An in-depth Firefox Security Guide
An in-depth Firefox Security Guide is a guest post written by Christopher Chambel.
Firefox is awesome! No, seriously, it is. Why? Countless add-ons, it's open source, has many tweaks and most of all: the browser respects your privacy and dedicates a lot of effort to keeping the browser secure.
In this post, we will be talking about both the security and privacy side of the Firefox browser. First we will discuss general Firefox settings, then go "under the hood" and finally, recommend some extensions. The current version of Firefox is 11.0. I cannot guarantee all these tweaks will work in future versions.
General Firefox Settings
First, I will go over the basic privacy settings in general settings, which can be found in the options bar in Firefox 11 (Firefox > Options > Options) or for iOS, Preferences.
- Content: Enable "Block pop-up windows" and disable JavaScript when it isn't needed.
- Privacy: Enable DNT (Do Not Track). For history, use custom settings. "Always use private browsing mode" should be enabled. "Remember my browsing history", "Remember download history" and "Remember search and form history" should be turned off. Keep "Accept cookies from sites" checked, but un-check "Accept third-party cookies", as they aren't needed often. Location bar: select "Suggest nothing".
- Security: Enable "Warn me when sites try to install add-ons", "Block reported attack sites" and "Block reported web forgeries". Under Passwords, disable "Remember passwords for sites" and use a master password.
- Advanced - General - System Defaults: Disable "Submit crash reports and performance data".
- Advanced - Network - Offline Storage: Check "Override automatic cache management and limit cache to 0MB space". Further—you can un-check "Tell me when a website asks to store data for offline storage use".
- Advanced - Encryption: Ensure both "Use SSL 3.0" and "Use TLS 1.0" are enabled. Then click Validation and check "When an OCSP server connection fails, treat the certificate as invalid".
Under the Hood
For these settings, you will need to type "about:config" without the quotes into the URL bar to open Firefox's advanced configuration editor. This section is all thanks to JonDo—please give them full credit for the tweaks I’m about to mention here.
- about:config -> geo.enabled -> double click to false – what does this do? When this is enabled, websites will be able to identify your location based on your IP address.
- about:config -> browser.sessionhistory.max_entries -> change value to 2 – this limits how many back/forward history entries Firefox keeps per tab, which reduces what can be recovered from a session and so increases your privacy.
- about:config -> dom.storage.enabled -> double click to false – this should always be set to false. Leaving this enabled lets the browser store data onto your computer.
- about:config -> browser.display.use_document_fonts -> change value to 0 – this limits the fonts Firefox exposes to websites you visit. The set of fonts on your computer can be quite unique and could identify your workplace.
- about:config -> browser.cache.offline.capacity -> change to 0 – without going into depth, this one is like the two below. It prevents the browser from storing local data.
- about:config -> browser.cache.offline.enable -> change to false – This prevents the browser from storing cache on your system.
- about:config -> browser.cache.memory.enable -> change to false – again this is better off left at false. It prevents the browser from storing cache memory on the computer.
To see how your browser fares before and after these tweaks, go to JonDo and click on "anonymity test". You can also check your online fingerprint at the EFF (Electronic Frontier Foundation) Panopticlick project.
Firefox Recommended Extensions
- Adblock Plus—I recommend this extension for beginner to intermediate computer users. Adblock Plus is a useful extension that blocks annoying ads and prevents them from tracking you.
- NoScript—I recommend NoScript for advanced computer users as a replacement for Adblock Plus. This extension will block all scripts on a page to give you the maximum privacy and security possible.
- HTTPS Everywhere—This is a fantastic extension provided by the Electronic Frontier Foundation. Basically, HTTPS Everywhere enables a secure connection on pages that have SSL certificates. For example, most people use the unencrypted version of Google search. This extension will force Google to use its SSL certificate.
- BetterPrivacy—This extension is pretty basic, but a must have. Basically, BetterPrivacy deletes flash cookies (LSOs/SuperCookies).
- MD5 Reborned Hasher—This one is for the nerds. MD5 Reborned Hasher ensures whatever you are downloading from the internet hasn't been tampered with. To make this work: copy the MD5, SHA1, SHA256 or other digest the site publishes, download the file, and when it is complete click "digest", then "generate digest", then paste your copied digest. It will then let you know whether the two match or not.
