Wow it really feels like a digdeeper clone... nah fr I hope he doesn't mind I decided to write one of these too. Most browser, in short, come with little actual functionality. You really just don't get much outside of a shell for brwosing the internet. Some have a bit more than others, but in general it's a bleak situation. Extensions to an extent help this situation. They give control that should probably be in the browser by default but isn't, or gives something completely cool.
However, most extensions are either, in short, useless or malicious. Many spy on you without giving much good functionality (just fucking find coupons yourself jeez it's not htat hard) or just are inferior to what others provide. It's a difficult world out there with them, which is why I'm writing this. With that, allons-y!
And remember, as I ranted about in my browsers article the Internet is a shithole anyways. These addons just make it usable but real talk, the Internet at its core has fundamentally been ruined and these are just bandages to make whats there work. Try to avoid using the Internet in general when possible.
Also, don't use too many. Yes, in theory its nice but it really weighs down on performance over time, most notably in terms of speed. I'd honestly use 20+ extensions if I could but it's just too much for the browser to handle. I myself try to limit it between 5-10. In particular, try to limit the niceties that I list out - they're niceties and not essentials for a reason. Also, avoid security/privacy theater, which is offering features that seem to improve security/privacy but really do very little to actually improve it. I'll list examples in the useless section.
Don't go without these. These improve privacy, security and functionality to the point where going wihtout them makes the Internet that much worse to use.
A browser makes connections to various sites when it loads up one. These sites send various types of data, such as cookies, CSS, JavaScript, XHR (JS requests basically), etc.. These connections are what make browsing what it is, and they are the easiest way privacy is abused.
uMatrix gives near total control over these connections. Granted, you can't block individual JS scripts, only ones from a domain as a whole, but in general you get to choose what enters your browser and what does not. You don't want cookies from a.z.com? Sure thing. No XHR in general? Granted! No images because they take up too much bandwidth? Gotcha. uMatrix hands it all to you.
This really cannot be understated - if you haeve the time, use uMatrix! It is the only extension you truly need to stay private and secure. It outdoes everything else by leagues. And hell, as with the examples I noted above, it has more use than just those. It can be used for almost everything! uMatrix is vital towards a great browsing experience. Don't leave home without it if possible. It only takes like a week max to learn if you know what you're doing and less than a minute a website.
That being said, it does take time that many don't have, and expertise that many may not have either. It's not complicated but many people don't get how websites work. It also takes time per site. Thus, I only recommend it if 1. you know basic web structures and 2. you have enough time to fix things if things go wrong. Otherwise, uBlock Origin is a perfectly acceptable alternative.
Finally, I've been told NoScript is similar, but 1. I've never used NoScript and 2. it doesn't seem to cover cookies etc.. IDC, use what you want, I'll stick with uMatrix.
9/20/2020 EDIT: The repository has been archived and the developer has confirmed he won't be working on it anymore (reasoning here) so the future is uncertain. It definitely should continue to work on most browsers, but if Google chooses to change adblocking rules it's probably dead on Chromium based browsers. Firefox/Pale Moon should work fine but this is still a very sad moment. Rest in peace, uMatrix. Still, continue to use it until it stops working or use a new forked version when some other developer takes the lead under a new name.
uMatrix is the only serious privacy extension you'll ever really need. However, it is not accessible to most people. I myself have a spare browser for school that deliberately does not use it because it takes too much time to get it to work. Even then, it can miss some things because of its all-or-nothing approach - either you take all of a connection's JS up the ass or none of it, unless it has subdomains (and the issue still lies there too). With that, uMatrix is not always possible to use and really isn't for everyone.
uBlock Origin is the best you can get outside of uMatrix. It uses lists of domains to block, and does so in an effective manner. It has been benchmarked to be the best performing content filter tested (other than uMatrix) and while that was a few years ago, it's only getting better. It also has other privacy-protecting features, such as WebRTC protection (WebRTC is used for video calls but it can deanonymize you very quickly) that make it worthwhile even alongside uMatrix.
