The Best Firefox Security Add-Ons - gHacks Tech News

The Best Firefox Security Add-Ons

One of the biggest features and strengths of the Firefox web browser is its extensions engine and the support it receives from the Firefox community. Users find thousands of different add-ons for virtually any purpose in the official extensions gallery over at Mozilla. Mozilla tries its best to promote popular and interesting add-ons, but the sheer number makes that attempt more or less futile.

This guide to the best Firefox security add-ons is for Firefox users who want to improve their web browser's security and protection from attacks on today's Internet. You do not necessarily need to install all of the add-ons to protect your browser from malicious attacks, as some may only be useful if you visit specific websites or types of sites regularly.

The list concentrates on security-related add-ons, not privacy-related ones. Only extensions that are compatible with at least Firefox 4 have been included in the list.

My Extensions

Those are extensions that I use on my private PC. I thought it would be a great way to start with a selection of add-ons that I personally use all the time, and list the remaining extensions in the second part of the article.

NoScript - Most malware and attacks on the Internet are script based. If a script cannot run, it cannot attack your computer, and that is what NoScript enforces: it blocks all scripts from running on all pages and websites on the Internet. You can whitelist scripts for a session or permanently if you trust a website.

A must-have extension and one of the main reasons that I'm still using the Firefox web browser and not another browser.

Alternative: YesScript, which allows all scripts and gives you the option to disable select ones.


LastPass Password Manager - LastPass is a password manager, which makes the add-on security related. It stores the passwords online, which means that you can access them from any PC that LastPass is installed on, provided that you have an Internet connection on that PC. It features a secure password generator, form filler and note taking, along with the usual options like automatically logging you in on websites or an on-screen keyboard.

The company recently created a tool called LastPass Security Challenge which goes through your stored passwords to rate them individually and overall.

Firefox Security Add-Ons

BrowserProtect - Protects your web browser's settings and preferences from being tampered with. Some programs that you install on your computer change Firefox settings either automatically or if you do not pay attention to the installation dialog. Browser Protect for Firefox shields the browser by monitoring the browser configuration. It is for instance effective against homepage hijacking or search engine provider changes.


HTTPS Finder - It is always safer to use https when available, as it protects the information from network snooping and other possible attack forms. HTTPS Finder informs you if a website supports HTTPS, with an option to automatically switch to the HTTPS protocol. A similar feature is provided by NoScript. [Update: no longer available, use HTTPS Everywhere instead]

Master Password+ - Passwords stored in Firefox's default password manager are not secured at all by default. Anyone with access to the computer can access both usernames and passwords for all sites. The Master Password is a way to protect the password list in Firefox. Master Password+ improves that feature, for instance by prompting for the master password on browser startup or locking up the browser window if the master password is not supplied.

Whois Lookup - It sometimes pays to know who owns and administrates a website. This is done with a Whois Lookup, which you can do manually on many whois related sites on the Internet, or semi-automatically with the Firefox extension Whois Lookup. [Update: no longer available, try DT Whois instead]


Host Permissions - Allows you to disable permissions for individual hosts. Permissions include images, redirects, plug-ins, JavaScript and frames.


Alternative: Bookmark Permissions, does the same, only for bookmarks.

FEBE - Firefox Environment Backup Extension allows you to back up Firefox data, including extensions, themes, preferences, passwords and cookies, regularly. I personally prefer MozBackup for this, but this extension is a solid alternative.

Perspectives - Helps Firefox users securely identify Internet servers by verifying certificates using a collection of Network Notaries.


NoRedirect - Gives you back control over HTTP redirects. Many ISPs these days redirect you to their own search page if you mistype a web address in a browser. NoRedirect in addition offers previews for shortened URLs and stops the redirection of smart error pages and more.

Dr. Web Anti-Virus Link Checker - Send files that you want to download to an online virus scanner before you do so. This can be done without downloading the file first to your computer.

Alternative: VTZilla (Caution: Not hosted on that sends files to Virus Total where they are checked against 40 different antivirus engines.

Web of Trust - Displays rating symbols for websites that you visit. Ratings include trustworthiness, vendor reliability, privacy and child safety.


Alternative: LinkExtend - Uses eight safety services instead of just one to rate links before you visit the web sites.

Search Engine Security - Changes the referrer when visiting web pages from search engines to protect against some forms of malicious redirects.

Closing Words

Firefox users can improve the security of the web browser significantly with add-ons. Many add additional layers of protection to the browser, which can keep you safe, or at least safer, on the Internet.

Did I miss a security add-on that you use all the time? Let me know about it in the comments.