- KeyScrambler— another great extension for Firefox. When a hacker installs a keylogger onto your computer and you use this extension, your words will be scrambled into unreadable text.
It’s 2016, Firefox is @ v46.0.1…this article NEEDS updated.
Good information nevertheless ;)
ayesh, you have no clue.
Don’t take this offensively, but I’m wondering why you dear friends keep doing all of this.
Basically these features are for the users to make their lives easier. Remembering the passwords, history, caches, etc.
I will never turn off these features in my private computer.
But I’m concerned about fb like buttons and other third party poppers who keep tracking all my page visits. I have blocked analytics, fb like buttons and I’m confident that I’m secured.
Gmail forces the browser to load the page when the browser starts, but many of the sites ask the browser nicely if they don’t want to cache the site.
Images, CSS and JavaScript, what’s the problem with them?
Someone who steals my laptop can get cached CSS files from the disk cache and they will find it useful? (assuming I have set up Firefox Sync and a master password.)
As always …. thankfully …. there is a Firefox addon that allows you to sort and manipulate the entries in the memory cache called CacheViewer Continued. Found it after I had posted the comment about it would be a nice thing to be able to manipulate the contents of the cache to see which were the largest files, and what files came from particular sites. This addon seems to provide all of that
Michael
Martin,
I think there is an unintended side effect to the piece of advice
Advanced – Network – Offline Storage: Check “Override automatic cache management and limit cache to 0MB space”
Whilst from a security perspective, setting the cache limit to 0Mb does mean that no-one can glean or modify data for web pages you have visited, since none of them will be cached on your system, there is a practical downside to this. Since a previously visited page has not been cached, when you go back to the page, as you may do when working on a web site, the entire page will have to be downloaded again rather than re-loaded from cache. If you are moving around a complex news site this can be quite an additional overhead and bouncing around anything with video is costly.
This is obviously not a problem if you have an unlimited download plan from you ISP, but if you have a cap on your download then this additional overhead can be potentially annoying. With my capped plan I work on the assumption that my normal monthly usage would account for 30-40% of my plan, leaving a reasonable amount for downloading linux operating systems and programs and the odd video during the month.
Fortunately, I checked my current monthly usage, since I discovered that I had used 66% of my cap in less than 50% of the period and that my daily usage, with no change in usage pattern, was three to four times my usual usage pattern. There was a busy day of downloading but nothing to account for the overall increase in usage.
I have now reverted to 100 Mb cache and my daily usage has dropped back to its normal level. Pages are now re-loading faster, since they are being drawn from the cache rather than from the web. There may be an additional security risk associated with this approach, but since I automatically clear my cache whenever I close Firefox I believe the problem is minimised. Certainly the slight security risk is better than being dropped from 4G wireless speeds to 64k shaped usage speed because I have been unwittingly downloading more web pages than I thought
Regards
Michael
Michael, you are right, obviously, in that eliminating the cache, you will always download the website on every visit again. One option that you might want to consider is to use a ramdisk, and set it as the cache of your browser. This saves the cache in the RAM, and while it is gone when you turn off the PC, it may still mean that you will save bandwidth after all, without interfering with the security aspect.
Martin
You can also get Firefox to write the cache to memory rather than to disk with the following settings in about:config
browser.cache.disk.enable;false
browser.cache.memory.capacity;102400
browser.cache.memory.enable
there may be a need to alter the following setting and increase the size of the stored entry above 5 Mb but I can’t see the real necessity at the moment.
browser.cache.memory.max_entry_size;5120
These settings and others can be altered “more easily” via the firefox addon gui:config which takes the angst out of trying to remember what the relevant Preference Name is in about:config and also provides additional help notes as to the particular settings and what they do
One can of course use about:cache to see how much cache is being utilised at a particular time and you can also “list the cache entries” to see what entries are stored in the cache, their size and also the number of times a particular element has been referred to, the “Fetch Count” which is relevant in terms of this discussion.
The cache can be cleared at any time by utilising the Clear Now button in Preferences – Advanced – Network or by double clicking the value of browser.cache.memory.enable from true to false to true. It would be great if the entries in the list could be sorted by Key (since keys from a particular site are scattered throughout the list, which makes analysis rather tedious), Size and Fetch Count. Perhaps something we may get in the future
Regards
Michael
Michael, thanks for posting the instructions. You are right of course, and this should definitely help users who are looking for clear instructions. I think I have published a guide here on Ghacks in the past as well.
