Mozilla is now offering a browser-based proxy which they are calling Firefox Private Network. Despite the name, this browser proxy is not a VPN (virtual private network). Unlike Firefox Private Network, a true VPN will offer complete encryption for all traffic on your operating system. While Firefox Private Network only works within the browser, it still offers more security than no proxy.
For basic users who don’t mind the limitations of a browser proxy, this Firefox VPN extension may not be a bad idea. More serious users, however, may want to consider other options offering more security and online anonymity. Here are some of the drawbacks I found when testing and researching Firefox Private Network:
- Browser-only encryption: Only traffic through the Firefox browser is getting encrypted. All traffic outside of your Firefox browser remains exposed.
- Cloudflare: All traffic is being routed through Cloudflare, which has partnered with Mozilla to offer this service.
- US jurisdiction: Being based in the US, Cloudflare, Mozilla, and your data are all subject to US laws and data requests. This makes Cloudflare a target for US authorities demanding access to data, along with gag orders forbidding disclosure – like we’ve seen before with Lavabit and Riseup.
- Data collection (logs): When your traffic passes through Cloudflare servers, Cloudflare will be logging your IP address and the sites you visit. Mozilla is also recording technical, interaction, and registration data.
- No location selection: Unlike other browser-based proxies, Firefox Private Network (VPN) does not offer any location selection.
Firefox Private Network may be a good choice for some people, such as those wanting a basic level of security on public WiFi. For anyone seeking higher levels of security and anonymity, there are some better options to consider that we’ll discuss below.
What is a Firefox VPN and how does it work?
A Firefox VPN can mean different things to different people:
- Many people are calling Firefox Private Network a “VPN” – but it’s not really a VPN and we’ll explain why below.
- Others are simply looking to use a VPN with Firefox – or what some call a “Firefox VPN”. There are different options for doing this that we’ll discuss later.
As a general rule of thumb, any browser-based “VPN” is just a proxy that is routing your traffic through a proxy server. The same can be said of Opera’s free VPN, which is also just an extension within the Opera browser. Now let’s take a closer look at Firefox Private Network.
What is Firefox Private Network?
Firefox Private Network is a browser-based proxy that was officially launched in September 2019. Here are some key points from Mozilla’s announcement:
- Firefox Private Network is currently in beta (testing)
- It is only available for people in the United States. (But you can easily spoof a US IP address by connecting to a VPN server in the US.)
- Mobile versions of Firefox do not support this feature – just desktop Firefox.
You can install Firefox Private Network here. Before you do that, however, you may want to carefully read the Privacy Policy, which leads us to our next point…
Firefox Private Network and Cloudflare
The organization behind Firefox Private Network is Mozilla. Here at Restore Privacy we’re fans of Mozilla, which is increasingly offering products and services for privacy-conscious users. Firefox is currently our top recommendation in the secure browser guide. (See also the Firefox privacy guide for custom tweaks and setup options.)
To offer Firefox Private Network, Mozilla has teamed up with Cloudflare, one of the world’s largest CDN operators. The partnership with Cloudflare has both pros and cons. On a positive note, Cloudflare has a massive network of servers that can offer great performance for Firefox users who activate the Private Network feature.
There are also some drawbacks with using Cloudflare.
US jurisdiction
The United States has proven to be a very bad jurisdiction for privacy-focused servers. Examples of this can be seen with:
- Lavabit being forced to hand over encryption keys to give US authorities complete access to user data. Rather than comply, Lavabit was forced to shut down.
- Riseup, a VPN and email service based in Seattle, also received legal demands for access to customer data, as well as gag orders preventing any kind of disclosure.
Cloudflare is a large US company. With this latest move to route Firefox Private Network traffic through their servers, it will be a juicy target for data requests. So let’s examine the privacy policy.
Data collection (logs)
Firefox Private Network has its own privacy policy, which can be found here. Reading through it, I found some things worth noting:
Cloudflare receives your web browsing data to provide the Service: As you browse, Firefox will encrypt the data you send to websites and send it to Cloudflare. Cloudflare will also receive your computer’s IP address, the IP address of the site you are browsing to, the timestamp, and a unique identifier. Cloudflare does not share this data with others and deletes this after 24 hours unless necessary for its security or legal obligations. Learn more at Cloudflare’s Privacy Policy for Firefox Private Network.
While there are some VPNs that keep connection logs, very few VPNs keep usage logs – i.e. the sites you are visiting. This is the opposite of privacy. The logging of timestamps and unique identifiers is also concerning, especially since this information could potentially be kept beyond the 24 hour window if deemed “necessary” by Cloudflare.
In addition to Cloudflare, Mozilla is also collecting some data:
Technical data. Firefox sends Mozilla data about your device, operating system, version, and a unique identifier that Mozilla connects to your Firefox Account.
Interaction data. Mozilla receives data about when you install Firefox Private Network, when you use the service, and engagement with our surveys and Firefox.
Registration data. This service requires a Firefox Account, which sends Mozilla your email address, locale, and IP address. Learn more about Firefox Account data practices.
There is more information about Mozilla telemetry data collection here.
While I understand this product is geared more toward a general audience that may be less privacy-conscious, I do not like how Cloudflare is logging usage data (the sites you visit).
Firefox Private Network testing
Firefox Private Network is very easy to start using, but you need to be on a desktop version of Firefox with a US source IP address for access. This brings up a confirmation window discussing permissions and the data collection:
At this point, to actually use Firefox Private Network, you’ll need to create an account with Firefox.
To create a Firefox account, you’ll need to provide a valid email address, confirm your email, and create a password. This will be linked up to your “unique identifier” that we covered earlier. Once you do this, you can sign in through the browser extension and start using it.
To activate the “Firefox VPN” you simply need to toggle the switch and you should be connected in a few seconds to a nearby Cloudflare server.
As you can see above, there is no ability to select the proxy location you’ll be using. It’s only On or Off.
Is the Firefox VPN fast?
In running some basic tests, I found Firefox Private Network to be fast. But this is not surprising given that:
- It’s a lightweight proxy extension using HTTPS encryption.
- It’s running on Cloudflare infrastructure, a large global CDN network with high-bandwidth capacity.
To test Firefox Private Network, I used the VPN client on my computer to connect to a server in New York. (I’m currently in Europe and otherwise wouldn’t be able to use this.) My baseline speed for these tests was around 100 Mbps. Then I connected the Firefox VPN extension, which gave me good speeds close to my baseline.
Notice above that the server I tested is being recognized as belonging to Cloudflare Warp. Warp is the VPN that Cloudflare is building, which it announced last April. This project is separate from the Firefox partnership, but appears to share the same server infrastructure.
VPN for Firefox: different options
Aside from Firefox’s VPN browser extension project, there are some other options available.
1. Free proxy extensions (generally not recommended)
In the “free” category we see dozens of free VPN extensions that proxy traffic through the browser. However, these dubious free services are often data collection tools in disguise. The risks and dangers are the same as using free VPN services.
There are many malicious free browser extensions, so this category should probably be avoided.
2. Paid Firefox VPN proxy extensions
Another Firefox secure proxy extension I’ve tested (and liked) is the one from VPN.ac (a paid VPN service based in Romania). The VPN.ac browser extension also uses the same HTTPS (proxy) encryption as before, but it gives you access to a large selection of servers around the world.
There are other good VPN services that offer proxy browser extensions. NordVPN is one such option (based in Panama).
Note: VPN.ac and NordVPN offer standard VPN clients for your operating system, in addition to browser proxy extensions.
3. VPN client running on your operating system
Lastly, you can always run a VPN client (app) on your operating system. This will route all traffic through the VPN server, including everything in Firefox (and any other browser/app).
Given our discussion of Cloudflare’s extensive logging policy, there are a handful of no logs VPN services that have been verified either through audits or other external events. Unlike with Cloudflare, none of the VPNs recommended on Restore Privacy collect usage data (the websites you visit).
And lastly, good VPNs are also not free (if something is free, you may just be the product).
Who should use Firefox Private Network?
In their official announcement, Mozilla highlighted three “key features” of Firefox Private Network:
- Protection when in public WiFi access points
- Internet Protocol (IP) addresses are hidden so it’s harder to track you
- Toggle the switch on at any time.