In terms of lists, in general each additional list will have a drag in performance. It's more than the list itself, its about making the connection to download the list. As a result, I recommend using unified lists. There's 2 major ones that I know of - Energized and StevenBlack. Energized had better protection from what I found, but the people behind it run it like a business as can be seen on their site and don't seem open enough to really know if they're accepting bribes. StevenBlack, on the other hand, has come out on Hacker News before and stated that he doesn't take any. It's unlikely Energized si taking any, and either way they still have a really good list so I'd go with either them or StevenBlack and only one of those sources alone. I use their Blu list but depending on what your privacy needs vs performance you can use other lists as well.< 7/31/2021 UPDATE: Energized.pro website is dead apparently, it's been this way for about 2 weeks. I'm not sure what the future of the project is, so just stick with StevenBlack.
Finally, don't feel obligated to use this alongside uMatrix. The two combined will drain performance notably and it's not like uBlock Origin really covers up for what uMatrix misses enough to be worth it.
The situation here is kind of messy. Basically, HTTPS is the more secure form of HTTP and while it doesn't encrypt everything it does prevent eavesdropping for the most part which is helpful. Not all sites use it, and not many use it well in spite of how easy it is these days to enable it (Let's Encrypt is 100% free and automated), so HTTPS enforcing addons are helpful to get you there.
There are only 2 that I really know of and have tried. Smart HTTPS automatically switches the initial connection to HTTPS if you disable whitelisting of sites in the settings. It only does the first connection, however, and not subconnections. To give an idea, Pokemon Showdown is a site that has many subconnections for its assets. Smart HTTPS would only cover the initial connection to the site and would not encrypt these secondary ones. HTTPS Everywhere is made by the EFF (read All EFF'd Up if you want to know why this is a bad thing) and works off of lists. This means it does not work with every site (DigDeeper says it does but I haven't noticed this). It also includes an option to only go for encryption - if an asset does not support HTTPS, it just is not loaded at all under this option. It does support subconnections - Pokemon Showdown would be fully encrypted, for instance. There's no middle ground between these two addons unfortunately, so just go with one or the other. I go for HTTPS Everywhere as it covers almost every site that I use and encrypting subconnections is important for me. Use what works for you though.
As seen here (I think some of his analyses are conceptually flawed but not this one) Firefox is really not very secure, especially on Linux (which is more secure on an actual desktop user scale than Windows madaidan! And either way there's no point to security wihtout liberty and privacy). Add that to Tor Browser only being an ESR release and only having 2 addons (albeit good ones) and there's an issue with using it for anonymity. Proxychains also doesn't work with Chromium for some reason. So how does one browse the internet anonymously with Tor and Chromium?
ProxySwitchy Omega is the answer. It allows you to switch between proxies that you've set up. For instance, to use Tor one would make a profile that would use SOCKS5 at 127.0.0.1:9050 and be set to use Tor. It also allows you to disable it for a site, which is helpful with Tor in particular. Granted, it won't let you change the Tor node on demand like Tor Browser would but the setup is otherwise leagues ahead in terms of security and privacy (and frankly anti-fingerprinting with the right addons) while still letting one use the addons they desire.
Since most browsers are pretty bare-bones, these add a pretty nice layer of functionality. Don't use too many though - they will slow your browser down with each one added.
Many sites rely on JS libraries such as jQuery, etc. but do not have the space/bandwidth to host it themselves. What's the solution? Daddy Google will host it for you! Granted, that comes with a connection to Google that does take data... oh oops! Fault here. Let's put a stop to that.
LocalCDN is a fork of the extension DeCentralEyes that actually is actively developed. It detects the connection to Google/M$/whatever else's site for the library, blocks it, and provides its own. These are kept up to date for the most part so it doesn't fall behind too badly. This, outside of protecting your privacy, improves speed and security. It also can break websites occasionally but I've rarely noticed that to happen.