Thanks for the about:config suggestions!
As you said, there are stacks of security-related Firefox addons, some of which you’ve covered, including NoScript, which is arguably the #1 security extension that everyone should install & learn to use (if only in its more permissive modes). However, here are some more of my favorites:
HTTPS Finder is a great companion to HTTPS Everywhere. It probes the sites you visit for HTTPS support, and can automatically swap you over to HTTPS (and write HTTPS Everywhere rules for you).
Certificate Patrol will record which security certificates sites use, and warn you if they change when they weren’t due to expire. Unfortunately various sites (Google) have a naughty habit of doing that *regularly* – but you can tell Certificate Patrol to ignore them if you want.
RefControl will allow you to spoof – or simply remove – the ‘Referer’ header, so sites have a harder time figuring out where you’ve been.
And I second Roy’s mention of RequestPolicy :). It’s in the ‘advanced user’ league, like NoScript, but very valuable for privacy, and as a security complement to NoScript.
How to “edit” information that a browser sends about installed plugins and extensions? Also the “HTTP_accept” feature.
I don’t see mentioned one of the first things I do to a fresh Fx install to increase privacy and my own peace of mind: DISABLE search suggestions (“Manage Search Engines…” from the search bar drop-down list > uncheck “Show search suggestions”). Perhaps doing so isn’t necessary when private browsing mode is enabled.
I would add Ghostery, which is a privacy extension with security features, perhaps disabling sending of the referrer, and Advanced Onion Router for using Tor.
Disabling Geo location is a good idea in particular for desktops. If enabled it’s possible for websites to get your home address if you give them permission.
To the font hack. Once I changed it to 0, I noticed font size changes on some websites. Maybe just my problem.
Nice post, although I don’t use every suggested setting, eg. i don’t like private browsing, lack of convenience ;)
BetterPrivacy isn’t a must-have anymore since version 5 of Firefox. The developer itself said so on his homepage back then (it’s mentioned in the faq). It is however still very useful if one likes to exclude certain cookies from deletion.
I have applied all of the recommended settings above and failed miserably at the JonDonym website, any ideas why?
Joseph Potter – doing the above configurations won’t turn them all green. But here are some more that should help.
browser.cache.disk.enable -> false
browser.cache.memory.enable -> false
browser.display.use_document_fonts -> change value to 0
You can also change your User Agent on Firefox. Install the following:
https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/
Then create a new user agent to:
Mozilla/5.0 (windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0
For those who like DuckDuckGo, change the default Firefox search engine (Google).
keyword.URL then put this in the box “https://duckduckgo.com/?q=”
It isn’t currently possible to have them all green. But using the above methods, both in my article and in this comment will improve your privacy and security online.
To hide your IP address you can use TOR, JonDo or Spotflux.
Thanks for the Quick Response I really Appreciate it …I definitely feel more secure but not quite ready to go to a service like Tor…GREAT ARTICLE
You are mentioning the program keyscrambler, do you mean the program from qfx software KeyScrambler 2.9.1?
http://www.qfxsoftware.com/download.htm
Corrected.
Indeed. I will contact Martin to have the link fixed. Thanks for pointing that out.
Martin, there’s a typo! browser.sessionhistory.max.entries should be browser.sessionhistory.max_entries!
A warning though, if you use the back/forward buttons a lot, this will leave you with just 2 URLs if you set it to 2, default is 50 which is quite excessive anyway, I just lower it.
geo.enabled is always opt-in, Fx will always ask you if sites wanted to use that location awareness stuff. I set it to disabled anyway.
Also, might want to add RequestPolicy in your extension list! Works great hand in hand with NoScript! And some cookie management addon so you can entirely reject everything if you’re into that, and use a whitelist instead.
Not my article, but corrected it. Thanks.
But cache is needed for faster loading of previously visited sites :/
I just noticed you meant the other one, and I just thought you meant the offline one! I’m sorry! :(
That cache.offline is not the same as the disk cache Fx uses (browser.cache.disk.enable). I honestly haven’t come across any site that uses that. Then again, I don’t use many web apps.