(Update 20141015: The recently disclosed POODLE attack reveals a severe flaw in SSL version 3. At this time every user should disable SSLv3 in their browsers to avoid having their encrypted data easily stolen. If you have previously followed the “Expert Steps” section of my recommendations in this post, you have already disabled SSL version 3 by setting the advanced preference security.tls.version.min to 1 in the about:config page. See below for details if you have not yet done so.)
(Update 20140730: If you disable RC4 ciphers as noted in the about:config section, Google’s YouTube product may no longer function. As of roughly March or April 2014, Google has forced HTTPS on YouTube while at the same time they have not deployed any alternative ciphers for RC4 on googlevideo.com. Respond to this issue as you choose; I generally do not use YouTube. You may create another profile that permits RC4, or enable it on an as-needed basis, remembering to disable it later. Perhaps an enterprising individual will create a plugin to do just that. Credit to @mincina for bringing this to my attention.)
(Update 20140110: Removed recommendation to enable security.ssl.enable_false_start, as it appears to be unsafe.)
(Update 20140107: Added recommendation to disable security.ssl3.rsa_des_ede3_sha.)
(Update 20131212: I have revised my recommendations. I now recommend Adblock Edge instead of Adblock Plus, and Disconnect instead of Ghostery, with the reasons noted inline below.
At this time Firefox has released version 26 which includes click-to-play functionality for Java and other plugin content. This change will greatly enhance your security. Upgrade now!)
Your web browsers implement poor security by default. They do this, in large part, for interoperability reasons; if your just-downloaded new browser can’t connect to the sites you like to use, you either won’t use the browser or you’ll complain to the developers, and they don’t want to spend the time walking you through how to disable the specific security settings keeping you from using some random website that hasn’t upgraded their SSL implementation since 2002.
With effort and testing, you can significantly improve your security. Don’t hold me responsible if this breaks your favorite site or eats all the food in your fridge, but if you want to step up and accept that security and convenience don’t go together, consider trying some or all of these steps to secure your Firefox browser. I have Windows in front of me at the moment, but if you use a real operating system you can figure out how to perform the appropriate changes there. Consider the fact that using Windows represents a greater security threat than almost anything else you can do.
Do note that even if you follow every suggestion I make on this page, you have not guaranteed security for yourself. These steps cannot protect you from foolish decisions. If, after doing all of this, you then proceed to visit some shady site and download a cracked version of some commercial software product, then execute it, you will get hacked, you will get compromised, you will get malware.
Only you know the adversaries you may have. The malware spewed across the internet presents a risk to us all and these steps can help protect you from it. But beyond that point, if you want to protect yourself from a determined adversary, then please only consider the steps I describe as a start. If you work with confidential corporate documents, or if you work to promote human rights in repressive countries, or if you write news articles disclosing secret government projects, or if you run a hidden site selling drugs for bitcoins, you have a threat model much more complex than the average user.
One could write a book to define the word security. Many have. For the purposes of this post, I define security as protection against your own accidental mistakes, protection against common malware techniques and protection against an attacker with access to your network or the internet path between you and the sites you visit. Further, I consider security to include not leaking unnecessary information about yourself or your browsing habits to third parties that want that information, such as advertisers.
Run A Current Browser
Using an old browser begs for trouble. Just don’t do it. For now I have Firefox 25 installed and everything I write here applies to this version and hopefully future versions. Go to the Tools menu, select Options, then click on Advanced and select the Update tab. Enable the radio button next to “Automatically install updates”.
The steps described here shouldn’t significantly degrade your web browser experience but will improve your security quite a bit. Everything in this section lives in the Tools->Options dialog box. Open it up now.
If checked, uncheck the box next to “Show tab previews in the Windows taskbar”. Windows has a history of buffer overflows in graphics handlers, and a specially crafted tab preview could potentially exploit this. I do not know of this ever happening but no need to take the risk simply for some eye candy.
Check the box next to “Block pop-up windows”. Compromised or otherwise malicious sites love to put up confusing pop-up windows saying “your computer has a virus” and other such nonsense. The next time you go to a site that attempts to raise a pop-up window, Firefox will ask if you wish to allow an exception for that site. If this happens on a site you need, allow the exception. If a bad site can’t pop up a window to attempt to fool you, you won’t click on their shady links.
Click the “Choose…” button next to “Choose your preferred language for displaying pages”. Make sure the contents of the language dialog box reflect only those languages you wish to read.
Click through every row of this screen and use the drop-down menu on the right-hand side to select “Always ask”, so that Firefox will prompt to ask how (and more importantly, if) you wish to access embedded content like videos, music, PDF documents, etc. This may get inconvenient over time if you access a lot of media, so later on, when prompted to select an application to view media, you may choose to select the “Do this automatically for files like this from now on” checkbox in the prompt but know that this reduces your overall security slightly.
Enable the radio button next to “Tell sites that I do not want to be tracked”. This will cause your browser to send the Do-Not-Track header. Few webservers will respect this setting, but some will, so you get some small value here.