Arguably the biggest part of the fingerprint of a user is their user agent. It alone can identify you very well - it includes a shit ton of information such as hardware, browser, compatiblity with Firefox, etc. that just gives you away. It is a noble idea in theory but the standard for it just gives away far too much information. Hell, (link here) even Google wants to get rid of these.
This addon allows you to switch user agents. It generally keeps them updated to the latest versions so you can disguise yourself. Be careful, however. Some sites that do first-party analytics will have a cumulative fingerprint that will notice that you're the only "Chrome on windows" user with the anti-fingerprinting measures you have. I actually recommend Firefox on Linux because most Linux users will be on Firefox and will ahve those features. Also note that it will break some sites that need to know your OS/browser for legitimate reasons, but it's easy enough to toggle that.
You know how Mac software has momentum based scrolling, where you can just continue to scroll and it builds momentum over time and then moves on its own? Linux Chromium doesn't have that. Instead, we rely on this extension. The defaults aren't great, but with configuration it does work really well. For some reason, blacklisting websites does not work for me, and you'll need the blacklist as it can REALLY slow down some sites (most notably YouTube history). But hey, its better than nothing! (heads up: if you find it bounces around too much, reduce step size)
YouTube is probably the biggest proprietary shitware site that I use. It's just something I cannot avoid. And while I have tried to cut down on the addiction by using mpv, it's not often enough. This extension allows you to block virtually every addictive element of YouTube. It works basically by implementing uBlock Origin rules in a nice UI. You can block comments, suggested videos, etc. This has helped me quite a bit.
Let's face it - CAPTCHAs are fucking annoying. They serve little actual purpose because you have other ways to deal with bots (Arch Linux has a good CAPTCHA, terminal based so its unlikely a bot could break past it unless it really tries) and if a bot wants to get past you it can probably find a way ot beat a CAPTCHA. They are inaccessible to many users who are disabled as well, all while training Google's AI to be better in their fight against our liberties. CAPTCHAs are awful.
Fortunately, this extension provides a way that breaks past them. You simply click on the icon when the CAPTCHA shows up, play the audio and bam! it's solved. This I've found has a decent, but not fantastic, success rate - sometimes Google does catch on to it. In general though, it works pretty well and more importantly - it feeds false data to the AI, hindering its development.
This site, and most sites, uses the CSS markup language to style itself. In general, most sites use a lot of CSS in many ways. It's even found its way onto desktops such as GNOME. What if you could change that CSS to make it look how you want? Thats the power of Stylus. A user can input custom stylesheets to change the look on many sites - for instance, adding a dark mode to YouTube or hiding certain elements. It makes the web a lot nicer to look at. Note that this is a fork of Stylish, which was caught siphoning user data. It works just as well.
This is one I used to use quite regularly. It allows you to archive the current page with the click of a button, to whichever service you desire - archive.org, archive.is, etc.. This is useful to archive sites that tend to burn through things quickly, as well as citations. Definitely worth using as a student if you do research papers a lot.
Ungoogled Chromium is fantastic and imo the best browser to use but it does make it hellish to try to install and update addons. Chromium Web Store makes this easier. It allows you to install extensions from the store directly (though you should just use the URL and have less spying JS running) and, more importantly, it allows for semi automatic updating. Just click the icon, have it check for updates and then click the link and then "Add to Chrome" etc. This makes life that much easier.
The Internet has quite a few addictive websites. Even outside of the standard stuff (YouTube, Facebook, etc.) it's quite easy to have information overload where you get addicted to, say, browsing Wikipedia articles mindlessly searching for some intellectual nourishment that you're 1000000x better off getting by actually doing something like learning a programming language or reading a book. It still is a bane to productivity, and it still must be addressed.
Of all of the site blockers I've used, LeechBlock is 1. the only FOSS one and 2. the only good one. It allows for easy creation of lists to block and versatile ways to block them - you can choose to block them within a time period *and* after the timer is finished, you can choose to redirect to another page to remind you to get back to work, etc.. It's a fairly simple extension, but it does what it should do and gives great features to do it with.
It's worth noting, however, that this will only really work if you have the discipline to make it work. It's very easy to disable this and many heavily addicted people will do so. This is not a treatment for actual internet or gaming addiction - if you have that, talk to a counselor or something. This works for those who realize that they are beginning to have a problem and have the power within themselves to make the change, and for that purpose, it bolsters productivity quite a bit.
I'm not expecting a beginner to be able to easily wean off of Google, seeing how good the search results are. Even at a later stage, I still find myself using Google for things I just cannot find otherwise. This makes Google's tracking a tiny bit less. Google's search results are actually redirects to its servers, where they collect a lot of the data. This bypass those redirects and is the only one I've seen that is still actively developed.
Unfortunately, the situation with Tor and VPNs are not great. Tor is blocked almost everywhere by Cloudflare and is generally extremely slow. VPNs only have a few servers so they're not doing much to hide your IP address and either way they tend to be shady as fuck. They also have DNS leaks that can reveal your true IP address. With that, what's one to do?
This extension allows you to edit your HTTP headers related to IP address to whatever you desire. You can edit more than just X-Forwarded-For, but the originating IP address etc.. This allows you to retain more privacy and works very well alongside Tor/VPNs. Granted, a lot of sites can detect your IP through more than just HTTP headers, which is why I only put this in niceties instead of essentials, but it will work for the most part and it's still something I highly recommend using. 7/31/2021 UPDATE: No longer seems to work.
The whole reason I'm writing this list is to help you choose the right extensions and avoid the bad ones. These are those bad ones.
And here we start with our biggest offender. Put simply, it is ineffective at blocking ads. It has what is considered an Acceptable Ad Initiative, where ads that it approves of are whitelisted. Companies can pay portions of their income to have it unblocked - Google did this. Yes, you read right, Google bribed AdBlock Plus to not block ads! This renders it entirely useless. uBlock Origin is generally more efficient and powerful anyways. Don't use AdBlock Plus lol.
Let's be real though - almost all adblockers are useless. Lists in general are a flawed concept - while most are generally effective, its not comparable to just blocking third party domains by default. Instead of having a ton of bandaids, why not actually have a real cure? Even then, uBlock Origin is the best of the software out there. It is the most efficient, iirc its been shown to be the lightest, it supports adding your own lists heavily, and it has a ton of other incredible features such as WebRTC disabling and element control. It and uMatrix really put the browser in your hands. No other content filter does the same.
And now we return to actively malicious extensions. Privacy Badger is an extension released by the EFF, which should already be a red flag if you've read "All EFF'd Up" (fairly long but worth the read) designed to protect against browser tracking. Does this work? That answer isn't just a no, it's "it actively makes it worse."
Privacy Badger uses AI to learn how to block trackers. This AI is really bad, because I noticed it took forever for it to ever block anything. DigDeeper noticed it took a few weeks, I noticed it just straight up never happened for some of them. It also tries to stop canvas fingerprinting, which is really bad actually - it only worsens your fingerprint because you're likely the only person who's stopping it. A full paper was done on these addons and it found that Privacy Badger makes your fingerprint worse. Privacy Badger just messes with things it really shouldn't be. Just use uMatrix, which will actually do its best in blocking what can track you (and what uMatrix can't block probably is what you will lose to regardless). Privacy Badger is actively malicious, however, and should be avoided like the plague.
