Privacy-Focused Browsers & Extensions -- Firefox, Brave, Tor & uBlock Origin
In this tutorial, you'll learn about browser privacy. We cover key concepts, practical examples, and best practices.
A privacy-focused browser minimizes data collection by blocking trackers, fingerprinting scripts, and third-party cookies while enforcing HTTPS connections and isolating site data to prevent cross-site tracking.
What You'll Learn
You will learn to harden Firefox with about:config settings, configure Brave Shields for maximum privacy, route traffic through Tor, deploy anti-fingerprinting extensions, and audit your browser fingerprint uniqueness.
Why It Matters
The average website loads 23 third-party trackers according to a 2025 analysis by Ghostery. These trackers build behavioral profiles across sites, collecting browsing history, interests, and personally identifiable information without user consent.
Real-World Use
A journalist uses the Tor Browser to research sensitive topics. Firefox is hardened with resistFingerprinting enabled and uBlock Origin blocks all trackers. Even if the journalist's ISP monitors traffic, they see only encrypted Tor circuit data with no indication of which sites are accessed.
Browser Privacy Architecture
flowchart TD
A[User Request] --> B[Browser]
B --> C{Privacy Features}
C --> D[Tracker Blocking]
C --> E[Fingerprinting Protection]
C --> F[HTTPS Enforcement]
C --> G[State Partitioning]
D --> H[Block 3rd-Party Cookies]
D --> I[Block Tracking Scripts]
E --> J[Spoof Canvas/WebGL]
E --> K[Report Fake Timezone]
G --> L[Per-Site Storage]
G --> M[Per-Site Cache]
style C fill:#4a9,stroke:#333
style E fill:#f96,stroke:#333
How it works: Privacy browsers intercept requests at multiple levels. Tracker blocking prevents connections to known tracking domains. Fingerprinting protection returns fake or inconsistent data from APIs like Canvas and WebGL. State partitioning isolates storage so trackers cannot correlate activity across sites.
Firefox Hardening
// Firefox about:config - privacy hardening settings
// Access via typing "about:config" in the address bar
// Enable strict tracking protection
// Set: privacy.trackingprotection.enabled = true
// Set: privacy.trackingprotection.fingerprinting.enabled = true
// Set: privacy.trackingprotection.cryptomining.enabled = true
// Enable fingerprinting resistance
// Set: privacy.resistFingerprinting = true
// Effect: Spoofs timezone to UTC, rounds screen dimensions,
// limits font enumeration, randomizes canvas output
// Force HTTPS connections
// Set: dom.security.https_only_mode = true
// Set: dom.security.https_only_mode_ever_enabled = true
// Disable telemetry
// Set: browser.newtabpage.activity-stream.feeds.telemetry = false
// Set: browser.ping-centre.telemetry = false
// Set: toolkit.telemetry.unified = false
// Set: toolkit.telemetry.enabled = false
// Disable Pocket
// Set: extensions.pocket.enabled = false
// Enable DNS-over-HTTPS
// Set: network.trr.mode = 2 // TRR first, fallback to system DNS
// Set: network.trr.uri = https://mozilla.cloudflare-dns.com/dns-query
// Strict cross-origin isolation
// Set: privacy.partition.network_state = true
// Set: privacy.partition.always_partition_third_party_non_cookie_storage = true
Expected behavior: Firefox blocks known trackers and fingerprinting scripts. The browser reports a fake timezone (UTC), rounds screen dimensions to common values, and limits available fonts. HTTPS-only mode prevents accidental HTTP connections. DNS-over-HTTPS encrypts DNS queries.
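To check a profile against the list above, the following added example (not part of the original tutorial) parses a Firefox user.js or prefs.js file and reports every baseline pref that is missing or set differently. The function names and the sample file are constructed for illustration; an unset pref is reported because the file alone does not show which default Firefox applies.

```javascript
// Baseline taken from the about:config list above.
const BASELINE = {
  "privacy.trackingprotection.enabled": true,
  "privacy.trackingprotection.fingerprinting.enabled": true,
  "privacy.trackingprotection.cryptomining.enabled": true,
  "privacy.resistFingerprinting": true,
  "dom.security.https_only_mode": true,
  "toolkit.telemetry.unified": false,
  "toolkit.telemetry.enabled": false,
  "extensions.pocket.enabled": false,
  "network.trr.mode": 2,
  "privacy.partition.network_state": true,
};

// Parse user_pref("name", value); lines. A later line overrides an earlier one.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue; // comments, blank lines, anything else
    try { prefs.set(m[1], JSON.parse(m[2])); } catch { /* not a plain literal */ }
  }
  return prefs;
}

// Report every baseline pref that is unset in the file or set to another value.
function auditPrefs(text, baseline = BASELINE) {
  const prefs = parsePrefs(text);
  return Object.entries(baseline)
    .filter(([name, want]) => prefs.get(name) !== want)
    .map(([name, want]) => ({
      pref: name, expected: want,
      actual: prefs.has(name) ? prefs.get(name) : "(unset)",
    }));
}

// Constructed sample, not taken from a real profile.
const SAMPLE_USER_JS = `
user_pref("privacy.resistFingerprinting", true);
user_pref("privacy.trackingprotection.enabled", true);
user_pref("network.trr.mode", 0);
user_pref("network.trr.mode", 5);
// user_pref("toolkit.telemetry.enabled", false);
user_pref("dom.security.https_only_mode", true);
user_pref("extensions.pocket.enabled", false);
`;
console.table(auditPrefs(SAMPLE_USER_JS));
```

Run it with Node against the contents of a real user.js to get the list of prefs still to set.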
Brave Shields Configuration
// Brave Shields - privacy configuration via brave://settings/shields
// The objects below are an illustrative model of the settings;
// Shields is configured in the browser UI, not through a JavaScript API.
// Global shields defaults:
//   Block trackers & ads: Aggressive
//   Upgrade connections to HTTPS: Strict (upgrades all HTTP to HTTPS)
//   Block fingerprinting: Enabled (strict)
//   Block third-party cookies: Block all
//   Block scripts: Disabled (breaks most sites, enable per-site)

// Cookie blocking by site type:
const cookieConfig = {
  // Strict - blocks all third-party cookies
  strict: {
    cookies: "block_all",
    localStorage: "block_third_party",
    sessionStorage: "block_third_party",
  },
  // Standard - blocks cross-site tracking cookies
  standard: {
    cookies: "block_cross_site",
    localStorage: "block_third_party",
    sessionStorage: "block_third_party",
  },
};

// Per-site shield configuration
const shieldsConfig = {
  "banking.example.com": {
    trackers: "disabled",       // Banking sites need full functionality
    cookies: "allow_all",       // Allow all cookies for login
    https: "strict",            // Always use HTTPS
    fingerprinting: "block",    // Block fingerprinting
  },
  "news.example.com": {
    trackers: "aggressive",     // Block all trackers
    cookies: "block_all",       // Block all third-party cookies
    https: "strict",            // Upgrade to HTTPS
    fingerprinting: "block",    // Block fingerprinting
  },
  "internal.company.com": {
    trackers: "disabled",       // Internal sites have no trackers
    cookies: "allow_all",       // Full functionality needed
    https: "strict",            // Internal HTTPS enforcement
    fingerprinting: "disabled", // No need for fingerprinting protection
  },
};
Expected behavior: Brave Shields blocks ads and trackers at the network level before they load. The browser upgrades all connections to HTTPS. Fingerprinting scripts receive randomized data. Cookie blocking prevents cross-site tracking, and per-site toggles let you relax Shields on sites that break.
Tor Browser Configuration
# Tor Browser configuration automation


class TorBrowserConfig:
    """Configure Tor Browser privacy settings."""

    def __init__(self, torrc_path):
        self.torrc_path = torrc_path

    def set_security_level(self, level):
        """Set Tor Browser security level (Standard, Safer, Safest)."""
        levels = {
            "standard": {
                "javascript": True,
                "fingerprinting": False,
                "media": True,
            },
            "safer": {
                "javascript": True,
                "fingerprinting": True,
                "media": False,  # Disable video/audio
            },
            "safest": {
                "javascript": False,  # Disable JS entirely
                "fingerprinting": True,
                "media": False,
            },
        }
        config = levels.get(level)
        if not config:
            raise ValueError(f"Unknown security level: {level}")
        return config

    def configure_torrc(self):
        """Write hardened torrc configuration."""
        config = """
# Tor Browser hardened configuration
# Stream isolation is requested with flags on the SocksPort line
SocksPort 9050 IsolateDestAddr IsolateDestPort IsolateClientProtocol IsolateSOCKSAuth
ControlPort 9151
CookieAuthentication 1
# Enable bridges in censored environments
# Bridge obfs4 <bridge-address>:<port> <fingerprint>
# Scrub sensitive strings (such as addresses) from log messages
SafeLogging 1
# Use strict nodes (optional)
# ExitNodes {us},{de},{nl}
# StrictNodes 1
# Circuit configuration
NewCircuitPeriod 300
MaxCircuitDirtiness 600
# Disable DNS leaking
DNSPort 5353
AutomapHostsOnResolve 1
VirtualAddrNetwork 10.192.0.0/10
"""
        # Writing to /etc/tor/torrc normally requires root privileges
        with open(self.torrc_path, 'w') as f:
            f.write(config)
        print(f"torrc written to {self.torrc_path}")


# Usage
config = TorBrowserConfig("/etc/tor/torrc")
level = config.set_security_level("safer")
print("Security level: Safer")
print(f"  JavaScript enabled: {level['javascript']}")
print(f"  Fingerprinting blocked: {level['fingerprinting']}")
# "media" is True when media is allowed, so the "disabled" line reports its negation
print(f"  Media disabled: {not level['media']}")
config.configure_torrc()
Expected output:
Security level: Safer
  JavaScript enabled: True
  Fingerprinting blocked: True
  Media disabled: True
torrc written to /etc/tor/torrc
Expected behavior: Tor Browser connects through the Tor network with three layers of encryption. The Safer security level disables potentially unsafe media while allowing JavaScript. The torrc configuration enforces stream isolation so different sites use different circuits.
Fingerprint Auditing
// Browser fingerprint audit - check your uniqueness
// Run in the DevTools console of an HTTPS page (crypto.subtle needs a secure context)
async function auditFingerprint() {
  const fingerprint = {
    userAgent: navigator.userAgent,
    platform: navigator.platform,
    hardwareConcurrency: navigator.hardwareConcurrency,
    deviceMemory: navigator.deviceMemory,
    language: navigator.language,
    languages: navigator.languages,
    timezone: Intl.DateTimeFormat().resolvedOptions().timeZone,
    colorDepth: screen.colorDepth,
    pixelDepth: screen.pixelDepth,
    screenResolution: `${screen.width}x${screen.height}`,
    availResolution: `${screen.availWidth}x${screen.availHeight}`,
    colorGamut: null,
    hdr: null,
  };

  // Newer signals are exposed through media queries, not properties of `screen`
  for (const gamut of ["rec2020", "p3", "srgb"]) {
    if (window.matchMedia(`(color-gamut: ${gamut})`).matches) {
      fingerprint.colorGamut = gamut;
      break;
    }
  }
  fingerprint.hdr = window.matchMedia("(dynamic-range: high)").matches;

  // Canvas fingerprinting test
  const canvas = document.createElement("canvas");
  canvas.width = 256;
  canvas.height = 256;
  const ctx = canvas.getContext("2d");
  ctx.fillText("Fingerprint Test", 50, 50);
  // Length of the encoded image: a coarse stand-in for a hash of the pixels
  fingerprint.canvasHash = canvas.toDataURL().length;

  // Font enumeration test
  const fontCheck = new Set();
  const testFonts = [
    "Arial", "Helvetica", "Times New Roman", "Courier New",
    "Verdana", "Georgia", "Comic Sans MS", "Impact",
    "monospace", "sans-serif", "serif",
  ];
  testFonts.forEach((font) => {
    if (document.fonts.check(`12px "${font}"`)) {
      fontCheck.add(font);
    }
  });
  fingerprint.fonts = Array.from(fontCheck);

  return fingerprint;
}

// Run audit
auditFingerprint().then(async (fp) => {
  console.table(fp);
  // Digest the whole record; a prefix of btoa(JSON) would only cover the first few fields
  const bytes = new TextEncoder().encode(JSON.stringify(fp));
  const digest = new Uint8Array(await crypto.subtle.digest("SHA-256", bytes));
  console.log("Fingerprint hash:", btoa(String.fromCharCode(...digest)).slice(0, 32));
});
Expected output:
┌─────────────────────┬──────────────────────────────────┐
│ userAgent │ Mozilla/5.0 (Windows NT 10.0;…) │
│ platform │ Win32 │
│ hardwareConcurrency │ 2 │
│ deviceMemory │ 4 │
│ language │ en-US │
│ timezone │ UTC │
│ screenResolution │ 1920x1080 │
│ canvasHash │ 12345 │
│ fonts │ ["Arial", "Verdana", "monospace"]│
└─────────────────────┴──────────────────────────────────┘
Fingerprint hash: MDAwMTAxMDEwMTAxMDEwMTAxMDEwMTA=
Expected behavior: The audit reveals how uniquely identifiable the browser is. Privacy-focused browsers return standardized values (timezone = UTC, rounded screen dimensions) to blend in with other users. A unique fingerprint suggests privacy protections are insufficient.
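How unique a fingerprint is depends on how many other visitors report the same values. The following added example (not part of the original tutorial) measures that over a constructed population: anonymity set sizes, the surprisal of one visitor in bits, and the entropy each attribute contributes. The function names and the sample population are assumptions made for illustration.

```javascript
// Stable key for a fingerprint restricted to attrs (sorted, so order is irrelevant).
function fingerprintKey(fp, attrs = Object.keys(fp)) {
  return JSON.stringify([...attrs].sort().map((a) => [a, fp[a] ?? null]));
}

// Anonymity sets: how many visitors share each key.
function anonymitySets(population, attrs) {
  const sets = new Map();
  for (const fp of population) {
    const key = fingerprintKey(fp, attrs);
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Surprisal of one visitor in bits: -log2(share of the population with the same key).
function surprisalBits(fp, population, attrs) {
  const n = anonymitySets(population, attrs).get(fingerprintKey(fp, attrs)) || 0;
  return n === 0 ? Infinity : -Math.log2(n / population.length);
}

// Shannon entropy of a single attribute: how much it helps to tell visitors apart.
function attributeEntropy(population, attr) {
  let h = 0;
  for (const n of anonymitySets(population, [attr]).values()) {
    const p = n / population.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Constructed population: four hardened browsers report the same values,
// four unhardened ones report their real timezone and screen size.
const hardened = { timezone: "UTC", screenResolution: "1000x900", fonts: ["Arial", "Verdana"] };
const POPULATION = [
  hardened, { ...hardened }, { ...hardened }, { ...hardened },
  { timezone: "Europe/Berlin", screenResolution: "1920x1080", fonts: ["Arial", "Impact"] },
  { timezone: "Europe/Berlin", screenResolution: "2560x1440", fonts: ["Arial", "Georgia"] },
  { timezone: "America/New_York", screenResolution: "1366x768", fonts: ["Arial"] },
  { timezone: "Asia/Tokyo", screenResolution: "1536x864", fonts: ["Arial", "Verdana"] },
];
for (const attr of ["timezone", "screenResolution", "fonts"]) {
  console.log(attr, attributeEntropy(POPULATION, attr).toFixed(2), "bits");
}
console.log("hardened:", surprisalBits(hardened, POPULATION), "bits");
console.log("unhardened:", surprisalBits(POPULATION[7], POPULATION), "bits");
```

A hardened visitor carries 1 bit here because half the population shares its values, while each unhardened visitor carries 3 bits and is unique among the eight.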
Extension Security
#!/bin/bash
# Audit browser extensions for privacy impact
extensions=(
  "cjpalhdlnbpafiamejdnhcphjbkeiagm" # uBlock Origin
  "gcbommkclmclpchllfjekcdonpmejbdp" # HTTPS Everywhere
  "pkehgijcmpdhfbdbbnkijodmdjhbjlgp" # Privacy Badger
  "bhlhnicpbhoccbdhgmlchkaabkfkaoae" # Decentraleyes
  "nngceckbapebfimnlnhpahjokkdghndj" # Bitwarden
)

echo "=== Extension Audit ==="
for ext_id in "${extensions[@]}"; do
  # Build the extension's Chrome Web Store URL (nothing is downloaded)
  url="https://chrome.google.com/webstore/detail/$ext_id"
  echo "Extension: $ext_id"
  echo "  URL: $url"
  # Check permissions (requires manual review via chrome://extensions)
  echo "  Status: Review permissions at chrome://extensions"
  echo ""
done

# List all installed extensions
echo "=== Installed Extensions ==="
chrome_dir="$HOME/.config/google-chrome/Default/Extensions"
if [ -d "$chrome_dir" ]; then
  # -mindepth 1 skips the Extensions directory itself
  find "$chrome_dir" -mindepth 1 -maxdepth 1 -type d -exec basename {} \;
else
  echo "Chrome not installed"
fi
# Profile directories are named like xxxxxxxx.default or xxxxxxxx.default-release
find ~/.mozilla/firefox/*.default*/extensions -name "*.xpi" -type f \
  -exec basename {} \; 2>/dev/null || echo "Firefox not installed"
Expected output:
=== Extension Audit ===
Extension: cjpalhdlnbpafiamejdnhcphjbkeiagm
URL: https://chrome.google.com/webstore/detail/cjpalhdlnbpafiamejdnhcphjbkeiagm
Status: Review permissions at chrome://extensions
=== Installed Extensions ===
uBlock0@raymondhill.net.xpi
jid1-MnnxcxisBPnSXQ@jetpack.xpi (Privacy Badger)
{tored-eccn-gnik-otp-reference} (HTTPS Everywhere)
Expected behavior: The audit lists installed extensions and their Chrome Web Store pages. Each extension's permissions must be reviewed. Privacy-focused extensions like uBlock Origin require minimal permissions compared to trackers disguised as useful tools.
Common Errors
Browser fingerprinting resistance breaks legitimate sites -- Canvas spoofing causes visual rendering issues on mapping and design sites. Some banks flag privacy-hardened browsers as suspicious. Use per-site exceptions or drop to "standard" privacy mode for trusted sites.
Tor Browser maximizing reveals screen resolution -- Maximizing the Tor Browser window exposes the true screen resolution, making the fingerprint unique. Keep the Tor Browser window at its default size or use a consistent custom size.
DNS-over-HTTPS leaking through WebRTC -- Even with DoH configured, WebRTC STUN requests can leak the real IP address. Disable WebRTC entirely in about:config (media.peerconnection.enabled = false) or use a WebRTC blocking extension.
Extension permissions creep over updates -- An extension that initially requests minimal permissions may request additional permissions in an update. Review extension permissions after each update and remove extensions with excessive permissions.
Login state persistence across Tor circuits -- If you log into a site in Tor Browser and the circuit then changes, the site sees a new IP address and requires re-authentication. Use New Identity (Ctrl+Shift+U) to clear all state when switching circuits.
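For the "Extension permissions creep over updates" item above, the following added example (not part of the original tutorial) compares the manifest.json of two versions of an extension and lists what the update newly grants. The function names and both manifests are constructed for illustration; the manifest keys are the standard WebExtension ones.

```javascript
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Everything a manifest grants: API permissions, host patterns (MV3 host_permissions,
// MV2 hosts listed inside "permissions") and content-script match patterns.
function grantedSet(manifest) {
  const grants = new Set([
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ]);
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) grants.add(m);
  }
  return grants;
}

// Diff two manifests and flag updates that add access to every site.
function permissionDiff(oldManifest, newManifest) {
  const before = grantedSet(oldManifest);
  const after = grantedSet(newManifest);
  const added = [...after].filter((p) => !before.has(p)).sort();
  const removed = [...before].filter((p) => !after.has(p)).sort();
  return {
    from: oldManifest.version,
    to: newManifest.version,
    added,
    removed,
    broadHostAdded: added.some((p) => BROAD_HOSTS.has(p)),
  };
}

// Constructed manifests for a hypothetical extension, not a real one.
const V1 = { manifest_version: 3, version: "1.4.0", permissions: ["storage", "activeTab"] };
const V2 = {
  manifest_version: 3, version: "1.5.0",
  permissions: ["storage", "tabs", "webRequest"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["https://*/*"], js: ["inject.js"] }],
};
console.log(permissionDiff(V1, V2));
```

An update that trades activeTab for tabs, webRequest and an all-sites host pattern, as in the sample, is the kind of change that warrants review before the extension stays installed.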
Practice Questions
What is browser fingerprinting and how do privacy browsers prevent it?
Browser fingerprinting collects unique device characteristics (screen resolution, installed fonts, canvas rendering, WebGL data) to create a tracking identifier. Privacy browsers spoof or randomize these values to make the fingerprint non-unique.
Why does Tor Browser recommend not maximizing the window?
Screen resolution is a highly unique fingerprinting signal. The default Tor Browser window is 1000x900 pixels -- a common size shared by many users. Maximizing reveals the true screen resolution, making the browser uniquely identifiable.
What is the difference between Brave Shields and uBlock Origin?
Brave Shields is built into the browser and blocks trackers at the network level before any code executes. uBlock Origin is an extension that runs content filtering scripts. Brave Shields cannot be bypassed because it is integrated into the browser engine.
How does state partitioning prevent cross-site tracking?
State partitioning stores cookies, localStorage, and cache per origin with an additional top-level site key. A tracker embedded on site A stores data under (tracker.com, siteA.com) and on site B under (tracker.com, siteB.com). The two cannot be correlated.
Challenge: Configure Firefox with all privacy hardening settings from this guide. Install uBlock Origin and Privacy Badger. Visit fingerprinting test sites (browserleaks.com, fingerprintjs.com) and compare your fingerprint before and after hardening.
Mini Project
Set up three browser profiles: a default Chrome profile (baseline), a hardened Firefox profile with uBlock Origin and Privacy Badger, and a Tor Browser profile. Visit the same 10 websites with each profile. Capture the browser fingerprint from each visit using fingerprintjs.com. Document the differences in fingerprint uniqueness and the number of trackers blocked.
FAQ
Does using a VPN make browser fingerprinting irrelevant?
No, a VPN changes only the IP address. The browser fingerprint (screen resolution, fonts, canvas hash) remains the same. A persistent fingerprint combined with a residential VPN IP can still identify users uniquely across sessions.
Can websites detect that I am using Tor?
Yes, Tor exit node IPs are publicly listed. Many websites block or CAPTCHA Tor exit nodes. Tor Browser's security features also create detectable patterns (disabled WebGL, fixed window size) that fingerprinting scripts can identify.
Is incognito/private mode sufficient for privacy?
No, private mode only prevents local history storage. Websites can still track you through fingerprinting, third-party cookies persist within the session, and your ISP can see all traffic destinations. Private mode is for local privacy (shared computers), not online privacy.
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro.