Skip to content


Hardening Tor Browser (or Firefox) a bit more

Tor Browser (I’ll later refer to it as “TBB”, short for Tor Browser Bundle) comes with lots of privacy / anti-tracking tweaks out of the box. But you can add even more. And make search a bit more convenient, too. Tor Browser is basically a very patched and tweaked Firefox and, for a few years now, there’s been an ongoing effort at Mozilla to uplift some Tor Browser patches into Firefox (ticket 1260929 on Bugzilla). So, many of the tweaks used in Tor Browser can be used in normal Firefox too.

Customizing (fully) the search engine

First, the search engine. Contrary to, say, Vivaldi, Firefox doesn’t provide a way for end-users to easily edit the search engines. This is particularly a problem in Tor Browser, because I want to use Duckduckgo via their .onion URL and without JavaScript, something which just can’t be done via the easy but locked-down process of adding a search engine. Search engines can (and usually do) provide an OpenSearch XML file, which you can then use to add it to your list of search engines in Firefox. Duckduckgo provides such a file in 2 versions: one with JS, and one without it, but neither support their .onion URL (the versions served via the onion URL still point to the non-onion domain).

Gladly, I found a website (Mycroft Project) where you can submit or create a custom OpenSearch file, and then “install” it. And even better, many contributors regularly submit OpenSearch files, so you’ll most likely find the one you want, without the need to create it yourself. For instance, files for Duckduckgo’s .onion URL, with HTTPS and with no JS, can be found here.

Privacy/security-related about:config parameters

Next, the detailed settings. The Firefox Privacy Task Force provides a list of settings that can be modified, via about:config, to enhance privacy (and also security, for instance webgl.disabled = true to disable WebGL). So, for Firefox, you can start with those. As for Tor Browser, I believe all these settings are already set to the most private value in Tor Browser, so if you’re using TBB I don’t think you’ll find more than an interesting read there.

I recently found a GitHub repository, user.js, which goes into a lot more details, to a point that it goes farther than Tor Browser, meaning it will be interesting no matter if you use just Fx or TBB. For instance, they disable the keyword.enabled setting, which can accidentally leak what you type in the address bar to your default search engine and which isn’t disabled in TBB by default, and they empty the breakpad.reportURL, used to send crash reports to Mozilla. If you’re using TBB, you might be particularly interested in ticket #367, which focuses on the differences between this user.js and the TBB default settings.

Posted in Firefox, privacy, security, Tor.


0 Responses

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.



Some HTML is OK

or, reply to this post via trackback.

Sorry about the CAPTCHA that requires JS. If you really don't want to enable JS and still want to comment, you can send me your comment via e-mail and I'll post it for you.

Please solve the CAPTCHA below in order to fight spamWordPress CAPTCHA