Secure Firefox Browsing

Posted on the 17 October 2011 by Safegadget_com @safegadget

Firefox is one of the most popular web browsers for Windows and other platforms, which makes it a large target for malware and cybercrime. We will focus on securing Firefox, and will significantly increase the browser’s security through add-ins and special hardening settings. We are avoiding earlier versions of Firefox and recommend that users upgrade to the latest version. We also recommend running under Windows Vista or Windows 7; if you are running an older version of Windows, we recommend that you upgrade or buy a new computer. Older versions of Windows like Windows XP were not built with security in mind.

Secure your computer, web browser, Internet connection

Follow our guides to secure your Windows PC or secure your Macintosh by installing the right software, firewall, antivirus software, etc. Secure your mobile devices: iPhone, Android smartphone or tablet, iPad. Configure the settings and add plug-ins to your web browser so that it is more secure. Consult our tutorials for: Internet Explorer 9, Google Chrome, and Mozilla Firefox. Secure your Internet Connection: Wireless Network, Public Wi-Fi.

We recommend booting from a Linux CD or USB key when performing mission critical applications such as online banking, online trading, or online shopping.

Firefox includes the following security oriented features:

  • Instant Web ID
  • Do not Track
  • Private Browsing
  • Clear Recent History
  • Customized Security Setting

The Golden rules of the Internet:

  • Do not trust anyone
  • If it is too good to be true, it probably is
  • Don’t install software from anonymous sources
  • Don’t automatically hit “yes” to any pop-up
  • If it looks suspicious, run

Before you make any changes to your system, always back it up.

Firefox Add-ons

Software that enhances Firefox can become targets of malware, adding new entry points into your computer. It is mandatory that you keep any third-party add-ons up to date, so allow Firefox to update plugins when necessary. Consider removing an add-on if it is rarely used, as you will also be increasing the security of Firefox through its removal.

  • Adobe Reader or Adobe Acrobat – This is a major source of internet threats, so consider using an alternative PDF reader such as Foxit Reader, or PDF-XChange.
  • Flash Player – This animation enhancement plug-in is widely used but full of security holes, leading to many updates. If you need Flash, you will have to update it constantly.
  • Java - This language allows many cross platform programs to run in the browser, but is another huge target of malware. We recommend removing it unless you really need it for a particular application. This page checks if Java is installed.
  • Quicktime - Is installed when iTunes is added to your system. It is difficult to just remove it unless you stop using iTunes. The best bet is to update it whenever it tells you about a new version.

Hardening Firefox’s Settings

Firefox can be secured even more with several key changes to the browser’s settings. We have selected all the critical settings for Firefox.

1. Prevent Firefox from saving passwords

Firefox can save passwords for different websites. We recommend that you do not use this feature because it is not as secure or flexible as using a password management program.

  1. Launch Firefox
  2. Click on the Tools Menu
  3. Select Options
  4. Select Security Tab
  5. Make sure Remember password for sites and Use master password are not checked
  6. Click Saved Passwords
  7. Click Remove All to remove saved passwords

2. Mark Valuable Data Inaccessible to Firefox

Download chml.exe and run it to mark the valuable files and folders on your system as unreadable to Firefox. (Better yet, use Truecrypt and keep the volume unmounted!)
For example, if your sensitive data is stored in the folder C:\Sensitive_Data, you would do:

  1. Press Start menu
  2. Go to All Programs
  3. Go to Accessories
  4. Right-Click on Command Prompt
  5. Select Run as Administrator
  6. Type “chml C:\Sensitive_Data -i:m -nr -nx -nw”
  7. Press Enter to Execute the Command
  8. Type Exit to end the Command Prompt

3. Allow Firefox to update itself

Firefox automatically tries to update itself, which is a good thing, but it asks whether it is OK to install a newer version. Be sure to allow Firefox to update itself to the latest version available, so that you have all the latest security fixes.

4. Prevent Firefox from using a GPU

There have been several bugs related to Firefox’s use of the graphics processor (GPU), which was first supported in Firefox 4. This hardware-level access can spell trouble. Disable GPU support to prevent this possible problem.
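An added example, not part of the original article: a small script that reads a profile's prefs.js text and reports which of the settings from steps 1, 3 and 4 are not in the recommended state. The preference names and their defaults are assumptions based on Firefox 4-era builds, since the article only describes the Options dialog.

```javascript
// Added example: audit a Firefox prefs.js / user.js against the hardening
// steps above. Pref names and defaults are assumptions from Firefox 4-era
// builds; check about:config in your version before relying on them.
const RECOMMENDED = [
  // pref name, browser default, value the guide wants, what it controls
  { name: "signon.rememberSignons", dflt: true, want: false, why: "password saving" },
  { name: "app.update.enabled", dflt: true, want: true, why: "update checks" },
  { name: "app.update.auto", dflt: true, want: true, why: "automatic update install" },
  { name: "layers.acceleration.disabled", dflt: false, want: true, why: "GPU acceleration off" },
];

// Parse user_pref("name", value); lines. Values are JSON-compatible
// literals (true/false, integers, double-quoted strings).
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue; // comments, blank lines, anything malformed
    try {
      prefs.set(m[1], JSON.parse(m[2]));
    } catch {
      // unparseable value: leave the pref unset rather than guess
    }
  }
  return prefs;
}

// prefs.js only stores values that differ from the default, so a missing
// entry means "still at the default", not "unknown".
function auditPrefs(text) {
  const prefs = parsePrefs(text);
  return RECOMMENDED
    .map((r) => ({ ...r, actual: prefs.has(r.name) ? prefs.get(r.name) : r.dflt }))
    .filter((r) => r.actual !== r.want)
    .map((r) => `${r.name} = ${r.actual} (${r.why}); set to ${r.want}`);
}

// Constructed sample profile: updates switched off, nothing else changed.
const SAMPLE_PREFS = [
  "# Mozilla User Preferences",
  'user_pref("app.update.enabled", false);',
  'user_pref("browser.startup.homepage", "about:blank");',
].join("\n");

console.log(auditPrefs(SAMPLE_PREFS).join("\n"));
```

On the sample profile it reports three findings, two of which come from settings that never appear in the file because they are still at their defaults.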

Helpful Firefox Add-ins

gPDF – Automatically sets links pointing to RTF, ODT, ODS, ODP, CSV files to open with Zoho Viewer; and links pointing to PDF, DOC, DOCX, XLS, XLSX, PPT & PPTX files to open with Google Docs. No worrying about poisoned PDF files because they will not be opened on your computer anymore.

NoScript – Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks. By default, new websites that you visit will be loaded without scripting, maximizing safety. You can easily allow scripting on websites you consider safe.

Certificate Patrol – Your browser trusts many certification authorities and intermediate sub-authorities quietly, every time you enter an HTTPS web site. This add-on reveals when certificates are updated, so you can ensure it was a legitimate change. SSL Certificates have been compromised recently, so this plug-in helps you fend off man in the middle attacks.

HTTPS Finder – Automatically detects and enforces HTTPS connections when available. It also provides one-click creation and in-browser editing for HTTPS Everywhere rules. Other features include an ignore-domain ‘whitelist’ and an alert-only mode.

HTTPS Everywhere – Automatically makes Firefox try to use https secure connections whenever available.

Force-TLS – Allows web sites to tell Firefox that they should be served via HTTPS in the future; this helps secure you from accidentally negotiating an insecure session with certain sites. Force-TLS is also compatible with Strict Transport Security.

Long URL Please – Replaces short urls with the originals so you can see where links actually link to. Essential for Twitter.

WOT – Know Which Websites to Trust – Shows you which websites are trustworthy based on millions of users’ experiences.

Flashblock – Blocks Flash so it won’t get in your way

Adblock Plus – Block those pesky banner ads.

Qualys BrowserCheck – Performs a security scan on your browser and its plug-ins (Windows)

Cocoon – All-in-one plugin that tunnels your traffic through a SSL-encrypted proxy for privacy and security.
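The Strict Transport Security behaviour mentioned under Force-TLS, as an added example that is not code from the article or from the add-on: a site's header is remembered only when it arrives over HTTPS, and later http:// requests to that host are rewritten until the policy expires. The class name, method names and hosts are illustrative.

```javascript
// Added example: Strict Transport Security bookkeeping as a browser or
// add-on would keep it. Class and method names are illustrative.
class HstsStore {
  constructor() {
    this.hosts = new Map(); // hostname -> { expires, includeSubDomains }
  }

  // Record a Strict-Transport-Security header. It only counts when it
  // arrived over HTTPS; over plain HTTP anyone on the path could forge it.
  observe(url, headerValue, now = Date.now()) {
    const u = new URL(url);
    if (u.protocol !== "https:") return false;
    let maxAge = null;
    let includeSubDomains = false;
    for (const part of headerValue.split(";")) {
      const [key, raw = ""] = part.trim().split("=");
      const name = key.trim().toLowerCase();
      const value = raw.trim().replace(/^"|"$/g, "");
      if (name === "max-age" && /^\d+$/.test(value)) maxAge = Number(value);
      if (name === "includesubdomains") includeSubDomains = true;
    }
    if (maxAge === null) return false; // max-age is mandatory
    if (maxAge === 0) this.hosts.delete(u.hostname); // site withdrew its policy
    else this.hosts.set(u.hostname, { expires: now + maxAge * 1000, includeSubDomains });
    return true;
  }

  // Rewrite http:// to https:// when the host itself, or a parent domain
  // that sent includeSubDomains, has an unexpired policy.
  upgrade(url, now = Date.now()) {
    const u = new URL(url);
    if (u.protocol !== "http:") return url;
    const labels = u.hostname.split(".");
    for (let i = 0; i < labels.length; i++) {
      const policy = this.hosts.get(labels.slice(i).join("."));
      if (policy && policy.expires > now && (i === 0 || policy.includeSubDomains)) {
        u.protocol = "https:";
        return u.href;
      }
    }
    return url;
  }
}

// Constructed exchange: example.com sends the header once over HTTPS.
const store = new HstsStore();
store.observe("https://example.com/", "max-age=31536000; includeSubDomains", 0);
console.log(store.upgrade("http://mail.example.com/inbox", 1000));
```

The very first visit to a host is still unprotected, because no policy has been stored yet.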

Helpful Internet Security Add-ins

Phishing Toolbars – Firefox already includes the SmartScreen Filter that detects dangerous websites and warns you. If you would like to install a supplemental toolbar add-in, see our Free Internet Security Software article. BitDefender TrafficLight works with Firefox to secure your browsing.

Internet Security Software – Supplemental internet security software including Anti-Virus and Anti-Spyware software is a necessity when surfing on the Internet. See our Free Internet Security Software article for links to various free software utilities.

Password Managers – It is critical that you generate, store, and use secure passwords on the Internet. See our How to Create, Store, and Use Secure Passwords article for details on several password management programs.

Sandboxie - Creates a sandbox or safe environment in which programs execute. This sandbox is an isolated space which prevents programs like Firefox from making permanent changes to other programs and data in your computer. Free for 30 days, then 29 euros.

Other Firefox Security Enhancements

Google Public DNS – A high performance domain name server (DNS) replacement for your ISP’s DNS. Protects against Spoofing attacks and DoS and amplification attacks. Be sure to write down your existing DNS settings before changing them.

Norton ConnectSafe for Home - Similar to Google DNS, but includes options to filter porn or be family friendly.

Dyn Internet Guide – Free Web content filtering.

Microsoft Virtual Machine – Designed for web developers to test compatibility with different versions of Firefox, these Virtual Machines for Microsoft’s Virtual PC allow you to run a Virtual computer on your desktop with Internet Explorer and Firefox pre-installed. If you mess up the Virtual computer, you can just delete it and start fresh from a new image. Keep in mind some malware is capable of detecting virtual machines and acting innocent until you move into your main system.
If you use VMware Player, you can add the following line to your .vmx file so that it writes all changes to a temporary file, which will be deleted when you power off the virtual machine:

  ide0:0.mode = "independent-nonpersistent"

Dell KACE – has a free secure browser based on a virtualized and contained Firefox Browser with Adobe Reader and Flash plug-ins.

Secure Web Browsing with HTTPS

Normal website access using HTTP:// causes information to be sent and received in plain text. This type of connection is not secure; a hacker could capture all the information being transferred and steal your data. While this is not important when you are casually surfing, you do not want your email or online trading information to be captured by others.

Force websites to use secure connections – It is important to utilize secure connections or HTTPS whenever possible. Several large websites have configuration options to force these secure connections. Here is more information on configuring HTTPS with: Gmail, Facebook, Twitter, Google. Google.com defaults to HTTPS if you are signed into your Google Account; if you are not, just manually add the s after http to force a secure connection, i.e. https://www.google.com

HTTPS causes a secure connection to be made using SSL security. Certificates are digital documents that verify a site’s identity. They are sold by certificate authorities. If a certificate is not signed correctly, your browser will pop up a warning. Recently, a Dutch certificate authority got breached, causing forged certificates to be created. To work around issues like this, Internet browsers are updated to remove the forged SSL certificates. It is crucial that you keep your browser up-to-date.

If you have applications other than your web browser accessing the Internet (FTP client, desktop mail client, etc.), make sure you enable SSL secure connections within each application.

Use a password manager to create, use, and store passwords for websites. See our password manager guide for details.

By applying special Firefox settings, we can significantly increase the security of our Windows notebook and desktop PCs.

This concludes our How to Secure a Windows based personal computer article. Other articles on Safegadget.com help you secure the other aspects of your personal computer, including How to Set up a Secure wireless Internet Router, How to Secure Internet Explorer, and How to Secure Firefox. Please see our other articles on security tips for your e-mail, iPad, online banking, online shopping, smart phones, and more.