adblocker. DNS blocking doesn’t do fine-grained subpage-blocking, conditional blocks, cosmetic filtering, redirects, etc. so a more complete solution is still worthwhile.
I also try to avoid injecting content into webpages with JS enabled, since that is extremely fingerprintable and opens a can of (in)security worms.
Some addons that I do not recommend at all:
Canvas Fingerprinting Defender: injects JS into pages, which is very fingerprintable and can trigger a CSP report if you don’t disable those. CSP reports can identify you even if you disable JS execution.
Anything that you can do without an addon, TBH. They do weaken the browser security model.
Given the attack surface of addons, I’ve downsized my addon usage.
That’s pretty good advice :)
The more you can do with the tools you already have installed, the less additional code you have to run which could cause more bugs and security holes.
Given the attack surface of addons, I’ve downsized my addon usage.
I’ve replaced HTTPS-Everywhere with the built-in HTTPS-first/only modes in FF and Chromium.
In FF, I use userContent.css instead of Stylus.
I use uBlock Origin’s url-rewriting filters in place of redirection addons.
In Chromium, you can choose to have an addon only be enabled on certain sites. I do this with Stylus and Dark Background Light Text.
EDIT: more information:
I use multiple browsers and profiles.
Normal browsers: Firefox with Cookie Autodelete, uBO, Stylus, Dark Background and Light Text; Chromium with uBO and Stylus. Stylus is only selective enabled.
For security-sensitive non-anonymous stuff, I run Chromium with flags to disable JIT and to disable JS by default, in a bubblewrap sandbox. This browser profile has no addons.
For peak anonymity (e.g. when using one of my anon alts), I run the Tor Browser in a Whonix VM. For quick anonymity I just use the regular Tor Browser Bundle in a bubblewrap sandbox. In an act of mercy towards my weak 2013 Haswell laptop’s battery, I no longer run Qubes. The Tor Browser should not ever be used with custom addons if you want anonymity.
Because the Tor browser should never run with addons and because I use a browser profile that has none, I don’t want addons to be a “crutch” that I depend on too much.
I do global hostname-blocking at the DNS level, so I can live without an adblocker. DNS blocking doesn’t do fine-grained subpage-blocking, conditional blocks, cosmetic filtering, redirects, etc. so a more complete solution is still worthwhile.
I also try to avoid injecting content into webpages with JS enabled, since that is extremely fingerprintable and opens a can of (in)security worms.
Some addons that I do not recommend at all:
Canvas Fingerprinting Defender: injects JS into pages, which is very fingerprintable and can trigger a CSP report if you don’t disable those. CSP reports can identify you even if you disable JS execution.
Anything that you can do without an addon, TBH. They do weaken the browser security model.
Didn’t realize you can redirect using ubo… How do you do that? :)
Check out the
removeparamandredirectdirectives in the static filter syntax docs.That’s pretty good advice :)
The more you can do with the tools you already have installed, the less additional code you have to run which could cause more bugs and security holes.