
Firefox security add-ons

January 21, 2009

This article was contributed by Bruce Byfield

From a security perspective, Firefox add-ons are a nightmare. If you read the legal notice, even on the official download site, Mozilla neither reviews add-ons nor assumes any responsibility for the consequences of using them. Yet any add-on could open unexpected vulnerabilities — at times because of the unexpected consequences of using several in combination — and they provide a new door to your system for crackers. As if to mitigate such concerns, the last year has seen a steady trickle of security-focused add-ons — and more are on the way. Some of these extensions control how you browse individual web pages, and others alter how Firefox uses passwords, cookies, and scripts, but, if you choose carefully, you should have no trouble finding several that can greatly improve your security while browsing.

Different security for different sites

One of the simplest security-oriented extensions is PrefSwitch. All PrefSwitch does is add a series of icons to the status bar at the bottom of the browsing window for changing existing Firefox preferences, such as the ones for handling javascript, frames, and images. Yet, by making these controls accessible, instead of buried several layers down in Edit -> Preferences, PrefSwitch makes it easier for you to change preferences for each web page. You will still want to add continually visited sites to the exceptions defined in Preferences, but, for on-the-fly browsing, PrefSwitch is more convenient.

By contrast, SecureBrowse takes a more organized approach, offering three sets of preferences for security and privacy that you can assign to each site. The add-on includes a pre-defined set of "Sensitive Sites" — mostly banks and popular sites such as Flickr and Slashdot — that you can edit and extend as you choose.

Still another approach is used by Karma Blocker, which rates the sites you visit according to how it accesses Mozilla's chrome files (so you can see if anything non-standard is happening), and the resources it uses from other sites (the apparent assumption being that a malicious script is likely to be hidden on another site, and, the more off-site resources are used, the more likely cracker activity might be happening). If a site is rated above a certain karma — the default is 100 — then Karma Blocker prevents access to it unless you specifically add the site to the extension's white list. To help you evaluate the automatic rating, you can monitor what Karma Blocker reports to decide whether a use is harmless or not. The monitoring is especially useful because, as you soon discover, many modern sites use off-site resources for harmless reasons — for instance, to link to a graphic on Flickr. One drawback is that Karma Blocker's configuration is a plain text file, which might intimidate more inexperienced users.

Passwords and cookies

If you are concerned about password security, an extension to start with is Master Password Timeout. Its sole purpose is to add a control that should have been in default Firefox long ago: An expiry time in seconds for the master password — set in Edit -> Preferences -> Security — which protects access to the site passwords stored by Firefox.

For more detailed control of passwords, you can install Password Hasher. Password Hasher replaces your password on sites with a master key and a hash; you enter the hash to prevent your keystrokes from being monitored. It also obscures passwords as you enter them to prevent anyone who is physically present from learning any details about them, such as the number of characters. It also enforces a minimum size and contents for passwords, and, like the Master Password extension, limits the time that the master password remains in effect once entered.

Cookies are reasonably well handled by Firefox, though you will find a number of add-ons to make control easier. By using Cookie Watcher, you can view and edit cookies in more detail than when you click the Show Cookies button on the Privacy tab in Edit -> Preferences. By contrast, Extended Cookie Manager and Cookie Context take a different approach, adding pop-up controls directly on each web page.

However, none of the extensions for handling standard cookies is much good against the new generation of Super Cookies, such as the Local Shared Objects deposited on your system by Flash or click-pings (scripts that record when you select certain items on a web page, allowing your activities to be detected and logged). Both Local Shared Objects and click-pings are frequently used for reasons no more malicious than any cookie, but the point is that such items are generally stored outside Mozilla's usual cookie folders, and are therefore not removed when you remove cookies using Edit -> Preferences -> Privacy -> Cookies. Fortunately, you can remove Super Cookies with Better Privacy, which provides an insightful and rather alarming glimpse of what can creep into your home directory without your knowledge.

Script controls

Other extensions change how Firefox works with scripts. For instance, Controle de Scripts specifically targets Javascript, a language that is praised and discouraged in almost equal measure. The default Firefox preferences give you half a dozen options for specifying what you will allow Javascript to do to your browser window, but Controle de Scripts allows you to control another half-dozen basic Javascript actions, as well as the behavior of pop-up windows and the maximum time that a script is allowed to run. You can also set your own limitations, provided you are familiar enough with Javascript to know what you might want to prevent.

But by far the most comprehensive extension for controlling scripts is NoScript. NoScript is a detailed set of controls for Java, Flash, and Silverlight, as well as frame and iframe tags (both of which could potentially be used to embed a malicious script), and HTTPS-carried content. All these settings, as well as a whitelist, can be set globally from Tools -> Add-ons -> NoScript -> Preferences, or for individual sites from the icon in the lower right of the status bar at the bottom of the Firefox window.

