My Firefox Security Profile - gHacks Tech News

My Firefox Security Profile

I explained in the article Working With Several Firefox Profiles how I'm using several Firefox profiles for certain tasks like normal surfing, testing and visiting secure websites. I'm using one profile to visit my bank's website and any other secure site related to finance and personal information. That approach makes sure that I cannot land on a site that is using a browser exploit to grab the data from those sites. It's basically whitelist surfing.

I only visit those x sites and none other using that profile. Several users have asked me in the original article to list the security add-ons that I'm using in that profile, and I finally found the time to list them here. Please don't be disappointed when you see the low number of add-ons that I'm using. Each additional add-on increases the risk of a security vulnerability, and I like to minimize that possibility as much as possible.

The main add-on that I'm using for the whitelist approach is NoScript which allows me to define exactly which websites are allowed to execute scripts. Since I'm only visiting the same x websites I make sure that they have the permissions they need to work properly. Every other website is blacklisted so to speak.

NoScript takes care of scripts on webpages but ignores cookies. I'm using the same whitelist approach to manage the cookies. CS Lite is the add-on that I'm using for that purpose. Cookies are only enabled on the sites in my whitelist and disabled for every other website.

Those two are sufficient to get rid of most of the dangers that lurk on the Internet. I visit those websites manually all the time which gets rid of most phishing attempts or altered bookmarks. Passwords are never saved for obvious reasons.

In the past I used several additional add-ons, View Dependencies and Show IP, to increase security even further, but I decided to reduce the number of add-ons to decrease the chance that one of them poses a security risk. I can still manually check a website if I suspect it to be a forgery. (Using Opera)
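The default-deny decision that the script and cookie whitelists above amount to, as an added example (not code from NoScript, CS Lite or this article). The host names are constructed placeholders, and the HTTPS-only rule and subdomain matching are assumptions of this sketch:

```javascript
// Added example: default-deny host allowlist for a dedicated "secure" profile.
// Host names are constructed placeholders, not real sites.
const ALLOWLIST = new Set(["bank.example", "broker.example"]);

// Reduce a URL to the host the browser would actually connect to.
function effectiveHost(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null; // unparsable input is never trusted
  }
  if (url.protocol !== "https:") return null; // assumption: HTTPS only
  // hostname excludes userinfo and port; strip a trailing root dot.
  return url.hostname.toLowerCase().replace(/\.$/, "");
}

// Allow exact hosts or true subdomains of an allowlisted host, nothing else.
function isAllowed(rawUrl, allowlist = ALLOWLIST) {
  const host = effectiveHost(rawUrl);
  if (host === null) return false;
  for (const entry of allowlist) {
    if (host === entry || host.endsWith("." + entry)) return true;
  }
  return false; // every other site is denied by default
}

// The two things the profile controls per site: scripts and cookies.
function policyFor(rawUrl) {
  const ok = isAllowed(rawUrl);
  return { scripts: ok, cookies: ok };
}

// Constructed sample URLs, including lookalikes a naive substring check accepts.
const samples = [
  "https://bank.example/login",
  "https://login.bank.example:443/",
  "https://bank.example.evil.test/",    // allowlisted name used as a prefix
  "https://bank.example@evil.test/",    // allowlisted name in the userinfo part
  "https://evilbank.example/",          // suffix match without a dot boundary
  "http://bank.example/",               // not HTTPS
];
for (const s of samples) console.log(s, JSON.stringify(policyFor(s)));
```

Only the first two samples are allowed; the lookalike hosts fail because the match is made on the parsed host name with a dot boundary rather than on the raw URL string.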




  1. darkkosmos said on May 28, 2008 at 5:49 pm

    If I have a firewall like nod32 (latest version) together with CS Lite do I still need noscript?

  2. Martin said on May 28, 2008 at 6:51 pm


  3. darkkosmos said on May 28, 2008 at 8:04 pm

    Please explain further :)

  4. Martin said on May 28, 2008 at 8:39 pm

    Well a Firewall does not protect against all the attacks that can be started from a website. Take phishing for instance, or vulnerabilities in Flash.

  5. darkkosmos said on May 28, 2008 at 8:42 pm

    Well phishing doesn’t need javascript and I’ve already got flashblock. Thank you for your help :D

  6. Martin said on May 28, 2008 at 8:45 pm

    Well how about Java then, or Microsoft Silverlight, Adobe PDF, Apple Quicktime or any other plugin installed?

  7. Digitarius said on May 29, 2008 at 2:03 pm

    Not a bad setup. I always have Adblock Plus, Flashblock, CS Lite, and Noscript going, a HOSTS file that has a huge blacklist, and OpenDNS.

    That cuts down the risk by a lot, but it doesn’t really comp for friendly sites being compromised, like when the Dept of Homeland Security’s site was pushing malicious javascript. The multiple profiles is a great idea, but seems a little hard to use since you have to shut down your normal browsing.

    If you want to be paranoid, run a Virtual Machine in VMWare Player. Totally free, and they have “appliances” geared toward exactly this. Browse in the (Linux based, so fairly light) VM and never save its state… doubt you’ll run into problems that way.

  8. Martin said on May 29, 2008 at 2:18 pm
  9. darkkosmos said on May 29, 2008 at 6:28 pm

    @martin I don’t have silver light, java will ask for confirmation, PDF is taken care of by nod32 and I don’t have quicktime (anymore) :)

    But I got noscript back after I got attacked by rickrolls XD

  10. sarah said on January 25, 2009 at 3:10 am

    please some 1 tell me how to cancel firefox… pls email me where to find the option to cancel coz i cant get any videos while i have it installed
