How to make Firefox the Fort Knox of browsers

Martin Brinkmann
Mar 10, 2013

Whenever you hop on to the Internet you are facing dangers. While it is relatively safe on popular sites such as Facebook or Google, it is possible that you are deceived even there. On Facebook, it may be a link that someone posted and that you are dying to follow (Justin Bieber did this, the Pope is dead), and on Google, you may for instance be deceived by advertisements. Once you wander off those well-lit paths on the Internet, things may take a turn for the worse pretty quickly.

The following guide helps you improve the security of the Firefox web browser while you are on the Internet. As always, with better security come downsides, and while I'm happy to live with those you may not. It is up to you to implement these security related features, or skip them instead if you do not want to or can't live without a feature.

1. Up to date

The first thing you need to make sure is that Firefox is up to date. It does not really matter if you are running the stable version of the browser, or one of the development versions - Beta, Aurora or Nightly - as all should be updated when new versions come out.

Why? Because updates more often than not fix security issues found in the browser. They may also improve the overall stability of it, or add new features to the browser that you may benefit from.

To check for updates click on Firefox > Help > About Firefox. This runs a manual check for updates. Note that development versions of Firefox receive frequent updates while the stable build is only updated occasionally.

You may also want to check the update preferences in Firefox. To do so click on Firefox > Options > Advanced > Update. Here you find if and how automatic updates are configured in Firefox.

The recommended setting is to install updates automatically. This may not always be possible though, for instance in company networks where updates need to be tested before they are deployed.

2. Plugins

Take a long hard look at the plugins that are installed in your browser. You can do so by loading about:addons in the browser's address bar and clicking on the plugins listing on the left after the page has loaded.

Chances are you do not really need most of them. You can disable plugins with a click on the disable button so that they are not executed automatically anymore when you visit websites that use them. I'd highly recommend disabling all plugins here, maybe with the exception of Adobe Flash if you make use of it.

It is also important to make sure you are running the latest version of plugins that you use in Firefox. Mozilla has created a plugin check website for that. Just visit the website and look at the information displayed there. If plugins are out of date, update them immediately.

Suggestion: Turn off all plugins and work just like you always do. You will notice when something is not working right anymore. If that is the case, enable the plugin you need again but leave the remaining plugins disabled.

You may also want to consider enabling click to play in Firefox. The feature has not found its way into the options of Firefox yet. To activate it, load about:config in Firefox and filter for the term plugins.click_to_play here. Double-click the parameter that appears to set it to true. This enables click to play in Firefox.

3. Passwords

If you are using the built-in password manager, make sure you set a Master Password to protect the account data from other users with access to the system. To do so click on Firefox > Options > Security and check the use a master password box there. This protects the password storage with the password you select here, so make sure it is reasonably secure and complex.

Using Firefox as your password storage is usually not the best idea. While it is reasonably secure once you have set a master password, you do not get features such as a secure password generator which you can make good use of. Extensions such as Last Pass or standalone programs like KeePass provide you with additional tools that help you in this regard.

4. Cookies

Cookies are related to privacy more than they are to security. What you may want to do is block third party cookies in Firefox to eliminate much of the tracking that is going on. To do so click on Firefox > Options > Privacy and switch from Remember history to use custom settings for history.

There you find the accept third-party cookies menu, which you can switch to never to block them outright; alternatively, configure Firefox to clear cookies on exit.
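
An added example (not from the original article): a small Python check of a profile's prefs.js against the update, click-to-play and cookie settings recommended in sections 1, 2 and 4. Only plugins.click_to_play is named in the article; the other preference names, the defaults and the sample file are assumptions for Firefox releases of that period.

```python
import re

# Assumed defaults for prefs absent from prefs.js (only changed values are stored).
# Only plugins.click_to_play is named in the article; the rest are assumptions.
DEFAULTS = {
    "app.update.enabled": True,
    "app.update.auto": True,
    "plugins.click_to_play": False,
    "network.cookie.cookieBehavior": 0,  # 0 = accept all, 1 = no third-party
    "network.cookie.lifetimePolicy": 0,  # 2 = keep cookies for the session only
}

# One check per recommendation: (label, predicate over effective prefs).
CHECKS = [
    ("automatic updates",
     lambda p: p["app.update.enabled"] is True and p["app.update.auto"] is True),
    ("click to play", lambda p: p["plugins.click_to_play"] is True),
    ("third-party cookies blocked or cookies cleared on exit",
     lambda p: p["network.cookie.cookieBehavior"] in (1, 2)
     or p["network.cookie.lifetimePolicy"] == 2),
]

PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Return {name: value} for every user_pref(...) line; other lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue
        raw = m.group(2).strip()
        if raw in ("true", "false"):
            prefs[m.group(1)] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[m.group(1)] = int(raw)
        else:
            prefs[m.group(1)] = raw.strip('"')
    return prefs

def audit(text):
    """Return the labels of the recommendations the profile does not meet."""
    effective = {**DEFAULTS, **parse_prefs(text)}
    return [label for label, ok in CHECKS if not ok(effective)]

# Constructed sample, not taken from a real profile.
SAMPLE_PREFS = """# Mozilla User Preferences
user_pref("app.update.auto", false);
user_pref("browser.startup.homepage", "about:home");
user_pref("network.cookie.cookieBehavior", 1);
"""

if __name__ == "__main__":
    print("not set as recommended:", audit(SAMPLE_PREFS))
```

Run it against a copy of prefs.js from the profile folder while Firefox is closed, since the browser rewrites that file on exit.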

5. NoScript

NoScript is the essential security add-on for Firefox. It blocks all scripts - JavaScript and plugins for instance - from being executed when you open a website in the browser. It comes with options to whitelist scripts per session, or permanently. If you trust Facebook or Bing for instance, you can whitelist those domains in NoScript so that you do not have to do so every time you visit those websites in Firefox.

Many users do not like NoScript as it requires you to manage permissions whenever you visit pages that do not work properly without scripts. While you can work just fine on many websites even with all scripts disabled, there are some that may not work at all or only with reduced functionality.

It takes a couple of clicks tops to enable scripts on a site that requires them to run properly, and with whitelisting, you should not really be overly concerned about that. Yes, it takes a while to get used to NoScript but the security it offers is well worth it in my opinion.

This is the one security related add-on that you should install in Firefox.

6. Other options

To improve security further, you may want to consider running Firefox in a sandbox. A program you can use for that job is Sandboxie. What this does basically is put a shell around the browser that limits its interaction with the underlying operating system.

Even if Firefox gets exploited somehow, the sandbox would protect the operating system from the fallout. That's of course only true if the sandbox itself is not attacked as well. Usually though that is not the case so that you are protecting your operating system while running Firefox in a sandbox.

You should also make sure to update your operating system and software that runs on it whenever updates become available.

Last but not least, you will find many security related extensions for Firefox listed in Mozilla's official web store. Extensions like HTTPS Anywhere improve security further.

Did I miss something? Post your security tips below.

Comments

  1. Ken Saunders said on March 11, 2013 at 6:54 pm

    Martin, I got tired of certain plugins showing and being enabled by default in all of my Firefox profiles plus the ones that are disabled by Mozilla, etc, so I deleted them and haven’t had any issues at all.
    The only plugin that I use anyway is Flash.

    Go to about:config > plugin.expose_full_path toggle (to true).
    Go to about:plugins > check out the path of the plugin file > locate it > delete.
    Example:
    File: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
    It’s not a bad idea to save it somewhere if you’re unsure.

    I’ve done this with Java plugins and others that I never use nor will need and haven’t had any issues.
    The only problem is I have to repeat this when I update a program that jams its crap into my browser.

    1. Martin Brinkmann said on March 12, 2013 at 3:56 am

      I’m running Firefox without plugins and it is working just fine as well.

  2. damaged said on March 11, 2013 at 3:37 pm

    I noticed nightly doesn’t like to update on some of my installs. But I just ftp it down and custom | upgrade that way.

    1. Martin Brinkmann said on March 11, 2013 at 4:04 pm

      Yes that is the right approach. Nightly sometimes refuses to update, and the way to solve that is to download the latest version and install it on the system.

  3. Richard Steven Hack said on March 11, 2013 at 12:12 am

    I use NoScript and AdBlock. NoScript can be a nuisance, but that’s mostly because so many Web sites have SO MANY connections to other servers that things may not work even with the main site enabled. But if you mess around with porn sites, NoScript will save you from scripts that hijack your browser. Highly recommended to use it. It protects from a LOT of things.

    Don’t use the password management features of browsers. In one examination of the data collected by malware, most of the passwords found came from the browser password cache. Use a third party password manager or manually manage passwords. It’s just too easy to crack the browser password management schemes in use.

    I also set Firefox to delete all cookies when I close the browser. Rarely do I need to keep cookies around until they expire. In fact, I never have.

    And finally, disable the Java plugin completely unless you frequently visit a Web site that requires it. Then enable it when you need to go there and disable it again when you leave. Java is just way too dangerous to have enabled these days where Java 0-days are a weekly event.

  4. PixelWizard said on March 10, 2013 at 12:32 pm

    Keystroke encryption, using KeyScrambler Personal: part of this is an on-PC software that must start with Windows, and part is a browser add-on that attaches to Firefox, IE, Chrome, and variants of them.

    It encrypts the keyboard’s output on its way into the browser, and then the browser decrypts to display and/or upload the keyed text. Generally no time lag is observable.

    In my system, the idling memory usage (shown in the Windows Task Manager) runs around 750K (which is low).

    The idea is to foil ‘keyloggers’ (text-stealing malware) potentially hiding in the system.

    I’ve used KeyScrambler Personal for years. Sometimes it needs some fussing, a manual disable/re-enable via the system tray icon to clear the occurrence of scrambled text appearing onscreen. But all in all, I’ve thought it worthwhile – especially considering online shopping or banking.

    See http://download.cnet.com/KeyScrambler-Personal/3000-2144_4-10571274.html

    The company also makes a paid ‘Premium’ edition with extra features.

    1. ilev said on March 10, 2013 at 4:08 pm

      It won’t help you from hijacking your browser via wi-fi.

      1. Marc said on March 11, 2013 at 12:29 am

        @TheRube
        KS won’t protect you from wi-fi hijacks and shouldn’t.

      2. TheRube said on March 10, 2013 at 5:24 pm

        @ilev says:
        March 10, 2013 at 4:08 pm

        “It won’t help you from hijacking your browser via wi-fi.”

        ilev. That’s OK. I have used KeyScrambler (Premium version) for a LONG Time and I must say that this Application REALLY works verified not only by my own experience but through third-party testing!

        It is true that it does not YET work when using wi-fi but any added layer of security is added peace of mind when in Cyber-Space.
        (BTW. the founder hopes to have KS work with wi-fi sometime in the future. He is an affable fellow who always responds to my inquiries. He knows the value of giving Fine Customer Service!)

        Thank You for Listening,

        TheRube

        Northeastern United States

  5. Chakra said on March 10, 2013 at 12:23 pm

    If Noscript is too painful to use, Avast free antivirus has a scriptshield that scans all scripts for IE, Firefox, and Chrome. And yes it works, used it over the years, and I have seen it block some scripts.

  6. eli baker said on March 10, 2013 at 11:56 am

    Good article…I do all that. I also followed Krebs’ advice and sign on as a limited user. This is an additional safeguard that prevents scripts from running without the approval of the administrator, me. Every time there is a download or script to run, there is an interruption asking for adm permission. Works so far.

    EB

  7. Anomaly said on March 10, 2013 at 10:31 am

    Ad Block Plus is the first thing you should add to Firefox if you want to secure it. I don’t need to go into why, it should be obvious why to anyone.

  8. RG said on March 10, 2013 at 9:57 am

    In one important way NoScript is pointless, because that one site you whitelist or temporarily allow can have malware too. Especially – but not exclusively – with today’s 0 day exploits, even ‘trust’ can be dangerous

    1. Nebulus said on March 10, 2013 at 11:54 am

      NoScript is not pointless. I usually allow top-level site by default, and this indeed could become a problem if the site itself is hacked and a malicious javascript is injected into it. Also, you are right that a whitelisted site could also contain malicious code. But, NoScript reduces the number of scripts loaded from external sites, and this in turn reduces the probability of getting infected. It is just an additional security measure, and not to be used just by itself.

  9. Maou said on March 10, 2013 at 9:17 am

    Martin, OpenDns is blocking your page with the following message:
    “Sorry, but http://www.ghacks.net is blocked on this network.”

    I had to switch to google dns to regain access.

    1. Martin Brinkmann said on March 10, 2013 at 11:58 am

      I just tested it and it is not blocked on my end when I use Open DNS in the default configuration. Are you sure that the message is by Open DNS and not another security application?

      1. Maou said on March 11, 2013 at 5:05 pm

        Thanks for the answer.
        Switching again to Opendns fixed the problem, weird.
        I only use default Opendns servers.

      2. Martin Brinkmann said on March 11, 2013 at 5:24 pm

        It is actually not that weird. I have issues regularly with services like Open DNS. It is usually either when someone flags Ghacks on those networks, or if the networks just use a wordlist approach, e.g. hack = evil, to filter sites.

  10. Transcontinental said on March 10, 2013 at 9:13 am

    I’ve tried NoScript the same way I’ve tried to stop smoking, unsuccessfully. Not that my opinion had changed but simply that I couldn’t endure any further the pain :)
    AdBlock Plus (or AdBlock Edge) depending on the filters can do much more than stopping ads. Also, system wide, adequate sources combined to compose a pertinent updated HOSTS file is remarkable in preventing ads, trackers and malware.
    NoScript, as you see, is being dismissed with a whole lot of (good) reasons :)

    1. happymissle said on March 10, 2013 at 1:18 pm

      A moderate solution exists!

      Type “about:permissions” in the url bar. Then where it says “Plugins” choose “always ask”.

      This will block all plugins and accomplish about 50% of what NoScript does. (You can whitelist youtube and others by navigating to the sites on the side)

      It still won’t block scripts from running but will block a large class of exploits from plugins loading willy nilly. I believe Mozilla has plans to begin turning this on for out of date plugins but why wait?

      Next, if you run Adblock Plus it will protect you from many 3rd party scripts that don’t add content.

      Finally if you have the WOT addon (Web of Trust), it will tell you many sites that are known to not be untrusted and will protect you from going to 1st party websites that are shady.

      Still this is not as complete as NoScript but should get you 80% of the way there without the annoyance.

      Also, try nicorette. Good luck!!

    2. Anonymous said on March 10, 2013 at 1:13 pm

      A moderate solution exists!

      Type “about:permissions” in the url bar. Then where it says “Plugins” choose “always ask”.

      This will block all plugins and accomplish 50% of what NoScript does. (You can whitelist youtube and others by navigating to the sites on the side)

      It still won’t block scripts from running but will block a large class of exploits from plugins loading willy nilly. I believe Mozilla has plans to begin turning this on for out of date plugins but why wait?

      If you run Adblock Plus it will protect you from many 3rd party scripts that don’t add content.

      Finally if you have the WOT addon (Web of Trust), it will tell you many sites that are known to not be untrusted and will protect you from going to 1st party websites that are shady.

      Still this is not as complete as NoScript but should get you 80% of the way there without the annoyance.

      Also, try nicorette. Good luck!!

  11. Nebulus said on March 10, 2013 at 6:08 am

    Sometimes updating everything isn’t the best way to go… On a clean install of WinXP SP3, with latest Firefox ESR, the latest Flash Player was freezing the browser completely.
    While I admit that it might be happening on my computer for some unknown reason unrelated to Flash/Firefox (even though I found the problem described on many forums), it is still a warning sign that updating every piece of software to its latest version can sometimes have negative consequences.
    From a security point of view though, I agree that keeping software up to date is a great idea.
