Tips for Better Browsing - Privacy and Security


   This page is intended to provide basic information about online security and privacy, as it relates to the browser you use. The tech. media have concocted an ongoing browser "contest", obsessed with comparing the webpage loading speed of various browsers, which is largely irrelevant. Seldom do the media provide useful information about rendering differences, security settings, etc. With that in mind, this page attempts to provide concise explanations of the major privacy and security issues, then explain how those issues are dealt with in various browsers.

   Note that while there are more browsers available for Windows than those listed here, all of them are variations on one of 3 browsers: Mozilla (Firefox, Pale Moon), Apple WebKit (Chrome, Safari, Opera) and Internet Explorer (IE). Any browser not listed here is probably just a "skin" on top of Internet Explorer. Those browsers might look different or have some special features, but basically they are IE.

Better Browsing... Information

Security and Privacy Factors

Javascript
   Script refers to executable code in text form. A webpage mainly consists of HTML. HTML tells the browser how to display the page. Script is used to make the page interactive. Many webpages use script. Very few need to. Most web designers do not understand script. Most do not understand the risks associated with using script. Most do not even understand the HTML code that makes up their webpages. So they often use script without being aware of it. They just wanted to jazz up their webpage design. In some cases their webpages will not even be viewable unless you enable script.

   Script is so common that web designers, and even security experts, usually don't give it much thought. But script is implicated in nearly all online security problems. Script is also implicated in many privacy problems online. The single best thing you can do in terms of privacy and security online -- by far -- is to disable javascript. But that may not be so easy for many people. Most websites do not actually require script to function, but some very popular interactive sites -- such as free webmail, Facebook, etc. -- will not work without script enabled.

   One solution to the problem of script might be to use a particular browser only for specific sites that require script, and use another browser, configured with safe settings, for all other online activity.

Cookies
   Cookies are chiefly a concern in terms of privacy. A "cookie" is just a small text file saved on your PC by a website that you visit. Usually that file contains something like an ID number that allows websites to recognize you when you visit. Cookies were invented in the early days of the Internet to allow for continuity between webpages. For instance, if you fill out a multi-page form online, a cookie might be used to keep track of your entries as you move between webpages. Cookies can also be used for semi-permanent data: If a website "remembers" your login name it does that through a cookie.

   Today, cookies are generally not needed to provide continuity. They may still be used to store login data. But for the most part cookies are being misused -- to track people online. If you do not block cookies then you almost certainly have dozens -- perhaps hundreds -- stored on a virtually permanent basis. That multitude of cookies is used by various online advertising companies, retailers, etc. to track your activities. Cookies were specifically designed to function only for the website of origin. That design was meant to protect privacy. But various tricks are used to get around that limitation. For instance, Google/Doubleclick has ads hosted on most webpages. If you visit a webpage with a Doubleclick ad you are also visiting Doubleclick.com (in order to retrieve the ad image). The result is that Google/Doubleclick can save a "3rd-party cookie" on your PC. With Google/Doubleclick ads on most major websites, the Doubleclick cookie no longer functions as a cookie. It becomes something more akin to a radio tracking collar, following your actions online in real time.

   All browsers can block cookies, but they only block the creation of new cookies. If you want to block cookies altogether you also need to delete all cookies previously stored.

   For an in-depth explanation of cookies, cookie abuse, and the lesser-known problem of "super cookies", see the Online Privacy Tips page.

IFRAMEs
   "IFRAME" is HTML code. A webpage is composed mainly of HTML. HTML uses keywords, known as "tags", to specify webpage layout and content to the browser. IFRAME is one of those tags. It is short for "inline frame". An IFRAME is basically a rectangular area of a webpage that contains an entirely separate webpage. For instance, a webpage at www.somewhere.com could use an IFRAME to display the search page at www.google.com in a box. It's as if you had two browser windows open, at different URLs, but they're actually on the same page.

   IFRAMEs are entirely unnecessary in terms of webpage functionality, yet they have become increasingly common. The situation is similar to the problem of javascript: IFRAMES are a security risk and a privacy risk. But that also makes them attractive to corporate snoops and advertisers.

   There are two very different, but important problems with IFRAMEs:

1) IFRAMES are used in a large number of online attacks that use what is known as "cross-site scripting". The design that allows webpages within webpages is inherently insecure.

2) IFRAMES are used for snooping: Major online advertising companies like Google/Doubleclick want to track you online so that they can show you "targeted" ads and thus charge more money for those ads. One way to track you is via cookies. They generally have little trouble tracking you online because most major websites host ads from these companies. If you block 3rd-party cookies then advertising companies have a more difficult time tracking you. For example, if you visit youtube.com there may be an ad there from Doubleclick. Doubleclick cannot put a cookie onto your PC if you block 3rd-party cookies because you are not actually visiting Doubleclick.com. But advertisers came up with an ingenious way to get around that limitation. They put each ad inside an IFRAME. The resulting webpage looks exactly the same as it did before, but each ad is also actually a unique webpage. You might have 10 different webpages loaded in what looks like a single webpage -- with 9 of them containing only a single image-advertisement. So none of these ads is 3rd-party. Technically you are visiting all 10 websites directly. The page you chose to visit forced you to visit the other sites by loading them into IFRAMEs. That means that 9 companies you may have never heard of, and didn't mean to visit, can save a cookie on your PC. The end result is that numerous companies can follow you around online through a "cookie tracking collar", even if you block 3rd-party cookies. (Ironically, Google, Doubleclick and YouTube all happen to be the same company. That's a good example of the problem with allowing any cookies at all. Even if you block both 3rd-party cookies and IFRAMES at YouTube, you're still allowing DoubleClick to track you, because DoubleClick is Google is YouTube!) Aside from the 3rd-party cookie problem, loading ads from massive ad servers like Google/Doubleclick allows another kind of tracking: The ads themselves -- image files -- function as "web beacons". Each time your browser loads a Google/Doubleclick ad it sends your IP address, referrer, etc. to Google/Doubleclick. Since Google/Doubleclick ads and Google's AdSense ads are extremely common online, if you allow the ads to load you can effectively be watched as you move around online. (This is not only a Google/Doubleclick problem. Google/Doubleclick is the most ubiquitous, but there are a number of very large ad serving companies operating online; not to mention the IFRAMES used by Facebook's Like button, etc.)

   Note that IFRAMES are not the only way that websites use web beacons. If you want to stop web beacons you have to prevent loading any files from the offending server. Also, at least in the case of Mozilla browsers, blocking IFRAMES is done by blocking their display. That may not block the browser from retrieving the IFRAME content. If the browser retrieves the content, even if you don't see it, your IP address has still been sent to the tracking server. So it's best to combine blocking IFRAMES with a HOSTS file. For more on that see the HOSTS file topic and the Firefox/Pale Moon settings topic.

   A dramatic demonstration of the ubiquity of IFRAMES can be seen if you block the major ad servers in your HOSTS file but do not block IFRAMES. That will prevent the ads from being retrieved and you'll find that many webpages will be littered with tiny browser windows showing a 404 "Error loading" webpage!

   By blocking IFRAMES you will significantly improve online security, reduce snooping, and reduce the number of ads you see, but there are also disadvantages: Some webpages may not work properly. For instance, some webmail sites are constructed with multiple IFRAMEs. If you use hotmail or gmail you may find that the website is blank when IFRAMEs are blocked. In fact, unnecessary use of IFRAMES seems to have increased with the increase of IFRAMEs for ads, which seems to indicate that some companies are deliberately trying to make IFRAME-blocking unrealistic. As with javascript, it may be easiest to use one browser for a few specific sites, then use a second safe browser -- with script, cookies and IFRAMEs disabled -- for all other online activity.
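
   As an added illustration (not part of the original page), the Python sketch below lists every outside server a webpage makes the browser contact, separating pages loaded in IFRAMEs from other embedded files such as beacon images. The sample page and every host name in it are constructed.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute whose URL the browser fetches automatically on page load.
FETCHING_TAGS = {
    "iframe": "src", "frame": "src", "img": "src", "script": "src",
    "embed": "src", "object": "data", "link": "href",
}
# <link> only triggers a download for these rel values.
FETCHING_RELS = {"stylesheet", "icon", "preload"}
FRAME_TAGS = {"iframe", "frame"}


class EmbedAudit(HTMLParser):
    """Record every outside host a page makes the browser contact."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.hosts = defaultdict(set)  # host -> tags that pulled it in

    def handle_starttag(self, tag, attrs):
        attr = FETCHING_TAGS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_RELS:
                return
        url = attrs.get(attr)
        if not url:
            return
        # Resolve relative and protocol-relative (//host/path) URLs.
        host = urlsplit(urljoin(self.page_url, url.strip())).hostname
        # Exact host comparison: a subdomain counts as a separate server.
        # Styling is ignored on purpose: a frame hidden with display:none
        # is still counted, because hiding it may not stop the retrieval.
        if host and host != self.page_host:
            self.hosts[host].add(tag)


def audit(page_url, html):
    """Return outside hosts split into framed pages and other fetched files."""
    parser = EmbedAudit(page_url)
    parser.feed(html)
    parser.close()
    framed = sorted(h for h, tags in parser.hosts.items() if tags & FRAME_TAGS)
    other = sorted(h for h in parser.hosts if h not in framed)
    return {"framed": framed, "other": other}


# Constructed sample page; every host name here is made up.
SAMPLE_URL = "https://news.example/story.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://fonts.typefaces.example/css?family=Sans">
<link rel="canonical" href="https://mirror.example/story.html">
<script src="https://cdn.libs.example/lib.js"></script>
</head><body>
<img src="/img/logo.png">
<p>Story text. <a href="https://elsewhere.example/">A link is not fetched.</a></p>
<iframe src="https://ads.adnet-one.example/slot?id=1" width="300"></iframe>
<iframe src="//ads.adnet-two.example/slot" style="display:none"></iframe>
<img src="https://beacon.metrics.example/p.gif?ref=story" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    result = audit(SAMPLE_URL, SAMPLE_HTML)
    print("Loaded as framed pages:", ", ".join(result["framed"]))
    print("Other files fetched from:", ", ".join(result["other"]))
```

   Each host in either list receives a request from your browser when the page loads, whether or not anything from it is visibly displayed.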

Flash
   Flash is Adobe's animation software. It is often used to show cartoons or animated graphics on a webpage, similar to TV graphics. For example, images might move, change, zoom in, zoom out. Text might appear and disappear. Flash is just decoration, but it's fashionable decoration. Many web designers like it to provide the appearance of an active page, like a TV broadcast, regarding a static page as dowdy and outdated. ("Content is just so 90s.") Ironically, there is really nothing active about Flash. The animation is just a static loop that repeats -- like a complex animated GIF.

   But Flash is more than just a tedious cartoon distraction. A Flash cartoon is actually a separate program. Whenever you see Flash on a website you are actually looking at a small cartoon movie that your browser has downloaded. The movie is also executable, like a program. And it uses script. Since Flash is basically an executable file, there have been a number of online attacks that have targeted Flash vulnerabilities. Flash is also a privacy problem due to Flash "super cookies".

   If you disable Flash -- remove the Flash Player plugin -- you will be safer, you will plug an obscure privacy hole (see the super cookies topic on the Privacy Tips page) and you will see a lot less annoying, garish cartoons and animated ads online.

   However, if you disable Flash you may also be unable to view videos online at sites such as YouTube. Flash is not actually necessary to show online video. Websites like YouTube could just let you download a video file. And Flash alternatives like HTML5 are increasingly being used. But most sites "stream" video using functionality provided by Flash, so that you can see the video but are blocked from saving the copy of the file that you download. That way you have to return to their website, and see more ads, if you want to view the video again. (Streaming makes the video appear like a TV broadcast, even though it's really a download. All webpages are composed of code with text, images, video, sound, etc. All of those elements are files that you download. Your browser then puts the files together to create a webpage based on directions in the webpage code. You cannot see an online video without downloading the video file.)

Risky bloat
   Risky bloat refers to Java, PDF readers such as Adobe Acrobat Reader, Microsoft's .Net Silverlight, plugins, toolbars, etc. All of these things provide slight convenience in some respect. You might find a specific toolbar useful. You might like the convenience of reading PDF files in the browser window. You may be required to use Silverlight or Java when you access certain highly interactive sites.

   In general, none of these things are necessary, but most of them are aggressively marketed. All carry some security risk. In particular, Adobe products (Flash and Acrobat Reader), Microsoft Office and Java have been the source of numerous exploits. (See here and here.) Only script itself is more risky than the most commonly used browser add-ons.

If possible, remove all connections between your browser and any of these extra, executable plugins.

HOSTS File and Ad Blocking
   In brief: Use of a HOSTS file goes back to the early days of the Internet. When you visit a website your browser has to look up the IP (Internet Protocol) address. It's as though every website had its own telephone number. You can't just go to www.somewhere.com. Your browser has to look up the IP address of www.somewhere.com and "call that number" in order to contact the website. A HOSTS file is like a phone book. It can be used to set the IP addresses of websites. All browsers will check for a HOSTS file listing before going online to get an IP address. If you set the IP address of www.somewhere.com to 127.0.0.1 in your HOSTS file then browsers will think somewhere.com is on your PC and will not retrieve any content from that domain. So a HOSTS file is a very simple ad and spyware blocker. You can use it to block your browser from visiting any number of URLs.

   A HOSTS file provides perhaps the easiest and most thorough way to greatly reduce online tracking while also eliminating the vast majority of ads online. It is not browser-specific. It works with any browser. Also, a HOSTS file does not block honest ads that are actually on the webpage you visit. It only blocks third-party tracking ads from sites that you never chose to visit in the first place. Yet, strangely, most people do not know about the HOSTS file.

For a full explanation of HOSTS files, and a sample HOSTS file, download the HOSTS file package.
There is also a more in-depth explanation of HOSTS files on the Privacy Tips page.


A Super HOSTS File Option:

   A HOSTS file allows you to block contact with any number of websites, but the URLs are specific. If you block ads.doubleclick.net that will not block contact with ad.doubleclick.net. However, that kind of blocking is possible. The open source program Acrylic DNS Proxy provides a proxy DNS server. What that means is that when your browser tries to call out to find the address of a given URL, Acrylic handles that call. Part of the Acrylic function is a custom HOSTS file. Acrylic allows for wildcards. So you can block all of doubleclick.net by blocking *.doubleclick.net. The HOSTS file download here now includes information and a sample to help in setting up an Acrylic HOSTS file.
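
   The difference between the two kinds of matching can be seen in the added Python sketch below (not part of the original page or of Acrylic). It parses HOSTS-format text and looks names up first with exact matching, as a plain HOSTS file does, and then with wildcards. The sample entries are constructed, and shell-style matching is an assumption used to approximate Acrylic's wildcards.

```python
from fnmatch import fnmatchcase


def parse_hosts(text):
    """Return [(address, name), ...] from HOSTS-format text."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no name is not a usable entry
        address = fields[0]
        # One line may list several names for the same address.
        for name in fields[1:]:
            entries.append((address, name.lower().rstrip(".")))
    return entries


def lookup(entries, hostname, wildcards=False):
    """Return the address of the first matching entry, or None.

    None means the HOSTS file has no say and the name goes out to DNS.
    With wildcards=False every entry is a literal name, as in a plain
    HOSTS file. With wildcards=True, '*' and '?' in an entry are matched
    shell-style (assumed here to approximate a wildcard-capable proxy).
    """
    hostname = hostname.lower().rstrip(".")
    for address, name in entries:
        if name == hostname:
            return address
        if wildcards and ("*" in name or "?" in name):
            if fnmatchcase(hostname, name):
                return address
    return None


def blocked(entries, hostnames, wildcards=False):
    """Return the hostnames that the entries redirect to this PC."""
    return [h for h in hostnames
            if lookup(entries, h, wildcards) == "127.0.0.1"]


# Constructed sample files, using the names discussed in the text.
PLAIN_HOSTS = """
# plain HOSTS file: each name is matched exactly
127.0.0.1   localhost
127.0.0.1   ads.doubleclick.net     # blocks this one name only
"""
WILDCARD_HOSTS = """
127.0.0.1   *.doubleclick.net       # every name ending in .doubleclick.net
"""
VISITED = ["ads.doubleclick.net", "ad.doubleclick.net",
           "doubleclick.net", "www.somewhere.com"]

if __name__ == "__main__":
    plain = parse_hosts(PLAIN_HOSTS)
    wild = parse_hosts(WILDCARD_HOSTS)
    print("plain file blocks:      ", blocked(plain, VISITED))
    print("wildcard entry blocks:  ", blocked(wild, VISITED, wildcards=True))
    print("same entry, no wildcard:", blocked(wild, VISITED))
```

   Note that under this matching the pattern *.doubleclick.net does not cover the bare name doubleclick.net, which would need its own entry.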

Windows Vista/7 note: Windows Vista/7 is severely hobbled by restrictions, and in later versions of Windows Microsoft has hidden the HOSTS file in an obscure, restricted corner of the file system. That creates problems. There is a partial explanation here. Some anti-virus programs may also control or monitor the HOSTS file. If you want to be able to edit or replace the HOSTS file on Windows Vista/7 you will need to change the permissions and curtail any malware/AV software that might get in the way.

Geo-location Spying
   This topic is covered on the Privacy Tips page, but it's repeated here because it's a browser-specific issue. Geo-location is a stunningly intrusive addition to browsers, yet many people are not aware of it. Most browsers now support geo-location. Most do not provide clear settings.

   How geo-location works: If you use a cellphone or wifi-equipped computer, hardware in that device communicates with cell towers or wifi access points, respectively. Your location can then be calculated based on which towers or wifi servers you contact and how long the transmission takes.

   Any website can collect that information. They need only add a snippet of simple code to their webpage. Or any number of 3rd-party actors who have scripts linked into that webpage can do it. They ask the browser for geo-location data. If you're lucky the browser asks you for permission to provide it. Then the browser calls a service, most likely to be Google, with the data collected from your device and the service returns latitude/longitude coordinates, potentially accurate to within feet. The browser then relays that data to the website.

   There are several ramifications to this. First, the website may know exactly where you are. Since they probably want that information for targeted ads, the companies advertising on their website probably also know exactly where you are. Since Google uses numerous tracking techniques on most commercial websites (Google Analytics website tracking, cookies, Doubleclick ads and web beacon, Google fonts, Google javascript libraries such as jquery) it's very likely that Google already has a record of your travels online as a result of their extensive tracking. That means they're tracking your IP address. When your browser then calls Google for location data it has to send your IP address. So Google ends up with your browsing history and they've matched it to your exact location. All you had to do was to allow geo-location service on only one website. Now they know where you live... Or they know you're in the produce aisle of the local supermarket... With enough repeat tracking they can know where you live and they can know your habits, your social contacts, etc.

   If you use a Mozilla browser (Firefox, Pale Moon, K-Meleon) you can, at least, disable geo-location. See below for details about that.

The New Push Internet: Shut Up and Bend Over
   Since the early days of the Internet there has been the idea of "push" and "pull" webpages. Pull means you go to a website and your browser requests the webpage. You "pull" the page you want to read. Pull is how the Internet was designed to work. The webpages are primarily static content, posted in a publicly accessible location. They can be viewed and read by anyone who wants to do so.

   Push means that the website takes the initiative, sending something to you without being asked. Push is slowly showing up in browsers as an option to "opt in" to messages sent by websites. In general that means ads or service notifications.

   Many commercial sites have long wanted to migrate toward a push approach, turning the Internet into something like interactive TV, with an emphasis on commercial services, ads and shopping. Naturally that idea has never really taken off. The attempts, and failures, to popularize push webpages go all the way back to Windows Active Desktop (1998), with the idea that people could subscribe to websites and stick them to their Windows desktop. But subscribe to what? Ads, mostly. Even Bill Gates could only think of tired, pointless ideas: Self-updating weather reports and stock quotes as excuses to show ads.

   Since the intention with push is to show ads and sell services, the so-called content -- if, in fact, there is any beyond ads -- quickly degrades into lowest-common-denominator entertainment. Facebook and Google are obvious examples of how badly wrong things can go. Facebook started out as a way to be in touch with friends. Google started out as a search engine with contextual ads on the side of the page. Both are now primarily spyware/adware companies whose business models call for spying as much as possible in order to show you as many targeted ads as possible... and doing anything necessary to keep you on their websites. Both have become push-oriented in order to constantly increase profits. Google news? That hasn't actually been news at all for several years now. Rather, stories are selected for you personally, with the intention of getting you to stick around and view more ads. (A critical point to understand here is that all of this spying, tracking and personalizing can only be done in earnest if you allow script.)

   More recently, a more insidious approach has developed. It might be called passive-aggressive push. Commercial websites design their pages to only be functional if you allow script, cookies, video, etc. Not only must you allow those things. You must watch ads and allow the website to decide what the webpage will be. You must allow them to spy on you, profile you, then dynamically generate a page full of ads, spyware and "content" that's geared to you personally. The page ends up being what they want you to see, not a static presentation that you choose to visit. News stories, retail prices, layouts and ads are all customized in accord with information they collect about who you are.

   You ostensibly visit the website in traditional pull mode. But actually, the page you visit is really a fullscale software program that runs on your computer. It's really a pushed product.

   An increasing number of sites are actually breaking their websites rather than allow pull access. Forbes, for example, embeds their whole page in script, so that their webpage is actually blank unless you allow them to spy, profile, show ads, and customize the content. Forbes would rather break their website than let you see it without your browser being under their control.

   A smaller but interesting example is the Patriot Ledger, a small, local newspaper outside Boston that's taken the tragic approach that no one will see any of their website without subscribing. The actual text of their news stories is embedded in JSON code, meant to be readable only after being rendered by javascript!

   An obvious problem with these approaches, especially by journalists, is that it goes against the design of the Internet. A company puts their website out in public, for anyone to see, but then tries to control who can see it. It's unrealistic. But it's also dishonest. Forcing people to pay for news reports is one thing. Forcing them to allow surveillance and targeted ads, while trying to hide that aspect, is another thing altogether. Would they embed little cameras and microphones in their print version if it were possible? Would you allow them to spy on you while you read their magazine or newspaper?

   It's happening online only because it's easy and relatively invisible. These companies claim they need to spy in order to pay for the content. But Google made billions with contextual ads before they started spying. In other words, a news site can show contextual ads, with an ad for jewelry alongside a fashion article, or ads for cars alongside sports articles -- just like they do in the newspaper. There's no excuse for customer surveillance.

   Some sites now do things such as obscuring webpages with big, gray rectangles. They don't officially require script. They just make their webpages unreadable if script is disabled. The script is used to remove the big, gray rectangle. Other sites make images non-visible without script, or deliberately break their links.

   There are also security problems with this trend, besides the obvious, dishonest sleaze factor. To begin with, script is responsible for nearly all security risks online and many privacy intrusions. For that reason, script was being phased out until a few years ago, when its strategic value for commercial pages became obvious. Script allows a website to find out more about who you are, allows them to watch what you do, what you read, and where you move the mouse. Script also allows tricks like autoplay video, disabling the context menu, forcing popup windows, etc. None of those things can be done without script. Script turns a webpage into a software program. (To get an idea of just how exposed you are by enabling script, visit Panopticlick, operated by the Electronic Frontier Foundation, and see how much you're telling to websites you visit. Most of what they can find out requires javascript.)

   This is the new push. What's new is that it's no longer asking you to subscribe to notifications. It's push masquerading as pull. Shut up and bend over. Or don't try to visit our website.

   What can you do about the new push? Your options are real, but limited. A website like Forbes.com or patriotledger.com, mentioned above, is simply broken. It's not worth trying to fish through their webpage source code for the content. And since very few websites are truly critical sources of information, one can just skip such sites altogether. They're refusing to let you actually see their webpage unless you hand over control of your browser, your privacy and your security.

   Many other websites are deliberately designed to malfunction if script is disabled, but are not entirely broken. Disable script and you might not be able to see the content. Some may appear blank. Others may display headlines in an unreadable jumble of text. For those sites it will often work, in most browsers, to go to the View menu and select "No Style". The dysfunctional pages are usually made with deliberately faulty CSS, which is then repaired by script when the page loads. Reading a webpage without style (formatting) is generally not very attractive, but it's often the most functional way to read it. In fact, many sites like the New York Times or Washington Post, which allow you to read their articles without script enabled, nevertheless have such poorly designed pages, with gigantic text and triple line spacing, that reading the page text as it's meant to be can be a tedious task, simplified by disabling styles.

   Beyond disabling styles there's not much you can do with a broken website. Just bend over, or go elsewhere. The new push won't stop unless people reject it.

Usurping the EU General Data Protection Regulation to Push the New Push
   As of June 2018, the EU's General Data Protection Regulation (GDPR) is in effect to force websites to get permission before collecting private data. The idea of the law is to make sure people online 1) know what information is collected and 2) grant permission before the collection happens. But many sites are using the GDPR to augment their push strategy by setting up what's being called tracking walls.

   Examples: The Washington Post has been intermittently rerouting visitors to a forced opt-in page. NPR has been intermittently redirecting to a page that presents a choice between tracking or a plain text version of their website. NPR is theoretically a non-profit news corporation. Yet their tracking wall requires that visitors enable script and permanent, 3rd-party spyware cookies from the likes of Google in order to see their website. If you don't agree they'll dump you to a blank page with plain text links, seemingly out of spite.

   These tracking walls are even being aimed at US visitors who are not covered by the EU law. In other words, the law that is supposed to protect privacy is being used to do exactly the opposite -- ensure no privacy by giving visitors an ultimatum: You remove all restrictions to our ability to track, spy, identify who you are, and target ads at you, or you can't visit our website at all.

   Interestingly, Max Schrems of None of Your Business has filed lawsuits to force compliance with the spirit of the law. It remains to be seen whether GDPR ends up being an improvement. (An ironic twist to this story. We originally intended to use a link to a Reuters story rather than the techcrunch link above, but Reuters have instigated their own unique style of spyware tracking, which they add to URLs. The webpage with the story won't load unless it has a unique ID code appended. That is, if we provided a link to the Reuters story it would tell them where you got the link, where we got the link, where that source got the link, and so on.)

Browsers

   A good browser should have a button on the toolbar that says, "Allow script for this site only." Likewise for cookies and Flash and IFRAMEs. All of those things are in conflict with online security and privacy. If they are not disabled by default, and very easily enabled for a particular website, the browser cannot both work well and be safe to use. Unfortunately, due to the demands of convenience, online commerce and corporate greed, there is no browser that is both safe and highly functional at the same time.

Internet Explorer
   In a nutshell, Internet Explorer (IE) is a mess. Versions 6, 7 and 8 are all different in terms of how they render webpages. Each version has become more dysfunctional than the last, with silly security warnings and restrictions. And all of the important security and privacy factors listed above are difficult to manage in IE. Over the years, IE settings have gone from complex, to convoluted, to arcane, to downright outlandish.

Javascript: There are several script-related settings in IE. It is no small job to sort out the numerous, obscure and generally undocumented settings that make up IE's "Internet Options". If you do manage to figure out which settings you want to change, you may or may not be able to really change them. Each setting appears in 5 different "zones", and the 5 zones appear in up to 8 different locations in the Registry. So there are potentially 40 different Registry settings for each setting in Internet Explorer's Security settings! Most of those settings are not accessible except to Registry experts. In fact, this bizarre system was developed so that corporate system administrators could override employee settings without the employees' knowledge or control. The Internet Explorer settings are unusable. Period.

Cookies: Cookie settings are on the IE privacy tab. Like the script settings, they are a good example of a common Microsoft trick. Settings are made so complex, convoluted and abstruse that few people ever use them. In the case of cookies, the actual settings are hidden behind an intimidating "Advanced" button.

IFRAMEs: There is no IE setting to disable IFRAMES.

   IE is designed especially for corporate use. The settings are extremely complex and confusing by design. That allows corporate IT people to control the Internet settings of employees, and it allows Microsoft, in effect, to control the Internet settings of everyone else. Basically, IE is not safe for use online and cannot be made safe through any reasonable efforts. For a thorough discussion of problems with IE, see The Wacky World of Windows Internet Security.

Side note - Is Windows slow? It may be the fault of IE's cache:

   This is not a web browsing issue, per se, but it's a problem that many people experience without knowing the cause. Windows starts out fine, but then over time it gets slower and slower. Many things can cause that: junkware toolbars, bloated anti-virus, etc. But perhaps the most common cause is Internet Explorer's cache. IE stores visited webpages, like any browser. But IE is unique in that it is entangled with Explorer, the Windows file viewer. IE is also unique in that the size of the cache is not usually specified. It's not unusual for IE to have a cache size in excess of 1 GB! Windows then tracks all of that rubbish, bringing Desktop navigation to a crawl. To fix that, go to Internet Options -> General. Under "Temporary Internet Files" click Delete Files. Wait for all files to be deleted, then click it again. (It doesn't work very well sometimes.) Next, click Settings. In the area to select "amount of disk space to use", set the number at something like 10 MB or less. (These days, with high speed Internet and frequently changing webpages, the cache is of little use.)


Opera
As of mid-2013, the original Opera browser no longer exists.

   The new Opera browser is an unmitigated disaster. Opera used to make their own browser, which included a large number of custom settings options for privacy and security. As of mid-2013 that's all changed. Opera has been reduced to commercial drivel. It's now an adware wrapper around WebKit and looks very much like Apple's work: a kiddie-cartoon interface with annoying, pointless window animation and very few settings options. All of the unique customizing settings that made Opera desirable have been removed. Even many of the standard customizing options have been removed: The option for a homepage has been replaced with an adware page called "speed dial". There is no way to control the new "super cookies" stored data. There isn't even an option anymore to not send mistyped URLs to a search engine!

   Also, Opera is still spyware. It tries to go online and run its updater, without asking, as soon as the program is started. It's hard to imagine any reason that anyone would want to use the new Opera, unless one is a big fan of WebKit and thinks that the Opera people might be less sleazy than Apple and Google (the other makers of WebKit browsers).


Chrome and Safari
   Chrome and Safari are both based on Apple's WebKit browser core.

   Chrome is made by Google, a company with a shocking disregard for privacy. Chrome reflects the Google attitude, with very few settings options to choose from. If you're a Facebook fan, mainly visiting interactive websites with little concern for protecting your privacy, then Chrome may be a good browser to use. That's what it's designed for. The Googlites envision an Internet as interactive TV, where webpages are commercially operated, script-based software that tracks and responds to your every action -- while advertisers calculate your "personalized marketing exploitability profile" based on your geo-location, gender, age, browsing history, etc. ...And Google makes a cut from the vast majority of webpages -- every time they're visited.
   If you prefer not to be tracked and recorded in everything you do online, with targeted ads chasing you wherever you go, avoid anything Google.

   It would be difficult to overstate either the ubiquity and sophistication of online tracking and privacy intrusion, or the ignorance of that tracking on the part of the general public. Online tracking comes close to being wiretapping, and Google is arguably the worst culprit. If you read Google's official privacy policy for Chrome you'll see that Google seems to be almost respectful of privacy. Their policy mentions cookies and a few other "harmless" privacy issues that can be disabled. Chrome seems to be almost squeaky clean. The average person would read the Google privacy policy as reassuring.

   What Google does not explain in their policy is that cookies are just a small part of the Internet privacy issue. The spyware role of cookies can be filled by script, web beacons, referrers, Flash cookies, etc. In many cases it will make no difference whether you enable cookies. You can still be monitored via IP address, script, web bugs, etc. as you travel from site to site. You can even be watched, in many cases, as you move about on a particular webpage. Dishonestly, secretly, intruding on your privacy has become a critical part of business for many online companies -- especially for Google. Google is actively opposing a proposed California law to protect online privacy. Google's former CEO, Eric Schmidt, has been widely quoted as saying, in reference to online privacy, "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place." Google is Doubleclick, the largest online advertising company. Google is not in the search business. Google is in the advertising business. And the more they know about you, the more they can charge for "targeted" ad space on the pages that you view.

   First Google helped to create "the information superhighway". Then Google helped to transform that resource into the international eShopping mall that the Internet has become. Today Google serves a role in conflict. By weighting search results based on incoming links from other sites, Google has heavily commercialized search results. And many, perhaps most, of those results link to pages hosting Google/Doubleclick ads. Further, Google actually acknowledges in their privacy policy that Chrome is spyware. Google Update installs itself without permission as a separate program, spying on you and updating Chrome without permission. From the Chrome privacy policy: "Google Update also sends other information... how many people are using Chrome and how often they use it... whether you used Google Chrome in the last day, the number of days since the last time you used it, and the total number of days that Google Chrome has been installed."

   Given all of that, do you really want to use a browser provided by Google? Google will say they "anonymize" the collected data. Most companies say that. But it's a myth. There is no such thing as anonymized data where computers are concerned. That's the whole point of software databases: They provide the ability to process collected data in any number of ways. Further, Google's whole business is based on targeted ads. How can anyone believe that they collect the data they need for that purpose, but then don't fully use it?

   Safari is at least twice as bloated as any other browser. It is not widely used, even though Apple tried to trick Windows users into installing it. And Safari, of course, is made by Apple, a company that has repeatedly demonstrated contempt for their customers -- like a car company that sells you an overpriced car and then rigs that car so that you also have to buy their overpriced gas. If you're not an Apple cultist, following the crowd in thinking that you "think different", there's really no reason to deal with any sort of Apple product. People using Windows have lots of other options.


Firefox / Pale Moon
   Of the browsers already mentioned, IE, Chrome, Opera and Safari are seriously flawed. That leaves only Firefox and Pale Moon as good browser candidates. (K-Meleon used to be listed here, but K-Meleon has not been updated for several years now.) Firefox and Pale Moon are the same browser underneath. They have been going downhill in recent versions. (FF v. 23 requires an add-on to remove tabs and removes javascript control from the main settings!) Nevertheless, Firefox and Pale Moon are the lesser of the evils when compared to Google's spyware, Opera's adware, and Microsoft's disaster. Firefox is somewhat the more polished of the two, and also more bloated. Pale Moon is nearly identical to Firefox, but provides a slightly leaner product by leaving out some functionality that many people don't need.

   Firefox started out as a lean, honest alternative to IE. It was a non-profit venture. Firefox, therefore, should be the best browser; the people's browser. But over time Firefox has become more bloated and less honest. Mozilla, the organization that makes Firefox, now get most of their funding from Google. Google wants to show lots of ads to lots of people online. Not surprisingly, Firefox has gradually changed to satisfy the wants of Google, and the Firefox settings reflect that. In Firefox 1 there was a setting to block 3rd-party images (ads). In Firefox 2 that setting was removed, only available through the confusing and semi-secret "about:config" settings. And the value of the setting was deliberately changed to cause confusion. Things have gone downhill from there. In Firefox 3, cookie settings were hidden behind a "Custom Settings" button under "History". There is no setting, even in about:config, to change the browser referrer. One has to know enough to add that setting. In recent versions even changing javascript settings requires a visit to "about:config".

   The folks at Mozilla have taken a lesson from Microsoft: Don't remove options entirely. Just make them impossible to figure out. That way the option is effectively removed without confrontation, and many people will just blame themselves for being "stupid when it comes to computers".


Custom Settings Specific to Firefox and Pale Moon
Tabs: Many people like tabs, but for those who don't, controlling them gets ever more difficult. First the settings became obscure. With Firefox v. 23 the only way to not use tabs is by installing a special extension!

Javascript: Settings in Firefox are straightforward up to version 22, located in Tools -> Options -> Content. (While there you can also disable Java, which is rarely used by anyone online.) Starting with v. 23, the only way to change script settings is through about:config.

Cookies: Settings, as mentioned, are hidden behind a "Custom" button in Tools -> Options -> Privacy.

IFRAMEs: There is no specific setting for IFRAMEs in Firefox, but they can be disabled in various ways:

1) In about:config all frames can be blocked with the following setting:
Setting: browser.frames.enabled  Value: false
One caveat about that setting: It will also block FRAMES. Frames have been gradually phased out over the years. Few sites still use them. But with this setting, any site that does still use them may be blank.

2) The NoScript extension for Firefox/Pale Moon has an option to block IFRAMES. The disadvantage with that, of course, is that it means installing an extension. But NoScript is very well designed and very useful. And the Mozilla people have been making such an inflexible mess of Firefox/Pale Moon in later versions that extensions have become almost unavoidable for people who want to choose how their browser behaves.

3) IFRAMES can be hidden by using the custom styles file in Firefox/Pale Moon. Note that hiding IFRAMES will not stop them from loading and will not stop javascript from running in them. It will also not stop 3rd-party ads or web bugs from loading in them. It will only prevent them from displaying. But that may be useful if you only want to get rid of the numerous IFRAMES that host 3rd-party ads. Add the following line to userContent.css:

IFRAME {display: none !important;}

Note: Ideally, blocking IFRAMES should be used in conjunction with a HOSTS file, especially if you only hide them via userContent.css. See the HOSTS file topic above.

Plugins: To disable Flash or other plugins, go to Tools -> Options -> Main -> Manage Add-ons. If you want to remove plugins, look in C:\Program Files\Mozilla Firefox\plugins or in the program folder for the company. (Ex. Program Files\Adobe\...).

Beware the Phishing Filter:

   If you are concerned about privacy you will probably want to disable the ridiculous phishing filter in Firefox. In addition to being essentially spyware, the phishing filter depends on information that is likely to be outdated. The way the filter works is to check the website URLs you visit against a blacklist of known scam websites. The list is hosted by Google/Doubleclick. At full functionality the filter reports to Google/Doubleclick every site you visit, in real time. Google/Doubleclick is also using (3rd-party) tracking cookies in these communications. With the phishing filter enabled you will be inviting Google/Doubleclick to watch you (and presumably customize the ads you see ... and presumably sell your "consumer profile" to other advertising companies... ) as you travel around the Internet. Meanwhile, phishing websites can easily relocate once their URL has been added to the blacklist. If you want to avoid being caught by an online scam, a bit of caution and common sense are far more useful, and far less intrusive, than the Firefox (and IE) phishing filters.

   The Firefox phishing filter settings are under Tools -> Options -> Security. Uncheck the two boxes marked "Tell me if the site I'm visiting....". For more thorough blocking, search about:config for "safebrowsing" and remove all URL strings found.

   Firefox and Pale Moon have a number of features that do not show in the standard settings window but which are adjustable. (Pale Moon settings, in this case, are exactly the same as Firefox settings.) Most of these features are not available in Internet Explorer at all, even though several of them (such as the ability to control the referrer header) should be available in any properly made browser.

   Unfortunately, the documentation for these settings is limited, while the format and system for the naming of settings is excessively "geeky". The system for adjusting these settings dates back to the early days of Netscape and it seems that no one has thought to modernize it since then.

   The easiest way to change these settings is to type about:config into the address bar and then hit ENTER. The resulting list is off-putting. It's a very long list of settings with confusing names and no indication of what the possible values are, but many of the settings are at least documented at mozilla.org. For the settings below, right-click the value and click Modify. If the value is not present it can be added with right-click -> New.

Block 3rd-Party Images
   This option is no longer in the settings menu but can still be set in about:config. Image behavior options: 1-accept all images. 2-block all images. 3-no 3rd-party images.
Setting: permissions.default.image Value: 3

Stop Image Animation
   This will prevent animated GIFs from repeating:
Setting: image.animation_mode Value: "once"

Stop CSS Animation
   Some people can't resist overdoing webpage design. Good examples of that in the early days of the Web were animated GIFs, blinking text and Flash cartoons. Much of that junk "noise" is still common, but it can at least be disabled, and Flash can be avoided. More recently, people used javascript to produce similarly maddening, idiotic motion such as "image sliders" or moving/animated items on a webpage. Those can also be disabled, though it requires disabling javascript.

   People who don't know how to control their browser are often accosted by webpages with multiple animations, flashing objects and running videos, like a barrage of ticky tacky neon signs on a strip-mall-infested highway. If one knows how to disable all the junk and is willing to disable script, all webpages can be returned to a state of relative civility. But even with all those things disabled, it is now possible to create similar webpage monstrosities with CSS, using CSS transitions, transforms and animations: image sliders, graphical details that change or move after the page has loaded, fade-ins, fade-outs, etc. A good example of an irritating, involuntary and pointless "image slider" is at the link below. The linked page shows a dizzying, constantly changing set of images, even if script is disabled and Flash is not installed. (Ironically, the page is about meditation.)

http://www.bcbsdharma.org/

   With increasing support for CSS animation, it's bound to get worse before common sense takes hold and the fad dies down. Fortunately, in Firefox and Pale Moon the madness can be stopped through the userContent.css file. Add the following to block CSS-caused movement, image swapping and "transitions" on a webpage:
* {transform: none !important;
   -moz-transform: none !important;
   transition-property: none !important;
   -moz-transition-property: none !important;
   animation: none !important;
   -moz-animation: none !important;}

   Here is an example of a website that provides code for image sliders. This website can be used to test the success of your CSS animation blocking:

http://www.wowslider.com/css-slider-aqua-flip-demo.html

   (Wowslider.com not only provides CSS and script designed to accost you with nonsense animation whether you want it or not. They actually charge money for their code, despite the fact that the code is present in plain text on any website that uses it!)

   Another, unrelated, form of irritating animation is sometimes created by people getting creative with :before and :after pseudo elements. An example of this problem is here:

http://www.theverge.com/a/anatomy-of-a-hack

   Before and after designate content to go just before or just after an element. There are very few legitimate uses for these elements. Webpage "designers" at The Verge added a chartreuse and a magenta text-shadow before and after headings. The effect is a very distracting, irregular flashing of magenta and green lines around the characters in the heading text. Unattractive, irritating and serving no purpose, this is a classic case of "let's do it because we can". The CSS elements involved can be blocked, with little likelihood that any useful page content will ever be missed. (The typical use of these elements is to do unnecessary things like placing an icon next to links.) To disable these elements of CSS, add the following to your userContent.css file:
:before {display: none !important;}
:after {display: none !important;}

Blocking "web beacon" Tracking Bugs
   Blocking invisible, 1-pixel images used to track your travels online requires that you either block 3rd-party images or that you use a HOSTS file. (See above.)

Other useful userContent.css edits
   For those who don't know CSS, a few samples of userContent.css options might be helpful. Even if you do know CSS, some of the code used by Mozilla does not conform to CSS standards. The examples below should provide enough basic guidelines to write your own userContent.css file. Each entry should be on a separate line:

Hide IFRAME elements:
  IFRAME {display: none !important;}
Hide NOSCRIPT elements:
  NOSCRIPT {display: none !important;}
Hide any elements with the ID "SomeID":
  #SomeID {display: none !important;}
Hide any elements of class "SomeClass":
  .SomeClass {display: none !important;}
Hide only TD elements of class "SomeClass":
  TD.SomeClass {display: none !important;}

Prevent blinking text
Setting: browser.blink_allowed Value: false

Block sending referrer header
   This blocks sending of the referrer header, which tells a website where you are coming from if you click a link. That information is used by websites to find out what other sites are linking to them. That's not especially problematic, but if you would prefer to maintain your privacy you can turn the function off. This setting must be added in about:config. The setting has also changed over time. To be thorough, set all of the following:
Setting: network.sendRefererHeader Value: false
Setting: network.http.sendRefererHeader Value: 0
Setting: network.http.sendSecureXSiteReferrer Value: false
(This is a good example of the disarray and lack of planning with Firefox settings. Not only do common settings for things like the referrer text get changed willy nilly. There are actually two different spellings used for "referrer"!)


Control UserAgent
   The UserAgent string is a string of text that the browser sends to websites in order to identify the operating system and browser. That is normally harmless, but in some cases a webpage may render better if you pretend to be using a different browser.

   UserAgent settings are a mess. There are numerous options in about:config that have no reason to be there. Meanwhile, in later versions of Firefox and Pale Moon the main setting may be missing. To change the userAgent, add the following setting in about:config if it is missing. For good measure, also add it to user.js.
Setting: general.useragent.override 
Value: "xxx"
where "xxx" is the UserAgent string in quotes. Note that the setting may get removed if you use an extension that controls userAgent.

The following samples can be used to mask your system as a different operating system and/or browser. Replace xxx with one of the lines below.
Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.52 Safari/537.17
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Other related, semi-documented settings: There are a number of other related settings that seem to only confuse things. If any of the following are present it might be best to remove them from prefs.js, as they can result in conflicting settings when the userAgent is changed: "general.useragent.appName", "general.appName.override", "general.appVersion.override", "general.oscpu.override".


Stop Prefetching
   Prefetching is an idea of questionable value that is nevertheless part of the HTML specification. The idea with prefetching is to allow a website to take advantage of the time when your browser is not busy. For example, if your browser has finished loading Page 1 of an article, a special prefetch link on that page could force the download of, say, a large image that might be needed later if you decide to go on to Page 2 of the article.

   The problem with prefetching is that it's rarely likely to be useful, it takes control away from the visitor, and it can allow unrequested and undesired files to be stored in your browser cache. For instance, there is nothing to prevent a webpage prefetching ads, undesired webpages, and possible cookies that go with them.

   Unfortunately, prefetching is one of several relevant settings that the Firefox "Mozilla team" seems to think are too complex for the browsing public to understand. From the Mozilla.org explanation of why prefetching is not included in the Options window:

"...our theory is that if link prefetching needs to be disabled then there must be something wrong with the implementation. We would rather improve the implementation if it does not work correctly, than simply expect users to locate some obscure preference in the preferences UI."

   That sort of arrogance (combined with the commercializing influence of funding from Google) is why Firefox, despite all of its good features, is badly lacking in options for people to easily control settings. To stop pre-fetching:

This setting must be added in about:config.
Setting: network.prefetch-next 
Value: false 

Stop Geo-location Spyware
   Geo-location is enabled by default in most current browsers. There is no setting in Firefox. Aside from maybe being asked permission at specific websites, you would probably never have any way to know the functionality even exists. Why would you cooperate with geo-location tracking? The only possible reason for it is spying and targeted ads. Websites can know your general location -- usually the town or city you're in -- from your IP address.

To block geo-location, adjust this setting in about:config:
Setting: geo.enabled 
Value: false 
For good measure:
Setting: geo.wifi.uri 
Value: "" [set blank] 
Also, there are geo-location settings for search:
Setting: browser.search.geoSpecificDefaults 
Value: false 
Setting: browser.search.geoip.url
Value: "" [set blank] 

Block Forced Reloading
   This is an interesting setting that allows the blocking of in-page redirection and refresh. Have you ever been in the middle of reading a news article when suddenly the webpage reloads by itself and that article is gone? That's forced reloading. In some cases forced refresh is also used as a sleazy trick, for example to force you to visit another webpage. In rare cases a misbehaving webpage may reload constantly, making it impossible to read.

   If you block forced reloading you can stop all these problems. When reloading has been blocked a bar will show along the top of the browser window, providing an option to allow the action. In most cases the reloading does not need to be allowed. To block forced reloading, in about:config adjust the following setting:

Setting: accessibility.blockautorefresh
Value: True
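
   The about:config settings listed in the sections above can be checked in one pass instead of one at a time. The following is an added example, not part of the original page or of Mozilla's code: a Node.js script that reads the text of a prefs.js file, compares it with the values recommended above, and produces the user.js lines still needed. The function names and the sample prefs.js content are made up for illustration; the pref names and values are the ones given on this page.

```javascript
// Added example: audit prefs.js text against the settings recommended on this page.
// Function names and the sample input are assumptions made for this illustration.

// Recommended values, copied from the about:config sections above.
const RECOMMENDED = {
  'permissions.default.image': 3,
  'image.animation_mode': 'once',
  'browser.blink_allowed': false,
  'network.sendRefererHeader': false,
  'network.http.sendRefererHeader': 0,
  'network.http.sendSecureXSiteReferrer': false,
  'network.prefetch-next': false,
  'geo.enabled': false,
  'geo.wifi.uri': '',
  'browser.search.geoSpecificDefaults': false,
  'browser.search.geoip.url': '',
  'accessibility.blockautorefresh': true,
};

// Prefs the page says can conflict with general.useragent.override.
const UA_CONFLICTS = [
  'general.useragent.appName',
  'general.appName.override',
  'general.appVersion.override',
  'general.oscpu.override',
];

// Parse user_pref("name", value); lines. A value is a quoted string, an
// integer or a boolean. A later line for the same pref overrides an earlier one.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;\s*$/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue; // comments, blank lines, anything unrecognised
    try {
      prefs.set(m[1], JSON.parse(m[2]));
    } catch (e) {
      // value is not a plain string/number/boolean: skip the line
    }
  }
  return prefs;
}

// Report which recommended prefs are absent, which hold a different value,
// and which conflicting userAgent prefs are present.
function auditPrefs(text) {
  const prefs = parsePrefs(text);
  const missing = [];
  const wrong = [];
  for (const [name, want] of Object.entries(RECOMMENDED)) {
    if (!prefs.has(name)) missing.push(name);
    else if (prefs.get(name) !== want) wrong.push(name);
  }
  const conflicts = UA_CONFLICTS.filter((name) => prefs.has(name));
  return { missing, wrong, conflicts };
}

// Build user.js lines that set the named prefs to the recommended values.
function userJsLines(names) {
  return names.map(
    (n) => `user_pref(${JSON.stringify(n)}, ${JSON.stringify(RECOMMENDED[n])});`
  );
}

// Constructed sample input, not taken from a real profile.
const SAMPLE_PREFS = [
  '// constructed sample prefs.js',
  'user_pref("geo.enabled", false);',
  'user_pref("network.http.sendRefererHeader", 2);',
  'user_pref("network.prefetch-next", true);',
  'user_pref("image.animation_mode", "once");',
  'user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0");',
  'user_pref("general.oscpu.override", "Windows NT 6.1");',
].join('\n');

const report = auditPrefs(SAMPLE_PREFS);
console.log(userJsLines([...report.missing, ...report.wrong]).join('\n'));
console.log('Remove from prefs.js:', report.conflicts.join(', '));
```

   To use it on a real profile, replace SAMPLE_PREFS with the contents of prefs.js from the profile folder and save the printed lines as user.js in that same folder.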

Customize the Activity Indicator or "throbber"
   The activity indicator that shows page loading activity can be changed. First, a new image file is needed. It must be an animated GIF and should be 24x24 pixels. Then also select a non-animated GIF to indicate no activity. Open the [Profile]\chrome folder. (Explained elsewhere on this page.) Put the two GIFs in that folder and open or create the file userChrome.css. In userChrome.css add these lines:
#navigator-throbber {list-style-image : url("still.gif") !important;}
#navigator-throbber[busy="true"] {list-style-image : url("active.gif") !important;}
(Note: The file names can be anything.)



About the userContent.css File
   userContent.css is a file used by Pale Moon and Firefox. It is a master CSS file. CSS is code used to specify design elements in a webpage, such as fonts, image borders... just about any graphical aspect you can think of. Most websites use .css files for that purpose. userContent.css allows you to override any CSS used on a website with your own CSS specifications.

    To edit the userContent.css file, in XP go to the folder C:\Documents and Settings\[user name]\Application Data\Mozilla\Firefox\Profiles\xxxxxx.default\chrome\. In Windows Vista/7 that would be C:\Users\[username]\AppData\Roaming\Mozilla\Firefox\Profiles\xxxxxx.default\chrome\. "xxxxxx" here can be any combination of random characters. In the chrome folder find, or create, a file named userContent.css. Open that file in Notepad and just add whatever custom CSS you like, then save the file.



Download a Guide to Firefox Custom Settings
   There are hundreds of "pref" settings for Firefox and Pale Moon. Perhaps over 1,000. Many are documented poorly or not at all. These settings were designed for Netscape, intended to be obscure and difficult to access, so that corporate IT people could control employee browser use. More than 15 years after the demise of Netscape, Firefox settings are more numerous, confusing and obscure than ever. New additions and frivolous changes to settings are constant. But these settings, adjusted through a user.js file or by typing about:config in the Location Bar, are the only option for controlling the behavior of Firefox. (Pale Moon generally uses the same settings, while K-Meleon uses most of them and also adds some custom settings.) Increasingly, these settings are not represented in the Tools -> Options window. Even the control of javascript has been removed!

   This download is a Windows help file. A CHM file. It documents about 450 Firefox settings in a small, convenient package. The information was collected from various online sources, especially from mozillazine.org, then organized and edited to produce a single list in the form of "Windows HTML Help", with an index consisting of pref names and fully searchable. This is a work in progress. The current version is dated 3/25/17.

Download Firefox Settings Help File (250 KB)

   Included in the download are instructions and tools to make it possible for anyone to decompile this help file, edit or add pages, then recompile. Also, feel free to offer documentation of more settings to include in this file.



Download an Online Tweaks Kit
   Controlling and adjusting browsers is a complex topic, difficult for non-techie people. Unfortunately, there's no easy way to make it simple. But the download here is intended to help. It includes simple directions that will allow you to block most ads and spying online. You can also add some easy optimizations to Firefox. With these tweaks you can greatly reduce spying and security risks online (a lot of malware now gets installed through rigged ads). At the same time you can speed up your browser. There's no extra software to install. Just a few semi-secret adjustments to make.

Download Browser Tweaks Package
