
Firefox: Some security tips

There are several reasons why Firefox is the Web browser of choice for many of us. Providing a safe Web surfing experience is one of the more important ones. I'd like to offer some tips that will make surfing the Web with Firefox even safer.

It's important to be able to tell at a glance whether a Web site that should be using HTTPS actually is. When Firefox first came out it used a method that was easy to spot: the address bar turned yellow and a lock icon appeared on its right-hand side.

That feature was replaced in Firefox 3 by a small blue frame surrounding the Web site's favicon. Clicking on the blue field reveals more information about the Web site's SSL certificate.

I'm not particularly convinced the new approach is better. It's easy to miss whether the site is using HTTPS or not, especially if the favicon itself is blue. Also, I've read that the blue frame and most favicons are easy to forge; since a site chooses its own favicon, a lock-shaped icon sitting in that spot proves nothing on its own.

As for why the change was made, my guess is that the Firefox developers thought Extended Validation (EV) certificates were going to become the norm and focused on a way to better display the EV information. I think they succeeded: placing the organization name from the certificate in a green frame is very distinguishable.

It's a nice concept, but EV certificates aren't that prevalent, which kind of defeats the whole purpose. If my memory serves me correctly, less than one percent of all Web sites using SSL have EV certificates. It's understandable though: by design, the vetting process is more in-depth, which drives up the cost of obtaining one.

A well-kept secret

A good friend of mine let me in on what I'd call a hidden gem, and I wanted to pass it along. It's not perfect, but it certainly helps increase awareness of whether a Web site is using HTTPS or not. Besides, it's simple to do:

  1. Type about:config in the address bar.
  2. Firefox displays a warning about changing advanced settings ("This might void your warranty!").
  3. Click on the "I'll be careful, I promise!" button.
  4. Enter "browser.identity.ssl_domain_display" (minus quotes) in the Filter box.
  5. Double-click on the entry, which opens a dialogue box.
  6. Change the value from 0 to 1.

What this does is change how the address bar displays information for Web sites using regular (non-EV) SSL certificates: the site's domain name is now shown next to the favicon. Except for the frame being blue instead of green, it looks identical to what's displayed for a Web site using an EV certificate. This should help reduce the risk of confusing secured Web sites with unsecured ones. One caveat: the name shown is the domain the certificate was issued for, so a look-alike domain will proudly display its own name in a blue frame. Read the name, don't just look for the colour.

Revisit Perspectives

In August of 2008, I wrote an article about a Firefox add-on called Perspectives. I'm not going to rehash the details; suffice it to say that I highly recommend installing it. Then forget about it. The add-on works quietly in the background, comparing the certificate a site presents to you with what a set of network notaries have observed for that site from other vantage points over time, so a certificate swapped in somewhere between you and the site stands out. Now that I've said that, I want to revise the configuration I used in the initial article, even though it makes Perspectives a bit noisier.

The two changes I'd like to propose are:

  • Uncheck the default setting of "Allow perspectives to automatically override security errors".
  • Change "When to Contact Notaries" from the default to "Contact Notaries for all HTTPS sites".

Perspectives isn't perfect and the above changes may produce additional false positives (a site that has just rotated its certificate, or that serves different certificates from different servers, will look inconsistent to the notaries), but using the new settings will increase security while surfing the Web.

SSL Blacklist

Firefox 3 checks a certificate's revocation status using the Online Certificate Status Protocol (OCSP). There's a problem with that though: like EV certificates, OCSP isn't universally deployed, and many certificates carry no OCSP responder address at all. Worse, by default an OCSP check that gets no answer is treated as a pass rather than a failure. In a somewhat ironic twist, most SSL certificates do contain a CRL distribution point that says where to fetch the issuing CA's certificate revocation list, but Firefox doesn't fetch CRLs from those locations automatically (it only uses CRLs you import by hand under Advanced > Encryption > Revocation Lists). Hmmm, this means Firefox isn't capable of knowing whether a large share of existing SSL certificates have been revoked or not.

Márton Anka, seeing this deficiency, developed the SSL Blacklist add-on for Firefox. The add-on detects and reports certificates that appear on a blacklist of revoked or known-weak keys, as well as certificates whose signature still uses the weak MD5 hash algorithm. MD5 matters because in December 2008 researchers used an MD5 collision to obtain a rogue intermediate CA certificate that chained to a trusted root, so a certificate signed with MD5 can no longer be taken at face value.
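As an added illustration of what an add-on like SSL Blacklist has to do (this is not the add-on's own code), the following walks the outer structure of a DER-encoded certificate to read the signature algorithm OID, flags MD5- and MD2-based signatures, and checks the certificate's SHA-1 fingerprint against a blacklist. The certificates are constructed minimal DER structures with a dummy tbsCertificate, not real certificates, and the blacklist contents are made up for the example:

```python
import hashlib

# AlgorithmIdentifier OIDs for RSA signatures; the MD-based ones are the weak ones.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}
SIGNATURE_OID_NAMES = {
    **WEAK_SIGNATURE_OIDS,
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

SEQUENCE, OID, NULL, INTEGER, BIT_STRING = 0x30, 0x06, 0x05, 0x02, 0x03


def read_tlv(buf, pos):
    """Parse one DER tag-length-value starting at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                              # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted notation."""
    arcs = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                           # a clear high bit ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue };
    return the dotted OID found in the signatureAlgorithm AlgorithmIdentifier."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)                  # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)
    if tag != SEQUENCE:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def sha1_fingerprint(cert_der):
    return hashlib.sha1(cert_der).hexdigest()


def check_certificate(cert_der, blacklist):
    """Return the findings an SSL Blacklist-style check would report for this certificate."""
    findings = []
    if sha1_fingerprint(cert_der) in blacklist:
        findings.append("fingerprint on blacklist")
    oid = signature_algorithm(cert_der)
    if oid in WEAK_SIGNATURE_OIDS:
        findings.append(f"signed with {WEAK_SIGNATURE_OIDS[oid]}")
    return findings


# Helpers to build constructed test certificates (not real X.509 certificates).
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                 # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_cert(sig_oid, serial):
    """Minimal Certificate whose dummy tbsCertificate holds only a serial number."""
    tbs = der(SEQUENCE, der(INTEGER, bytes([serial])))
    alg = der(SEQUENCE, der(OID, encode_oid(sig_oid)) + der(NULL, b""))
    sig = der(BIT_STRING, b"\x00" + b"\x00" * 128)   # 0 unused bits + dummy 1024-bit signature
    return der(SEQUENCE, tbs + alg + sig)


if __name__ == "__main__":
    certs = {oid: make_cert(oid, i) for i, oid in enumerate(SIGNATURE_OID_NAMES, 1)}
    blacklist = {sha1_fingerprint(certs["1.2.840.113549.1.1.5"])}   # pretend this one was revoked
    for oid, cert in certs.items():
        print(SIGNATURE_OID_NAMES[oid], check_certificate(cert, blacklist))
```

The signature algorithm sits outside tbsCertificate, so it can be read without parsing the rest of the certificate; a real add-on would additionally have to walk the chain, since it is the issuer's use of MD5 on the intermediate, not the leaf, that the 2008 rogue-CA attack exploited.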

NoScript: a favorite

If you follow my articles, you will know that I think highly of Giorgio Maone's Firefox add-on NoScript. Giorgio realized that the vast majority of malicious Web sites rely on JavaScript (and plug-in content such as Java and Flash) to exploit a visitor's browser and take control of the computer. So he developed NoScript, which blocks active content by default and lets the user decide, site by site, which sites are trusted enough to run scripts.

As you might guess, it's a fairly noisy add-on. NoScript is going to ask you quite often whether you trust a site enough to allow JavaScript execution. If that's too granular, you have the option to change the setting "Scripts Globally Allowed (dangerous)" from the default of disabled to enabled.

Doing so will make NoScript considerably less intrusive, but most of the protection against JavaScript-based attacks goes with it. On a good note, even with scripts globally allowed you are still afforded NoScript's ClearClick protection against clickjacking.

Final thoughts

There you have it, four tips that I use and recommend to all of my clients. None of them are perfect solutions, but they certainly elevate user security when surfing the Web with Firefox. Let me know if you have any favorite security add ons for Firefox that I may have missed. Also if you have started using Internet Explorer 8, I'd be curious to learn how it compares to Firefox security-wise.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

47 comments
Ron_007

Thanks for the tips, I'd caught most of them from earlier postings. But looking back at them I noticed something interesting. Gmail allows you to use HTTPS, both to protect login and in theory to protect the browsing session. FF 3.5 highlights the certificate on sign-in, but at one point I noticed that the email session wasn't showing the EV indicator. When I clicked on the little icon it said the session was NOT encrypted. It was HTTPS, but not encrypted. A few minutes later the encryption "magically" reappeared. I'm not sure if it was something I did or not. But the EV indicator worked. I started the comment to mention that gmail wasn't fully encrypted, but when I went back to confirm, the EV indicator was back and clicking on the icon said the session was encrypted.

saj2109

Interesting & informative

Ahmadko

I think NoScript is one of the greatest add-ons I've ever used. Although it bothers me a lot sometimes, it's pretty useful, especially while visiting adult sites :P

challigan3

Very useful, Michael--I am having problems right at this moment with FireFox, this is helpful. Thanks.

Agnostic_OS

Other add-ons I've found useful are WOT (Web of Trust), a little treasure when surfing for the unusual, and Surf Canyon, a nice little search assistant.

techworxs08

I do wonder at what seems to be basic with security settings in general. They are either mostly ineffective or bug the crap out of you. I am an avid Firefox user and I detest I.E. Thanks for the article. Very well done.

santeewelding

Change your photo to one wearing a Viking helmet with horns. Stop trying to look so introspective.

seanferd

The first half of the article definitely explained a few things. I really want to thank you for mentioning that FF does not handle CRLs. What is with that? The funny thing about Perspectives: It always wants to do a query whenever I visit a secure Mozilla site, like Add-ons. Thanks for the information. I generally don't use FF, so I don't notice a lot of things like these. But I still get the golden address bar for SSL, so I don't need to worry so much about the tweaks, and I always check anyway.

Michael Jay

er, Michael. Thanks so much for that gem, keep em coming.

boxfiddler

I appreciate the tweaks. My favorite, handy-dandy tips for us noobs and semi-geeks. etu

santeewelding

I do have a favorite security add-on. Name is Michael.

Michael Kassner

Do you have Gmail set up so that it always uses HTTPS in the configuration? Otherwise it might be just encrypting the log-on. If you do, that was a strange occurrence and I'd keep my eye on it.

Michael Kassner

I'm busy now, could you tell us specifically what these add on will help with?

Michael Kassner

Lots of people running around here looking like that, especially during the fall.

Ocie3

If you run Firefox much at all, then please upgrade to version 3.0.10. Previous version 3.0 releases have security exploits that have been fixed, and, if memory serves, some of those exploits are present in Firefox 2.x versions, which will NOT be repaired.

Michael Kassner

Thanks, Sean. Could you give me a URL for the site that triggers Perspectives? Also, what browser do you normally use? The version of FF you have must be prior to 3.0. You may want to bump up to 3.0, as Mozilla mentions that earlier versions have issues but they aren't going to fix any of them.

Michael Kassner

Thanks, Michael. Are you using any of the other add ons?

markyannone

Firefox's update to 3.0.11 didn't break Flash this time, and the recent Flash update wasn't a mission from Hell either. But note that AOL is still using an antique, insecure version of Flash to make its broken interface work a little, speaking of a mission from Hell. Don't get me started. Mark Yannone yannone.blogspot.com

Twilight23

I used to use NoScript but the author modified (without notification) multiple other security add ons (Ad Block Plus and Ghostery at a minimum). He seemingly did this to make sure ads on his changelog were not blocked (generating more revenue). He also (reportedly - I haven't verified) white-lists several ad-spam sites (again to increase his ad revenue from his changelog page). The author has back-pedaled on some of the above but can not be trusted. Due to this heinous behavior, I would *not* recommend NoScript.

chucknite

McAfee Site Advisor seems to keep me out of trouble. It does make it more difficult to screw with the phishing web sites. Any thoughts on this app.

markyannone

After upgrading to version 3.0.10 I spent TWO DAYS uninstalling and installing Flash for Firefox and Flash for MSIE. Adobe needs to be taken to the woodshed for their Stone-Age approach to installations. And no thanks to Firefox and MSIE for breaking the installations either. I'm sick of it.

seanferd

https://addons.mozilla.org/en-US/firefox/ AKA Help > Get more extensions. Normally, I use the other Mozilla browser, SeaMonkey. Currently using 2.0a, but I rather liked the 1.x branch. SM 1.x had weird tabs problems, and copy/paste problems (which SM 2 shares to a lesser extent). I think they are probably add-on related, but the profile corruption or whatever it is happens over an indeterminate period of time, and is occasionally self-correcting. Personally, I think they are merging the wrong aspects of FF into the SM 2 branch, but that's just my personal opinion. FF 3.0.8 - I haven't grabbed the latest updates.

seanferd

NoScript is still the best addon, hands down, IMO. Very few devs, if any, write and update such good code so quickly. Nothing else does anything remotely like NoScript. Now, if Maone actually starts putting out malicious code, he and his company will be screwed. It's not like he's some anonymous cracker. But so far, he hasn't even come close. How often do you visit the NoScript site? Minimal effects to your browsing, even with the controversial code active. Software that you actually pay for does much worse. I do agree that Maone should have been up front about it. The first I heard of it was when I got a second update in two days, where Maone removed the code and apologized. I had to do some extra research just to find out what the big deal was, and concluded it wasn't a big deal at all. On the other hand, I don't want FF telling me which one or three search engines I can have integrated, while defaulting to an FF-branded Google page. Used to be you could add as many engines as you liked into the search panel. Now even SeaMonkey 2 has the same crappy behavior, via sharing the same crappy code. Oops, I didn't mean to rant. But there are all sorts of crappy behaviors exhibited by various software and operating systems, and to pick out NoScript for such a backlash is nuts. Yeah, tell Maone you don't like the "feature" ;) , but why throw out the baby with the bathwater?

Michael Kassner

Is it possible for you to give more details about the issues? I'd like to look into them and even quiz the developer about your concerns.

markyannone

I didn't consider your response to be derogatory. I'm not thin-skinned, as most abused Americans are trained to be these days. Mark Yannone yannone.blogspot.com

Michael Kassner

Anything derogatory by it. I actually have the same thing occur to me quite regularly. That's quite a story. I'll remember the install sequence though. Thanks for sharing.

Michael Kassner

I've not seen that or heard of anyone having your problem. Can you explain in more detail? I'm interested in learning about it, just in case. Thanks.

seanferd

When I was messing around with Perspectives, I set it to query all SSL sites, and always ask.

Michael Kassner

I never considered your points before. I will have to check Sea Monkey out. As for the Add on site. I don't get the warning. In fact it mentions that the key for the site has been seen consistently for 188 days. SSL Blacklist says certificates are consistent and not on any lists. Strange.

seanferd

@ Wilcoxon: It is odd, as the SM 1.x branch allows manual addition. I can't understand what happened to it. Just strikes me as weird. But I think I'll have a look into the format of the add-ons and see what is going on there. @ gretpass: I found mycroft long ago, but a lot of that stuff is not updated, doesn't work with SM, and the engines I'm looking for have no add-ons offered. Otherwise, it is really cool that someone keeps track of these.

Michael Kassner

I certainly appreciate the link. It will make life a lot easier for many users I know.

Twilight23

As far as I can tell, the default search engine is plain Google (unless I did something I'm not remembering to change it). I hadn't even noticed that you can't add a search engine manually (have to get an add on). It should be pretty easy to look at what the search engine add ons are doing and manually whip one up. I assume it's the typical pseudo-url with variable-like-things for where the search string goes.

seanferd

I'm a fan of about:blank myself, but I meant the default search engine, not home page. If you know how, please let me know how to easily add a search engine URL for which they do not have an extension. Actually, I don't want an extension for this type of thing at all. I should be able to enter a URL in a text box, like I used to be able to do in older incarnations of Mozilla browsers. Maybe, since I used to hack the registry to alter IE search engines, I could download an add-on and hack it to load other search URLs. It is nice that I can at least easily delete search engines I don't want, like Amazon or Ebay.

Twilight23

I'm using the latest FF (3.0.10) and there doesn't seem to be a limit on search engines. I had 7 defined and just added 3 more to test. I never notice the default page as I always set it to about:blank.

Michael Kassner

I was not aware of that problem. I've known the developer for a while now and I think I'll give him a second chance. His explanation is sufficient for me. I thought I had better also mention that I have no affiliation with the product other than several e-mail exchanges I needed to fully understand the product for a NoScript article.

Twilight23

There's a fair bit of comments on addons.mozilla (https://addons.mozilla.org/en-US/firefox/addon/722). The full info on Ad Block Plus is at http://adblockplus.org/blog/attention-noscript-users. The full info on Ghostery is at http://news.ghostery.com/post/103180001/attention-all-noscript-users. Some additional info is http://yardley.ca/2009/05/04/when-blockers-block-the-blockers/. This was a little different as it was a CSS rule on the NoScript site (as opposed to actually part of the NoScript add on) but it still was designed to specifically disable Ghostery (very bad). And an apology from the NoScript author (http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/). It explains some things and apologizes but I will probably still not use NoScript in the future as I no longer trust the developer.