Archive old blog posts (#910)

Daniel Nathan Gray 2022-04-05 13:04:34 +00:00 committed by GitHub
parent 5b1f1a14f3
commit f7a3eaa0cb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 0 additions and 381 deletions

Binary file not shown. Before: 11 KiB

Binary file not shown. Before: 81 KiB

Binary file not shown. Before: 113 KiB

Binary file not shown. Before: 104 KiB

Binary file not shown. Before: 66 KiB

Binary file not shown. Before: 34 KiB

Binary file not shown. Before: 138 KiB

Binary file not shown. Before: 268 KiB

Binary file not shown. Before: 245 KiB

Binary file not shown. Before: 463 KiB


@ -1,79 +0,0 @@
---
title: 'Self-hosting a Shadowsocks VPN with Outline'
author: Jonah
template: overrides/blog.html
excerpt: Outline is a suite of open-source software developed for journalists to safely access their network and the internet while traveling in countries where their activities may be monitored or censored...
---
**Outline** is a suite of open-source software developed for journalists to safely access their network and the internet while traveling in countries where their activities may be monitored or censored. Despite this, the Outline platform is ideal for a wide range of users, especially less technical users, and users in censored countries like China who may have little to no knowledge about how VPNs or proxies work. Outline consists of two parts, the **Outline Manager** and **Outline Clients**. The Outline Manager is a tool you can use to easily setup remote Outline Servers on your own machines with very little technical skills. The Outline Clients in turn can connect to Outline Servers you configure, to keep your traffic secured.
Technically, Outline is not a true VPN. Rather it uses an open-source SOCKS5 proxy called Shadowsocks which is “[designed to protect your Internet traffic](https://shadowsocks.org/en/index.html)”. The Outline client applications however make use of the VPN capabilities of your operating system to send all your traffic through your Outline Server, with no need to configure each application to use the proxy. Thus for most users and most use-cases, theres no difference in functionality between using a normal VPN and an Outline server.
Shadowsocks has the benefit of being far more lightweight than OpenVPN, and it is much more optimized for mobile devices, as it does not require any keep-alive connections. It has existed since 2012 and it is widely used in China due to its censorship-resistant functionality: It is very difficult or impossible to detect and block Shadowsocks traffic automatically.
Please note that **like any VPN**, Outline/Shadowsocks cannot provide nearly the same degree of anonymity as projects like Tor. The primary use-case of Outline and VPNs in general is to keep your traffic hidden from malicious Internet Service Providers and nation-wide mass surveillance. Its a great solution for protecting your data on public wifi networks, but if you want to stay hidden from attackers targeting _you_, theres better tools for the job elsewhere.
Outline is developed by Jigsaw, which is a subsidiary of Alphabet Inc (Google). It is important to note that neither Jigsaw nor Google can see your internet traffic when using Outline, because you will be installing the actual Outline Server on your own machine, not Googles. Outline is completely open source and was audited in [2017](https://s3.amazonaws.com/outline-vpn/static_downloads/ros-report.pdf) by Radically Open Security and in [2018](https://s3.amazonaws.com/outline-vpn/static_downloads/cure53-report.pdf) by Cure53, and both security firms supported Jigsaws security claims. For more information on the data Jigsaw is able to collect when using Outline, see their [article on data collection](https://support.getoutline.org/s/article/Data-collection).
### Prerequisites
All you will need to complete this guide is a computer running Windows, macOS, or Linux. You will also need to know some basic commands: [How to SSH](https://www.howtogeek.com/311287/how-to-connect-to-an-ssh-server-from-windows-macos-or-linux/) in to a server you purchase. We will also assume you know how to purchase and set up a Linux server with SSH access, more info in Step 2.
### Step 1 — Download & Install Outline Manager
Outline allows you to setup and configure your servers from an easy-to-use management console called Outline Manager, which can be downloaded from [getoutline.org](https://getoutline.org). It has binaries available for Windows, macOS, and Linux.
Simply download and install the Outline Manager application to your computer.
![Screenshot of the Outline installation process](/assets/img/blog/shadowsocks-outline-1.png){:.img-fluid .w-75 .mx-auto .d-block}
Note: getoutline.org is blocked in China and likely other countries, however you can download the releases directly from [their GitHub page](https://github.com/Jigsaw-Code/outline-server/releases) as well.
### Step 2 — Choose a Server Provider
Outline has the ability to create servers on three different providers automatically: DigitalOcean, Google Cloud, and Amazon Web Services. In some situations, Google Cloud or AWS may be preferable, because they are less likely to be blocked by hostile ISPs/governments and will therefore allow you to more likely circumvent internet censorship. However, keep in mind that the server provider you choose—like any VPN provider—will have the technical ability to read your internet traffic. This is much less likely to happen when using a cloud provider versus a commercial VPN, which is why we recommend self-hosting, but it is still possible. Choose a provider you trust.
Additionally, keep in mind that many US-based cloud providers block all network traffic to and from [countries sanctioned by the United States](https://en.wikipedia.org/wiki/United_States_sanctions#Countries), including AWS and Google Cloud. Users in or visiting those countries may wish to find a European-based hosting provider to run their Outline Server on.
Another factor to consider is your providers network and latency. Choosing a server closer to you (geographically speaking) will give you better latency, and choosing a server with good bandwidth (>1 Gbps) will minimize the performance hit when using the VPN. Both factors are important to keeping a good browsing experience, but keep in mind using _any_ VPN will always be slower than just your plain old internet connection.
Finally, if you want to go with DigitalOcean you can use my affiliate link to receive a $50 credit: [https://m.do.co/c/fb6730f5bb99](https://m.do.co/c/fb6730f5bb99). Thats 10 months of free VPN hosting, at $5/month/server. Dont feel obligated to use this link, but youll receive free credit, and if you spend $25 with DigitalOcean after using it I will get credited, which will enable me to continue writing guides like this! DigitalOcean has a great performing network in my personal experience, and in the experience of the Outline team it works well in regard to circumventing censorship: Not many IP addresses of theirs are blocked.
For this guide we are not going to use an automatic provider in Outline Manager, rather we will manually configure a Linux server. We are using Debian 10. Other distros may work as well, but you may need to install Docker manually.
### Step 3 — Configure Your Server
First, we need to update our system and install `curl`. Connect to your server via SSH and enter the following commands:
Next open Outline Manager on your local machine and you should be given 4 options to configure a server. Select the “Set Up” button under the “Advanced, Set up Outline anywhere” option.
![Screenshot of Outline Manager](/assets/img/blog/shadowsocks-outline-2.png){:.img-fluid .w-100 .mx-auto .d-block}
Outline will give you a string to paste. More technical users can [view the script](https://raw.githubusercontent.com/Jigsaw-Code/outline-server/master/src/server_manager/install_scripts/install_server.sh) that line runs in a browser to validate exactly what is being run and installed on your server, but we have examined the script and have seen no alarming commands.
Connect to your server over SSH and paste the code from above in the Outline Manager box into the Terminal. The process will take a minute or two and will ask you a couple questions. You can just press enter to accept the default configuration whenever it asks.
After it completes, it will give you a long line starting with `{"apiUrl"` (depending on your Terminals color support it will appear as green). Copy that line, and paste it in the second box back in Outline Manager. Then, click “Done”.
### Step 4 — Connect Your Devices
Download the Outline app on the device you want to connect. Outline has applications for the following operating systems:
* [Android](https://play.google.com/store/apps/details?id=org.outline.android.client)
* [iOS](https://apps.apple.com/app/id1356177741)
* [Windows](https://raw.githubusercontent.com/Jigsaw-Code/outline-releases/master/client/stable/Outline-Client.exe)
* [macOS](https://apps.apple.com/app/id1356178125)
* [Chrome OS](https://play.google.com/store/apps/details?id=org.outline.android.client)
* [Linux](https://raw.githubusercontent.com/Jigsaw-Code/outline-releases/master/client/stable/Outline-Client.AppImage)
You should also be able to use any [Shadowsocks client](https://shadowsocks.org/en/download/clients.html), including alternative clients for each operating system and a client for OpenWRT routers. And like with the Manager, you can download Outline releases from [their GitHub page](https://github.com/Jigsaw-Code/outline-client/releases) as well.
Back in Outline Manager, select your server in the sidebar. On the far right side of “My access key” there is an icon of a laptop and phone. Click that icon, and select “Connect This Device” in the popup window. It will give you a string to copy, starting with `ss://`. Simply paste that string into the configuration of any Shadowsocks client to add your server!
Once you add your server, thats it! In the Outline clients its just a matter of pressing “Connect”, and all your traffic will be proxied through your server! You can use this connection to keep your traffic safe when youre on public WiFi networks, or just to keep your browsing hidden from your ISP.
### Conclusion
That should be all you need to get your very own VPN up and running! **Do not share your access key with anyone**, this is the key starting with `ss://`. If you want to grant other users access to your server, click “Add a new key” in Outline Manager and give them a new, unique key. If you share a key, anyone with knowledge of that key will be able to see all the traffic of anyone else using the key. It should go without saying, but dont send people keys over unencrypted channels: No Facebook Messenger, no emails. Stick with [Signal, Wire, or Briar](/real-time-communication) if you dont have a secure app already.
With Outline, there is no need to worry about the security of your server. Everything is set to automatically update with no intervention required! Another thing to note: The port on your Outline server is randomly generated. This is so the port cant be easily blocked by nation/ISP level censors, however, this VPN may not function on some networks that only allow access to port 80/443, or on servers that only allow traffic on certain ports. These are edge-cases, but something to keep in mind, and if they apply you may need to look for more technical options.
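
Review bot: No redirect or archive pointer replaces this guide: the header is `-1,79 +0,0` and the commit reports 0 additions, while the subject says "Archive", so anyone following an existing link to the Outline post lands on nothing. Retiring it looks reasonable, since the Conclusion tells readers "there is no need to worry about the security of your server" and Step 3 has them paste an installer line fetched from a `master` branch URL, but please say in the commit body where the archived copy lives, or leave a short stub at the old path pointing to it.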


@ -1,60 +0,0 @@
---
title: Understanding VPNs
author: Jonah
background: understanding-vpns-cover.jpg
background_src: 'https://unsplash.com/@freeche'
template: overrides/blog.html
excerpt: A VPN is a tool that secures your internet connection from attackers on your network...
---
<p class="lead">A <strong>VPN</strong> — or <strong>Virtual Private Network</strong> — is a tool that secures your internet connection from attackers on your network. But before I explain how that all works, let's talk about the internet without them.</p>
Your Internet Service Provider (ISP) can see everything you do online. Well, nearly everything: When websites use HTTPS (or TLS, or SSL. these terms are often used interchangeably when referring to website encryption), indicated by the padlock in your web browser, your ISP cannot see exactly what you're doing on the website. So, they usually can't see what specific pages you look at or what you type in to forms. However, they can still see what websites you're visiting (domains and IP addresses).
That sounds bad, right? But thats not even the worst part! (I know, right?) Not only can your ISP see what youre doing online, they can (and do) insert ads into websites, sell your browsing history (which is now legal in the US), restrict access to some websites, and do other awful stuff, because <mark>your ISP complete control over your Internet connection</mark>.
Furthermore, this doesn't only happen at your home. Every network you connect to—your cellular network, your Wi-Fi at work, the internet at Starbucks—has their own ISP that will be able to read your data.
Fortunately, more and more websites are beginning to use HTTPS, thanks to free certificates from Let's Encrypt and Cloudflare. But many sites still don't (at least by default), and even HTTPS doesn't solve the problem that your ISP can see the websites you're visiting.
## How VPNs can protect us
Luckily, you can hide all this information from your ISP using a VPN. Instead of letting your ISP see all the websites you visit, VPNs only let them see that you are connected (using an **encrypted** connection) to the VPN provider's servers.
*Basically, instead of connecting directly to the Internet, you connect to one of your VPN providers servers, which connects you to the Internet.*
So, `you <----> Internet` becomes `you <----> VPN <----> Internet` and your ISP can only see the `you <----> VPN` part.
## More ways VPNs can protect us
So VPNs are pretty handy, but hiding your traffic from your ISP isn't the only advantage a VPN provides.
Did you know that if youre on a public Wi-Fi network, <mark>anyone connected to the same network can see as much as your ISP can</mark>? Obviously, this isnt an issue at home, unless you have very creepy neighbors and an open Wi-Fi network. However, it is a problem in public places with Wi-Fi, such as cafés.
Because your connection to the VPN is **encrypted** and its the only active connection on your device, that creepy guy with the laptop sitting in the corner is no longer a threat to your Internet connection. Like the ISP, the only thing he'd be able to see is that single connection to your VPN.
So, is that all? Not yet. Theres still one big advantage. Websites that youre connected to can see this (usually) near-unique identifier called an **IP address**. But when you use a VPN the websites dont see your IP address, they see one of the VPN server's IP addresses.
This also provides an added side-benefit: Most VPN providers have servers in many countries, thus you can make it appear to websites as if youre browsing from a completely different country (which apart from privacy is useful due to some content and services being available only to specific regions, like Netflix and Hulu).
But even if you use a different IP address than your “normal” one, isnt it still personally identifiable? Nope. Many people use the same server, letting the websites you visit see only that youre using the same VPN as many other people.
## Drawbacks of a VPN
But VPNs aren't all powerful tools to protect your privacy. In fact, there are a number of glaring issues that should not be overlooked when making the decision to use one.
Most importantly, using a VPN only *shifts* the power to view your traffic from your ISP to the VPN provider itself. That means that all the traffic your ISP used to be able to see, your VPN provider will still be able to. Therefore, choosing a trustworthy VPN is important. Many will be able to find a provider that they can trust more than their ISP, but some may not.
Using a commercial VPN provider is almost like entrusting your data to a black box. There are no ways to verify claims like "no logging", you just need to take them at their word. Some providers will work harder than others to validate their claims for you—by releasing audits of their policies and code for example—, but at the end of the day it ultimately comes down to trust.
Finally, using a VPN will not make you anonymous in any way. Your VPN provider or especially dedicated attackers will be able to trace a connection back to you fairly trivially. Your VPN provider will also likely have a money trail leading back to you.
## So what?
If you're looking for perfect anonymity, there are better options. Software like the Tor Browser provides privacy and anonymity *by design*, whereas VPNs provide privacy based on trust alone. You cannot rely on "no logging" claims to protect you.
If you just need protection on a public Wi-Fi network, from your ISP, or just from copyright warnings in the mail, a VPN might be the solution for you.
PrivacyTools's [VPN Providers](https://www.privacytools.io/providers/vpn/) page lists some recommendations and reasonings for privacy-respecting and trustworthy VPN providers.
Wondering what exactly makes a VPN choice good or bad? We've published a guide on some of the criteria we use to evaluate VPN providers. Looking into the details of any VPN provider you choose will help you make a more fully informed decision about who you trust your internet traffic to.
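
Review bot: Inbound links to this post are not checked anywhere in the commit: the path `/blog/2019/10/05/understanding-vpns` is linked from the opening line of the "Choosing a VPN" post, which is removed alongside it, so other pages that stay in the tree may link to it as well. Before merging, search the remaining content for that path, and confirm that `understanding-vpns-cover.jpg` from the front matter is one of the ten binary files removed so no orphaned asset is left behind.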


@ -1,86 +0,0 @@
---
title: Choosing a VPN
author: Jonah
template: overrides/blog.html
---
So [you know what a VPN is](/blog/2019/10/05/understanding-vpns), but there are so many options to choose from! Well before we dive into this, let's get one thing off the bat:
## Avoid Free VPNs
Privacy-respecting VPNs can provide their service because you pay them for it. Free VPNs are **worse** than your ISP when it comes to respecting your privacy, because **selling your data is the only way they can make money**, whereas an ISP is primarily paid for by you.
> If youre not paying for it, youre the product.
This isn't to say all paid VPNs automatically become trustworthy, far from it. In fact many paid VPN providers have been known to or suspected to have sold their users' data or have done some otherwise shady things with it. Always completely evaluate the VPN provider you choose, rather than just take theirs or anyone else's word for it. The main takeaway here is that it is impossible to provide a service like a VPN — which requires servers, bandwidth, time, and energy to maintain — for free for thousands of users, without having some sort of other monetization model.
## Choosing a VPN
Alright, now we can get into it. The first thing we need to decide is _why_ exactly you need a VPN. Most people will fall into the following two camps:
### 1. Avoiding Geographical Restrictions
Maybe you want to watch BBC online, possibly avoid creeps at cafés, but dont really care about your VPN logging your traffic — just like your ISP does.
**Therefore**: You want a VPN with servers in countries like US, UK — basically where services like Netflix work. (Tip: Netflix is continually banning VPNs, so be sure to use one that isnt blocked. You might want to look into the [r/NetflixViaVPN](https://www.reddit.com/r/NetflixViaVPN) Subreddit for help with this one).
### 2. Maximizing Your Privacy Online
Being **Privacy** Guides, this is the big one for us. If you really care about your privacy, you'll want to look for a provider that at the very least does the following:
* Supports modern technologies like OpenVPN or WireGuard.
* Accepts anonymous payments like cash, gift cards, or cryptocurrencies.
* Provides strong, future-proof encryption for their connections.
* And, is public about their leadership and ownership.
These 4 points should always be considered when you're evaluating a VPN provider. Additionally, note what jurisdiction the provider is incorporated in, and where their servers are located. This is probably the most important factor to consider, and also the most time-consuming, as privacy laws in various countries vary wildly.
Let me explain what these points mean exactly in more detail, so you know what to look for.
## Modern Technology
You should be able to connect to your VPN with any **OpenVPN** client. L2TP, PPTP, and IPSec are all insecure technologies that should not be used. A new technology called **WireGuard** looks very promising, but is still in active development and not recommended for use.
While we're looking at technology, take a look at whether your provider has their own client for you to download and connect with. These applications usually make using your VPN a lot simpler, and sometimes safer. If they do, ask the following questions:
* **Is this client open-source?** Having an open-source client is important because it allows you or anyone else to audit the code and see exactly what's happening. Closed source clients are essentially a black box you'd be putting all your data into, not the best idea!
* **Does the client have a killswitch?** Not many generic OpenVPN clients come with this functionality, but many custom VPN clients will. A killswitch option allows you to completely disable your internet connection when the VPN is disconnected. This will make sure that you don't accidentally connect to the internet with your ISP's connection.
## Anonymous Payments
This one's an easy one. Take a look at how you're able to pay for your provider's subscription. Some providers will take cash in the mail as payment, a great way to pay without leaving a digital money trail. Others will allow you to pay with gift cards from major retailers like Amazon, Target, and Wal-Mart (which you can hopefully obtain anonymously with cash, replacing the mail middleman from before). Still others will accept various cryptocurrencies.
If not leaving a money trail is important, you'll want to make sure you aren't paying with something linked to you financially, like a credit or debit card, or PayPal. If your provider doesn't accept the payment forms above, you aren't entirely out of luck however. You can still use a prepaid debit card to pay for things as anonymously as possible. But consider: If your provider isn't dedicated to making easy, anonymous payment alternatives available to you, how focused are they on your privacy?
## Strong Security
Most providers using OpenVPN will also be using strong encryption methods, but still make sure you double-check before choosing a provider. What you'll want to look for from your provider at a minimum is:
* **RSA-2048 encryption.** Ideally, they should support RSA-4096 connections, for maximum security.
* **Perfect Forward Secrecy (PFS).** This technology makes each VPN session use a different key every time, so that if an attacker manages to decrypt one of your connections, they won't also be able to see all your other data.
In addition, look into whether your provider has ever had their security practices audited by an independent third-party. For example, TunnelBear [publishes](https://cure53.de/summary-report_tunnelbear_2018.pdf) yearly audits of their entire service, or Mullvad, which has [published](https://cure53.de/pentest-report_mullvad_v2.pdf) a comprehensive security audit of their client applications.
Independent audits are important because, while ultimately the actual security of the service will come down to _trusting_ the providers, a successful security audit demonstrates that the provider at least has the _capability_ to provide you with a secure connection, instead of just taking their claims at face value.
## Public Trust
You want to remain private, but your provider shouldn't. If your provider is hiding their ownership information and their leadership from you behind some Panamanian shell company, what other business practices might they be hiding?
> You wouldn't trust your finances to someone with a fake identity, so why trust them with your internet data?
Find out where your choice is incorporated. Who owns it? What other companies have their executives worked for?
Frequent transparency reports are a huge plus too. They should publish information related to government requests, so you know what their responses look like. All VPN providers will need to respond to legitimate legal requests, but does your choice reject or counter as many as possible?
## So what next?
If you're currently using a commercial VPN, use this information to evaluate their business. Do they seem trustworthy?
At Privacy Guides we've [evaluated](/vpn) a huge number of VPN providers along similar criteria to these. In our opinion, as of October 2019, Mullvad leads the pack with respect to all these criteria, with IVPN and ProtonVPN falling just slightly behind but catching up quickly. There are still a huge number of providers out there, however. The way to find the best solution for you, is by researching providers with _your_ criteria in mind.
Join the discussion on our forum below, and chat with our community about any questions you have or any interesting things you discover.
----------
_Please note that we are not affiliated with or receive financial compensation from any commercial VPN providers. A lot of VPN providers engage in questionable affiliate marketing strategies which generates a lot of misinformation on VPNs in general online. At Privacy Guides we are trying to make guides and recommendations based on objective research and criteria._
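
Review bot: The commit message gives no reason for dropping this post, and the hunk itself supplies one worth recording: the recommendations are dated "as of October 2019", and the "Modern Technology" section calls WireGuard "not recommended for use" while the checklist above it lists WireGuard as a modern technology to look for. Unlike the Firefox post, which carries an "Outdated" admonition linking to its 2021 update, nothing here tells readers where current guidance is; if `/vpn` is the successor, name it in the commit body.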


@ -1,156 +0,0 @@
---
title: 'Firefox Privacy: Tips and Tricks for Better Browsing'
author: Jonah
background: firefox-privacy-cover.jpg
background_src: 'https://unsplash.com/@vmxhu'
template: overrides/blog.html
excerpt: Mozilla Firefox is one of the most popular web browsers around, and for good reason. It's fast, secure, open-source, and it's backed by an organization that actually respects your privacy.
---
!!! Warning "Outdated"
This article is outdated, see [Firefox Privacy: 2021 update](/blog/2021/12/01/firefox-privacy-2021-update/) for more current information.
Mozilla Firefox is one of the most popular web browsers around, and for good reason. It's fast, secure, open-source, and it's backed by an organization that actually respects your privacy. Unlike many other Chrome alternatives and forks, it has a massive development team behind it that publishes new updates on a constant, regular basis. Regular updates doesn't only mean shiny new features, it means you'll also receive security updates that will keep you protected as you browse the web.
Because of all of this, the Privacy Guides team [recommends Firefox](https://privacyguides.org/browsers/) as a general-purpose browser for most users. It's the best alternative to Google Chrome and Edge for privacy conscious individuals.
Firefox is fantastic out of the box, but where it really shines is customizability. By adjusting Firefox privacy settings and using helpful add-ons, you can increase your privacy and security even further. Making those changes is what we're going to go over in this Firefox privacy guide.
Before we get started, there's a couple things that should be noted that are not only applicable to this guide, but privacy in general:
## Considerations
Protecting your privacy online is a tricky proposition, there are so many factors to take into consideration on an individual basis for any one guide or site to cover comprehensively. You will need to take into account things like threat modeling and your general preferences before making any changes or following any recommendations.
### Threat Modeling
*What is [threat modeling](/threat-modeling/)?* Consider who you're trying to keep your data hidden from. Do you need to keep your information hidden from the government, or just the average stranger? Maybe you're just looking for alternatives to Big Tech Corporations like Google and Facebook. You'll also want to consider how much time and resources you want to spend hiding your data from those "threats". Some solutions might not be feasible from a financial or time standpoint and you'll have to make compromises. Taking all those questions into account creates a basic *threat model* for you to work with.
We want to publish a more complete guide on threat modeling in the future, so stay tuned to this blog for further updates. But for now, just keep those thoughts in the back of your mind as we go through this article. Not every solution might be for you, or conversely you may need to pay more attention to certain areas we aren't able to cover completely.
### Browser Fingerprinting
Another consideration is your browser's fingerprint. When you visit a web page, your browser voluntarily sends information about its configuration, such as available fonts, browser type, and add-ons. If this combination of information is unique, it may be possible to identify and track you without using more common tracking tools, like cookies.
That's right, add-ons contribute to your fingerprint. Another thing a lot of people miss when they are setting up their browser is that <mark>more is not always the best solution to your problems</mark>. You don't need to use every add-on and tweak that offers privacy, and the more you configure the greater chance there is that your browser will appear more unique to websites. Think about your specific situation and pick and choose the add-ons and tweaks we recommend only if you think they will help *you*.
## Firefox Privacy Settings
We'll start off with the easy solutions. Firefox has a number of privacy settings built in, no add-ons necessary! Open your *Options* page (*Preferences* on macOS) and we'll go through them one at a time.
### DNS over HTTPS
DNS (or the Domain Name System) is what your browser uses to turn domain names like `privacyguides.org` into IP addresses like `145.239.169.56`. Because computers can only make connections to IP addresses, it's necessary to use DNS every time you visit a new domain. But DNS is unencrypted by default, that means everyone on your network (including your ISP) can view what domains you're looking up, and in some situations even change the IP answers to redirect you to their own websites! Encrypting your DNS traffic can shield your queries and add some additional protection to your browsing.
Encrypted DNS takes many forms: DNS over HTTPS (DoH), DNS over TLS, DNSCrypt, etc., but they all accomplish the same thing. They keep your DNS queries private from your ISP, and they make sure they aren't tampered with in transit between your DNS provider. Fortunately, Firefox recently added native DoH support to the browser. On the **General** page of your preferences, scroll down to and open **Network Settings**. At the bottom of the window you will be able to select "Enable DNS over HTTPS" and choose a provider:
![Screenshot of the Enable DNS over HTTPS box checked, with Cloudflare selected in the provider dropdown.](/assets/img/blog/firefox-privacy-1.png){:.img-fluid .w-75 .mx-auto .d-block}
Keep in mind that by using DoH you're sending all your queries to a single provider, probably Cloudflare unless you choose [another provider](https://privacyguides.org/dns) that supports DNS over HTTPS. While it may add some privacy protection from your ISP, you're only shifting that trust to the DoH provider. Make sure that's something you want to do.
It should also be noted that even with DoH, your ISP will still be able to see what domain you're connecting to because of a technology called Server Name Indication (SNI). Until SNI is encrypted as well, there's no getting around it. Encrypted SNI (eSNI) is in the works — and can actually be [enabled on Firefox](https://blog.cloudflare.com/encrypt-that-sni-firefox-edition/) today — but it only works with a small number of servers, mainly ones operated by Cloudflare, so its use is limited currently. Therefore, while DoH provides some additional privacy and integrity protections, its use as a privacy tool is limited until other supplemental tools like eSNI and [DNSSEC](https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en) are finalized and implemented.
### Change Your Search Engine
This is an easy one. In the Search tab, change your Default Search Engine to something other than Google.
![Screenshot of the search engine preferences](/assets/img/blog/firefox-privacy-2.png){:.img-fluid .w-75 .mx-auto .d-block}
Out of the built-in options, DuckDuckGo is the most privacy respecting service, but there's a number of [search engines we would recommend](https://privacyguides.org/providers/search-engines/) that can be easily installed as well.
### Enhanced Tracking Protection
Now we'll delve into the biggest set of options for people like us, Firefox's Privacy & Security tab. First up is their Enhanced Tracking Protection. This set of filters is set to *Standard* by default, but we'll want to change it to *Strict* for more comprehensive coverage.
![Screenshot of strict tracking protection enabled](/assets/img/blog/firefox-privacy-3.png){:.img-fluid .w-75 .mx-auto .d-block}
In rare occasions, Strict browsing protections might cause some of the websites you visit to not function properly. But there's no need to worry! If you suspect the Strict browsing protection is breaking a website you visit frequently, you can disable it on a site by site basis with the shield icon in the address bar.
![Screenshot of per-site settings for Firefox tracking protection](/assets/img/blog/firefox-privacy-4.png){:.img-fluid .w-75 .mx-auto .d-block}
Disabling Enhanced Tracking Protection will of course decrease your privacy on that site, so you will have consider whether that's something you are willing to compromise on, on a site-by-site basis.
Another benefit of Firefox's Enhanced Tracking Protection is that it can actually speed up your browsing! Advertising networks and social media embeds can sometimes make your browser download huge files just to show an ad or a like button, and blocking those out trims the fat, in a sense.
### Disabling Telemetrics
When you use Firefox, Mozilla collects information about what you do, what kind of extensions you have installed, and various other aspects of your browser. While they claim to do this in a privacy-respecting way, sending as little data as possible is always preferred from a privacy standpoint, so we would go ahead and uncheck all the boxes under **Firefox Data Collection and Use** just to be safe.
![Screenshot of Firefox data collection checkboxes](/assets/img/blog/firefox-privacy-5.png){:.img-fluid .w-75 .mx-auto .d-block}
### Clearing Cookies and Site Data
This one is for more advanced users, so if you don't understand what this is doing you can skip this section. Firefox provides the option to delete all your cookies and site data every time Firefox is closed. Cookies and site data are little pieces of information sites store in your browser, and they have a myriad of uses. They are used for things like keeping you logged in and saving your website preferences, but they also can be used to track you across different websites. By deleting your cookies regularly, your browser will appear clean to websites, making you harder to track.
![Screenshot of cookies and site data](/assets/img/blog/firefox-privacy-6.png){:.img-fluid .w-75 .mx-auto .d-block}
This will likely log you out of websites quite often, so make sure that's an inconvenience you're willing to put up with for enhanced privacy.
## Firefox Privacy Add-ons
Of course, just the browser settings alone won't go quite far enough to protect your privacy. Mozilla has made a lot of compromises in order to provide a more functional browsing experience for the average user, which is completely understandable. But, we can take it even further with some browser add-ons that prevent tracking and make your experience more private and secure.
There are a number of [fantastic add-ons for Firefox](https://privacyguides.org/browsers/#addons), but they aren't all necessary for everyone. Some of them provide redundant functionality to each other, and some of them accomplish similar tasks to the settings we've enabled above.
When you are installing add-ons for Firefox, consider whether you actually need them for your personal browsing. Remember that fingerprinting warning from earlier? Adding as many extensions as possible might make you stand out more, which is not the goal.
Keeping all that in mind, there are three add-ons I would consider necessary for virtually every user:
* uBlock Origin
* HTTPS Everywhere
* Decentraleyes
Out of the box, these add-ons only complement the settings we've described in this article already, and they have sane defaults that won't break the sites you visit.
### uBlock Origin
[**uBlock Origin**](https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/) is an efficient ad- and tracker-blocker that is easy on memory, and yet can load and enforce thousands more filters than competing blockers. We trust it because it is completely open-source. Additionally, unlike its competitors it has no monetization strategy: There's no "Acceptable" ads program or a similar whitelist like many other adblockers feature.
### HTTPS Everywhere
HTTPS is the secure, encrypted version of HTTP. When you see an address starting with https:// along with the padlock in your browser's address bar, you know that your connection to the website is completely secure. This is of course important when you're logging into websites and sending your passwords and emails in a form. But it also prevents people on your network and your ISP from snooping in on what you're reading, or changing the contents of an unencrypted webpage to whatever they want.
Therefore, [**HTTPS Everywhere**](https://addons.mozilla.org/en-US/firefox/addon/https-everywhere) is a must-have extension, all it does is upgrade your HTTP connections to HTTPS wherever possible. And because it works silently in the background, you probably will never notice it! We trust HTTPS Everywhere because it is completely open-source, and is developed by the [Electronic Frontier Foundation](https://www.eff.org/https-everywhere), a non-profit dedicated to private and secure technologies.
Of course, it only works with sites that support HTTPS on the server's side, so you'll still need to keep an eye on your address bar to make sure you're securely connected. But fortunately more and more websites have implemented HTTPS, thanks to the advent of free certificates from organizations like Let's Encrypt.
### Decentraleyes
When you connect to many websites, your browser is most likely making connections to a myriad of "Content Delivery Networks" like Google Fonts, Akamai, and Cloudflare, to download fonts and Javascript that make the website run. This generally makes websites look and feel better, but it means you're constantly making connections to these servers, allowing them to build a fairly accurate tracking profile of you.
[**Decentraleyes**](https://addons.mozilla.org/en-US/firefox/addon/decentraleyes) works by impersonating those CDNs locally in your browser. When a website wants to download a program like jQuery, instead of connecting to a remote CDN Decentraleyes will serve the file from its own cache of files. This means that you'll won't have to make remote CDN connections for the files that Decentraleyes supports, and therefore the remote CDNs can't track your browser. Decentraleyes may even speed up your browsing, because everything is stored locally instead of on a far-away server. Everything happens instantly, and you won't see a difference in the websites you visit.
### Additional Firefox Privacy Add-ons
There is of course more functionality that can be achieved at the expense of more time spent configuring your browser and reduced website functionality. If you're looking for the most privacy options possible however, they may be for you. Check out the page on [Browser add-ons at Privacy Guides](https://privacyguides.org/browsers/#addons) for further information and additional resources.
## More Privacy Functionality
Firefox has developed a number of other privacy tools that can be used to enhance your privacy or security. They may be worth looking into, but they have some drawbacks that would prevent me from recommending them outright.
### Firefox Private Network
**Firefox Private Network** is a new extension developed by Mozilla that serves as a [Virtual Private Network](/blog/2019/10/05/understanding-vpns) (VPN), securing you on public WiFi networks and other situations where you might trust Mozilla more than the ISP or network administrator. It is free in beta, but will likely be available at some subscription pricing once the test pilot ends.
Firefox Private Network is still just a VPN, and there are a number of drawbacks you would want to consider before using it. Ultimately, your VPN provider of choice will be able to see your web traffic. All you are accomplishing is shifting the trust from your network to the VPN provider, in this case *Cloudflare*, the operators behind this service.
Additionally, unlike a traditional VPN, only data through the Firefox browser is protected, not every app on your machine. This means that it won't adequately protect you from many of the threats people typically want to protect against when they use a VPN, like IP leaks.
And finally, Cloudflare and Mozilla are both US companies. There are a number of concerns with entrusting internet traffic to the US and other [Fourteen Eyes](https://privacyguides.org/providers/#ukusa) countries that should not be overlooked.
If you require a Virtual Private Network, we would look elsewhere. There are a number of [good VPN providers](https://privacyguides.org/providers/vpn/) like Mullvad that will provide a better experience at a low cost.
### Multi-Account Containers
Mozilla has an in-house add-on called [**Multi-Account Containers**](https://support.mozilla.org/en-US/kb/containers) that allows you to isolate websites from each other. For example, you could have Facebook in a container separate from your other browsing. In this situation, Facebook would only be able to set cookies with your profile on sites within the container, keeping your other browsing protected.
A containers setup may be a good alternative to techniques like regularly deleting cookies, but requires a lot of manual intervention to setup and maintain. If you want complete control of what websites can do in your browser, it's definitely worth looking into, but we wouldn't call it a necessary addition by any means.
## Additional Resources
[ghacks user.js](https://github.com/ghacksuserjs/ghacks-user.js) — For more advanced users, the ghacks user.js is a "configuration file that can control hundreds of Firefox settings [...] which aims to provide as much privacy and enhanced security as possible, and to reduce tracking and fingerprinting as much as possible - while minimizing any loss of functionality and breakage".
[Mozilla's Privacy Policy](https://www.mozilla.org/en-US/privacy/) — Of course, we always recommend reading through the privacy statement of any organization you deal with, and Mozilla is no exception.
## Firefox Privacy Summary
In conclusion, we believe that Firefox is the most promising browser for privacy-conscious individuals. The non-profit behind it seems truly dedicated to promoting user control and privacy, and the good defaults coupled with the sheer customizability of the browser allow you to truly protect your information when you browse the web.
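Review bot: Deleting this post risks dangling references in both directions, because the Firefox Private Network paragraph links to a sibling post by site path (`/blog/2019/10/05/understanding-vpns`) and the body embeds `/assets/img/blog/firefox-privacy-1.png` through `firefox-privacy-6.png`. Before merging, search the remaining site for links to this post's URL and to those image paths, and confirm the linked sibling post is either kept or removed in the same change. The commit title says "Archive" but the change shows only deletions, so please state in the commit message where the archived copy lives, or add a redirect to it, so that existing inbound links do not 404. If an archived copy is kept, it should carry the original publication date, since the text relies on time-relative wording such as "Firefox recently added native DoH support" and "It is free in beta".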