January 21, 2009
This article was contributed by Bruce Byfield
From a security perspective, Firefox add-ons are a nightmare. If you read
the legal notice, even on the official download site, Mozilla neither
reviews add-ons nor assumes any responsibility for the consequences of
using them. Yet any add-on could open unexpected vulnerabilities — at times
because of the unexpected consequences of using several in combination — and
they provide a new door to your system for crackers. As if to mitigate such
concerns, the last year has seen a steady trickle of security-focused
add-ons, and more are on the way. Some of these extensions control how you
browse individual web pages, and others alter how Firefox uses passwords,
cookies, and scripts, but, if you choose carefully, you should have no
trouble finding several that can greatly improve your security while
browsing.
Different security for different sites
One of the simplest security-oriented extensions is PrefSwitch. All
PrefSwitch does is add a series of icons to the status bar at the bottom of
the browsing window for toggling existing Firefox preferences, such as the
ones for handling JavaScript, frames, and images. Yet, by making these
controls accessible, instead of buried several layers down in
Edit -> Preferences, PrefSwitch makes it easier for you to change
preferences as you move from one web page to the next. You will still want
to add continually visited sites to the exceptions defined in Preferences,
but, for on-the-fly browsing, PrefSwitch is more convenient.
By contrast, SecureBrowse
takes a more organized approach, offering three sets of preferences for
security and privacy that you can assign to each site. The add-on includes
a pre-defined set of "Sensitive Sites" — mostly banks and popular sites
such as Flickr and Slashdot — that you can edit and extend as you choose.
Still another approach is used by Karma Blocker, which rates each site you
visit according to how it accesses Mozilla's chrome files (so you can see if
anything non-standard is happening) and how many resources it pulls in from
other sites. The apparent assumption is that a malicious script is likely to
be hidden on another site, so the more off-site resources a page uses, the
more likely cracker activity is. If a site's rating exceeds a certain karma
(the default is 100), Karma Blocker blocks access to it unless you
specifically add the site to the extension's whitelist. To help you
evaluate the automatic rating, you can monitor what Karma Blocker reports
for each resource and decide for yourself whether a use is harmless. The
monitoring is especially useful because, as you soon discover, many modern
sites use off-site resources for harmless reasons, for instance to link to a
graphic on Flickr, and a bare threshold blocks those just as readily as it
blocks a tracker. One drawback is that Karma Blocker's configuration is a
plain text file, which might intimidate inexperienced users.
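To make the heuristic concrete, here is an added illustration of a karma-style rating. It is not Karma Blocker's own code or scoring scheme: the weights, the default threshold, the two-label approximation of a site's domain and the sample page and resource list are all assumptions chosen to show how resources are classified as same-site, off-site or chrome, how the scores add up, and why the per-resource breakdown matters when a harmless Flickr image and a tracker cost the same.

```javascript
// Added illustration of a karma-style page rating. This is not Karma Blocker's
// own code or scoring scheme: the weights, the threshold and the sample page
// below are assumptions chosen to show the mechanism.

// Cost of each kind of resource load. Same-site loads are free, each off-site
// load adds karma, and anything that reaches into the browser's own chrome://
// namespace is treated as highly suspicious.
const WEIGHTS = { sameSite: 0, offSite: 25, chrome: 100 };
const DEFAULT_THRESHOLD = 100;

// Crude registrable-domain approximation: the last two labels of a hostname.
// A real implementation would consult the Public Suffix List (co.uk, etc.).
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").filter(Boolean).slice(-2).join(".");
}

// Classify one resource URL relative to the page that requested it.
// Relative URLs resolve against the page and therefore count as same-site.
function classify(pageUrl, resourceUrl) {
  const res = new URL(resourceUrl, pageUrl);
  if (res.protocol === "chrome:") return "chrome";
  const page = new URL(pageUrl);
  return registrableDomain(res.hostname) === registrableDomain(page.hostname)
    ? "sameSite"
    : "offSite";
}

// Score a page and keep a per-resource breakdown, so the user can judge
// whether a high score comes from a Flickr photo or from a tracker (the
// monitoring the article describes).
function ratePage(pageUrl, resourceUrls) {
  const report = resourceUrls.map((url) => {
    const kind = classify(pageUrl, url);
    return { url, kind, cost: WEIGHTS[kind] };
  });
  const karma = report.reduce((sum, r) => sum + r.cost, 0);
  return { karma, report };
}

// Block when the score exceeds the threshold, unless the page's site is
// on the whitelist.
function decide(pageUrl, resourceUrls, whitelist = [], threshold = DEFAULT_THRESHOLD) {
  const site = registrableDomain(new URL(pageUrl).hostname);
  const whitelisted = whitelist.some((w) => registrableDomain(w) === site);
  const { karma, report } = ratePage(pageUrl, resourceUrls);
  return { karma, report, whitelisted, blocked: karma > threshold && !whitelisted };
}

// Constructed sample page: one local stylesheet, a Flickr image, an ad script,
// a tracking pixel and a reference into the browser's chrome.
const SAMPLE_PAGE = "https://blog.example.com/post/1";
const SAMPLE_RESOURCES = [
  "https://blog.example.com/style.css",        // sameSite, 0
  "https://farm1.static.flickr.com/photo.jpg", // offSite, 25 (harmless)
  "https://ads.adnetwork.example.net/show.js", // offSite, 25
  "https://tracker.example.org/pixel.gif",     // offSite, 25
  "chrome://browser/content/browser.xul",      // chrome, 100
];

const verdict = decide(SAMPLE_PAGE, SAMPLE_RESOURCES);
for (const r of verdict.report) {
  console.log(`${String(r.cost).padStart(3)}  ${r.kind.padEnd(8)}  ${r.url}`);
}
console.log(`karma=${verdict.karma} blocked=${verdict.blocked}`);
```

Run under Node.js, the sample page scores 175 and is blocked; drop the chrome:// reference and it scores 75 and passes, even though the three off-site loads are unchanged, which is exactly the judgement call the breakdown is there to support.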
Passwords and cookies
If you are concerned about password security, an extension to start with is
Master
Password Timeout. Its sole purpose is to add a control that should have
been in default Firefox long ago: An expiry time in seconds for the master
password — set in
Edit -> Preferences -> Security — which
protects access to the site passwords stored by Firefox.
For more detailed control of passwords, you can install Password
Hasher. Rather than storing a different password for every site, Password
Hasher derives one: you type a single master key, and the extension
combines it with a tag for the site and hashes the result to produce the
password that is actually submitted. The site never sees the master key, so
a password leaked from one site reveals neither the key nor your passwords
elsewhere. Password Hasher also obscures passwords as you enter them, to
prevent anyone who is physically present from learning details such as the
number of characters; it enforces a minimum size and contents for the
generated passwords; and, like Master Password Timeout, it limits the time
that the master key remains in effect once entered.
Cookies are reasonably well handled by Firefox, though you
will find a number of add-ons to make control easier. By using Cookie
Watcher, you can view and edit cookies in more detail than when you
click the Show Cookies button on the Privacy tab in Edit -> Preferences.
By contrast, Extended Cookie
Manager and Cookie
Context take a different approach, adding pop-up controls directly on
each web page.
However, none of the extensions for handling standard cookies is much good
against the new generation of super cookies, such as the Local Shared
Objects that Flash deposits on your system, nor against click-pings. A
click-ping is not a script but an HTML ping attribute on a link, which
makes the browser notify one or more URLs whenever you follow that link, so
that your activity can be logged; Firefox implements the feature but ships
with it disabled through the browser.send_pings preference. Both Local
Shared Objects and click-pings are frequently used for reasons no more
malicious than any cookie, but the point is that neither is reached by the
cookie controls: pings are never stored at all, and Local Shared Objects
live outside the Firefox profile's cookie store, in a directory of Flash's
own under your home directory, so they survive when you clear cookies from
Edit -> Preferences -> Privacy -> Cookies. Fortunately, you can remove Local
Shared Objects with Better Privacy, which provides an insightful and rather
alarming glimpse of what can creep into your home directory without your
knowledge.
Script controls
Other extensions change how Firefox works with scripts. Controle de
Scripts, for instance, specifically targets JavaScript, a language that is
praised and discouraged in almost equal measure. The default Firefox
preferences give you half a dozen options for specifying what you will
allow JavaScript to do to your browser window, but Controle de Scripts
lets you control another half-dozen basic JavaScript actions, as well as
the behavior of pop-up windows and the maximum time that a script is
allowed to run. You can also set your own limitations, provided you are
familiar enough with JavaScript to know what you might want to prevent.
But by far the most comprehensive extension for controlling scripts is
NoScript. NoScript is a detailed set of controls for JavaScript and for
plugin content such as Java, Flash, and Silverlight, as well as for frame
and iframe tags (either of which could be used to embed a malicious script)
and for HTTPS-carried content. All these settings, as well as a whitelist,
can be set globally from Tools -> Add-ons -> NoScript -> Preferences, or
for individual sites from the icon in the lower right of the status bar at
the bottom of the Firefox window.
As you might expect from the name, NoScript begins with the sound security
practice of forbidding scripts on every site except for those entered by
default on the whitelist. That means that you need patience to bring
NoScript to a state with which you can live, especially since the white
list is all or nothing — either you allow all types of scripts to be run
on a site, or none. Still, the Preferences tab in Tools -> Add-ons links to
clear and comprehensive help, and the end results will be peace of mind if
you persist.
These are just the most useful security extensions I've encountered. If you
check under Privacy and Security on the Add-on site, you can find dozens
more. You might especially want to note some of the extensions
currently marked as experimental, such as Content Security
Policy, Policy
Manager, Magic Password
Generator and Startup
Master. These extensions are not quite ready for you to rely on them,
but together they suggest that even more security options will soon be
available for Firefox users.