    1. Vineeth said on May 1, 2011 at 12:09 pm

      Awesome article !!
      A couple more which I use are

      1. Adblock Plus with Malware Subscription ( at the bottom, under Miscellaneous category.

      2. Https Everywhere by EFF

      1. Jyo said on May 1, 2011 at 7:39 pm

        Thanks! I never knew ABP could be useful for blocking malware domains. Do you know if this blocks the whole site? or the actual malware itself when visiting those sites?

        1. Vineeth said on May 2, 2011 at 3:57 am

          A long but interesting read :)

          In short, the malware subscription blocks ALL content from malware hosting sites.

          @Martin Brinkmann: You could spread the news of the malware subscription ;)

        2. Martin Brinkmann said on May 2, 2011 at 8:18 am

          Vineeth good addition, I did not think about that.

      2. Gary M. Mugford said on May 2, 2011 at 8:34 pm

        I was a little surprised HTTPS-Everywhere didn’t make the initial cull. It, NoScript, AdBlock and some common sense are just about the right solution set … except an issue that I have seen cropping up with HTTPS-Everywhere in this 0.9.5 version (and the ‘a’ update doesn’t fix the issue for me). I couldn’t complete any searches at Google Images Search. Putting in something non-threatening like “royal wedding” results in: Your search – royal wedding – could not be completed with the requested search options. Any search term fails similarly. You have to go into the HTTPS-Everywhere options and deselect Google Search to get around the issue. At least that’s the case on my XP machine running FF 3.6.17. Still, I wouldn’t dream of turning off the add-on over that single issue.

        1. Martin Brinkmann said on May 2, 2011 at 9:44 pm

          Gary it was not added because it is not hosted on I know that I made an exception for VTZilla but I have added a big warning to it. That, and you can use NoScript for that as well.

        2. Gary M. Mugford said on May 3, 2011 at 1:05 am


          That’s fair. The article is excellent in its scope and just following your recommended course would lessen the amount of after-disaster support I have to offer friends and family who don’t see the need for comprehensive security protocols. I have bookmarked the posting and emailed the link to my family group in the hopes one or two will actually follow it up (g).

        3. Martin Brinkmann said on May 3, 2011 at 9:40 am

          Let’s hope they do ;)

    2. Pete said on May 1, 2011 at 12:10 pm


      It does exist a same add-ons than HTTPS Finder, it’s HTTPS everywhere which is develop by the EFF ( Flagfox ( is the same than Whois Lookup
      And I’m using also, Ghostery against trackers ( and BetterPrivacy against cookies LSO (
      And there is also Perseus ( which is interesting.

      Great blog and job, it’s always interesting.

    3. me said on May 1, 2011 at 1:27 pm

      Hi. What about Chrome extensions?
      and why didn’t you write about staying anonymous online not just how to protect from malware?

      1. Richard Jones said on May 1, 2011 at 3:27 pm

        “Hi. What about Chrome extensions?”

        Look at the subject line of the article.
        It is called topic.

        “and why didn’t you write about staying anonymous online not just how to protect from malware?”

        Look at the subject line of the article. That was not the scope of this article.

        1. me said on May 1, 2011 at 5:08 pm

          I know that but want to ask when ghacks will write something about Chrome extensions and staying anonymous.

    4. anon said on May 1, 2011 at 1:32 pm
    5. fox on fire said on May 1, 2011 at 1:54 pm

      Sorry Martin but this tsunami of Firefox topics is a bit too much. All these plugins and security issues are plain pain. I’ve been using Opera for good 6 years now with no security issues and no need for plugins, it’s all included. Well, most of it… ;)

      1. Jojo said on May 2, 2011 at 5:03 am

        That’s wonderful for you…

    6. -e!- said on May 1, 2011 at 3:58 pm

      Regarding Passwords i would recommend PasswordHasher – no passwords are stored any longer, as they are generated on the fly.

    7. Ken Saunders said on May 1, 2011 at 8:37 pm

      I don’t think many people realize how much work it is to consistently produce fresh content (unless they do it themselves). There’s research, gathering links, creating screen shots, writing and proofreading, coding it all, uploading everything, checking your work several times before pushing it live, and then moderating and replying to comments.

      Martin, you’re great at what you do and I find your content to be useful and informative. That’s why I’m a frequent visitor.
      Thanks for the -FREE- service.

      I suppose that you could have included some privacy and cookie add-ons here and EasyPrivacy for Adblock Plus. I feel that privacy falls under security. Perhaps that would make for another good article(?).