This is gonna be a hot-button topic for a lot of people. What is LibreJS? Simply put, it describes what Stallman calls the JavaScript trap. That JS of the ads you see are really running and compiling in your browser. You are actively running that spyware on your machine. The FSF has tried to fix this with LibreJS. Needless to say (since we're in the useless section), they failed and quite miserably too. (wip: i blame FSF for their arbitrary interpretation of nonfree JS and this shitty, slow addon for settings us years back in the battle against proprietary web services)
First off, the definition of nonfree JS is completely arbitrary. What happened to the hardline stance of "if its free its free if not its nonfree"? LibreJS has to check if JS does those arbitrary things, and this slows it down to unusable levels. It'd be genuinely good if it didn't do that but instead it slows you down. It's also only on Firefox, which is quite constricting to say the least. Finally, it checks for license labels instead of if the library is free or not, forcing every website owner to comply with this shitty standard or be labeled as nonfree which isn't fair in the least. This is monopolizing the Internet.
Granted, LibreJS does have some use. In terms of individual script blocking, it is unrivaled in power, even moreso than uMatrix. You can block any part of the script that you desire so long as it detects it. That actually makes it worthwhile for extreme cases, but on a day-to-day basis it just gets too tedious. It'd be perfect in theory but it's really not worth the trouble.
Regardless, I would sitll like to call out the FSF for handling the JS Trap terribly and setting us over a decade back in the fight against it. Get it together. LibreJS is a horrible extension, and if you care about freedom, you'll do what's right and boycott LibreJS until the FSF fixes it.
And now for a difficult topic. Fingerprinting is the act of using any data you send over to uniquely identify you, similarly to how putting your fingerprint irl identifies you uniquely. This is a disaster for privacy and is something we are fighting a battle against.
And that fight is an absolutely losing one. You can be tracked for almost everything - imagine getting identified by where your cursor is on the screen, or just for having a basic feature enabled in your browser. New ways to do this come out on the regular and it's just impossible to cover them all.
So how do we protect ourselves, with what we can do? Let's try our best. Remember, the goal is to not be unique and identifiable. You want to be the generic John Smith dude with 2 kids and a wife living in NYC, not someone that actually is unique. Who's gonna remember John Smith from the other 500000000000 John Smiths? With that:
Avoiding fingerprinting is honestly pretty difficult, and it gets difficult to really fight that fight all the time. I myself have burned out of it pretty quickly. Just remember, it's mostly a passive battle outside of uMatrix and is just having the right settings and refraining from using bad sites. Ironically, I've found that people who put little to no effort in this are the ones best off. Luke Smith, for instance, is a YouTuber on minimalism. He lives a simplistic life and nowadays he rarely uploads because he's usually spending his time off of his computer. He doesn't visit very many sites and while he's careful about what he shares he doesn't put in a ton of effort over things (he just uses Brave for instance). He has a lesser fingerprint than I do with all the effort I put in, because in the end I spend several hours a day online and on JS heavy websites. The real lesson of this is that there's no way to avoid it without not playing the game altogether.
This is honestly only a review of things I've actually used in the past. I haven't really tried any new extensions for the sake of this article, though I won't rule out trying that. With that, I'll list the ones I haven't used but seem interesting:
Feel free to try those out, or really anything. I'm not on XMPP frequently but you can ask me questions at magus@snopyta.org there. I cannot guarantee I'll actually respond in a timely fashion though.
Frankly, I'm not sure whether to be positive about this or not. On one hand, the extension ecosystem is thriving quite well. There's a lot of really good extensions out there and they all have unique functions that enhance the browsing experience. On the other hand, shouldn't some of this stuff be done by the browser? Why doesn't the browser have HTTPS enforcement on by default? Why can't most have a content filter that actually allows for custom filters? It's sad to see just how many addons are required to get basic functionality out of a browser, and how even more are required to combat fingerprinting.
With that, though, experiment! The browser addon ecosystem is quite large and full of new stuff to mess around with. Make use of it! Who knows when Google decides to axe most of it... after all, they are axing the webRequest API soon and most content filters and addons in general require it. That's I guess one reason to go for Librewolf.
Finally, I'm aware that my article output has been much less recently. I have not had the motivation nor the inspiration to write too many, but that will change soon. I hope to get a larger audience. Feel free to share with who you'd like!