An in-depth Firefox Security Guide is a guest post written by Christopher Chambel.
Firefox is awesome! No, seriously, it is. Why? It has countless add-ons, it's open source, it offers many tweaks and, most of all, the browser respects your privacy and a lot of effort goes into keeping it secure.
In this post, we will be talking about both the security and privacy side of the Firefox browser. First we will discuss general Firefox settings, then go “under the hood” and finally, recommend some extensions. The current version of Firefox is 11.0. I cannot guarantee all these tweaks will work in future versions.
General Firefox Settings
First, I will go over the basic privacy settings in the general settings, which can be found in the options bar in Firefox 11 (Firefox > Options > Options) or, for iOS, under Preferences.
- Privacy: Enable the DNT (Do-Not-Track) option. For history, use custom settings. "Always use private browsing mode" should be enabled. "Remember my browsing history", "Remember download history" and "Remember search and form history" should be turned off. Keep "Accept cookies from sites" checked, but un-check "Accept third party cookies" as they aren't needed often. Location bar: select "Suggest nothing".
- Security: Enable "Warn me when sites try to install add-ons", "Block reported attack sites" and "Block reported web forgeries". Under Passwords, disable "Remember passwords for sites" and use a master password.
- Advanced - General - System Defaults: Disable "Submit crash reports and performance data".
- Advanced - Network - Offline Storage: Check "Override automatic cache management and limit cache to 0MB space". Further—you can un-check "Tell me when a website asks to store data for offline storage use".
- Advanced - Encryption: Ensure both "Use SSL 3.0" and "Use TLS 1.0" are enabled. Then click "Validation" and check "When an OCSP server connection fails, treat the certificate as invalid".
Under the Hood
For these settings, you will need to type "about:config" without the quotes into the URL bar to get the Firefox registry panel. This section is all thanks to JonDo—please give them full credit for the tweaks I’m about to mention here.
- about:config -> geo.enabled -> double click to false – what does this do? When this is enabled, websites will be able to identify your location based on your IP address.
- about:config -> browser.sessionhistory.max_entries -> change value to 2 – this increases your privacy.
- about:config -> dom.storage.enabled -> double click to false – this should always be set to false. Leaving this enabled lets the browser store data on your computer.
- about:config -> browser.display.use_document_fonts -> change value to 0 – This limits the fonts the browser sends to websites you visit. The set of fonts on your computer can be unique, and it could identify your workplace.
- about:config -> browser.cache.offline.capacity -> change to 0 – without going into depth, this one is like the two below. It prevents the browser from storing local data.
- about:config -> browser.cache.offline.enable -> change to false – This prevents the browser from storing cache on your system.
- about:config -> browser.cache.memory.enable -> change to false – again this is better off left at false. It prevents the browser from storing cache memory on the computer.
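To check locally which of the tweaks above are actually in effect, this added example (not part of the original post or of JonDo's material) parses a profile's prefs.js and compares it with the values listed. It assumes the usual `user_pref("name", value);` line format; `SAMPLE_PREFS` is constructed, and `parse_prefs` and `audit` are names chosen here.

```python
import re

# Values recommended in the about:config list above.
RECOMMENDED = {
    "geo.enabled": False,
    "browser.sessionhistory.max_entries": 2,
    "dom.storage.enabled": False,
    "browser.display.use_document_fonts": 0,
    "browser.cache.offline.capacity": 0,
    "browser.cache.offline.enable": False,
    "browser.cache.memory.enable": False,
}
# prefs.js holds one user_pref("name", value); entry per line.
PREF_RE = re.compile(r'^\s*user_pref\("([^"\n]+)",\s*(.+?)\s*\);\s*$', re.M)
# Constructed sample, not taken from a real profile.
SAMPLE_PREFS = """# Mozilla User Preferences
user_pref("geo.enabled", false);
user_pref("browser.sessionhistory.max_entries", 50);
user_pref("browser.display.use_document_fonts", false);
user_pref("browser.cache.offline.capacity", 0);
user_pref("browser.startup.homepage", "about:blank");
"""

def parse_prefs(text):
    """Return {name: value} with values converted to bool, int or str."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):  # non-matching lines are skipped
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text):
    """Map each recommended pref to ('ok' | 'differs' | 'unset', current value)."""
    prefs, report = parse_prefs(text), {}
    for name, want in RECOMMENDED.items():
        have = prefs.get(name)
        if name not in prefs:
            status = "unset"  # prefs.js lacks it: browser default in effect
        else:  # compare type too, since False == 0 in Python
            status = "ok" if (type(have), have) == (type(want), want) else "differs"
        report[name] = (status, have)
    return report

if __name__ == "__main__":
    for name, (status, have) in audit(SAMPLE_PREFS).items():
        print(f"{status:8} {name} = {have!r}")
```

A pref reported as unset has never been changed, because prefs.js only records values that differ from the browser default.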
To determine how well your browser is managing before and after these tweaks, go to JonDo and click on "anonymity test". You can also check your online fingerprint at the EFF (Electronic Frontier Foundation) project.
Firefox Recommended Extensions
- Adblock Plus—I recommend this extension for beginner to intermediate computer users. Adblock Plus is a useful extension that blocks annoying ads and prevents them from tracking you.
- NoScript—I recommend NoScript for advanced computer users as a replacement for Adblock Plus. This extension will block all scripts on a page to give you the maximum privacy and security possible.
- HTTPS Everywhere—This is a fantastic extension provided by the Electronic Frontier Foundation. Basically, HTTPS Everywhere enables a secure connection on pages that have SSL certificates. For example, most people use the unencrypted version of Google search. This extension will force Google to use its SSL certificate.
- BetterPrivacy—This extension is pretty basic, but a must have. Basically, BetterPrivacy deletes flash cookies (LSOs/SuperCookies).
- MD5 Reborned Hasher—This one is for the nerds. MD5 Reborned Hasher ensures whatever you are downloading from the internet hasn't been tampered with. To make this work: copy the MD5, SHA1, SHA256 or one of the others, download the file and, when it is complete, click "digest", then generate digest, then paste your code. It will then let you know whether the two match or not.
- KeyScrambler—Another great extension for Firefox. If a hacker installs a keylogger on your computer while you use this extension, your words will be scrambled into unreadable text.