In the past few years I’ve switched web browser quite a few times, usually using either Firefox, Safari, or Google Chrome. One of the reasons I’ve recently switched back to Firefox 4 is the quality of add-ons aimed at keeping the user secure and protecting their privacy on the web. I’ve browsed multiple lists purporting to contain the best add-ons for security & privacy, but almost all of them are either out of date, or contain add-ons that simply do not work with the latest builds of Firefox. To that end, I have compiled a list of add-ons that I personally believe are the best around, and which all work with the latest Firefox build (at this moment in time, that would be the official release of Firefox 4).
Firstly though, readers should be aware that although I’ve made sure all these add-ons work with the latest release of Firefox, they may not be “compatible” according to the add-on author. This means you may have to disable the compatibility check that Firefox does when installing the add-on. Be warned that this can cause Firefox to become unstable, and although my installation of Firefox seems to work fine with the incompatible add-ons, it may not be the same for you. If you want to take the risk, follow this tutorial (it can easily be reversed if things go wrong). If not, be patient and wait for the add-on authors to update their add-ons to be compatible with your version of Firefox.
Without further ado, here is my list (in alphabetical order):
Websites have always been able to track users; some do it for legitimate reasons (i.e. using login cookies, form referrals, etc), but other sites do it to try and learn more about a user’s web browsing habits, in the hopes of presenting them with targeted ads. With the invention of the evercookie, that tracking has become much easier, even when using Private Browsing.
Anonymizer Nevercookie is an add-on that extends the Private Browsing mode of Firefox, keeping an eye out for evercookies. When an evercookie is detected, it is quarantined, and then deleted when you close Firefox. In addition, the add-on makes sure to differentiate between malicious evercookies and necessary cookies that keep users logged into websites. Anonymizer Nevercookie is a must have for anyone concerned about their privacy, and requires absolutely zero configuration; just install and start using Private Browsing.
BetterPrivacy is a bit like Anonymizer Nevercookie, in that it monitors for evidence of evercookies and then quarantines and removes them at the end of a browsing session. However, the two add-ons both do different things to protect your privacy. Whilst Anonymizer Nevercookie only works in Private Browsing mode, BetterPrivacy works in both, giving you protection from evercookies even if you are browsing normally. BetterPrivacy also allows you to view the current suspected cookies, and to either remove or protect them manually; it also comes with a lot of configuration options that allow you to adapt the add-on to your needs.
So why not just install BetterPrivacy and forget about Anonymizer Nevercookie? Well, BetterPrivacy currently only protects against some of the storage options that evercookies have, focusing mainly on Local Shared Objects (LSOs) and DOM Storage. Anonymizer Nevercookie covers both of these, as well as Microsoft Isolated Storage (MIS), a feature of Silverlight. Now, BetterPrivacy may protect against this in the future, but for now, if you are concerned about the evercookie threat, I’d advise installing both.
Not all threats to security and privacy come from the web. There are newer and more dangerous threats to your web browsing in the form of software that alter your browser configurations. These changes (“hijacks“) are present in numerous pieces of software, and all re-configure your browser for their own benefit, whether by changing your homepage, or adding a new default search provider.
BrowserProtect monitors your Firefox configuration, alerting you if a rogue piece of software tries to hijack your browser.
Every website that has HTTPS enabled requires a Certificate Authority (CA) to sign a certificate that verifies the public key used is valid. Every CA has the power to create an intermediate CA, who in turn can create other intermediate CAs (ad nauseam), all of whom can issue and sign certificates. Whilst Firefox has a built-in list of trusted Certificate Authorities (CAs) who can issue valid certificates for HTTPS enabled websites, it also trusts any certificate that is signed by an intermediate CA, as long as the certificate chain links back to one of the trusted CAs in the built-in list.
The unfortunate side-effect of this is that some intermediate CAs might be trusted by Firefox, but may well be rogue and attempt to impersonate legitimate websites using a Man-in-the-Middle attack. Certificate Patrol is an add-on that tries to help the user out by giving them information about specific changes happening to certificates. Every time you visit a HTTPS enabled website, it will store information about the certificate, and whenever this information changes, it will alert you. This isn’t an add-on for regular web users; you should really only use it if you understand how digital certificates work, but it may be helpful if you want to see how often websites change their certificate details.
No, this is not the lovable character from Sesame Street, but rather a very powerful add-on that lets you control your cookies in much the same way that NoScript lets you control your JavaScript. Clicking on the icon in the Firefox Add-on Bar will bring up an intuitive menu that shows you all the domains that have cookies active on the current webpage, allowing you to block, reject, or temporarily allow each of them. Additionally, session cookies are separated from regular cookies, meaning you can allow session cookies (so you can use login functionality) whilst blocking all others.
