Long gone are the days when websites consisted of static HTML pages styled with basic CSS, when links actually directed users to new web locations instead of calling a JavaScript function. Now, websites (or should I call them web apps?) have grown so complex that browsers had no choice but to turn into operating systems. This made for a much richer user experience with so many possibilities; you can do online banking, play video games, join video conferences, shop, and even install apps, all within the same application: the browser. It’s obvious that the more complex any software gets, the more chances there are for security vulnerabilities to emerge, and the browser is no exception. The surge of browser CVEs we’ve witnessed in recent years is a good testament to that. Additionally, the more user interactions are made possible in the browser, the more attractive it becomes to marketers and companies looking for new revenue streams. Online advertising, which is fueled by online tracking, has become so lucrative that it’s consistently been the top revenue category for so many big tech corporations. So, should we just throw our hands up in the air and accept our imposed destiny? Do we have to give up our privacy if we’re to do any meaningful browsing on the internet?
Using a sound browser will go a long way in mitigating the risk of privacy violations. Like anything else in life, it’s important to use the right tool for the job. If you’re going on a road trip across the country, you’d want to drive the right vehicle, have spare tires, make sure the engine is healthy and won’t overheat, plan charging breaks if you’re going electric, and so on. The same applies to browsing the internet. In this article, I’ll go over different security and privacy measures implemented in Firefox, my favourite browser.
Before we dive in, let me note that my decision to run Firefox as my daily driver is not a political one or based on Mozilla’s management, work conditions, or product line. I’m only focused on the software itself and how it serves my personal internet browsing needs.
HTTP header sanitization
In this day and age, web pages have become so complex that it’s quite rare to find a web service that doesn’t pull resources from other domains, be they fonts, images, videos, scripts, or other types of resources. When a browser goes out to fetch an external resource, it attaches the URL of the page that requested it to the request, in the HTTP Referer header. Under the old default policy (no-referrer-when-downgrade), the entire URL that the user had put in the address bar, path and query string included, ended up transmitted to every domain the page being visited depends on. To give you an idea, if a user was reading an article on a news site in dark mode with a big font (URL: https://www.allthenews.com/breaking-news-read-now?mode=dark&font-size=big), and this site loaded “share” buttons from Google, Twitter, and Facebook, all three companies would learn which article the user was reading and their preferred settings for reading it.
Firefox’s default referrer policy is strict-origin-when-cross-origin: it trims the path and query string from the HTTP Referer header on every cross-origin request, and sends no Referer at all when an HTTPS page requests an HTTP resource. So in our previous example the URL would be turned into https://www.allthenews.com/ when communicated as a referrer to Google, Twitter, and Facebook, thereby reducing the amount of leaked user information. Two caveats are worth knowing. First, this is a default: a page can still declare a more permissive policy for itself (a Referrer-Policy: unsafe-url header, or a referrerpolicy attribute on a link or script), and Firefox honours that declaration. Second, same-origin requests still carry the full URL, which is what the site itself needs for analytics and navigation.
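To make the trimming concrete, here is a small model of how a browser derives the Referer value from the page URL, the destination URL and the effective policy. This is an added example written for this article, not Firefox’s own code; the policy names and their semantics are those of the Referrer Policy specification, and the page and script URLs are constructed sample input.

```javascript
// Added example, not Firefox's code: how a browser derives the Referer header
// from the page URL, the destination URL and the effective Referrer-Policy.
// The policy names and semantics are those of the W3C Referrer Policy spec;
// "strict-origin-when-cross-origin" is the Firefox default described above.

function stripForReferrer(url) {
  // Credentials and fragment are never part of a referrer under any policy.
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u;
}

// Returns the Referer value to send, or null when the header must be omitted.
function computeReferer(pageUrl, requestUrl, policy = "strict-origin-when-cross-origin") {
  const from = stripForReferrer(pageUrl);
  const to = new URL(requestUrl);
  const full = from.href;
  const originOnly = from.origin + "/";
  const sameOrigin = from.origin === to.origin;
  // "Downgrade" means leaking an HTTPS referrer onto a plaintext HTTP request.
  const downgrade = from.protocol === "https:" && to.protocol === "http:";

  switch (policy) {
    case "no-referrer":                return null;
    case "unsafe-url":                 return full;
    case "origin":                     return originOnly;
    case "same-origin":                return sameOrigin ? full : null;
    case "strict-origin":              return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin-when-cross-origin":   return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Walk one page/third-party pair through the policies a practitioner meets most.
function referrerLeakReport(pageUrl, thirdPartyUrl) {
  return {
    firefoxDefault: computeReferer(pageUrl, thirdPartyUrl),
    oldDefault:     computeReferer(pageUrl, thirdPartyUrl, "no-referrer-when-downgrade"),
    siteOptedOut:   computeReferer(pageUrl, thirdPartyUrl, "unsafe-url"),
  };
}

// Constructed sample input: the article's news-site URL and a share-button script.
const PAGE = "https://www.allthenews.com/breaking-news-read-now?mode=dark&font-size=big";
const SHARE_BUTTON = "https://platform.twitter.com/widgets.js";
console.log(referrerLeakReport(PAGE, SHARE_BUTTON));
```

Running it shows the three outcomes side by side: the Firefox default yields https://www.allthenews.com/, the old default yields the full URL, and a site that declares unsafe-url leaks the full URL again, which is the override caveat above in code form.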
Cookie store isolation
When it comes to cookie management, Firefox has really stepped up its game. I don’t think any other browser handles cookies nearly as well. Firefox not only blocks cookies from domains on its tracker lists, it cripples cookie-based tracking altogether with Total Cookie Protection. It works by keeping a separate cookie jar for each website the user explicitly visits, that is, for each site that appears in the address bar. By way of illustration, cookies set while the user is on website A, including third-party cookies set by content embedded in A, are only ever sent on requests made while A is the top-level site. This is exceptionally powerful because it means that a cookie Facebook sets while you browse a news site will never be sent back to Facebook while you browse any other website that embeds Facebook’s assets; from Facebook’s point of view you look like a different visitor on every site. The same partitioning applies to other client-side state such as localStorage, IndexedDB, and the HTTP cache. The one deliberate exception is the Storage Access API: an embedded third party can ask for its unpartitioned cookies via document.requestStorageAccess(), which Firefox only honours after a user interaction and may surface as a permission prompt, so a cross-site login flow still works when you actually want it to.
In addition, Firefox’s Enhanced Cookie Clearing (ECC) lets you wipe out all the data created by a specific website. This includes first- and third-party cookies, local storage, settings, and cache. It differs from the typical “delete website cookies” setting you’ll find in other mainstream browsers in that ECC not only deletes data that belongs to the selected website, but also all data that other domains saved in your browser while you were visiting that website. Let’s say you’re on recipes.com, which pulls in some assets from google.com, while also being logged into google.com directly in a separate tab. Clearing recipes.com’s data using ECC will have the following effects:
- Delete all the data created by recipes.com
- Delete all the data created by google.com while browsing recipes.com, and nothing else of google.com’s: the data google.com stored as a first party lives in its own cookie jar, so we remain logged into google.com in the second tab.
This is extremely potent as it grants you the ability to make your browser effectively forget all your activity on a given website.
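The following model ties the two mechanisms together: partitioned cookie jars as in Total Cookie Protection, and Enhanced Cookie Clearing defined on top of them. It is an added example written for this article, not Firefox’s storage code. The hosts (news.example, recipes.example, recipes.com, google.com, facebook.com) and the cookie values are constructed; the only structural assumption is that every jar is keyed by the pair (top-level site in the address bar, host that set the data).

```javascript
// Added example, not Firefox's code: a model of Total Cookie Protection's
// partitioned cookie jars and of Enhanced Cookie Clearing on top of them.
// Every jar is keyed by (top-level site in the address bar, host that set the
// cookie). Firefox keys localStorage, IndexedDB and the HTTP cache the same
// way; cookies are used here for brevity.

class PartitionedCookieStore {
  constructor() {
    this.jars = new Map(); // "topLevelSite|host" -> Map(name -> value)
  }

  static key(topLevelSite, host) {
    return `${topLevelSite}|${host}`;
  }

  // A response from `host`, received while `topLevelSite` is the page in the
  // address bar, carried Set-Cookie. First-party cookies are simply the case
  // where host === topLevelSite.
  setCookie(topLevelSite, host, name, value) {
    const k = PartitionedCookieStore.key(topLevelSite, host);
    if (!this.jars.has(k)) this.jars.set(k, new Map());
    this.jars.get(k).set(name, value);
  }

  // Cookies attached to a request to `host` made while `topLevelSite` is the
  // page. A jar filled under one top-level site is invisible under another.
  cookiesFor(topLevelSite, host) {
    const jar = this.jars.get(PartitionedCookieStore.key(topLevelSite, host));
    return jar ? Object.fromEntries(jar) : {};
  }

  // Enhanced Cookie Clearing: forget everything stored while `site` was the
  // top-level site, whoever stored it. Data the same third parties stored
  // under other top-level sites, or as first parties, is untouched.
  clearSiteData(site) {
    let removed = 0;
    for (const k of [...this.jars.keys()]) {
      const [top] = k.split("|");
      if (top === site) {
        removed += this.jars.get(k).size;
        this.jars.delete(k);
      }
    }
    return removed;
  }
}

// Constructed walk-through of the article's two scenarios.
function demo() {
  const store = new PartitionedCookieStore();

  // Scenario 1: a Facebook widget embedded on a news site sets a cookie.
  store.setCookie("news.example", "facebook.com", "fr", "visitor-123");
  const seenOnNews = store.cookiesFor("news.example", "facebook.com");
  // The same widget on an unrelated site gets an empty jar: no cross-site ID.
  const seenOnRecipes = store.cookiesFor("recipes.example", "facebook.com");

  // Scenario 2: logged into google.com directly, while recipes.com embeds google.com.
  store.setCookie("google.com", "google.com", "SID", "logged-in");
  store.setCookie("recipes.com", "google.com", "NID", "embedded-state");
  store.setCookie("recipes.com", "recipes.com", "session", "abc");
  const removed = store.clearSiteData("recipes.com"); // ECC on recipes.com

  return {
    seenOnNews,
    seenOnRecipes,
    removed,
    recipesAfter: store.cookiesFor("recipes.com", "recipes.com"),
    googleEmbeddedAfter: store.cookiesFor("recipes.com", "google.com"),
    googleTabAfter: store.cookiesFor("google.com", "google.com"),
  };
}

console.log(demo());
```

The result of demo() is the article’s two bullet points as data: clearing recipes.com removes two entries (its own session cookie and the google.com state stored under it), while the google.com first-party jar, and therefore the login in the other tab, survives.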
Process isolation
Every time you visit a website with JavaScript enabled, you run code on your computer that you have most likely never seen¹. The vast majority of browsers do a great job of containing this code in a tight sandbox to prevent it from reaching outside the browser, but not all enforce good segregation within the sandbox. Firefox goes to great lengths to isolate code pulled from the internet that runs on your machine. With its Site Isolation, also called Project Fission, each site is loaded in a separate operating system (OS) process. So if you visit “example.com” and, in a new tab, load “example.org”, these two sites’ code will run in two OS-segregated processes, each with its own address space. And this isn’t specific to tabs; if “example.com” had an iframe that loaded content from “example.org”, the same thing would happen: two processes would be used, one for each site, with the iframe rendered out of process. Note that the unit of isolation is the site (scheme plus registrable domain), not the full origin, so “a.example.com” and “b.example.com” do share a process. This matters because of Spectre-class speculative execution attacks: JavaScript in a process can read memory of its own process across the boundaries the language enforces, so the only robust defence is to make sure another site’s data is never in the same process to begin with. Site Isolation also limits the blast radius of a renderer compromise (a memory corruption bug in the JavaScript engine or DOM) to the one site that was attacked. To see Firefox’s processes and which sites they host, type “about:processes” in the address bar and hit “Enter”.
Moreover, Firefox also accounts for Public Suffix List² entries, where unrelated sites are served as different subdomains of one parent domain. For instance, if you were to load “my-site.codeberg.page” and “another-site.codeberg.page”, they would each get a separate process because they are considered two different sites, even though they share the parent domain “codeberg.page”, since that domain is on the Public Suffix List.
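The process boundary comes down to one computation: the “site” of a URL, i.e. its scheme plus registrable domain, where the registrable domain is one label below the longest Public Suffix List match. The block below is an added example of that computation and of grouping frames by the process they would share; it is not Firefox’s implementation, and its PUBLIC_SUFFIXES set is a constructed excerpt of a handful of rules (the real list has thousands of entries plus wildcard and exception rules, which this toy omits).

```javascript
// Added example, not Firefox's code: computing the "site" that Fission uses
// as its unit of process isolation (scheme + registrable domain, where the
// registrable domain is one label below the longest matching Public Suffix
// List entry). The PSL here is a constructed excerpt; the real list has
// thousands of rules including wildcard and exception rules, omitted here.

const PUBLIC_SUFFIXES = new Set([
  "com", "org", "net", "page", "io", "uk", "co.uk",
  "codeberg.page", "github.io",
]);

// Longest suffix of `host` that is on the list, e.g. "codeberg.page".
function publicSuffix(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  return labels[labels.length - 1]; // unknown TLD: treat the last label as the suffix
}

// Registrable domain (eTLD+1): the public suffix plus one more label.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  const suffixLabels = publicSuffix(host).split(".").length;
  if (labels.length <= suffixLabels) return null; // the host itself is a public suffix
  return labels.slice(labels.length - suffixLabels - 1).join(".");
}

// Site key: scheme plus registrable domain. Subdomain and port do not matter;
// scheme does, so http://example.com and https://example.com are different sites.
function siteKey(url) {
  const u = new URL(url);
  const domain = registrableDomain(u.hostname) ?? u.hostname;
  return `${u.protocol}//${domain}`;
}

// Group a set of tabs/frames by the process they would share.
function processAssignment(urls) {
  const groups = new Map();
  for (const url of urls) {
    const k = siteKey(url);
    if (!groups.has(k)) groups.set(k, []);
    groups.get(k).push(url);
  }
  return groups;
}

// Constructed sample: the article's examples plus two subdomains of one site.
const SAMPLE_FRAMES = [
  "https://example.com/",
  "https://example.org/embedded-widget",
  "https://my-site.codeberg.page/",
  "https://another-site.codeberg.page/",
  "https://a.example.com/", // same site as example.com: shares its process
];
console.log(processAssignment(SAMPLE_FRAMES));
```

The grouping yields four processes for the five URLs: example.com and a.example.com collapse into one site, while the two codeberg.page subdomains stay apart precisely because “codeberg.page” is on the list, which is the behaviour described above.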
Session isolation
Now, let’s go up a few layers and look at what Firefox does at the session level. Beyond Private Browsing, Firefox ships container tabs, a built-in feature that is surfaced mainly through Mozilla’s Multi-Account Containers add-on, and they take compartmentalization to the next level. Every container is a fresh browser session with its own cookie store, local storage, and cache. Think “Private Browsing”, but not limited to a single session and persistent across restarts. Bookmarks, history, saved passwords, and extensions are shared between containers, so if you need those separated too, profiles (below) are the tool. Containers are particularly convenient when you want to log into multiple accounts on the same website. Furthermore, all the security and privacy measures we touched on so far are maintained inside each container. Once you tell the add-on to always open a website in a given container, Firefox opens that website in the chosen container without you having to do so every time, and offers to move it there if you open it somewhere else. Who said you had to pick between privacy and convenience again?
You can also route each container through a different Virtual Private Network (VPN) server, via the add-on’s Mozilla VPN integration. For example, if you want to use a VPN when shopping online you could create a “shopping” container and configure it to always use your VPN³.
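Under the hood a container is just a cookie store ID that Firefox attaches to every tab and request, and the two conveniences above are decisions keyed on that ID. The block below is an added example of those decisions, not the Multi-Account Containers add-on’s code. The site-to-container assignments, the proxy host and port, and the “last two labels” site rule are all constructed for illustration; the browser.* calls are WebExtension APIs, and using proxy.onRequest for the per-container route is one possible mechanism, not necessarily the one the add-on’s VPN integration uses.

```javascript
// Added example, not the Multi-Account Containers add-on's code: the two
// decisions that give containers their convenience. (1) When a navigation to
// a site assigned to a container starts in the wrong container, cancel it and
// reopen it in the right one. (2) Pick an outbound proxy per container.
// Firefox exposes each container as a cookie store: "firefox-default" is the
// container-less store and containers are "firefox-container-<n>". The
// proxy wiring assumes proxy.onRequest, one possible mechanism, not
// necessarily what the add-on's VPN integration uses.

// Registrable domain, simplified to "last two labels" for this example;
// real code needs the Public Suffix List.
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Assignments the user made with "always open in this container".
// Returns the cookieStoreId the navigation must move to, or null to let it proceed.
function containerRedirect(url, currentStoreId, assignments) {
  if (!/^https?:/.test(url)) return null; // only web navigations are assigned
  const wanted = assignments.get(siteOf(url));
  if (!wanted || wanted === currentStoreId) return null;
  return wanted;
}

// Per-container proxy choice; containers without an entry go direct.
function proxyFor(cookieStoreId, proxies) {
  return proxies.get(cookieStoreId) ?? { type: "direct" };
}

// Constructed configuration: a "shopping" container routed through a SOCKS
// proxy (hypothetical host/port), and a banking container with no proxy.
const ASSIGNMENTS = new Map([
  ["shop.example", "firefox-container-1"],
  ["bank.example", "firefox-container-2"],
]);
const PROXIES = new Map([
  // proxyDNS: true asks Firefox to resolve names through the SOCKS proxy
  // instead of the local resolver.
  ["firefox-container-1", { type: "socks", host: "127.0.0.1", port: 1080, proxyDNS: true }],
]);

// Wiring for a background script; only runs inside Firefox.
function install(browserApi) {
  browserApi.webRequest.onBeforeRequest.addListener(
    (details) => {
      const target = containerRedirect(details.url, details.cookieStoreId, ASSIGNMENTS);
      if (!target) return {};
      browserApi.tabs.create({ url: details.url, cookieStoreId: target });
      return { cancel: true }; // the original tab never loads the site
    },
    { urls: ["<all_urls>"], types: ["main_frame"] },
    ["blocking"],
  );
  browserApi.proxy.onRequest.addListener(
    (details) => proxyFor(details.cookieStoreId, PROXIES),
    { urls: ["<all_urls>"] },
  );
}

if (typeof browser !== "undefined") install(browser);
```

Two things worth noticing. The redirect decision is made only for top-level navigations (types: ["main_frame"]); subresources inherit the tab’s container automatically, which is what keeps the cookie jars from mixing. And when you build a per-container route yourself with a SOCKS proxy, proxyDNS: true is what sends name resolution through the proxy; without it, the DNS caveat in footnote 3 applies to your proxy too.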
Profiles
To push compartmentalization even further, Firefox lets you manage multiple profiles within the same installation. A profile is a complete set of user data stored in its own directory: bookmarks, history, saved passwords, settings, extensions, and so on. You can create and switch between them from about:profiles, or start one directly with firefox -P <name>. While using profiles is generally not needed, there are a few cases where they come in very handy. Imagine dealing with a website that doesn’t work properly with Firefox’s strict tracking protection mode, which you should always have on, by the way. Short of ditching that website and finding a better alternative, you could spin up a new profile that doesn’t use strict mode, for the sole purpose of visiting that website. More generally, profiles separate everything that the Multi-Account Containers add-on does not: bookmarks, history, extensions, themes, and preferences.
Wrap up
Well that was a lot of material! We’ve covered various security and privacy features that come with Firefox out of the box, in addition to an add-on that brings a new dimension of compartmentalization to the mix. Things like cookie store, session, and process isolation; HTTP header sanitization; and more. In my view, this makes Firefox the best browser, at the time of this writing, for a privacy-conscious internet user like myself.
If you know a free and open-source browser that offers all the guarantees mentioned in this article, please bring it to my attention; I’d love to see how it compares to Firefox.
Provided that said website uses JavaScript ↩︎
Public Suffix List is a community-maintained list of effective top level domains (eTLDs) that host different sites as subdomains, like github.io and codeberg.page. ↩︎
This only applies to HTTP/HTTPS requests. DNS queries are still subject to browser DNS settings and do not go through the VPN configured for the container. ↩︎