Browser fingerprint hardening with Firefox, arkenfox, and uBlock Origin

How to reduce browser fingerprinting with sane Firefox settings, arkenfox, uBlock Origin, and Tor Browser when you actually need stronger cover.

Fingerprint hardening is about choosing a strategy, not collecting extensions.

That sounds harsh, but it is the fastest way to get rid of the worst advice in this space. A lot of browser privacy guides are just shopping lists: install three blockers, two canvas spoofers, a weird user-agent switcher, and one extension whose GitHub page has not been updated since the last US administration.

That is not hardening. That is entropy with branding.

If you care about fingerprinting, you need to decide which of three jobs you are trying to do:

  1. reduce ordinary tracking
  2. reduce how much information the browser exposes
  3. blend into a larger anonymity set

Those are related goals, but they are not the same goal.

What you are actually trying to minimize

Fingerprinting works by collecting many low-drama attributes and combining them into something distinctive:

  • screen size and window geometry
  • fonts and text rendering
  • locale and timezone
  • timer behavior
  • graphics and canvas output
  • browser feature availability
  • inconsistencies between headers and JavaScript-visible properties

The important word is combining. A single data point is often not impressive. The pile is the problem.

That is also why "I changed one setting" is rarely a complete answer. And it is why a heavily customized privacy setup can become more unique than the stock browser you were trying to improve.

This is the same theme that shows up in /blog/network-opsec-checklist and /blog/ja3-ja4-tls-fingerprinting: the easiest way to stand out is to be weird in multiple layers at once.
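The combining effect on a small scale, as an added example that is not part of the original article: the eight-visitor population and its attribute values are constructed for illustration, and `anonymitySet` and `breakdown` are names chosen for this sketch.

```javascript
// Constructed sample population (not real measurements): one row per visitor.
const KEYS = ["timezone", "locale", "screen", "fonts"];
const population = [
  ["America/New_York", "en-US", "1920x1080", "default"],
  ["America/New_York", "en-US", "1920x1080", "default"],
  ["America/New_York", "en-US", "1366x768", "default"],
  ["Europe/Berlin", "de-DE", "1920x1080", "default"],
  ["Europe/Berlin", "de-DE", "1366x768", "default"],
  ["Europe/Berlin", "en-US", "1920x1080", "extra"],
  ["America/New_York", "de-DE", "1366x768", "extra"],
  ["Europe/Berlin", "en-US", "1366x768", "default"],
].map((row) => Object.fromEntries(KEYS.map((k, i) => [k, row[i]])));

// Size of the anonymity set for `target` when only `keys` are observed, and
// the surprisal in bits: log2(population size / visitors that match).
function anonymitySet(pop, target, keys) {
  const matches = pop.filter((v) => keys.every((k) => v[k] === target[k])).length;
  return { matches, bits: matches ? Math.log2(pop.length / matches) : Infinity };
}

// One result per attribute on its own, then one for all attributes combined.
function breakdown(pop, target) {
  const rows = KEYS.map((k) => ({ observed: k, ...anonymitySet(pop, target, [k]) }));
  rows.push({ observed: KEYS.join("+"), ...anonymitySet(pop, target, KEYS) });
  return rows;
}

const stock = population[0];      // common values in every attribute
const customized = population[5]; // no single attribute is rare on its own
for (const [name, profile] of [["stock", stock], ["customized", customized]]) {
  console.log(name);
  for (const r of breakdown(population, profile)) {
    console.log(`  ${r.observed}: ${r.matches} of ${population.length} match, ${r.bits.toFixed(2)} bits`);
  }
}
```

In this constructed data every attribute of the customized profile is shared with at least one other visitor, yet the combination matches only that profile.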

Firefox defaults are a decent baseline, not invisibility

Mozilla's current fingerprinting protection documentation is better than a lot of third-party writeups because it is specific about scope. Firefox's Enhanced Tracking Protection blocks known fingerprinters and limits data exposure to suspected fingerprinters, with stronger behavior in Strict mode and Private Browsing.

That is useful.

It is also not the same thing as "my browser now blends into a privacy crowd."

Default Firefox is best understood as a tracking reduction baseline. It blocks some bad actors, constrains some APIs, and generally behaves like a mainstream browser with sensible privacy posture. For most people, that is already a solid improvement.

What it does not do is promise that the browser will stop being identifiable as a particular browser running in a particular environment. It is a baseline, not a disguise.

Resist Fingerprinting is stronger, breakier, and more honest

Mozilla is explicit that privacy.resistFingerprinting is an advanced setting and can break websites. That warning is not legal padding. It reflects what the setting actually does.

When enabled, Firefox starts standardizing and distorting visible attributes:

  • timezone reported as UTC or Icelandic
  • locale standardized to en-US
  • timer precision reduced
  • some window and screen metrics fixed
  • canvas extraction perturbed with noise
  • devicePixelRatio forced toward a standard value

That is real anti-fingerprinting work because it reduces useful variance.

It also creates visible side effects. Sites may render differently. Timing-sensitive apps may behave strangely. UX oddities are not proof the setting failed. Often they are proof it is doing something real.

A minimal sanity check looks like:

# about:config (preference names are case-sensitive)
privacy.resistFingerprinting = true
privacy.resistFingerprinting.pbmode = true

But do not confuse "I turned on RFP" with "I now have Tor Browser behavior." You do not.

Where arkenfox fits

arkenfox user.js is useful because it is honest about what it is: a Firefox template designed to reduce tracking and fingerprinting aggressively, while accepting that breakage will happen.

That honesty matters. arkenfox is not pretending to be a frictionless consumer product.

It is a good fit when you want:

  • a stronger Firefox posture than defaults
  • a documented, maintained preference baseline
  • a setup that treats browser-side exposure as an engineering problem

It is a bad fit if you want zero maintenance or if you secretly mean "I want Tor Browser behavior without using Tor Browser."

The arkenfox README is explicit on that second point too: if your threat model truly calls for Tor, use Tor Browser. Do not rebuild an imitation on top of ordinary Firefox and then convince yourself it is equivalent.

That is one of the most important corrections in this whole area.

uBlock Origin's real job

uBlock Origin is excellent. It is also one of the most misunderstood privacy tools on the internet.

The uBO README describes it as a wide-spectrum content blocker. That framing is exactly right. Its core value is reducing third-party script execution, tracker load, ad-tech junk, and general data collection opportunities.

That helps fingerprinting indirectly because fewer hostile scripts get to run.

What uBO is not is a complete anti-fingerprint engine. Its own wiki says that plainly in "Does uBO protect against fingerprinting?" It has a few limited relevant tools, but it is not a replacement for browser-core anti-fingerprinting design.

So the correct mental model is:

  • Firefox or Tor Browser shapes the fingerprint surface
  • uBO reduces who gets to measure it and how much hostile code runs

That is a valuable job. It is just not the same job.

Brave is a different strategy

Brave is worth mentioning because its current fingerprinting protections wiki reflects a different philosophy from Tor Browser.

Tor Browser tries to reduce the number of distinguishable buckets by standardizing users aggressively. Brave mixes blocking, API modification, and randomization, with randomization changing per session and per site.

That is not automatically better or worse. It is a different tradeoff:

  • Tor Browser emphasizes shared sameness
  • Brave emphasizes harder cross-site and cross-session linking

What matters is not cheering for a team. What matters is understanding that these are different strategies, and mixing strategy language carelessly leads to bad decisions.

Tor Browser is the answer when the goal is the anonymity set

If the real goal is identity resistance against browser fingerprinting, stop trying to turn ordinary Firefox into Tor Browser with vibes and extra add-ons. Use Tor Browser's own fingerprinting protections.

Tor Browser's design is unusually disciplined:

  • standardized user-agent behavior
  • letterboxing to reduce screen-size uniqueness
  • constrained customization
  • deliberate resistance to user-controlled weirdness

The Tor Project is also blunt that extra add-ons are discouraged because they can make you more trackable, not less. See the Tor guidance on plugins and add-ons.

That advice annoys power users because it removes toys. It is still correct.

The entire point is to avoid becoming the person whose browser looks like "Tor Browser plus five cute personal modifications." That is not an anonymity set. That is a custom build.

This is also why Tor Browser pairs naturally with /blog/tor-technical-users-guide and poorly with the urge to install every privacy extension you have ever heard of.

Verification matters, but scanner scores are not gospel

You should test. You just should not worship the test page.

A decent verification loop is:

# Compare two sessions, not one page load
open https://coveryourtracks.eff.org/
open https://browserleaks.com/canvas
open https://browserleaks.com/webrtc

Check whether properties remain stable across sessions, whether WebRTC behavior changed in ways you expected, and whether your browser posture looks less distinctive or merely differently distinctive. This also pairs with /blog/webrtc-ip-leak-fix, because browser network leaks and browser fingerprinting are adjacent, not separate.

But remember that a demo score is one signal, not a certificate of invisibility.
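One way to make the two-session comparison concrete, as an added example rather than code from the article or from any tool it names: the snapshot field names, the constructed values and the `classify` and `linkable` helpers are assumptions of this sketch, and `Atlantic/Reykjavik` is assumed to be the identifier behind the "Icelandic" timezone mentioned earlier.

```javascript
// Values the article lists as standardized under RFP. Atlantic/Reykjavik is
// assumed here to be the identifier behind "Icelandic".
const STANDARD = {
  timeZone: ["UTC", "Atlantic/Reykjavik"],
  language: ["en-US"],
};

// Compare the same attributes recorded in two separate browser sessions.
//   "standardized": same in both sessions and on the STANDARD list
//   "stable":       same in both sessions, not a known standard value
//   "varies":       differs between the sessions
function classify(sessionA, sessionB) {
  const result = {};
  for (const key of Object.keys(sessionA)) {
    const a = sessionA[key];
    const b = sessionB[key];
    if (a !== b) result[key] = "varies";
    else if ((STANDARD[key] || []).includes(a)) result[key] = "standardized";
    else result[key] = "stable";
  }
  return result;
}

// Attributes that stayed identical without being a known standardized value:
// the ones to review as possible links between the two sessions.
function linkable(result) {
  return Object.keys(result).filter((k) => result[k] === "stable");
}

// Constructed snapshots. In a browser console the first two values come from
// Intl.DateTimeFormat().resolvedOptions().timeZone and navigator.language;
// canvasHash stands for the signature a canvas test page displays.
const defaults = [
  { timeZone: "Europe/Berlin", language: "de-DE", canvasHash: "c0ffee01" },
  { timeZone: "Europe/Berlin", language: "de-DE", canvasHash: "c0ffee01" },
];
const withRfp = [
  { timeZone: "UTC", language: "en-US", canvasHash: "9a41d2e7" },
  { timeZone: "UTC", language: "en-US", canvasHash: "3be05f16" },
];

console.log("defaults:", classify(...defaults), "review:", linkable(classify(...defaults)));
console.log("with RFP:", classify(...withRfp), "review:", linkable(classify(...withRfp)));
```

A "stable" attribute is a candidate for review, not proof of uniqueness: a value can be identical across sessions and still be shared by many other users.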

The opinionated answer

Use this decision rule:

Firefox + ETP: lower tracking
Firefox + arkenfox/RFP: lower exposure, more breakage
Tor Browser: larger anonymity set
uBO: less data collection, not full fingerprint resistance

For most people who want reasonable privacy without a fragile setup:

  • Firefox with its existing protections
  • uBlock Origin
  • restraint

is a very good answer.

For people who actually need stronger reduction in browser-exposed variance:

  • Firefox plus RFP or arkenfox
  • willingness to accept breakage
  • regular testing

is the next step.

For people whose real goal is blending into an anonymity set, not just blocking trackers:

  • Tor Browser
  • as shipped
  • without cute modifications

is the honest answer.

The sharpest mistake is mixing strategies. A customized Firefox full of privacy theater can be more unique than stock Firefox, and much more unique than Tor Browser. The goal is not to look "privacy serious." The goal is to be harder to distinguish.

Those are not the same thing.