This add-on also has quick links to the cookie viewer that is built into Firefox, meaning the viewing and deleting of individual cookies is easier than ever.
A lot of your private information is typed into forms via our web browsers, and although standards exist to stop potential private data from being recorded (such as the HTML input “autocomplete” attribute), there is no guarantee that the website you are on actually uses it. Disabling autocomplete globally can be a real pain, as it is useful to have some of our regular inputs stored for later use, which is where Form History Control comes in.
This add-on will display every input that your browser has recorded for you, whether it was your username in a website, or your age in some online form. Not only that, but it will tell you the name of the field you entered it, the first and last times you used it, and how many times you’ve used it in total. If that wasn’t good enough, it also provides a much better method for deleting these entries, as you can delete based on total usage rather than the last time they were used.
Using a proxy is good practice if you want to protect your privacy and do some anonymous browsing, and whilst Firefox has built-in proxy settings, you have to change them manually every time you want to use a new proxy server. This can be a real pain if you have a long list of them, or if you use programs like Paros or WebScarab to look deeper into HTTP connections (both of which require the browser to use local proxies to work).
FoxyProxy Standard is a great add-on that allows you to add multiple servers which you can easily switch between, and also lets you set up proxies that are used automatically on certain URL patterns.
Ever wondered how many tracking methods are installed on the websites that you visit? Ever wanted to block them all and protect your privacy? Then Ghostery is the add-on for you. Using a large database of over 500 trackers, web bugs, pixels, and beacons that are all used to track your web activity, Ghostery analyses each webpage you visit and displays a list of all detected tracking methods that are installed. You can then easily block the ones that you don’t want tracking you, or unblock any that you determine are “harmless” (FeedBurner, Google Analytics, etc).
In addition, Ghostery allows you to view information about tracking companies that it identifies, including their privacy policies, to help you make a decision on whether to allow or block the tracker. Other features include the ability to block the creation of cookies based on company identification (which is a highly experimental feature, and should only be used with moderation), and the “whitelist” feature, which overrides any blocks for sites that you trust completely.
HTTPS Everywhere is an add-on that I mentioned in a previous blog post, and it is one of my favourite add-ons for Firefox, not just because it makes your web browsing much more secure, but also because it is so simple. Many popular websites are served over HTTP, but actually support HTTPS, which encrypts all data sent between the web browser and the server. This means that anyone sniffing your network traffic won’t be able to recover sensitive data (such as passwords, cookies, etc). The reasons why HTTPS isn’t enabled by default on many popular websites are numerous (and are covered in the blog post I mentioned), which is where HTTPS Everywhere comes in.
Once installed, HTTPS Everywhere will force the use of HTTPS on popular websites that are known to support it. The add-on comes with a long list of supported websites, most of which are enabled by default (although you can enable / disable websites manually in the add-on preferences). In the latest version, you can even add your own rules for websites that are not on the default list.
So you’ve got HTTPS Everywhere up and running, and a lot of your favourite websites are being served over HTTPS, but what about websites not on the default HTTPS Everywhere list? You can add your own rules, as mentioned previously, but before you can do that, you need to know which of the websites you frequent support HTTPS. That isn’t very easy to do from a web browser, which is where HTTPS Finder steps in.
HTTPS Finder sends a quick (and small) request to each website you visit, determining if the site supports the HTTPS protocol. If the response is positive, HTTPS Finder displays a message at the top of your browser, asking you whether you’d like to switch over to HTTPS. If you choose to make the switch, a new rule is automatically created for the HTTPS Everywhere add-on as well, saving you from having to write the XML rules yourself (which is a real pain). Simply put, if you have HTTPS Everywhere installed, make sure you get HTTPS Finder as well, and start surfing the web over HTTPS easier than ever before.
Most of us are terrible at using passwords on the web. We don’t want to remember long strings of letters, numbers, and symbols, so we choose shorter ones that are easier to remember. Not only that, but we often use the same short password for multiple accounts across the web, meaning that if one account is compromised by an attacker, it is very likely that multiple other accounts could be compromised too.
Enter LastPass, which is in essence, a better password manager for Firefox. LastPass requires you to register an account (which is free), which is protected by your username (email) and your chosen “master” password. LastPass then monitors all your logins, and asks you whether you’d like to save the username / password combination. If you browse to a website which you are not signed into, and which LastPass detects a login for, it will alert you of the stored login, and you can simply click a button to login automatically.
Ok, so now we’ve sorted out the “management” part of LastPass, we can talk about the cool part. All encryption / decryption and hashing of passwords is done locally, on whichever computer you happen to be using at the time. So when you register your account for the first time, the master password you enter is encrypted and hashed in your browser, and the resultant hash is sent and stored on the LastPass servers. Similarly, when you record a new username / password combination, the data is encrypted locally using 256-bit AES and then sent to the LastPass servers. At no point is any of your sensitive data viewable or retrievable by anyone with access to the LastPass servers, not even when it is being sent (all connections to LastPass use SSL for an additional layer of protection). When you open your browser and login to LastPass, all your encrypted logins are downloaded and stored on your computer in a local cache, and as mentioned before, all decryption of your login credentials is done in your web browser.
Of course, there are still some security issues that you should be vary of when using LastPass. Obviously, the master password used to protect your passwords should be secure (i.e. longer than 8 characters, containing letters, numbers, and possibly symbols), but you should also configure LastPass so that it automatically logs you off after a certain amount of time, or when the browser is closed. This is so that if you leave your laptop unattended, an attacker can’t just open up your browser and have access to all of your logins. For additional protection, LastPass also has a secure password generator built-in, which means you can create unique passwords for each of your logins without having to remember them all.
No list containing the “Best Security Add-ons” for Firefox would be complete without one of the first (and most popular) security add-ons out there. NoScript has grown and grown over the past 6 years, adding more and more filters for executable content that runs within webpages. NoScript does exactly what the name suggests; it disallows all scripts that are trying to run on the page (that includes JavaScript, Java, Flash, and Silverlight). Scripts can then be “allowed” by marking them as such in the context menu that appears in the Add-on Bar.
The one downside of NoScript is that it will disable a lot of features for most modern websites, since the use of JavaScript (especially through AJAX) is very popular. As such, “training” NoScript to allow perfectly valid and safe scripts will take a while when you first install it, but if you can bear it, you will be protected from a lot of scripting attacks.
Whilst Certificate Patrol only gives information to the user based on changes in certificates, Perspectives goes one step further, and attempts to determine the likelihood of the certificate being signed by valid Certificate Authority (CA). Each time an invalid certificate is detected in Firefox, Perspectives contacts one of many network notary servers, which also downloads the certificate and sends it back to Perspectives for comparison. If the two certificates are the same, then the likelihood is that it is valid, and not generated as part of a Man-in-the-Middle attack.
Users can configure the add-on so that it checks multiple network notary servers, which will all send back the certificate for comparison, adding more assurance of the certificate’s validity. In addition, the servers store cached certificates and check them periodically to see the frequency at which they change (another factor in determining the likelihood of an attack).
I’ve left Certificate Patrol on this list for the simple reason that it is very good at displaying useful information about certificate updates. Certificate Patrol isn’t an addon for regular web users, but with its automation features, Perspectives is.
Each time you click on a link, your browser will send a “Referer” header field in the HTTP request. This field is set to the URL of the page on which the link was displayed, which means that the site you’ve clicked to will know exactly where you came from. In most cases, this might be quite harmless information (for instance, if you came from a Google Search), and most websites probably do not even record it or use it (although it is used extensively in any website that has some form of web statistics or analytic program). However, if you are paranoid about privacy, RefControl is for you. It will allow you to block the Referer header field from all requests, set the field as something completely arbitrary, or you can set up filters so that these actions can be applied on a per-site basis.
Quite a few attacks on the web can come not from malicious cookies or scripts, but from simple requests made by your browser following HTTP specification. When parsing HTML, a browser might come across an image tag, and so will have to send a HTTP request to the source URL of the image tag in order to display the image to the user. The problem is, the source URL might not lead to an image, but instead could make a request to another website, making it appear as if the user themselves had made the request. This type of attack is known as Cross-site Request Forgery (XSRF), and I’ve used it before in my exploit of the About.com poll system.
RequestPolicy is yet another add-on (along with Cookie Monster) that takes advantage of the familiar and easy to use interface that originated in NoScript, and also provides a powerful method that blocks all requests made to websites external to the one you are currently browsing. The user can then choose to allow certain requests, or keep them blocked. When testing this add-on, some parts of the web were instantly affected for me; for instance, when making a Google search from the Firefox address bar, the redirect from google.com to google.co.uk was blocked by RequestPolicy. This was easily fixed, but users should be wary that as with NoScript, once installing this add-on, you may have to build up a good whitelist before it stops annoying you!
Well, that concludes my list of what I consider the Best Security & Privacy Add-ons for Firefox. I hope it is of use to some people out there, and I of course encourage everyone to try these add-ons and take more proactive steps to securing themselves online. Please discuss these add-ons in the comments section below, and feel free to suggest add-ons that I may have missed; if I think they are important enough, I’ll add them to the post.
Update: Added “Perspectives” thanks to a suggestion by Reddit user badblock.
Update #2: Added “HTTPS Finder” thanks to a suggestion by the Reddit user (and add-on developer) httpsfinder.
Update #3: Added “RequestPolicy” thanks to a suggestion by the Reddit user maxlevchin.
