The Definitive Guide For Securing Firefox

This is part 1 in a series where I’ll be detailing various settings for specific programs and operating systems. I’ll be writing a guide for Chrome, Firefox, Windows Vista/7/8, and Ubuntu 12.04 (maybe other things I can think of.) The guide will cover everything I can think of and will cover both system compromise, in-program compromise, and privacy concerns. I won’t cover all subjects today, probably just Firefox and Chrome.

Firefox

Firefox is the free and open source browser developed by Mozilla. It focuses on user-oriented features like a customizable UI and ensuring user satisfaction through an interactive developer community.

By default without any plugins Firefox is fairly secure in that it makes use of modern mitigation techniques and is quick to patch. This guide will go over some Firefox extensions that you can install as well as  settings that you can change to improve security and privacy.

Privacy Settings

First up we’ll change our privacy settings to include the Do Not Track header, which I recently posted about. We’ll also be disabling third party cookies as these are typically only ever used for tracking users (though they can have legitimate uses, like logging into websites via third party logins).

Firefox -> Edit -> Preferences -> Privacy

It should look like this after you’ve changed the settings:

Image

Security Settings

From the privacy tab you can click the next tab – Security.

Here we can set our master password. This password will encrypt all others so that if anyone gains unauthorized access to your system they will no be able to gain access to your information.

See this guide for creating a strong password.

Content Settings

Firefox lets you allow or deny Javascript throughout the browser in the content settings page. Disabling Javascript will break many sites but it will improve security – I recommend NoScript instead.

NoScript

NoScript is an extension developed by Giorgio Maone. NoScript is a default-deny system that blocks a webpages ability to run scripts or plugins. It also makes use of a strict XSS filter and clickjacking prevention.

By default NoScript blocks the following:

Image

This renders most attempts at exploiting the browser unsuccessful and will protect even whitelisted pages fairly well.

The problem with NoScript is that there is a ton of user interaction required. You have to whitelist every site you want to visit. It’s a pain. But if you’re after high level of security that’s what I recommend. If you globally disallow (default) you’ll benefit even when you whitelist a website.

Even if you hate the interaction I highly recommend you install NoScript and turn on the “Allow Scripts Globally” feature because it will still provide further improved security.

With NoScript ‘Allow Scripts Globally’ you miss out on the full extent of its protection but even then you’ll benefit from a few really great protections such as:

The XSS Filter – NoScript’s XSS is kinda the XSS Filter to compare all other XSS Filters to.

ClearClick – Clickjacking is a method used by attackers to trick a user into clicking a hidden or invisible ‘button’ that can lead to an exploit page or even a bank transaction. ClearClick is the only protection for this currently implemented.

CSRF Protection – CSRF is harder to explain. It attacks from the users end of the system so it can do things like get into your email account and bypass protections because it all originates from ‘you.’

MITM Protection – Man In The Middle attacks happen when, simply, the attacker is between you and the server. SSL is the typical solution but you can spoof certs and hijack even SSL communications or just attack mixed content transmissions. NoScript implements multiple protections here.

So, there you have it. Even with Scripts Globally Allowed NoScript is going to make your Firefox much more secure.

HTTPS-Everywhere

HTTPS-Everywhere is an extension developed by the EFF (Electronic Frontier Foundation) that aims to force HTTPS on all sites that make it available.

Many sites, like wordpress, offer HTTPS but don’t default to it. HTTPS-Everywhere will block and redirect requests so that you end up using the HTTPS version.

HTTPS means that the traffic between you and the server is encrypted. That means that no one besides you and the server gets to read or manipulate the data.

This prevents MITM attacks that can be used to sniff passwords or even compromise the machine by redirecting your request to an exploit page.

Convergence

Convergence is an extension that aims to solve many of the issues we see today with SSL and MITM attacks.

Check out this explanation on it here.

It hasn’t been updated in ages, and I’m not even sure if it’s supported anymore, so take this tip with a grain of salt – results may vary.

AppArmor (Linux Only)

I’ve written a guide for AppArmor already but I’d like to highlight that Ubuntu comes with a Firefox profile by default. It probably needs a bit of tweaking but if you follow the guide it’s easy to set up.

To set your apparmor profile to enforce simply enter:

# aa-enforce /etc/apparmor.d/usr.bin.firefox

Afterwords your Firefox will be held in a tight sandbox, which will prevent and contain exploits.

Use PDF.JS

Adobe Reader is one of the most commonly exploited applications and although it has improved you may want to check out PDF.JS.

You can use this simple extension to install it and Firefox will handle PDF through Javascript.

You can read more about PDF.js here.

PDF.js is arguably less secure than Adobe Reader as Reader will run within a sandbox. The goal of PDF.js is to reduce attack surface by having PDFs rendered by the Javascript engine already present in Firefox.

Remember

Always make sure to keep Firefox and all of its plugins up to date. This is critical on Windows where out of date plugins consistently lead to compromise.

And Please…

Firefox is not my default browser and hasn’t been for over a year now. If you know of any other methods for securing it please leave me a comment and I’ll try to fit it in. Thanks.

5 thoughts on “The Definitive Guide For Securing Firefox

  1. Pingback: Hardening Ubuntu Linux » InsanityBit InsanityBit

  2. Pingback: Why You Should Use NoScript - InsanityBit

  3. Hi there,

    thanks for your article! It is quite helpful already, but I would like to point you in yet another direction. To my understanding, security generally does not only concern confidentiality and integrity, but also (and increasingly) anonymity. In this respect, nowadays the standard browsers themselves are a complete mess, as they willingly deliver thousands of linkable user features by default. These are more reliable and more stable than the IP address itself. Therefore, besides using some anonymising proxy like Tor (onion routing) or JAP (mix cascades), one should carefully reconfigure the browser to restrict showing such features in an identifiable way. Following are two very successful examples of that careful configuration:

    https://anonymous-proxy-servers.net/en/jondofox.html
    https://www.torproject.org/projects/torbrowser.html.en

    The first, JAP’s Firefox profile (available as normal user or ESR configuration), also contains additional settings concerning confidentiality and integrity proper.

    Maybe you would like to mention or link to some of that…

    Best regards,
    Thorsten

    • Yeah, I’ve considered bringing in Privacy as it is fairly relevant, but I wanted the post to remain focused. I may bring in more privacy related information later.

      Thanks

  4. I have well gone off Firefox after finding that the android version without any plugins is listening in to DLNA broacast messages from devices like XBoxes and Samsung Smart TVs and then making a UPNP request to the devices to recive XML data back from these devices.

    In my case this not only includes the make and model of the TV but also the serial number and its not like my simple android device can steam to the TV or play XBox games.

    I know Google pays Firefox $50m a year and they don’t do that without getting something in return as you can see if you type About:config into the URL and search for Google but I will not put up with Firefox hacking my local area network to then upload all the device data back to central server.

    Shown below is both the request and reply I captured with some of the data replaced using XXX and I also had to tweak the HTML tags in the XML so it would post.

    GET /smp_24_ hxxp/1.1
    Host: X.X.X.40:7676
    User-Agent: Mozilla/5.0 (Android; Tablet; rv:36.0) Gecko/36.0 Firefox/36.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive

    hxxp/1.1 200 OK
    CONTENT-LANGUAGE: UTF-8
    CONTENT-TYPE: text/xml; charset=”utf-8″
    CONTENT-LENGTH: 1167
    Date: Thu, 01 Jan 1970 03:59:18 GMT
    connection: close
    Application-URL: hxxp://X.XX.40:80/ws/app/
    SERVER: SHP, UPnP/1.0, Samsung UPnP SDK/1.0

    [?xml version=”1.0″?][root xmlns=’urn:schemas-upnp-org:device-1-0′ xmlns:sec=’hxxp://www.sec.co.kr/dlna’ xmlns:dlna=’urn:schemas-dlna-org:device-1-0′] [specVersion] [major]1[/major] [minor]0[/minor] [/specVersion] [device] [deviceType]urn:dial-multiscreen-org:device:dialreceiver:1[/deviceType] [friendlyName][TV]Samsung50[/friendlyName] [manufacturer]Samsung Electronics[/manufacturer] [manufacturerURL]hxxp://www.samsung.com/sec[/manufacturerURL] [modelDescription]Samsung TV NS[/modelDescription] [modelName]XXX9200[/modelName] [modelNumber]1.0[/modelNumber] [modelURL]hxxp://www.samsung.com/sec[/modelURL] [serialNumber]XXXXXXXXXX[/serialNumber] [UDN]uuid:0dbXXXXXXXXXXXX[/UDN] [sec:deviceID]XXXXXXOMKVUK[/sec:deviceID] [sec:ProductCap]Resolution:1280X720,Y2013[/sec:ProductCap] [serviceList] [service] [serviceType]urn:dial-multiscreen-org:service:dial:1[/serviceType] [serviceId]urn:dial-multiscreen-org:serviceId:dial[/serviceId] [controlURL]/smp_26_[/controlURL] [eventSubURL]/smp_27_[/eventSubURL] [SCPDURL]/smp_25_[/SCPDURL] [/service] [/serviceList] [/device][/root]

Leave a Reply

Your email address will not be published. Required fields are marked *