
4.1 Extensions

Thorin-Oakenpants edited this page Nov 9, 2024 · 188 revisions

🟩 FOREWORD

We recommend keeping extensions to a minimum: they have privileged access within your browser, require you to trust the developer, can make you stand out, and weaken site isolation. For those interested, here is an ongoing series on the basics of browser extension security by Wladimir Palant.

This list covers privacy and security related extensions only. While we believe these are the very best of the best, this can be subjective depending on your needs. We are also not saying you have to use all these extensions.


🟪 RECOMMENDED

note: images have been edited for simplicity


🟪 OPTIONAL


🟪 TOOLS

These extensions will not mask or alter any data sent or received, but may be useful depending on your needs.

  • Behave | github
    • Monitors and warns if a web page performs DNS rebinding attacks against private IPs, accesses private IPs, or does port scans
  • mozlz4-edit | github
    • Inspect and/or edit *.lz4, *.mozlz4, *.jsonlz4, *.baklz4 and *.json files within FF
  • CRX Viewer | github
  • Compare-UserJS
    • Not an extension, but a tool to compare user.js files and output the diffs in detailed breakdown - thanks claustromaniac 🐈
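As an added example (not the Compare-UserJS tool's own code), a minimal user.js comparison in Python: it parses the active `user_pref()` lines of two files, ignores `//` and `/* */` commented-out prefs, and reports which prefs were added, removed, changed or left the same. The two sample user.js contents are constructed for the example.

```python
import re
from typing import Dict, List

# Matches one pref line of a Firefox user.js:  user_pref("name", value);
# The value is captured as raw text (quoted string, integer, or true/false).
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def strip_block_comments(text: str) -> str:
    """Remove /* ... */ comments so prefs inside them are not counted as active."""
    return re.sub(r'/\*.*?\*/', '', text, flags=re.S)

def parse_userjs(text: str) -> Dict[str, str]:
    """Return {pref_name: value_text} for every active user_pref() line.
    A later duplicate overrides an earlier one, as Firefox applies the file top to bottom."""
    prefs: Dict[str, str] = {}
    for line in strip_block_comments(text).splitlines():
        if line.lstrip().startswith('//'):
            continue  # inactive (commented-out) pref
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def compare_userjs(old: str, new: str) -> Dict[str, List]:
    """Diff two user.js texts: added/removed prefs, changed values, unchanged prefs."""
    pa, pb = parse_userjs(old), parse_userjs(new)
    return {
        'added':   sorted(k for k in pb if k not in pa),
        'removed': sorted(k for k in pa if k not in pb),
        'changed': sorted((k, pa[k], pb[k]) for k in pa if k in pb and pa[k] != pb[k]),
        'same':    sorted(k for k in pa if k in pb and pa[k] == pb[k]),
    }

# Constructed sample inputs: an "old" and a "new" user.js
OLD_USERJS = '''\
/* 4500: RFP */
user_pref("privacy.resistFingerprinting", true);
user_pref("privacy.firstparty.isolate", true);
// user_pref("network.http.referer.XOriginPolicy", 2);
user_pref("browser.startup.page", 0);
'''
NEW_USERJS = '''\
user_pref("privacy.resistFingerprinting", true);
user_pref("network.cookie.cookieBehavior", 5); // dFPI / Total Cookie Protection
/* user_pref("privacy.firstparty.isolate", true); */
user_pref("browser.startup.page", 1);
'''

if __name__ == '__main__':
    for kind, items in compare_userjs(OLD_USERJS, NEW_USERJS).items():
        print(f'{kind}: {items}')
```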

🟪 DON'T BOTHER

  • uMatrix
    • ⚠️ No longer maintained, the last release was Sept 2019 except for a one-off patch to fix a vulnerability
    • Everything uMatrix did can be covered by prefs or other extensions: use uBlock Origin for any content blocking.
  • NoScript
    • Redundant with uBlock Origin
  • Ghostery, Disconnect, Privacy Badger, etc
  • Neat URL, ClearURLs
    • Redundant with uBlock Origin's removeparam and added lists. Any potential extra coverage provided by additional extensions is going to be minimal
  • HTTPS Everywhere
  • CSS Exfil Protection
    • Practically zero threat and if the platform's CSS was compromised, you'd have bigger problems to worry about
  • LocalCDN, Decentraleyes
    • Third parties are already partitioned if you use Total Cookie Protection (dFPI)
    • Replacing some version specific scripts on CDNs with local versions is not a comprehensive solution and is a form of enumerating badness. While it may work with some scripts that are included it doesn’t help with most other third party connections
    • CDN extensions don't really improve privacy as far as sharing your IP address is concerned and their usage is fingerprintable as this Tor Project developer points out. They are the wrong tool for the job and are not a substitute for a good VPN or Tor Browser. It's worth noting the resources for Decentraleyes are over six years out of date and would not likely be used anyway
  • Cookie extensions
    • ❗️Sanitizing in-session is a false sense of privacy. They do nothing for IP tracking. Even Tor Browser does not sanitize in-session e.g. when you request a new circuit. A new ID requires both full sanitizing and a new IP. The same applies to Firefox
    • ❗️Cookie extensions can lack APIs or implementation of them to properly sanitize: e.g.
      • ⚠️ [last checked Nov 2024], Cookie AutoDelete even instructs its users to disable Total Cookie Protection - ⚠️ DO NOT DO THIS ⚠️
      • As of Firefox 86, strict mode is not supported at this time due to missing APIs to handle the Total Cookie Protection [... followed by instructions]

  • Anti-Fingerprinting Extensions
    • Redundant with either
      • RFP (resistFingerprinting) - see this
      • FPP (fingerprintingProtection) - enabled with ETP Strict (FF119) and subtly randomizes canvas (FF120)
    • Most extensions cannot protect what they claim:
      • It's impossible (engine, OS, version)
      • It's not a lie (the sites expect and use a valid value)
      • It's dumb (randomizing is not very usable, and/or successfully spoofing is the same as setting that)
      • It's equivalency
      • It has too many methods (fonts: at least a dozen methods and counting)
      • ... and more
    • Web Extensions lack APIs to properly protect metrics (without breaking basic functionality)
    • Web Extensions are detectable, and often uniquely fingerprintable, when they touch the DOM (and sometimes when they don't)