10 Firefox extensions that enhance security

Compromising Web sites has become cybercriminals' favorite method of getting malware installed on computers. Here are 10 ways to beef-up Firefox, making it more difficult for the bad guys.

Mozilla Firefox is a good browser to start with, but third-party extensions make it great. That's especially apparent when it comes to Web browser security, as shown by the following add-ons.

Note: This article is also available as a download that includes a PDF version and a PowerPoint presentation.

1: NoScript

If you install only one extension, make sure it's NoScript. By default, it blocks all scripts -- a good thing. That's because bad guys love to use scripts to install malware. This way, you decide whether JavaScript, Java, and other content are allowed to run.

2: BetterPrivacy

Several members recommended BetterPrivacy as the best way to control Flash cookies. Flash cookies are difficult to remove, do not expire, and can re-create deleted HTTP cookies. After much testing, I know BetterPrivacy works, whereas controlling Flash cookies using Adobe's Web site is questionable.

3: AdBlock Plus

I must confess, AdBlock Plus is not a security add-on. But I would not surf the Web without it. It's awesome, blocking all ads, especially those bandwidth-hogging banner ads. Web pages pop up almost immediately. Try it once and you will be convinced.

4: Perspectives

Chad Perrin and I, along with many other security advocates, have written about Perspectives. Anything that reduces the likelihood of TLS/SSL man-in-the-middle attacks (think identity theft) is important. It's not perfect, but it should be in your arsenal, warning you when something is not right.

5: SSL Blacklist

SSL Blacklist segues from Perspectives, helping to keep your TLS/SSL experience (again, think identity theft) safe. It does this by detecting weak or revoked certificates, both of which should be a concern. SSL Blacklist also checks whether the certificate was signed using the vulnerable MD5 hash algorithm, another huge security weakness.
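
The MD5 check that SSL Blacklist performs comes down to reading one field of the certificate. The Python below is an added example, not code from the article or from the SSL Blacklist add-on: it implements just enough of a DER reader to pull the `signatureAlgorithm` OID out of an X.509 certificate and compares it against the OIDs of MD5- and SHA-1-based signature schemes. The certificate it parses is a constructed DER skeleton built inside the block (correct outer layout, dummy contents), not a real certificate, so everything runs offline.

```python
"""Flag X.509 certificates whose outer signature uses a weak digest (MD5, SHA-1).

Added example; not code from the article or the SSL Blacklist add-on.
Only the pieces of DER needed to reach Certificate.signatureAlgorithm are
implemented. The sample certificate is a constructed skeleton, not a real one.
"""

# Well-known signature-algorithm OIDs that rely on broken or deprecated digests.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
}


def _read_tlv(data: bytes, pos: int):
    """Read one DER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER payload into dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)   # base-128, high bit set on continuation bytes
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der: bytes) -> str:
    """Return the OID from the certificate's outer signatureAlgorithm field.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    signatureAlgorithm ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
    """
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)          # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)      # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)   # algorithm OID
    if tag != 0x06:
        raise ValueError("algorithm is not an OBJECT IDENTIFIER")
    return _decode_oid(oid_bytes)


def weak_signature(cert_der: bytes):
    """Return the weak algorithm's name if the certificate uses one, else None."""
    return WEAK_SIGNATURE_OIDS.get(signature_algorithm_oid(cert_der))


# --- constructed test input: a DER skeleton with the shape of a certificate ---

def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV, using long-form length when the value is 128+ bytes."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    length_bytes = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID into its DER payload (inverse of _decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_skeleton_cert(sig_oid: str) -> bytes:
    """Constructed sample, not a real certificate: correct layout, dummy contents."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                       # tbsCertificate: one INTEGER
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))  # OID + NULL params
    sig = _tlv(0x03, b"\x00" + b"\x00" * 128)                   # BIT STRING; forces long-form lengths
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(oid, "->", weak_signature(build_skeleton_cert(oid)) or "not on the weak list")
```

One caveat worth keeping in mind when reading such a result: the self-signature on a root certificate is never verified (a root is trusted because it sits in the trust store), so an MD5 signature on a trust anchor is not by itself the problem. The exposure is MD5 on intermediate and end-entity certificates, because a chosen-prefix collision against the signed portion can produce a second certificate the same signature validates.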

6: WOT

WOT is an add-on from Web of Trust Services. It is an up-to-date aggregation of spam and phishing blacklists. WOT ranks search entries according to their trustworthiness, vendor reliability, privacy, and child safety. Bottom line: If WOT flags a Web site as bad, you should take notice.

7: PhishTank SiteChecker

PhishTank SiteChecker is a Firefox add-on using an API provided by PhishTank and its active anti-phishing community. Once installed, the add-on will block access to what PhishTank considers potential phishing Web sites, giving the user the option to continue or not.

Note: WOT and PhishTank SiteChecker are similar in what they do. Yet they do not always agree. I don't see a problem using both; more information permits better decisions.

8: TrackerWatcher

PrivacyChoice has developed TrackerWatcher, an add-on that lets you see what's going on behind the scenes. TrackerWatcher will tell you which advertising networks are providing ad content to the Web site you are currently visiting, whether they are using behavioral targeting, and how to opt out.

9: BugMeNot

BugMeNot is a unique add-on. Its main purpose is to eliminate advertising spam from Web sites that require registering. If a Web site requests information, activate the add-on. It will check BugMeNot.com's extensive database. If registration information is available, BugMeNot will populate the form, allowing you to continue while remaining anonymous.

10: Xmarks

Xmarks is not a security extension, but it is one helpful add-on. Trying to keep bookmarks synchronized on several computers is a pain. Xmarks does it for you. Install it and get rid of the frustration.

Final thoughts

Firefox is my Web browser of choice. I also use all of the extensions I recommended. If pushed, I would admit that NoScript, BetterPrivacy, and AdBlock Plus are the ones I consider most important. If I missed your favorite security extension, please let me know.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

73 comments
deepsand

1) Too many user ratings there are either wholly uninformed or deliberately biased. 2) Sites are reported as being sources of malware when such sites do not even offer any downloads! In short, WOT is prone to resulting in tyrannies of the majority born of ignorance and/or malice. Use WOT, if you must; but, do not blindly trust it.

Fionnmaccumhailus

CookieSafe is the same concept as NoScript, but for cookies. LinkAlert tells you what a link is and/or where it is going (same domain, new domain, new window/tab and other things).

turtlewalker

On the advice of a friend I am trying Trusteer. What do you think of it?

lldice

Key Scrambler seems like a good add-on for password protection too.

rngunter

Back in the days of dial-up I found Firefox (which inherently helped load pages faster), but then I found AdBlock and WOW, I could actually surf the web again without taking a day and a half for pages to load! AdBlock does a wonderful job at removing content and it's very easy to add your own filters specific to what you DON'T want to see. I like that you can block just one ad or, if you choose, block the domain where the ad is based, which helps eliminate you seeing more ads of similar content.

alewisa

Wow, TechRepublic loads sooo much quicker now. Without those annoying adverts ;-)

mirossmac2

AddBlock Plus should be AdBlock Plus

ChromeToaster

Got a script warning using NoScript about this very page.

emgub

Definitely will +1 you on this. WOT is good for identifying poor sites. However, don't just discard a site because WOT says so. When WOT says poor on a site, I'll usually follow up with a Google search to verify. For example, a well-known/trusted site was hacked and the site's address re-directed to a porn site for half a day. Following this, the WOT ignorant masses were able to drop this site's listing from Good to poor status, and there were 500+ comments of idiots saying it's a XXX site, beware. Even though they've never been to the site before that day.

JCitizen

At least with LinkAlert you know pretty much where you're going. Seems like Michael featured another one in a previous article about one that alerts you when you're being redirected to another URL too. Can't remember the name of it, but I wished IE would do it without needing trusted zone settings. That would cut down on cross-scripting wouldn't it? (edited) Verify-Redirect - that was it!

Michael Kassner

But, I may be saving all of these for another article instead. Will that work?

Michael Kassner

The financial institution has to belong as well. That is one problem I see. What are your thoughts?

JCitizen

LastPass, the last password vault you'll ever need!

Michael Kassner

I may have the makings of another 10 article. Thanks.

K12Linux

At least where I moved to three years ago. Wireless Internet wasn't an option there until then. I was lucky to get 28.8 kbps. AdBlock, NoScript, Flashblock and disabling auto-loading of images made general surfing bearable (if a bit ugly.)

PhilippeV

Personally, I don't want to block ALL ads from sites, I just want to block ads that slow down our navigation considerably (because they are delivered by unspecified alternate third sites, most often very slow to render) or that are very intrusive (such as overlaid layers). Ads that are inserted responsibly by web sites themselves are essential for the sites; it's normal that sites want to get paid for the contents they create themselves, provided that they are using their own bandwidth, but also delivered to visitors under their OWN privacy policy and without denying their OWN responsibility. Responsible advertising that respects visitors is a good practice to follow, because this also allows the editors of websites to keep control themselves of the practices followed by each of their advertisers, exactly like normal printed media, or TV. Such controls allow ads with much better quality, and we are still free to not follow a banner by a click on its link. I really urge advertisers to adopt responsible behavior, and work better with the web sites on which they will appear. Web agencies must also change their practices, by correctly identifying their clients (announcers) and working better with the websites that will accept their content, using a site-specific API (managed by site servers and their editors, that can still filter the ads that may be damaging for their reputation). What I'm fed up with is seeing that very questionable ads are inserted everywhere, and delivered through third parties that continue to track visitors from site to site (or with the assistance of the sites that are forwarding the ads to their visitors). That's why I want an ad blocker, but a smarter product that will:

* block all ads coming from third parties (on distinct domains)
* not block the content correctly identified as ads
* block third party cookies
* block intrusive ads like overlaid layers appearing on top of the site content and blocking the navigation actively
* block ads whose origin is not identifiable
* block ads from networks that fail to correctly identify the products or services that they are supposed to publicize, because they use deceptive messages (the web agencies are the most guilty for not controlling this and not offering warranties to the sites on which they propose their feeds)

On the opposite, ads that follow good practices, and bring visitors to other sites that use good privacy policies matching the policy and the subject of the visited site, are not that bad, and I still think that many sites depend on ads for financing the rest of their contents or services. Under these conditions, I will LIKE the ads because they will participate in the usefulness and adequacy of the content of the sites. Am I a fool for wanting such ads?

Michael Kassner

I like the fact that you have the option to release them if you want.

Michael Kassner

Thanks, that is embarrassing. Especially, when the correct spelling is in the slide. Thanks for pointing that out.

Fionnmaccumhailus

and I tell them they need to answer two questions when a site doesn't work because of the NoScript/AdBlock combo. 1. Do you trust the site? This is generally no. 2. Do you really need it to work? Almost everything that gets done with the geewhiz of scripting can be done with DHTML and/or CSS. So, I generally say no to scripts if the site is not something I deem trustworthy by very broad untrusting criteria.

artlife

As the other poster said: disallow everything and just let run what's absolutely needed for the content you want. I think it's an eye-opener for the average user. It won't take long for you to start recognizing the good from the bad and the necessary from the unnecessary.

seanferd

Assuming you leave warnings on. This means nearly all websites. I just leave everything disallowed unless some functionality, or something I want to see, is missing. Temporarily allow items until you get what you want. Revoke allowances you don't need. Permanently allow domains which are needed for sites you visit regularly. Works great alongside AdBlock Plus. (But don't forget to allow some ads at sites you like!)

Michael Kassner

NoScript is very noisy. It will inform you if any scripting is being used. That said, it is virtually impossible to determine good scripts from bad. What NoScript is attempting to do is give you an idea of all the scripts that are running, as well as the opportunity to decide whether to allow the script to run or not. I hope that makes sense.

JCitizen

I've been trying to reacquire that link for years now, put it on my XP laptop, then promptly forgot about it. Seems like you can choose a mirror to auto-update it too. If I remember correctly it does this in the background silently. Hence why I forgot about it. Probably why I've never been drive-by'd on that PC, even while using IE! THANK YOU m@!!!!

Michael Kassner

Using the hosts file is a good option. Thanks for mentioning it.

Fionnmaccumhailus

I generally post to be immediately helpful to someone. Which is why you don't see me flogging any issues :) Looking forward to your next article (looks like it will be 25 security related addons)!

rname

Since many attacks are now coming from ads, NOT seeing them does enhance the browser's security.

JCitizen

how many businesses still use Fortran, but YUK! I had to deal with punch cards in the Army long after their obsolescence! I just LOVED filling out those HUGE state punch card reader sheets! NOT! The funny part about it, was I learned to fill them out with a computerized typewriter automatically; which was lightyears ahead of the very system I was supporting! HA! DA Form 2765-1. Ahh! Ya had to love it!

Michael Kassner

You can turn any ad back on that you want with AdBlock Plus. Just click the ABP stop sign.

DavidPh

I generally like Adblock Plus but found that it seemed (couldn't always be sure) to block desirable content. I switched to Privoxy http://www.privoxy.org/, and it seems as effective and less intrusive, with fast, easy bypass if you really want to see something.

JCitizen

I noticed in your previously mentioned article about extensions; in that article you mention your doubts about whether AdBlock Plus was really considered a security feature; and I'd just like to put in an FYI. For Internet Explorer, SpywareBlaster uses hosts files to block bad servers that host malware vectors. I noticed the amount of ads that are allowed on my IE sessions is cut by two thirds at least! I know of at least three attacks on clients that came through as Flash ads; this SB feature reduces the chances of opportunity as an attack vector. I would say AdBlock Plus is even more effective at this, as it trusts no ad server. Since even legit ad servers are being compromised every day, I say this is a good thing. Web advertisers need to clean up their act.

JCitizen

too bad more site designers don't listen to this wise advice.

Michael Kassner

Promote the use of temporarily allow. As well as slowly allowing one at a time. Seeing if that provides the necessary parts of the Web site.

Michael Kassner

When I began testing the beta version, I was amazed at what NoScript was telling me.

JCitizen

2005 to now; that one is as good as AdBlock Plus. Especially since I'm the only one I know in my circle of clients/friends that hasn't been attacked by some ad or ad link of some kind. I say that by meaning successful attack, I may have been on my new PC, but everything happened so fast I don't really know if it was a Google link or flash ad that unsuccessfully tried to place a vector and take over my Vista PC. It is good to see they have Vista instructions now!

JCitizen

an article on ZDNet on AdWords related attacks? Seems bad servers were "botted" and Google was once again trying to clean up their servers, and links. I've found if AdBlock blocks it, it is a good bet it needs blocking until the lazy administrators clean up their act, and quit letting their servers get rooted! Besides, you can always put any domain, etc. in the trusted part of the hosts file that AdBlock Plus uses.

JCitizen

Sorry I didn't see this post sooner, I wouldn't have commented with my FYI earlier!

Michael Kassner

Thanks for taking the time to explain your experiences. I have had similar results.

rname

First let me say that I install Firefox on every one of my customers' computers, and then I immediately install AdBlock. I strongly feel AdBlock is the best add-on out there because if people can't SEE the ad to click on it they can't be hurt by it. Hence my observation that I consider it a security feature. In answer to your question of whether AdBlock has ever caused an issue: When researching AdWords (either theirs or their competition's) I realized that my display was different from what my customer saw. Since I still saw AdWords I cannot imagine that AdBlock was the problem, and knowing how Google tries to hone the ads you see to your 'traits' I can understand how the root cause of NOT seeing what my customer saw for the same search probably was NOT AdBlock. Still, to be proactive on behalf of my clients, I now have AdBlock OFF for Google, which only presents some minor issues e.g. opening Google Images without it on. Thus, I would say the answer to your question is No, I have NOT had any adverse experiences because of AdBlock. (No Pun Intended but hey...) All in all though, after years of using AdBlock (from back when you had to ADD the server addresses yourself by right-clicking on the ads [Thank You EasyList!!!]) it is still my #1.

JCitizen

I don't recommend the paid versions unless you completely trust their anti-virus to do the job; or at least use a good non-resident scanner to back it up. Ad-Aware used to be the best ad blocker, but I'm not sure they do an adequate job of it anymore, so I recommend using SpywareBlaster in conjunction with the free version of Ad-Aware Anniversary Edition. This did the best job of blocking some of the pesky cookies and server signals that gum up your Internet Explorer and Firefox browsing sessions. You will notice a download speed up, and still see quite a few of the more trustworthy ads. MBAM is pretty good too and even if it is running in protected mode, it gets along nicely with Ad-Watch, Ad-Aware's heuristic engine. But I think it only blocks bad cookie requests and IP attacks; you will find many cookies left over time. I used to think it blocked cookie downloads, but I was mistaken. Browser download performance is greatly enhanced with MBAM! S-B also blocks ActiveX attacks in real time with absolutely no hit in performance. These are all x64 capable and are fully modern too. (edited) Sorry Michael, I meant to put this post below PhilippeV!

JCitizen

You will notice trusted ad sources. Malware is known to change this file, so beware. I would advise you not to be so trusting of ad servers, unless you personally know the administrator and whether he is doing his job right. Best estimates are that up to 10,000 new ad servers are being bot infected every quarter, with no end in sight so far. The security field is in chaos right now, and crime crackers are in full swing to change tactics daily. In fact; because file definitions are obsolete; if you don't have at least one HIPS enabled AV and AS solution on your PC/Server, you're wide open for attack in my not so humble opinion.

Michael Kassner

I have no problems allowing content to show using AdBlock.

JCitizen

that is for sure! And of course thanks for the zillionth time!!! I do fear that a general rout of business could result eventually when advertisers realize how popular these could get. This could hurt web-business. But if the dad-gummed advertisers would clean up their act, maybe we could take them off the hosts file?!?

Michael Kassner

I also get to change my mind, right? I would not surf without it.

JCitizen

on the item you want to enable as safe as right clicking? Just curious to see if anyone knows. I haven't noticed that it enables too many controls.