My Firefox Security Profile

Posted by Martin in Browsing, firefox  Tags: , ,

28

May



I explained in the article Working With Several Firefox Profiles how I’m using several Firefox profiles for certain tasks like normal surfing, testing and visiting secure websites. I’m using one profile to visit my bank’s website and any other secure site related to finance and personal information. That approach makes sure that I cannot land on a site that is using a browser exploit to grab the data from those sites. It’s basically whitelist surfing.

I only visit those x sites and none other using that profile. Several users have asked me in the original article to list the security add-ons that I’m using in that plugin and I finally found the time to list them here. Please don’t be disappointed when you see the low number of plugins that I’m using, each additional plugin increases the risk of a security vulnerability and I like to minimize that possibility as much as possible.

The main add-on that I’m using for the whitelist approach is NoScript which allows me to define exactly which websites are allowed to execute scripts. Since I’m only visiting the same x websites I make sure that they have the permissions they need to work properly. Every other website is blacklisted so to speak.

NoScript takes care of scripts on webpages but ignores cookies. I’m using the same whitelist approach to manage the cookies. CS Lite is the add-on that I’m using for that purpose. Cookies are only enabled on the sites in my whitelist and disabled for every other website.

Those two are sufficient to get rid of most of the dangers that lurk on the Internet. I visit those websites manually all the time which gets rid of most phishing attempts or altered bookmarks. Passwords are never saved for obvious reasons.

I have been using several additional add-ons in the past to increase the security even further. Those are View Dependencies and Show IP but decided to reduce the number of add-ons to decrease the chance that one of them poses a security risk. I can still manually check a website if I suspect it to be a forgery. (Using Opera)


Like such posts? Get updates via RSS NEWS FEED. Love Ghacks? Find out how you can help!

11 Users Commented In This Post

Subscribe To This Post Comment Rss Or TrackBack URL
Using Different Firefox Profiles For Various Purposes says, May 28th, 2008   

[...] you’re new here, you may want to subscribe to my RSS feed. Thanks for visiting!Martin at ghacks wrote an interesting post on how he uses a different Firefox profile for logging in to his [...]

darkkosmos says, May 28th, 2008   

If I have a firewall like nod32 (lastest version) together with CS light do I still need noscript?

Martin says, May 28th, 2008   

yes

darkkosmos says, May 28th, 2008   

Please explain further :)

Martin says, May 28th, 2008   

Well a Firewall does not protect against all the attacks that can be started from a website. Take phishing for instance, or vulnerabilities in Flash.

darkkosmos says, May 28th, 2008   

Well phishing doesn’t need javascript and I’ve already got flashblock. Thank you for your help :D

Martin says, May 28th, 2008   

Well how about Java then, or Microsoft Silverlight, Adobe PDF, Apple Quicktime or any other plugin installed ?

Digitarius says, May 29th, 2008   

Not a bad setup. I always have Adblock Plus, Flashblock, CS Lite, and Noscript going, a HOSTS file that has a huge blacklist, and OpenDNS.

That cuts down the risk by a lot, but it doesn’t really comp for friendly sites being compromised, like when the Dept of Homeland Security’s site was pushing malicious javascript. The multiple profiles is a great idea, but seems a little hard to use since you have to shut down your normal browsing.

If you want to be paranoid, run a Virtual Machine in VMWare Player. Totally free, and they have “appliances” geared toward exactly this. Browse in the (Linux based, so fairly light) VM and never save its state… doubt you’ll run into problem that way.

Run Multiple Firefox Profiles Simultaneously says, May 29th, 2008   

[...] post is a direct response to a comment from the user Digitarius on the post where I detailed my Firefox Security Profile. He assumed that it is not possible to run multiple Firefox profiles at the same time and I would [...]

Martin says, May 29th, 2008   
darkkosmos says, May 29th, 2008   

@martin I don’t have silver light, java will ask for confirmation, PDF is taken care of by nod32 and I don’t have quicktime (anymore) :)

But I got noscript back after I got attacked by rickrolls XD

Leave Your Comments Below
Hello, please leave your thought below

Please Note: Each comment will be manually approved by an admin. There is no guarantee that a comment will be posted. Please do not submit the comment multiple times.