As you might expect from the name, NoScript begins with the sound security practice of forbidding scripts on every site except for those entered by default on the whitelist. That means that you need patience to bring NoScript to a state with which you can live, especially since the white list is all or nothing — either you allow all types of scripts to be run on a site, or none. Still, the Preferences tab in Tools -> Add-ons links to clear and comprehensive help, and the end results will be peace of mind if you persist.

These are just the most useful security extensions I've encountered. If you check under Privacy and Security on the Add-on site, you can find dozens more. You might especially want to note some of the extensions currently marked as experimental, such as Content Security Policy, Policy Manager, Magic Password Generator and Startup Master. These extensions are not quite ready for you to rely on them, but together they suggest that even more security options will soon be available for Firefox users.


Index entries for this article
Security: Firefox
GuestArticles: Byfield, Bruce



Firefox security add-ons

Posted Jan 22, 2009 13:22 UTC (Thu) by Trou.fr (subscriber, #26289) [Link] (3 responses)

Even if those extensions help with security, installing them is not without consequences. Most of them are NOT signed, which means (combined with the autoupdate feature) it is quite easy to replace them with malicious code.

I think mozilla should make signing mandatory to allow distribution on addons.mozilla.org.

Firefox security add-ons

Posted Jan 22, 2009 14:13 UTC (Thu) by tzafrir (subscriber, #11501) [Link] (2 responses)

Signing by who, exactly?

Firefox security add-ons

Posted Jan 22, 2009 14:33 UTC (Thu) by dion (guest, #2764) [Link]

No problem, I can do that.

I will need to charge a small fee for the trouble, but I'm sure no-one will mind.

Firefox security add-ons

Posted Jan 22, 2009 15:10 UTC (Thu) by Trou.fr (subscriber, #26289) [Link]

Signed by the developers themselves at least, it is better than nothing.

Firefox security add-ons

Posted Jan 22, 2009 15:40 UTC (Thu) by badhack (guest, #55092) [Link]

I have found the Web Of Trust add-on to be very useful. It adds a user-supported rating to each link in the form of a small image and allows you to avoid lame websites:

http://www.mywot.com/

Firefox security add-ons

Posted Jan 23, 2009 5:47 UTC (Fri) by gerv (guest, #3376) [Link]

Doesn't the first paragraph of this article contain an enormous non sequitur? Yes, installing malicious addons opens up your system to crackers, but what does that have to do with e.g. adding master passwords to your Firefox or deciding whether or not to run script?

Gerv

Firefox security add-ons

Posted Jan 23, 2009 16:47 UTC (Fri) by kov (subscriber, #7423) [Link]

What actually strikes me is that people seem to think that leaving security in the hands of users, and making it their responsibility, is a good idea. Geek users will probably browse extensions, yeah, but most users will depend on the browser's ability to defend itself.

I'm not saying the browser should be trying to shield users from any conceivable insecure behavior they may have, but basic stuff such as the ones covered by the addons mentioned should be basic browser functionality (not options!).

"Permit Cookies" is another good one

Posted Jan 24, 2009 7:55 UTC (Sat) by JesseW (subscriber, #41816) [Link]

I use and value the add-on Permit Cookies, which simply adds an option to whitelist (or blacklist) sites on your cookie list in one click, rather than having to go into Preferences. It's simple, but useful.

Firefox security add-ons

Posted Feb 1, 2009 10:01 UTC (Sun) by muwlgr (guest, #35359) [Link]

The problem is that everyone and their dogs are starting to develop Mozilla addons and force them on the visiting user. Just like it was earlier with IE. They could well become a vector of insecurity and instability for Mozilla browsers. Soon, the inability of a browser to support Mozilla addons could become a virtue equal to the inability to support ActiveX. Like, in the Opera browser.

You know, Adobe has ported their "download manager" to Firefox. When you are going to download Adobe Reader, they offer to download it through their addon. Earlier this happened only when you used IE. With Opera, fortunately, it still does not happen. Anyway, this is a sad thing to know about Firefox.

The really useful addons are very few in count. But how many addons a typical user would install in their Firefox, you could easily imagine. The time is coming.

oh to be less insecure

Posted Oct 29, 2009 7:47 UTC (Thu) by doGoodWell (guest, #61669) [Link]

>Content Security Policy,
> Policy Manager

If, as one commenter phrased it: "I hope this is updated and escapes the sandbox. We really NEED a comprehensive, and less hellish interface for managing site security policies"

So true.

The addition of ABE to NoScript is a great plus. For more security please also review:

RequestPolicy
BetterPrivacy
RefControl

=D

Karma Blocker would do well by the community to adopt a filter subscription model akin to AdBlock Plus... moreover some kind of (I haven't given this much thought yet) system for dealing with redundancy in multiple subscriptions.. weightiness?

SSL

Posted Oct 29, 2009 7:49 UTC (Thu) by doGoodWell (guest, #61669) [Link]


Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds