The Definitive Guide For Securing Firefox

This is part 1 in a series where I’ll be detailing various settings for specific programs and operating systems. I’ll be writing a guide for Chrome, Firefox, Windows Vista/7/8, and Ubuntu 12.04 (maybe other things I can think of.) The guide will cover everything I can think of and will cover both system compromise, in-program compromise, and privacy concerns. I won’t cover all subjects today, probably just Firefox and Chrome.

Firefox

Firefox is the free and open source browser developed by Mozilla. It focuses on user-oriented features like a customizable UI and ensuring user satisfaction through an interactive developer community.

By default without any plugins Firefox is fairly secure in that it makes use of modern mitigation techniques and is quick to patch. This guide will go over some Firefox extensions that you can install as well as  settings that you can change to improve security and privacy.

Privacy Settings

First up we’ll change our privacy settings to include the Do Not Track header, which I recently posted about. We’ll also be disabling third party cookies as these are typically only ever used for tracking users (though they can have legitimate uses, like logging into websites via third party logins).

Firefox -> Edit -> Preferences -> Privacy

It should look like this after you’ve changed the settings:

Image

Security Settings

From the privacy tab you can click the next tab – Security.

Here we can set our master password. This password will encrypt all others so that if anyone gains unauthorized access to your system they will no be able to gain access to your information.

See this guide for creating a strong password.

Content Settings

Firefox lets you allow or deny Javascript throughout the browser in the content settings page. Disabling Javascript will break many sites but it will improve security – I recommend NoScript instead.

NoScript

NoScript is an extension developed by Giorgio Maone. NoScript is a default-deny system that blocks a webpages ability to run scripts or plugins. It also makes use of a strict XSS filter and clickjacking prevention.

By default NoScript blocks the following:

Image

This renders most attempts at exploiting the browser unsuccessful and will protect even whitelisted pages fairly well.

The problem with NoScript is that there is a ton of user interaction required. You have to whitelist every site you want to visit. It’s a pain. But if you’re after high level of security that’s what I recommend. If you globally disallow (default) you’ll benefit even when you whitelist a website.

Even if you hate the interaction I highly recommend you install NoScript and turn on the “Allow Scripts Globally” feature because it will still provide further improved security.

With NoScript ‘Allow Scripts Globally’ you miss out on the full extent of its protection but even then you’ll benefit from a few really great protections such as:

The XSS Filter – NoScript’s XSS is kinda the XSS Filter to compare all other XSS Filters to.

ClearClick – Clickjacking is a method used by attackers to trick a user into clicking a hidden or invisible ‘button’ that can lead to an exploit page or even a bank transaction. ClearClick is the only protection for this currently implemented.

CSRF Protection – CSRF is harder to explain. It attacks from the users end of the system so it can do things like get into your email account and bypass protections because it all originates from ‘you.’

MITM Protection – Man In The Middle attacks happen when, simply, the attacker is between you and the server. SSL is the typical solution but you can spoof certs and hijack even SSL communications or just attack mixed content transmissions. NoScript implements multiple protections here.

So, there you have it. Even with Scripts Globally Allowed NoScript is going to make your Firefox much more secure.

HTTPS-Everywhere

HTTPS-Everywhere is an extension developed by the EFF (Electronic Frontier Foundation) that aims to force HTTPS on all sites that make it available.

Many sites, like wordpress, offer HTTPS but don’t default to it. HTTPS-Everywhere will block and redirect requests so that you end up using the HTTPS version.

HTTPS means that the traffic between you and the server is encrypted. That means that no one besides you and the server gets to read or manipulate the data.

This prevents MITM attacks that can be used to sniff passwords or even compromise the machine by redirecting your request to an exploit page.

Convergence

Convergence is an extension that aims to solve many of the issues we see today with SSL and MITM attacks.

Check out this explanation on it here.

It hasn’t been updated in ages, and I’m not even sure if it’s supported anymore, so take this tip with a grain of salt – results may vary.

AppArmor (Linux Only)

I’ve written a guide for AppArmor already but I’d like to highlight that Ubuntu comes with a Firefox profile by default. It probably needs a bit of tweaking but if you follow the guide it’s easy to set up.

To set your apparmor profile to enforce simply enter:

# aa-enforce /etc/apparmor.d/usr.bin.firefox

Afterwords your Firefox will be held in a tight sandbox, which will prevent and contain exploits.

Use PDF.JS

Adobe Reader is one of the most commonly exploited applications and although it has improved you may want to check out PDF.JS.

You can use this simple extension to install it and Firefox will handle PDF through Javascript.

You can read more about PDF.js here.

PDF.js is arguably less secure than Adobe Reader as Reader will run within a sandbox. The goal of PDF.js is to reduce attack surface by having PDFs rendered by the Javascript engine already present in Firefox.

Remember

Always make sure to keep Firefox and all of its plugins up to date. This is critical on Windows where out of date plugins consistently lead to compromise.

And Please…

Firefox is not my default browser and hasn’t been for over a year now. If you know of any other methods for securing it please leave me a comment and I’ll try to fit it in. Thanks.