I think the biggest use case for this Firefox VPN is simply a basic level of protection on public WiFi. If you don’t care about Cloudflare recording your source IP address and every website you visit, it may be a good fit. But this is also a drawback, since the “privacy” tool is recording your activities – even if for only 24 hours.
Now to the next question.
Who should NOT use Firefox Private Network?
- Those who do not want their browsing activity being collected and logged by Cloudflare.
- Anyone wanting a VPN in a safe privacy jurisdiction (outside of the 5/9/14 Eyes countries).
- Users who want the ability to select which location they route their traffic through.
- Anyone who wants traffic on their entire operating system encrypted (rather than just through Firefox browser).
And if you are still confused about exactly how a VPN differs from a proxy, see my guide explaining what is a VPN.
Conclusion on Firefox VPNs
Like any other privacy tool, Firefox Private Network comes with both pros and cons. It’s great to see Mozilla catering to privacy-conscious users with this latest development. And we can conclude that this is a step in the right direction.
For basic users in the United States who want more security on public WiFi, this Firefox VPN extension may not be a bad choice. In fact, it may just be one of the best “free” options out there, despite some of the limitations and drawbacks.
For those seeking a high standard of security and online anonymity, I’d recommend a good VPN service that will encrypt all traffic on your operating system.
I’m writing here about this so people can check the settings in their browser themselves:
Recently installed the browser Basilisk, which is a fork of Firefox (version 52, I think). Because I liked using the add-on no-script over on Firefox, tried to install it on Basilisk, which requires the version for ‘legacy’ browser. Basilisk blocked this installation, so pressed ‘allow’, which directed me to make an exception for no-script in the security settings under ‘Warn me when sites try to install add-ons’. So I pressed to make the exception for no-script, and found listed there something that made me think it could be related to firefox private network. I copied the link in a new window, which took me to the firefox private network blue window, which explained it was only available in the US, with a button underneath to get into line to get it when available. So I deleted this link from the exceptions because I do not want to give permission to install it.
I find it strange that Basilisk, being a fork of Firefox ver. 52, would automatically include a link to Firefox private network to make an exception to install add-ons.
So then, now I checked what was going on in the Firefox browser security settings in said exceptions section, and found two(!) links that had to do with Firefox private network. Deleted only those two, because I don’t want to give permission to installing Firefox private network add-ons. – Maybe I thought having those exceptions in settings would mean Firefox private network would automatically install by itself, but maybe they put it there so people wouldn’t have to make the exception if they want it, not sure. In my opinion, for people who don’t want it the exception shouldn’t be there without the user having put it there themselves.
Facebook VPN ?
Facebook is at least transparent about Onavo’s data-collection goals. The VPN’s privacy policy states, “We may use the information we receive to provide, analyze, improve, and develop new and innovative services for users, Affiliates and third parties.” It also reserves the right to use customer information to “Comply with applicable laws and assist law enforcement.” Privacy-focused VPNs may comply with law enforcement requests, but if they don’t keep logs, they’re unable to do so helpfully.
Unlike other providers, Onavo Protect tries to keep the VPN connected all the time, and channel all internet traffic,” says Ankur Banerjee, a security researcher who focuses on digital infrastructure. “Even turning the VPN off is buried deep inside the settings of the app rather than making it front-and-center on the app home page.
https://www.wired.com/story/facebook-onavo-protect-vpn-privacy/
Project Atlas
TechCrunch recently received a tip that despite Onavo Protect being banished by Apple, Facebook was paying users to sideload a similar VPN app under the Facebook Research moniker from outside of the App Store. We investigated, and learned Facebook was working with three app beta testing services to distribute the Facebook Research app: BetaBound, uTest and Applause. Facebook began distributing the Research VPN app in 2016. It has been referred to as Project Atlas since at least mid-2018, around when backlash to Onavo Protect magnified and Apple instituted its new rules that prohibited Onavo.
Previously, a similar program was called Project Kodiak. Facebook didn’t want to stop collecting data on people’s phone usage and so the Research program continued, in disregard for Apple banning Onavo Protect.
https://techcrunch.com/2019/01/29/facebook-project-atlas/
Way too late from FF, even without issues. I agree that Cloudflare MIGHT not be good option as well.