Posted by Bob Jonkman on 30th November 2011
Browser vulnerabilities are a common contributor to computer malware. Attacks have become so sophisticated that just viewing a Web page with an unsecured browser can infect your computer with malware. Fortunately, there are settings and extensions that will make surfing the Web a safer experience.
This article deals only with securing Mozilla Firefox. Firefox offers a wide selection of extensions that can help secure the browser. Google Chrome, Opera and Safari also offer some extensions, but I have not tested them. Microsoft Internet Explorer appears to support Add-ons, but Version 8 offers none for browsing security.
Internet Explorer is particularly vulnerable. In part, this is because IE is by far the most popular browser, so it is especially targeted by malusers and suffers the most attacks. Compounding the problem, Microsoft has been slow to acknowledge vulnerabilities in its products, never mind fix them.
Privacy is not so much about keeping your personal information secret as about keeping control over it. If I choose to tell Facebook my name, age and browsing habits that’s OK, but my privacy is violated if Facebook finds out about my browsing habits when I haven’t told Facebook myself.
To see your Firefox Privacy settings select
and click the
For maximum protection check
Tell Web sites I do not want to be tracked
Firefox will: Never remember history
. But having to type in all your passwords and data every time you access the same web sites can be inconvenient, so I actually browse with the setting
Firefox will: Use custom settings for history
Always use private browsing mode
unchecked. It is usually safe to have
Accept cookies from sites
turned on, with
Accept third-party cookies
turned off and
Keep until: I close Firefox
selected. Custom settings for
Clear history when Firefox closes
To see Firefox Security settings select
, then click on the
For maximum security, make sure all the checkboxes are checked.
Warn me when sites try to install add-ons
Block reported web forgeries
do add some additional protection from malware sites, but potentially at some expense of your privacy. Every 30 minutes Firefox downloads a list of malware sites. If you browse to such a site then Firefox will check for that particular site immediately before blocking it. It uses Google’s malware list to do so, and will send Google’s cookies when checking.
will encrypt the list of passwords stored on your computer. This is mostly useful if your computer should get stolen or left on the bus, but without the Master Password it might be possible for a malware site to retrieve your list of passwords through some (as yet unknown) vulnerability.
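As an added example (not part of the original article), the privacy and security settings described above can be checked against a profile's prefs.js file with a short Python script. The preference names and default values are assumptions based on Firefox releases of the article's era, and the sample profile is constructed.

```python
import re

# name: (recommended value, Firefox default). Names and defaults are assumed
# from Firefox releases of the article's era; they do not appear on the page.
BASELINE = {
    "privacy.donottrackheader.enabled": (True, False),     # Tell Web sites I do not want to be tracked
    "network.cookie.cookieBehavior": (1, 0),               # 1 = third-party cookies off
    "network.cookie.lifetimePolicy": (2, 0),               # 2 = Keep until: I close Firefox
    "xpinstall.whitelist.required": (True, True),          # Warn me when sites try to install add-ons
    "browser.safebrowsing.malware.enabled": (True, True),  # malware-site blocking
    "browser.safebrowsing.enabled": (True, True),          # Block reported web forgeries
}

PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {name: value} for every user_pref(...) line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comment or blank line
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text):
    """Return (name, effective, recommended) for each deviating setting."""
    prefs = parse_prefs(text)
    # prefs.js records only changed values; an absent name is at its default.
    return [(name, prefs.get(name, default), want)
            for name, (want, default) in BASELINE.items()
            if prefs.get(name, default) != want]

# Constructed sample profile, not taken from a real machine.
SAMPLE = '''# Mozilla User Preferences
user_pref("network.cookie.cookieBehavior", 1);
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.startup.homepage", "about:blank");
'''

if __name__ == "__main__":
    for name, have, want in audit(SAMPLE):
        print(f"{name}: is {have!r}, recommended {want!r}")
```

The master password is not stored as a preference, so it is outside what this check can see.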
Firefox’s extensive collection of extensions (Add-ons) makes it my preferred browser.
NoScript has expanded its scope so that it now also checks for Cross-Site Scripting vulnerabilities, Application Boundary violations, and other esoteric security concerns.
Adblock Plus removes ads. That’s wonderful all by itself, but there’s more! When ads are blocked, you don’t waste any bandwidth downloading them. But there’s more! The hits from Web Bugs aren’t recorded and tracked. And blocked ads from third-party sites can no longer query third-party cookies, or enable cross-site scripting attacks.
When you install Adblock Plus you’ll be asked to subscribe to one of the pre-defined block lists. I usually choose
ForceTLS requests an encrypted page (https) when the server supports it. The functionality is now built into Firefox directly, but ForceTLS still provides a handy dialogue box to add Web sites for servers that don’t automatically switch to https.
HTTPS Everywhere forces Web pages to use https, and can change the URL for those sites that use different URL paths for their secure content. HTTPS Everywhere only works for Web sites in its Preferences list:
HTTPS Everywhere is not maintained on the Mozilla Add-ons web site, so you have to download it from the EFF directly. Firefox will ask you to verify that you want to install an add-on from an unknown site. Click on the
button to install the HTTPS Everywhere add-on.
Security is not a single solution to a single problem. It is a constantly evolving process that tries to keep up with constantly evolving attacks. It is important to keep everything up-to-date.
Updating the Browser
To ensure that the browser and all its extensions stay up-to-date, check all the boxes on the
Tools, Options, Advanced, Update
To update the Firefox extensions select
, click on the
Tools for all add-ons
button, and make sure there is a check mark beside
Update Add-ons Automatically
. If there is no check mark then click on
Update Add-ons Automatically
, and you should also perform updates manually by selecting
Check for Updates
. If there are any updates a
View all updates
link will be displayed; click on it, then click on the
button for each add-on in the list.
Updating the Operating System
Finally, no amount of browser security will keep you safe if your operating system is not safe. Be sure to activate Windows Updates (or Linux Updates, or AppleMac Updates), and keep your Anti-virus software, firewall, spam filters and other security software up-to-date.