Posted by Bob Jonkman on 30th November 2011
Browser vulnerabilities are a common contributor to computer malware. Attacks have become so sophisticated that just viewing a Web page with an unsecured browser can infect your computer with malware. Fortunately, there are settings and extensions that will make surfing the Web a safer experience.
This article deals only with securing Mozilla Firefox. Firefox offers an wide selection of extensions that can help secure the browser. Google Chrome, Opera and Safari also offer some extensions, but I have not tested them. Microsoft Internet Explorer appears to support Add-ons, but Version 8 offers none for browsing security.
Internet Explorer is particularly vulnerable. In part, this is because IE is by far the most popular browser, and so it suffers the most attacks. Because it is the most popular browser it is especially targeted for attack by malusers. And compounding the problem, Microsoft has been slow to acknowledge vulnerabilities in its products, never mind fixing them.
Privacy is not so much about keeping your personal information secret, but about keeping control over your personal information. If I choose to tell Facebook my name, age and browsing habits that’s OK, but my privacy is violated if Facebook finds out about my browsing habits if I don’t tell Facebook myself.
To see your Firefox Privacy settings select Tools, Options and click the Privacy icon.
For maximum protection check Tell Web sites I do not want to be tracked and select Firefox will: Never remember history. But having to type in all your passwords and data every time you access the same web sites can be inconvenient, so I actually browse with the setting Firefox will: Use custom settings for history, leaving Always use private browsing mode unchecked. It is usually safe to have Accept cookies from sites turned on, with Accept third-party cookies turned off and Keep until: I close Firefox selected. Custom settings for Clear history when Firefox closes has only Cookies and Active Logins checked:
To see Firefox Security settings select Tools, Options, then click on the Security icon.
For maximum security, make sure all the checkboxes are checked.
Block reported attack sites and Block reported web forgeries do add some additional protection from malware sites, but potentially at some expense of your privacy. Every 30 minutes Firefox downloads a list of malware sites. If you browse to such a site then Firefox will check for that particular site immediately before blocking it. It uses Google’s malware list to do so, and will send Google’s cookies when checking.
Use a master password will encrypt the list of passwords stored on your computer. This is mostly useful if your computer should get stolen or left on the bus, but without the Master Password it might be possible for a malware site to retrieve your list of passwords through some (as yet unknown) vulnerability.
Firefox’s extensive collection of extensions (Add-ons) make it my preferred browser.
NoScript has expanded its scope so that it now also checks for Cross-Site Scripting vulnerabilities, Application Boundary violations, and other esoteric security concerns.
Adblock Plus removes ads. That’s wonderful all by itself, but there’s more! When ads are blocked, you don’t waste any bandwidth downloading them. But there’s more! The hits from Web Bugs aren’t recorded and tracked. And blocked ads from third-party sites can no longer query third-party cookies, or enable cross-site scripting attacks.
When you install Adblock Plus you’ll be asked to subscribe to one of the pre-defined block lists. I usually choose EasyList or Adblock.org.
ForceTLS requests an encrypted page (https) when the server supports it. The functionality is now built into Firefox directly, but ForceTLS still provides a handy dialogue box to add Web sites for servers that don’t automatically switch to https.
HTTPS Everywhere forces a Web pages to use https, and can change the URL for those sites that use different URL paths for their secure content. HTTPS Everywhere only works for Web sites in its Preferences list:
HTTPS Everywhere is not maintained on the Mozilla Add-ons web site, so you have to download it from the EFF directly. Firefox will ask you to verify that you want to install an add-on from an unknown site. Click on the Allow button to install the HTTPS Everywhere add-on.
Security is not a single solution to a single problem. It is a constantly evolving process that tries to keep up with constantly evolving attacks. It is important to keep everything up-to-date.
Updating the Browser
To ensure that the browser and all its extensions stay up-to-date check all the boxes on the Tools, Options, Advanced, Update screen:
To update the Firefox extensions select Tools, Add-ons, click on the Tools for all add-ons button, and make sure there is a check mark beside Update Add-ons Automatically. If there is no check mark then click on Update Add-ons Automatically, and you should also perform updates manually by selecting Check for Updates. If there are any updates a View all updates link will be displayed, click on it, then click on the Update now button for each add-on in the list.
Updating the Operating System
Finally, no amount of browser security will keep you safe if your operating system is not safe. Be sure to activate Windows Updates (or Linux Updates, or AppleMac Updates), and keep your Anti-virus software, firewall, spam filters and other security software up-to-date.
Posted in Internet, security | 3 Comments »