      1. Martin Brinkmann said on May 1, 2011 at 8:41 pm

        Ken I was thinking along the same line, will do a second article that deals with privacy and anonymity exclusively.

    8. boris said on May 2, 2011 at 1:56 am


      You really do not need any more if you have these five.

    9. AnonCoward said on May 2, 2011 at 2:43 am

      Karma Blocker ( ) – the only addon I truly miss after making the switch to Opera.

    10. JC said on May 2, 2011 at 3:14 am

      Or ….

      Get a MacOS (maybe Linux, too?) computer with the browser of your choice (and Last Pass) and you will be just as invulnerable to malware, which is 99.999% Windows.

      I find it interesting that you don’t mention this in such a comprehensive article.


      1. Martin Brinkmann said on May 2, 2011 at 8:20 am

        Well I did not mention operating systems because the guide is about security add-ons in Firefox.

      2. Jojo said on May 2, 2011 at 9:51 am

        Sigh. The only reason we don’t hear much about attacks on Apple & Linux is that relatively few people use those OS’s. If you are a hacker, why waste time developing malware for systems with no users (and those OS’s DO have holes and have been hacked)? Here are the latest stats on OS usage:


        MacOSX has 6.5% and Linux LESS THAN one%! [lol]

    11. Luis Gonzalez said on May 2, 2011 at 5:25 am

      I for one like these FF articles, but would love to see different ways (out of Firefox) for privacy and anonymity.

    12. Thomas said on May 2, 2011 at 11:31 am

      I’d like to add the addon RequestPolicy that I’m using together with lots of mentioned addons here. It gives you control over cross-site requests.

      1. kktkkr said on May 3, 2011 at 6:39 pm

        I only use RequestPolicy. (I find Noscript/WOT a bit too intrusive in browsing experience). It only does half the job of NoScript and Adblock, but it can be powerful combined with common sense. The whitelist model can get annoying though.
        I would use anti-LSO addons if not for the risk of destroying data from flash games. Besides, that falls more in the realm of privacy addons.

    13. Deborah said on May 2, 2011 at 6:13 pm

      Thank you, Martin, for including WOT among the top security add-ons. Our Web of Trust (WOT) add-on has experienced remarkable growth having just crossed the 20 million downloads mark over Easter weekend. More and more web surfers are counting on WOT to help them avoid clicking on risky sites.

      In the next weeks, we’ll be expanding our crowd-sourced protection to help millions of others stay safe while sharing links. Watch for announcements. Meanwhile we invite all readers of Ghacks to join WOT and add your voice to the reputation ratings of over 31 million unique sites on the web.

      Safe surfing,
      CMO | WOT Services Ltd.

      1. Jojo said on May 2, 2011 at 7:14 pm

        Here’s a tip for NoScript users that people may not know about.

        When you are on a website and are selectively deciding what sites to allow to run scripts, often you don’t really know anything about some of these sites (the list can be very long!) but want/need to learn more before you choose to allow their script to run.

        So while looking at the NoScript list, (mouse onto the NoScript icon in the add-on bar and the list will pop up), if you middle mouse click on an entry, you will be taken to a new page titled “Security and Privacy Info”. WOT is the first entry of the four listed (and IMO, the only really useful one).

      2. boris said on May 3, 2011 at 12:09 am

        WOT creates too many false negatives when browsing filesharing websites.

    14. Bangre said on May 3, 2011 at 10:40 am

      KeyScrambler is also a good add-on for Firefox. It protects the user from keyloggers.

    15. Aaabbcde said on May 7, 2011 at 10:58 am

      trade in spare

    16. addingug said on August 1, 2011 at 2:17 pm

      bb.txt open error

    17. Thrawn said on May 30, 2012 at 2:51 am

      @Martin: VTZilla is now (2012-05-30) hosted on, currently in Experimental status.

      @kktkkr: You should at least leave NoScript installed, because even when you allow all scripts by default, it still protects you from things like cross-site scripting, clickjacking, some types of CSRF, etc, and lets you blacklist sites. You could also try the ‘Temporarily allow top-level sites by default’ mode, allowing first-party scripts but not third-party. Or you can tell it to ‘Apply these restrictions to whitelisted sites too’ to get click-to-play for all plugins (like Flashblock, but more reliable).

      @Thomas: I too use & like RequestPolicy. However, if you’re really into controlling cross-site requests, you might want to examine NoScript’s ABE module, which gives you a much more flexible engine, allowing you to create carefully-tailored rules to protect sensitive sites. Currently it requires writing rules by hand, but I’m trying to help with that;
