How to Secure Firefox for Safe Browsing
By netguy
Why Bother Learning How to Secure Firefox?
Current trends in the IT security industry show that at least 50% of all malware infections now happen through a user's browser. While technologies such as ActiveX, JavaScript and Flash have definitely enriched our web experience, they have also increased our attack surface and made us much more vulnerable to malicious programmers.
For instance, in a practice known as drive-by downloading, websites can in some cases install software onto computers without the user's knowledge or consent, just by getting them to visit a particular page with an unsecured browser.
These types of browser attacks are very common and contrary to popular belief, you don't have to be lurking around the seedier side of the internet in order to encounter them either. Malware developers are becoming increasingly sophisticated and are finding ways to use more “mainstream” types of sites as distribution platforms. Just like many Bloggers, Malware creators tend to ride pop-culture waves and try to inject their code into websites with keywords and back-links that will get them good search-engine placement.
Google did some analysis a while back and issued a report stating that by early 2008 more than 1% of all Google searches were already returning harmful URLs in the first page of results (a figure that is surely much higher now). By some estimates, Google handles around 100 Million searches every day, which translates into around 10,000 possible malware infections daily, just from Google searches alone.
Search Results Containing Harmful URLs
Another major security issue with browsers is the amount of information they can leak. So much information about your system's configuration is available through your browser that your system leaves a virtual "fingerprint" with every web server you visit. This fingerprint can be used to track users across multiple sites, regardless of whether they periodically delete or even disable their cookies. With so many billions of different computer configurations (and therefore computer "fingerprints") possible, the unique configuration of one system is often solid enough to stand up in court as a way to identify a particular user.
Panopticlick, a research project from the Electronic Frontier Foundation, has studied browser fingerprinting pretty heavily. They have published a nice report on it (PDF available here) and also offer an online tool for you to see how much information your browser is leaking.
While Panopticlick's online tool does a good job of exposing basic fingerprinting capabilities, keep in mind that the commercial versions of fingerprinting software go much, much further and can pull fairly intricate pieces of information. Some software even has the capability to analyze individual discrepancies in computer clock cycles (which, for instance, can help in corporate environments where you can have multiple systems that are supposed to have identical configurations).
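To make the fingerprinting point concrete, the following added example (not from the original article and not Panopticlick's code) shows why deleting cookies does not change a fingerprint, and how the identifying information is counted in bits. The attribute values, the population shares and the use of FNV-1a as the identifier are all constructed assumptions.

```javascript
// Added example with constructed data; not Panopticlick's code or measurements.
// Two visits by the same browser: cookies were deleted in between,
// but the configuration the browser exposes is unchanged.
const monday = {
  cookies: { session: 'abc123' },
  attrs: {
    userAgent: 'ExampleBrowser/1.0 (ExampleOS)',
    screen: '1920x1080x24',
    timezone: 'UTC-05:00',
    fonts: ['Arial', 'Calibri', 'Ubuntu Mono'],
    plugins: ['Flash 10.1', 'Java 1.6'],
  },
};
const friday = {
  cookies: {}, // cookies deleted
  attrs: { ...monday.attrs, fonts: ['Ubuntu Mono', 'Arial', 'Calibri'] },
};

// Order-independent text form of the observed attributes.
function canonical(attrs) {
  return Object.keys(attrs).sort().map((key) => {
    const value = attrs[key];
    return key + '=' + (Array.isArray(value) ? [...value].sort().join(',') : String(value));
  }).join('|');
}

// FNV-1a (32-bit), used here only as a compact stand-in identifier.
function fnv1a(text) {
  let hash = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    hash ^= text.charCodeAt(i);
    hash = Math.imul(hash, 0x01000193) >>> 0;
  }
  return hash.toString(16).padStart(8, '0');
}

// The identifier is derived from configuration only; cookies are never read.
const fingerprint = (visit) => fnv1a(canonical(visit.attrs));

// Constructed shares: fraction of all browsers reporting the same value.
const shareOfBrowsers = {
  userAgent: 1 / 256, screen: 1 / 16, timezone: 1 / 8, fonts: 1 / 512, plugins: 1 / 1024,
};

// Surprisal of each value is -log2(share); summing assumes the attributes
// are independent, so the total is an upper bound on identifying bits.
function identifyingBits(shares) {
  return Object.values(shares).reduce((bits, p) => bits - Math.log2(p), 0);
}
```

With these constructed shares the total is 34 bits, meaning the combination would be shared by roughly one browser in 2^34. Reducing the number of distinctive values a browser reports (fewer plugins, default fonts) is what lowers that figure.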
The web really is a dangerous place, and your browser is often your front line of defense. While keeping your software updated is always a good idea, you cannot simply rely on software vendors to keep you safe from exploits. Most software vendors stay busy enough trying to keep up with published vulnerabilities for their software that they never have time to even think about researching and defending against unpublished ones. Learning how to secure Firefox (or whatever browser you use) is an extremely important step in maintaining the overall security of your system, and should be considered as important as having a good anti-virus.
Why Firefox?
Even with the multitude of browsers that have come and gone, Mozilla’s Firefox has long been my favorite. Besides Microsoft’s often lackadaisical approach to patching security vulnerabilities, Chrome’s Omnibox feeding Google’s all seeing eye and Safari, well, being Safari, I have always just liked the way Firefox looks and works.
Firefox is also Open-Source software, which gives you instant Karma points. Open-Source software means that the program code is shared for developers everywhere to learn from and work on. This type of arrangement means that security vulnerabilities in Firefox are discovered and patched fairly quickly, and that any other bugs or issues can be addressed by literally thousands of programmers simultaneously. Closed-Source browsers (like Internet Explorer and Safari), are limited in their development according to the resources that their profiteering owners spend on them. The result of this is that Firefox is updated much more often than a lot of other browsers and you can be fairly sure that the updates have been thoroughly tested and are nice and stable.
However, the real beauty and power of Firefox lies in the Add-ons that the developer community has created to extend its functionality. There are currently over 5,000 Add-ons publicly available for Firefox, and more being released on a regular basis. It seems that no matter what you do on the internet or with your computer (social networking, web design, writing, etc.), there is probably a Firefox Add-on that will make it more convenient. It is these Add-ons that have kept Firefox as my default browser, and these Add-ons that make it so easy to secure too.
Getting Firefox
Of course, in order to learn how to secure Firefox, you have to have a working copy of Firefox.
If you do not already have Firefox and you are comfortable installing software on your system, you can download it here.
If you could use a little help with the installation, you can view one of the following videos for assistance.
Installing Firefox for Windows
Installing Firefox for Mac OS X
Firefox's Tools menu
Firefox's Add-ons Window
Installing Add-Ons
Before the creation of such a useful library of Add-ons, securing a browser often required a tedious process not practical for most users. It also usually meant giving up functionality in exchange for safety.
However, with just a handful of easy Add-On installations, you can be on your way to securing Firefox while not losing access to any of the cool parts of the web.
The process for installing Add-ons from within Firefox is pretty simple:
- Start Firefox
- Open the Tools menu at the top of the page, and select Add-ons.
- Once the Add-ons window opens, select "Get Add-Ons" at the top. This brings up the screen where you can search for and install the various Add-ons that are available.
Once you find an Add-on that you like, you can simply click the "Add to Firefox" button to begin the installation.
After the Add-on is downloaded the installer will ask for permission to restart Firefox. If you allow it to restart, then Firefox will reload any pages you had open along with an information page about the Add-on(s) you just installed. If you choose not to allow it to restart, then the new Add-on(s) will not be available until you do.
WOT (Web of Trust)
The first Add-on we will discuss is Web of Trust from WOT Services Ltd. WOT is my favorite Add-on for Firefox and has also proven to be one of the most useful over time. As a Computer Consultant/Technician, WOT has single-handedly reduced the number of virus removals I do since I started installing it for my customers.
WOT is a community-based application that relies on input from users combined with data from other sources to warn you about potentially harmful websites before you visit them. Using a simple color-coded system, WOT rates websites on several factors ranging from trustworthiness to child safety. It even places a colored icon next to search engine results indicating a site's safety rating before you even click the link.
If you do inadvertently start to navigate to a malicious website, WOT will still protect you by stopping it from loading and presenting you with a warning instead.
While you do have the option of ignoring any warnings and visiting the page anyway, that is generally not recommended.
There is not any configuration that is required for WOT (unless you choose to use it as a child-safety filter), and it will start protecting you the instant you have it installed. I do recommend creating a free account with them however, which you can do from the page that will load once you install WOT and restart Firefox. Creating this free account allows you to rate and comment on websites yourself while browsing. Since WOT is primarily a user-supported safety system, anyone benefiting from the protection it provides is encouraged to contribute as well.
WOT can be installed by searching for it from Firefox's Add-on window, or by using Firefox to navigate here.
NoScript
NoScript is my second favorite security Add-on for Firefox.
The main way that websites attack computers is by running pieces of code called scripts. While Web of Trust tries to keep you from navigating to sites with malicious code, NoScript keeps that code from running on the pages that you do visit.
NoScript can be installed by searching for it from Firefox's Add-On menu, or by using Firefox to navigate here.
A Word of Warning:
Scripts can be dangerous, but they also deliver the majority of the rich content that is found on the web. Once you install NoScript, it will start to block all scripts by default, meaning a lot of websites will not function properly (such as YouTube and Facebook). However, NoScript makes it simple to allow scripts to run for websites that you trust.
Down at the bottom-right of your browser window, you will see the NoScript logo. Clicking on this logo brings up a context menu where you can control which scripts are being blocked. For sites that you know you can trust, you can select "Allow all this page" to let all of the scripts run. Occasionally, you will have to do this more than once, because sometimes scripts will actually start or "call" other scripts. So once you allow them to run, you also have to allow the scripts that they start. Once you make this change for a website, however, NoScript will remember it and allow them automatically in the future.
When you click the NoScript icon and bring up the context menu, you can also select individual scripts to allow, instead of setting permissions for the entire page. This can be confusing to some users, since not all scripts have properly descriptive names to help identify which is which. To help with this problem, scripts that are blocked will also show the NoScript logo on the webpage where their content is supposed to be. Simply clicking in this content area will tell NoScript to run the code within that element.
For example, say you are attempting to view a web page with a video on it. Then say instead of seeing a video you see a NoScript blocking icon where the video should be. Clicking on the NoScript icon will then allow that script to load, which in turn will allow the video to play.
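The "allow it more than once" behaviour described above follows directly from default-deny: a blocked script never runs, so the scripts it would have started are not even requested until it is allowed. The following added example is a simplified model of that behaviour, not NoScript's own code; the page, the script URLs and the `loadPage` helper are constructed for illustration.

```javascript
// Added example: simplified default-deny model, not NoScript's implementation.
// Constructed page: scripts referenced directly by the page's HTML.
const pageScripts = ['video-site.example/player.js', 'ads.example/banner.js'];

// Constructed dependency map: scripts that each script starts when it runs.
const startedBy = {
  'video-site.example/player.js': ['cdn.example/codec.js'],
  'cdn.example/codec.js': ['metrics.example/beacon.js'],
  'ads.example/banner.js': ['tracker.example/pixel.js'],
};

const originOf = (url) => url.split('/')[0];

// Load the page with a set of allowed origins. A script runs only if its
// origin is allowed; only scripts that run can request further scripts.
function loadPage(allowedOrigins) {
  const ran = [];
  const blocked = [];
  const queue = [...pageScripts];
  const seen = new Set(queue);
  while (queue.length > 0) {
    const url = queue.shift();
    if (!allowedOrigins.has(originOf(url))) {
      blocked.push(url); // default deny: never executed
      continue;
    }
    ran.push(url);
    for (const child of startedBy[url] || []) {
      if (!seen.has(child)) {
        seen.add(child);
        queue.push(child);
      }
    }
  }
  return { ran, blocked };
}

// Round 1: nothing allowed. Round 2: allow the site. Round 3: allow its CDN too.
const rounds = [
  loadPage(new Set()),
  loadPage(new Set(['video-site.example'])),
  loadPage(new Set(['video-site.example', 'cdn.example'])),
];
```

Each round surfaces a script that was invisible in the previous one (`codec.js`, then `beacon.js`), while `tracker.example/pixel.js` never appears at all because the ad script that starts it stays blocked.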
While this is about all you need to know to get started, NoScript is an extremely powerful program that offers many features for customizing how scripts are handled on your system. In order to get the most out of NoScript, I recommend doing some additional reading about it here.
ABP (Adblock Plus)
Adblock Plus is another excellent extension that not only increases security, but also enriches your web experience as well. Being able to surf without all those annoying flash ads along the side distracting you, or screaming out "Congratulations! You've won an iPad!" is a great thing.
While it is true that NoScript does block most ads as a side effect, I still recommend using both due to the finer level of control present in Adblock Plus (as do the creators of NoScript).
Similar to NoScript, Adblock Plus puts their logo onto your browser window, giving you the option of clicking it to bring up a context menu where you can control the program's settings.
Adblock Plus can be installed by searching for it from Firefox's Add-on window, or by using Firefox to navigate here.
Adblock Plus in just over 1 Minute
Be Safe!
While these Add-ons will do wonders securing Firefox and keeping you safe while browsing, you still need to be cautious. Winding up at a site that is not in WOT's directory and then allowing scripts could still land you with an infection. It is always advisable to be careful which websites you visit, and to keep a good Anti-virus program running on your system.
Also, these Add-ons do nothing to hide your identity when you are surfing the internet. While the reasons why this is important and how you can accomplish this are out of the scope of this article, you can check the following page for more information: Hide your IP - Anonymous Browsing Using the Tor Browser Bundle
Final Notes
All of the Add-ons discussed here are completely free. I do recommend however, that once you start using them you consider making a donation to their creators. Those programmers have worked long and hard to produce excellent products that help make the web a safer place, and they would appreciate your support.
Also, advertising is one of the fuels that helps drive content creation on the web. Many writers and website owners that create content generate revenue solely off of the advertisements that exist on their pages. If you visit a web page that you find useful (such as this one, for instance), you should consider allowing their ads to display in your browser. Using the "Disable on whatever-domain.com" option in AdBlock Plus in addition to the "Allow all this page" option in NoScript will accomplish this. This is an easy way to support those that work to bring you the content that you ingest on the web. As a reminder though, you should only allow scripts and ads to run on web pages that you trust not to infect your computer.