In the History section, select “Use custom settings for history” from the “Firefox will:” dropdown menu. For the sake of convenience, go ahead and leave the checkboxes enabled for “Remember my browsing and download history” and “Remember search and form history”. I recommend disabling them, but the convenience of having recently visited sites available outweighs the risk of having to search for a site repeatedly and possibly clicking on a malicious search engine result.
Go ahead and leave the checkbox enabled for “Accept cookies from sites”, or very few websites will work. Set the “Accept third-party cookies” dropdown menu to “From visited”, NOT to “Always”. Many sites will not work if you set it to “Never”, nearly every site will still work fine with it set to “From visited”. “Always”, in this case, begs to be tracked by marketers.
In the “Keep until:” dropdown menu, select “they expire”. Some people would recommend deleting cookies every time the browser closes, but you will lose the convenience of having sites recognize you when you want them to. If you can tolerate that loss of convenience go ahead and select “I close Firefox”.
Check out the “Exceptions…” button near the “Accept cookies from sites” checkbox. Here you can add exceptions to specify sites always allowed to set cookies, or never allowed to set cookies. I love this feature. I coded this feature into the text-based Lynx web browser back in 1999 and it pleases me that the GUI browsers picked it up.
Check the checkboxes next to “Warn me when sites try to install add-ons”, “Block reported attack sites” and “Block reported web forgeries”.
Uncheck the “Remember passwords for sites” checkbox. If you permit the browser to store your passwords, anyone with access to your browser can retrieve your passwords. I suggest only enabling this if you have taken the further step of encrypting your hard drive. If you do enable it, make sure you also enable the “Use a master password” option and select a strong password.
Do not use Firefox Sync. This will simply spread your information out over more devices, increasing your risk.
On the “General” tab, check the box next to “Warn me when websites try to redirect or reload the page”.
On the “Data Choices” tab, uncheck everything. All of these options share information with Mozilla and you do not want that to happen.
On the “Network” tab, check the box next to “Tell me when a website asks to store data for offline use”. Most likely you do not actually want any sites to do this.
On the “Certificates” tab, click the “Validation” button and enable the checkboxes to use the Online Certificate Status Protocol to confirm certificate validity and to treat certificates as invalid when an OCSP server connection fails. While not foolproof, this can help protect against invalid or compromised server certificates.
If you have followed everything so far, you have improved your browser security. Not enough, in my opinion, but perhaps enough if you plan to hand this browser off to your tech-challenged grandparents to use to look up recipes and email pictures of their grandkids. If you have a decent comfort level with basic internet and browser concepts, continue on.
Numerous add-ons available for Firefox can further enhance your security. Here I will list the ones I consider most critical, along with some comments on configuration/usage for each of them.
Install Disconnect. This add-on identifies and blocks various web trackers embedded throughout the sites you visit. Mostly analytics and marketing, rather than anything truly security related, but you don’t want any part of those either. The developers have released the source code and development supported by donations. It takes note of sites that host trackers but also host page elements that may cause a page to function incorrectly if blocked.
I previously recommended Ghostery for this purpose. However, after witnessing a recent Twitter conversation involving one of Ghostery’s developers, I felt he represented the product poorly and lost faith in it. Further, the company behind Ghostery includes many former ad-agency employees, providing another strike against it on top of their opt-in data collection.
Adblock Plus Adblock Edge
Adblock Plus Adblock Edge. Ads on webpages may not represent an obvious security issue, but I still consider blocking them appropriate for a secured browser. When your browser loads an ad from a page the advertiser will know that somebody from your IP address viewed a page containing that ad, and depending on how the ad gets served up they may also learn the page you intended to view at the same time. Further, traffic analysis of specially placed ads may reveal information about the sites you visit as ads typically do not use https connections, and if somebody with access to your network sees that you repeatedly load some specific ad that only appears on a particular site, they would then have strong evidence that you visit that site repeatedly.
Within the Adblock
Plus Edge options, subscribe to EasyList EasyPrivacy+EasyList, Fanboy’s Social Blocking List and Malware Domains. , and uncheck the “Allow some non-intrusive advertising” checkbox. If you live outside the USA, subscribe to some of the additional filter lists dedicated to your region.
I have changed my recommendation as of December 12, 2013. Adblock Edge performs better and does not receive money from Internet advertisers to permit “some non-intrusive advertising”.
Install BetterPrivacy. This add-on removes persistent Flash cookies, for which browsers generally provide no control mechanism. Within the options screen, select the radio button for “Delete Flash cookies on Firefox exit”. Select the checkboxes for “Auto protect LSO sub-folders” and “Notify if new LSO is stored”. Check the box for “Disable Ping Tracking”.
Install Certificate Patrol. This add-on stores all SSL certificates you encounter when accessing https sites, and notifies you when a site you connect to has changed certificates since your last visit. A changed certificate may indicate an attempted man-in-the-middle attack that would compromise your encrypted session. I receive a lot of false positives with this add-on, which defeats its utility somewhat, but I review every single change. If you want to skip one of these add-ons, make it this one. I haven’t convinced myself that I take enough care to actually identify a man-in-the-middle attack, and I can’t exactly call someone at Google every time their cert changes to confirm they meant to do so.
Ghostery Install Ghostery. This add-on identifies and blocks various web trackers embedded throughout the sites you visit. Mostly analytics and marketing, rather than anything truly security related, but you don’t want any part of those either. Unfortunately some sites will not function properly with Ghostery installed, but it provides options to whitelist those sites or temporarily pause blocking so that you can easily determine if Ghostery has caused the page to fail. I end up having to whitelist bank sites, WordPress, a few others, but for just clicking through search results, I love it. It also has the ability to block advertising cookies.
I have changed my recommendation to use Ghostery as of December 12, 2013. Please see the “Disconnect” section above for details on why I no longer recommend Ghostery.
Long URL Please Mod
Install Long URL Please Mod. Shortened URLs suck. You don’t know where they will lead, and if you take security seriously you probably won’t click on them. This add-on expands short URLs for you so that you know where they lead and can make an educated decision as to whether or not you want to follow that link.
As a bonus, it also provides protection against cross-site-scripting and clickjacking (where a malicious site overlays an invisible object over a page element, intercepting a click on that element as a click directed at the malicious site, allowing it to load a page/code/etc).
NoScript has numerous configuration options. I recommend the following:
On the “Embeddings” tab, you can specify restrictions for untrusted sites that do not apply to whitelisted sites. This gives you a chance to use paranoid settings, as you can always whitelist a site later. I don’t want to make them so restrictive that I end up whitelisting every other site, so I don’t block frames, but I do block: Java, Flash, Silverlight, other plugins, audio/video tags, and font-face, and I also block every object coming from sites marked as untrusted. I also enable “Show placeholder icon”, “No placeholder for objects coming from sites marked as untrusted”, “Ask for confirmation before temporarily unblocking an object” and “Collapse blocked objects”. I also check the box for ClearClick (clickjacking) protection on untrusted pages. Some whitelisted pages don’t work if I enable ClearClick protection for trusted pages, so I leave that one off.
NoScript can do even more than this, and you should look into the other options. The configuration set I have described works well for my browsing habits.
Doing everything, or even some of the things, that I’ve listed to this point will greatly improve your browser security. But you can do more. At this point I will get into the weeds a bit and make some significant changes to browser operation. These changes may (and probably will) cause problems accessing poorly configured sites, but if you use sites configured so poorly, maybe you shouldn’t. I recommend, if you follow these suggestions, that you implement them one at a time, and test all the sites you consider most important. If you change a dozen things and suddenly some page stops working, you won’t know what to undo to restore it to functionality. As an example, while writing up this post I noticed that addons.mozilla.org started to throw intermittent SSL errors when I tried to connect to it. Hitting reload would usually load the page just fine. It turned out that disabling RC4 cipher suites for SSL negotiation caused that problem: apparently not all of the servers behind their load balancer have the same configuration, and some of them just don’t work if the client browser does not accept RC4.
Everything else happens in the about:config screen. If you haven’t used it before, type “about:config” into your address bar and hit enter. Click through the warning that says it might break stuff, but recognize they put it there for a reason.
The RC4 symmetric cipher contains significant failings. You should not use it. In fact, if you admin any webservers, leave this blog now and go figure out how to disable RC4 on them. Then come back and finish securing your browser. If you need convincing, read this: “Attack of the week: RC4 is kind of broken in TLS“.
In the about:config page, type “rc4” into the search bar and press enter. You will see several cipher suites listed (with names like “security.ssl3.rsa_rc4_128_sha”). Double-click on each of them so that the value field on the right reads “false”. Your browser will no longer advertise willingness to accept RC4 as a component in an SSL connection.
Type “tls” into the about:config search bar and press enter. Find the “security.tls.version.min” key, which defaults to 0, and change it to 1. Set the “security.tls.version.max” key, which defaults to 1, to 3. [EDIT 20131112: I previously recommended 2 here, for TLS 1.1, thinking it would cause fewer connection failures than 3 for TLS 1.2. This won’t be a problem once Firefox has fallback code from TLS 1.2. But if you are following these steps you should know how to debug and fix any connection problems you have.] For more information on these settings and what they do, see this link.
Disable additional insecure cipher suites
(Added 20140107) Type “rsa_des_ede3” into the about:config search bar and press enter. Find the “security.ssl3.rsa_des_ede3_sha” key and double-click it to set the value to false. This will remove SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA from the cipher suites for which your client will advertise support. Thanks to Jeff Hodges for creating howsmyssl.com through which I noticed this item.
Type “security” into the about:config search bar and press enter.
Find the “security.ssl.enable_false_start” key and double-click it to set the value to true. Do the same for “security.ssl.false_start.require-forward-secrecy”, “security.ssl.require_safe_negotiation”, and “security.ssl.treat_unsafe_negotiation_as_broken”. Read this link for more information about these settings.
If most of your web browsing still works after configuring all this stuff, congratulations. You probably browse safely enough that you don’t have much to worry about. If you run into sites that don’t work with these settings, consider whether or not you really need to visit them. Good luck!