Improving security in your web browsers: Firefox

(Update 20141015: The recently disclosed POODLE attack reveals a severe flaw in SSL version 3. At this time every user should disable SSLv3 in their browsers to avoid having their encrypted data easily stolen. If you have previously followed the “Expert Steps” section of my recommendations in this post, you have already disabled SSL version 3 by setting the advanced preference security.tls.version.min to 1 in the about:config page. See below for details if you have not yet done so.)

(Update 20140730: If you disable RC4 ciphers as noted in the about:config section, Google’s YouTube product may no longer function.  As of roughly March or April 2014, Google has forced HTTPS on YouTube while at the same time they have not deployed any alternative ciphers for RC4 on googlevideo.com.  Respond to this issue as you choose; I generally do not use YouTube.  You may create another profile that permits RC4, or enable it on an as-needed basis, remembering to disable it later.  Perhaps an enterprising individual will create a plugin to do just that. Credit to @mincina for bringing this to my attention.)

(Update 20140110: Removed recommendation to enable security.ssl.enable_false_start, as it appears to be unsafe.)

(Update 20140107: Added recommendation to disable security.ssl3.rsa_des_ede3_sha.)

(Update 20131212:  I have revised my recommendations.  I now recommend Adblock Edge instead of Adblock Plus, and Disconnect instead of Ghostery, with the reasons noted inline below.

At this time Firefox has released version 26 which includes click-to-play functionality for Java and other plugin content.  This change will greatly enhance your security.  Upgrade now!)

Your web browsers implement poor security by default.  They do this, in large part, for interoperability reasons; if your just-downloaded new browser can’t connect to the sites you like to use, you either won’t use the browser or you’ll complain to the developers, and they don’t want to spend the time walking you through how to disable the specific security settings keeping you from using some random website that hasn’t upgraded their SSL implementation since 2002.

With effort and testing, you can significantly improve your security.  Don’t hold me responsible if this breaks your favorite site or eats all the food in your fridge, but if you want to step up and accept that security and convenience don’t go together, consider trying some or all of these steps to secure your Firefox browser.  I have Windows in front of me at the moment, but if you use a real operating system you can figure out how to perform the appropriate changes there.  Consider the fact that using Windows represents a greater security threat than almost anything else you can do.

Do note that even if you follow every suggestion I make on this page, you have not guaranteed security for yourself.  These steps cannot protect you from foolish decisions.  If, after doing all of this, you then proceed to visit some shady site and download a cracked version of some commercial software product, then execute it, you will get hacked, you will get compromised, you will get malware.

Why Security?

Only you know the adversaries you may have.  The malware spewed across the internet presents a risk to us all and these steps can help protect you from it.  But beyond that point, if you want to protect yourself from a determined adversary, then please only consider the steps I describe as a start.  If you work with confidential corporate documents, or if you work to promote human rights in repressive countries, or if you write news articles disclosing secret government projects, or if you run a hidden site selling drugs for bitcoins, you have a threat model much more complex than the average user.

Security Defined

One could write a book to define the word security.  Many have.  For the purposes of this post, I define security as protection against your own accidental mistakes, protection against common malware techniques and protection against an attacker with access to your network or the internet path between you and the sites you visit.  Further, I consider security to include not leaking unnecessary information about yourself or your browsing habits to third parties that want that information, such as advertisers.

Run A Current Browser

Using an old browser begs for trouble.  Just don’t do it.  For now I have Firefox 25 installed and everything I write here applies to this version and hopefully future versions.  Go to the Tools menu, select Options, then click on Advanced and select the Update tab.  Enable the radio button next to “Automatically install updates”.

Simple Steps

The steps described here shouldn’t significantly degrade your web browser experience but will improve your security quite a bit.  Everything in this section lives in the Tools->Options dialog box.  Open it up now.

Options: Tabs

If checked, uncheck the box next to “Show tab previews in the Windows taskbar”.  Windows has a history of buffer overflows in graphics handlers, and a specially crafted tab preview could potentially exploit this.  I do not know of this ever happening but no need to take the risk simply for some eye candy.

Options: Content

Check the box next to “Block pop-up windows”.  Compromised or otherwise malicious sites love to put up confusing pop-up windows saying “your computer has a virus” and other such nonsense.  The next time you go to a site that attempts to raise a pop-up window, Firefox will ask if you wish to allow an exception for that site.  If this happens on a site you need, allow the exception.  If a bad site can’t pop up a window to attempt to fool you, you won’t click on their shady links.

Click the “Choose…” button next to “Choose your preferred language for displaying pages”.  Make sure the contents of the language dialog box reflect only those languages you wish to read.

Options: Applications

Click through every row of this screen and use the drop-down menu on the right-hand side to select “Always ask”, so that Firefox will prompt to ask how (and more importantly, if) you wish to access embedded content like videos, music, PDF documents, etc.  This may get inconvenient over time if you access a lot of media, so later on, when prompted to select an application to view media, you may choose to select the “Do this automatically for files like this from now on” checkbox in the prompt but know that this reduces your overall security slightly.

Options: Privacy

Enable the radio button next to “Tell sites that I do not want to be tracked”.  This will cause your browser to send the Do-Not-Track header. Few webservers will respect this setting, but some will, so you get some small value here.

In the History section, select “Use custom settings for history” from the “Firefox will:” dropdown menu.  For the sake of convenience, go ahead and leave the checkboxes enabled for “Remember my browsing and download history” and “Remember search and form history”.  I recommend disabling them, but the convenience of having recently visited sites available outweighs the risk of having to search for a site repeatedly and possibly clicking on a malicious search engine result.

Go ahead and leave the checkbox enabled for “Accept cookies from sites”, or very few websites will work.  Set the “Accept third-party cookies” dropdown menu to “From visited”, NOT to “Always”.  Many sites will not work if you set it to “Never”, nearly every site will still work fine with it set to “From visited”.  “Always”, in this case, begs to be tracked by marketers.

In the “Keep until:” dropdown menu, select “they expire”.  Some people would recommend deleting cookies every time the browser closes, but you will lose the convenience of having sites recognize you when you want them to.  If you can tolerate that loss of convenience go ahead and select “I close Firefox”.

Check out the “Exceptions…” button near the “Accept cookies from sites” checkbox.  Here you can add exceptions to specify sites always allowed to set cookies, or never allowed to set cookies.  I love this feature.  I coded this feature into the text-based Lynx web browser back in 1999 and it pleases me that the GUI browsers picked it up.

Options: Security

Check the checkboxes next to “Warn me when sites try to install add-ons”, “Block reported attack sites” and “Block reported web forgeries”.

Uncheck the “Remember passwords for sites” checkbox.  If you permit the browser to store your passwords, anyone with access to your browser can retrieve your passwords.  I suggest only enabling this if you have taken the further step of encrypting your hard drive.  If you do enable it, make sure you also enable the “Use a master password” option and select a strong password.

Options: Sync

Do not use Firefox Sync.  This will simply spread your information out over more devices, increasing your risk.

Options: Advanced

On the “General” tab, check the box next to “Warn me when websites try to redirect or reload the page”.

On the “Data Choices” tab, uncheck everything.  All of these options share information with Mozilla and you do not want that to happen.

On the “Network” tab, check the box next to “Tell me when a website asks to store data for offline use”.  Most likely you do not actually want any sites to do this.

On the “Certificates” tab, click the “Validation” button and enable the checkboxes to use the Online Certificate Status Protocol to confirm certificate validity and to treat certificates as invalid when an OCSP server connection fails.  While not foolproof, this can help protect against invalid or compromised server certificates.

Intermediate Steps

If you have followed everything so far, you have improved your browser security.  Not enough, in my opinion, but perhaps enough if you plan to hand this browser off to your tech-challenged grandparents to use to look up recipes and email pictures of their grandkids.  If you have a decent comfort level with basic internet and browser concepts, continue on.

Install Add-Ons

Numerous add-ons available for Firefox can further enhance your security.  Here I will list the ones I consider most critical, along with some comments on configuration/usage for each of them.

Disconnect

Install Disconnect. This add-on identifies and blocks various web trackers embedded throughout the sites you visit.  Mostly analytics and marketing, rather than anything truly security related, but you don’t want any part of those either.  The developers have released the source code, and development is supported by donations.  It takes note of sites that host trackers but also host page elements that may cause a page to function incorrectly if blocked.

I previously recommended Ghostery for this purpose.  However, after witnessing a recent Twitter conversation involving one of Ghostery’s developers, I felt he represented the product poorly and lost faith in it.  Further, the company behind Ghostery includes many former ad-agency employees, providing another strike against it on top of their opt-in data collection.

Adblock Edge

Install Adblock Edge. Ads on webpages may not represent an obvious security issue, but I still consider blocking them appropriate for a secured browser.  When your browser loads an ad from a page the advertiser will know that somebody from your IP address viewed a page containing that ad, and depending on how the ad gets served up they may also learn the page you intended to view at the same time.  Further, traffic analysis of specially placed ads may reveal information about the sites you visit as ads typically do not use https connections, and if somebody with access to your network sees that you repeatedly load some specific ad that only appears on a particular site, they would then have strong evidence that you visit that site repeatedly.

Within the Adblock Edge options, subscribe to EasyPrivacy+EasyList, Fanboy’s Social Blocking List and Malware Domains, and uncheck the “Allow some non-intrusive advertising” checkbox.  If you live outside the USA, subscribe to some of the additional filter lists dedicated to your region.

I have changed my recommendation as of December 12, 2013. Adblock Edge performs better and does not receive money from Internet advertisers to permit “some non-intrusive advertising”.

BetterPrivacy

Install BetterPrivacy. This add-on removes persistent Flash cookies, for which browsers generally provide no control mechanism.  Within the options screen, select the radio button for “Delete Flash cookies on Firefox exit”.  Select the checkboxes for “Auto protect LSO sub-folders” and “Notify if new LSO is stored”.  Check the box for “Disable Ping Tracking”.

Certificate Patrol

Install Certificate Patrol. This add-on stores all SSL certificates you encounter when accessing https sites, and notifies you when a site you connect to has changed certificates since your last visit.  A changed certificate may indicate an attempted man-in-the-middle attack that would compromise your encrypted session.  I receive a lot of false positives with this add-on, which defeats its utility somewhat, but I review every single change.  If you want to skip one of these add-ons, make it this one.  I haven’t convinced myself that I take enough care to actually identify a man-in-the-middle attack, and I can’t exactly call someone at Google every time their cert changes to confirm they meant to do so.

Ghostery

Install Ghostery. This add-on identifies and blocks various web trackers embedded throughout the sites you visit.  Mostly analytics and marketing, rather than anything truly security related, but you don’t want any part of those either.  Unfortunately some sites will not function properly with Ghostery installed, but it provides options to whitelist those sites or temporarily pause blocking so that you can easily determine if Ghostery has caused the page to fail.  I end up having to whitelist bank sites, WordPress, a few others, but for just clicking through search results, I love it.  It also has the ability to block advertising cookies.

I have changed my recommendation to use Ghostery as of December 12, 2013.  Please see the “Disconnect” section above for details on why I no longer recommend Ghostery.

Long URL Please Mod

Install Long URL Please Mod.  Shortened URLs suck.  You don’t know where they will lead, and if you take security seriously you probably won’t click on them.  This add-on expands short URLs for you so that you know where they lead and can make an educated decision as to whether or not you want to follow that link.

NoScript

Install NoScript. Perhaps the most important add-on to use. This add-on provides the ability to permit or reject active scripting to run on a per-domain or per-host basis.  It will, initially, block all JavaScript on every site, which will break large portions of the web for you.  In this case, as you find sites that don’t work, you use the button it adds to the browser bar to enable scripting (temporarily or permanently) for that particular site, reload the page, and everything should then function as intended.  Sites get classified into trusted (whitelisted), untrusted, and those that you haven’t yet evaluated.

As a bonus, it also provides protection against cross-site-scripting and clickjacking (where a malicious site overlays an invisible object over a page element, intercepting a click on that element as a click directed at the malicious site, allowing it to load a page/code/etc).

NoScript has numerous configuration options.  I recommend the following:

Do NOT check the “Scripts Globally Allowed” box, as this essentially disables the add-on and leaves you back in the usual situation of freely running all JavaScript submitted to your browser.

On the “Embeddings” tab, you can specify restrictions for untrusted sites that do not apply to whitelisted sites.  This gives you a chance to use paranoid settings, as you can always whitelist a site later.  I don’t want to make them so restrictive that I end up whitelisting every other site, so I don’t block frames, but I do block: Java, Flash, Silverlight, other plugins, audio/video tags, and font-face, and I also block every object coming from sites marked as untrusted.  I also enable “Show placeholder icon”, “No placeholder for objects coming from sites marked as untrusted”, “Ask for confirmation before temporarily unblocking an object” and “Collapse blocked objects”.  I also check the box for ClearClick (clickjacking) protection on untrusted pages.  Some whitelisted pages don’t work if I enable ClearClick protection for trusted pages, so I leave that one off.

In the “Advanced” tab, on the “Untrusted” sub-tab, check “Forbid <a ping…>”, “Forbid META redirections inside <NOSCRIPT> elements”, “Forbid XSLT” and “Attempt to fix JavaScript links”.  On the “XSS” tab, I check “Sanitize cross-site suspicious requests” and “Turn cross-site POST requests into data-less GET requests”.

NoScript can do even more than this, and you should look into the other options.  The configuration set I have described works well for my browsing habits.

Expert Steps

Doing everything, or even some of the things, that I’ve listed to this point will greatly improve your browser security.  But you can do more.  At this point I will get into the weeds a bit and make some significant changes to browser operation.  These changes may (and probably will) cause problems accessing poorly configured sites, but if you use sites configured so poorly, maybe you shouldn’t.  I recommend, if you follow these suggestions, that you implement them one at a time, and test all the sites you consider most important.  If you change a dozen things and suddenly some page stops working, you won’t know what to undo to restore it to functionality.  As an example, while writing up this post I noticed that addons.mozilla.org started to throw intermittent SSL errors when I tried to connect to it.  Hitting reload would usually load the page just fine.  It turned out that disabling RC4 cipher suites for SSL negotiation caused that problem: apparently not all of the servers behind their load balancer have the same configuration, and some of them just don’t work if the client browser does not accept RC4.

about:config

Everything else happens in the about:config screen.  If you haven’t used it before, type “about:config” into your address bar and hit enter.  Click through the warning that says it might break stuff, but recognize they put it there for a reason.

Disable RC4

The RC4 symmetric cipher contains significant failings.  You should not use it.  In fact, if you admin any webservers, leave this blog now and go figure out how to disable RC4 on them.  Then come back and finish securing your browser.  If you need convincing, read this: “Attack of the week: RC4 is kind of broken in TLS”.

In the about:config page, type “rc4” into the search bar and press enter.  You will see several cipher suites listed (with names like “security.ssl3.rsa_rc4_128_sha”).  Double-click on each of them so that the value field on the right reads “false”.  Your browser will no longer advertise willingness to accept RC4 as a component in an SSL connection.

Require TLS

Type “tls” into the about:config search bar and press enter.  Find the “security.tls.version.min” key, which defaults to 0, and change it to 1.  Set the “security.tls.version.max” key, which defaults to 1, to 3. [EDIT 20131112: I previously recommended 2 here, for TLS 1.1, thinking it would cause fewer connection failures than 3 for TLS 1.2. This won’t be a problem once Firefox has fallback code from TLS 1.2. But if you are following these steps you should know how to debug and fix any connection problems you have.] For more information on these settings and what they do, see this link.

Disable additional insecure cipher suites

(Added 20140107) Type “rsa_des_ede3” into the about:config search bar and press enter.  Find the “security.ssl3.rsa_des_ede3_sha” key and double-click it to set the value to false.  This will remove SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA from the cipher suites for which your client will advertise support.  Thanks to Jeff Hodges for creating howsmyssl.com through which I noticed this item.

Other Settings

(This section edited on 20140110, after the comment below from Ismail Dönmez.  Please see that comment for a link to the Firefox bug database entry concerning security.ssl.enable_false_start.)

Type “security” into the about:config search bar and press enter.  Find the “security.ssl.require_safe_negotiation” key and double-click it to set the value to true, and do the same for “security.ssl.treat_unsafe_negotiation_as_broken”.  I previously also recommended setting “security.ssl.enable_false_start” and “security.ssl.false_start.require-forward-secrecy” (which only has an effect when false start is enabled) to true here; per the 20140110 update at the top of this post, I have withdrawn that recommendation because false start appears to be unsafe.  Read this link for more information about these settings.
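As an added example (not from the original post), here is a small Python script that audits a Firefox profile’s prefs.js or user.js against the about:config steps above: the TLS version floor and ceiling, the RC4 and 3DES cipher-suite prefs, and the two safe-negotiation prefs.  It assumes the standard user_pref("name", value); line format of those files and the Firefox 25 defaults stated in the post (min 0, max 1) when a pref is absent; the RC4 pref names beyond security.ssl3.rsa_rc4_128_sha are my own list and should be checked against your own about:config search for “rc4”.

```python
import re
import sys
from typing import Dict, List, Union

PrefValue = Union[bool, int, str]

# One prefs.js / user.js line looks like:  user_pref("security.tls.version.min", 1);
PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;'
)

# Cipher-suite prefs that an about:config search for "rc4" shows in Firefox 25.
# Only rsa_rc4_128_sha is named in the post; the others are this example's own
# list (assumption) and should be checked against your own about:config search.
RC4_PREFS = [
    "security.ssl3.rsa_rc4_128_md5",
    "security.ssl3.rsa_rc4_128_sha",
    "security.ssl3.ecdhe_rsa_rc4_128_sha",
    "security.ssl3.ecdhe_ecdsa_rc4_128_sha",
    "security.ssl3.ecdh_rsa_rc4_128_sha",
    "security.ssl3.ecdh_ecdsa_rc4_128_sha",
]

# Booleans the post says to set. prefs.js only records values that differ from the
# default, so a missing entry means the default still applies. The false-start
# prefs are deliberately not checked, per the post's 20140110 update.
EXPECTED_BOOLS: Dict[str, bool] = {
    "security.ssl3.rsa_des_ede3_sha": False,  # drops SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
    "security.ssl.require_safe_negotiation": True,
    "security.ssl.treat_unsafe_negotiation_as_broken": True,
}
EXPECTED_BOOLS.update({name: False for name in RC4_PREFS})


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse user_pref() lines into a dict; a later line for the same pref wins,
    as in Firefox itself. Comments and anything else are ignored."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def audit(prefs: Dict[str, PrefValue]) -> List[str]:
    """Return one finding per recommendation the profile does not meet."""
    findings: List[str] = []
    # Require TLS: the post says min defaults to 0 (SSLv3 accepted; see the POODLE
    # update) and must become at least 1; max defaults to 1 and should be 3 (TLS 1.2).
    vmin = prefs.get("security.tls.version.min", 0)
    vmax = prefs.get("security.tls.version.max", 1)
    if not (type(vmin) is int and vmin >= 1):
        findings.append(f"security.tls.version.min is {vmin!r}; SSLv3 still accepted, set it to 1")
    if vmax != 3:
        findings.append(f"security.tls.version.max is {vmax!r}; set it to 3 to allow TLS 1.2")
    for name, want in EXPECTED_BOOLS.items():
        have = prefs.get(name)
        if have is None:
            findings.append(f"{name} not set (default in effect); set it to {str(want).lower()}")
        elif have != want:
            findings.append(f"{name} is {str(have).lower()}; set it to {str(want).lower()}")
    return findings


# Constructed sample (not a real profile): RC4 only partly disabled, TLS floor untouched.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.ssl3.rsa_rc4_128_sha", false);
user_pref("security.ssl3.rsa_rc4_128_md5", true);
user_pref("security.ssl3.rsa_des_ede3_sha", false);
user_pref("security.tls.version.max", 3);
user_pref("security.ssl.require_safe_negotiation", true);
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
"""

if __name__ == "__main__":
    # python audit_prefs.py [path/to/prefs.js]; with no path, the sample above is audited.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PREFS_JS
    for finding in audit(parse_prefs(text)) or ["all recommended about:config settings are in place"]:
        print(finding)
```

Run it against a copy of prefs.js from your profile directory after Firefox has exited, since Firefox rewrites that file on shutdown.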

Conclusion

If most of your web browsing still works after configuring all this stuff, congratulations.  You probably browse safely enough that you don’t have much to worry about.  If you run into sites that don’t work with these settings, consider whether or not you really need to visit them.  Good luck!


8 thoughts on “Improving security in your web browsers: Firefox”

  1. Mr. S

    I’m writing to inform you of recent developments that began in September, 2013 in relation to encryption cipher implementation and standards.
    It appears there may have been a minor oversight in the article regarding the implementation of security policies in Firefox. I found it unusual to suggest setting the security.tls.version.max value to 2 because this limits the browser’s ability to secure encrypted sessions. Setting security.tls.version.max to 2 will force Firefox to use encryption ciphers up to TLS 1.1. If you set it to 3, this would permit TLS 1.2 which provides for Galois/Counter Mode operations (see NIST Special Publication 800-38D).

    I’d recommend reading RFC 5246 for a comprehensive overview of the changes. There’s a comparison drawn between TLS v1.1 and TLS v1.2 here: http://tools.ietf.org/html/rfc5246#section-1.2

    On another note, if you’re using a different browser such as Google Chrome then you might have noticed encrypted sessions are authenticated with CHACHA20_POLY1305 with elliptic curve. This is a more recent example of emerging standards. If you are keen to follow up on this feel free to contact me at a suitable time.

    Regards,
    Mr. S

    1. Brian Pardy Post author

      Thank you very much for your comment. I appreciate the chance to learn from others here.

      Per the link I included near the security.tls.version.max setting, Firefox doesn’t currently implement a fallback from TLS 1.1/1.2, so I expected fewer connection failures to old servers to come from setting it to TLS 1.1 (2) than from setting it to TLS 1.2. I left my suggestion at 2 for compatibility reasons.

      With that said, I think someone following the about:config changes I suggested should be capable of debugging the issue if they can’t connect to a critical site with the connection forced to TLS 1.2. I will update the post.

  2. eb1c4d

    Your suggestion to install Cert Patrol is a good one. The whole CA trust model is so flawed I don’t think it can even be salvaged especially when you have the likes of Equifax allegedly signing “fake” certs for the US govt and GeoTrust offering a GeoRoot product for larger organizations which effectively means that said organization could conceivably generate whatever certs they want and it will be trusted by the cert chain in most browsers. Zimmerman was right – a web of trust model is the only thing that can work on such a scale. The CAs have proven themselves to be untrustworthy (Diginotar anyone?).

    On the subject of Cert Patrol which pretty much employs an ssh like approach – cache the cert it sees last time and then complain if it ever changes. Which isn’t a bad idea. Moxie’s Convergence and the very similar Perspectives have a more interesting approach where other machines geographically dispersed throughout the internet (called notaries in Perspectives parlance) provide the key fingerprint that they see when connecting to the site thus foiling even very targeted MiTM attacks in a way that Cert Patrol can’t (as CertPatrol only knows *your* history, not others). The only downside (and it is significant) is that you are effectively allowing the Perspectives/Convergence server permission to eavesdrop on your web browsing habits as each SSLized site you visit is checked online against their database. To be fair though this isn’t all that different from modern browsers using OCSP based revocation queries rather than the legacy CRLs.

    Your comment on disabling RC4 is very good advice. I have it on very good authority from a respected cryptographer who I have known for many years (can’t name drop as he is currently on public payroll) that RC4 is broken and there exists a classified cryptanalytic attack against it that is significantly faster than a naive attack against the entire keyspace. I also asked the guy about Microsoft’s stance on SHA1 expecting he would have some insider gossip but he vehemently disagreed with Microsoft’s call to dump the hash so quickly and reiterated that it is used even to this day for evidentiary purposes (e.g. expert witness format for eDiscovery in legal matters) and collisions have yet to be found. Two very different opinions on the two most recent recommendations from Microsoft’s security lab.

    Thanks for dropping by my blog the other day. I really appreciate discussing security with guys like yourself who take your work seriously. Keep up the good work.

    1. Brian Pardy Post author

      Thanks for reading and for the comment! I’ve respected your contributions the whole time I’ve seen you over on Schneier’s blog, so it means a lot.

      About Cert Patrol, I wrestled with the issue you bring up. As I find myself using it, the way that certain sites exchange certificates so frequently has already nearly trained me to ignore the message it brings up when a cert changes. Not good. I avoided recommending Perspectives (Convergence is new to me) for the exact reason you noted: it essentially leaks your information to another group that you must then rely on not to use your information maliciously. While the OCSP checks do this, those at least remain a default-on option in browsers off the shelf, so the traffic flow to OCSP must outweigh that to the Perspectives/Convergence servers by several orders of magnitude. If you use Perspectives/Convergence, you’ve tagged yourself as a security-conscious individual, perhaps making you a more interesting target. Until regular users start to take advantage of such things, the assumption that those who do make use of them may have something to hide remains a better than 50/50 proposition for an agency with an interest in defeating such personal protection. Of course, since I recommend MyWOT, someone following these ideas already leaks information on visited sites to third parties (mywot servers), but I feel like the fact that MyWOT queries their servers about sites that come up in your search results (which you haven’t yet visited and most likely won’t) may pollute the data enough to limit the utility of such tracking.

      Hard to say at the moment which method wins. I like the reputation/rating-behavior analysis that MyWOT uses to evaluate user ratings when scoring a site, so if it turns out Perspectives/Convergence don’t have similar mechanisms in place to keep shills from submitting fraudulent certs as good, I would not put as much stock in their reports. I just don’t know if they do or not, but I will look into it.

      I think disabling RC4 might win as the most important recommendation I made. Even ignoring classified attacks that might permit realtime decryption, the known vulnerabilities are within the capabilities of non-nation-state actors, and I could see groups (for example) farming out the necessary computation to existing botnets.

      Thanks for the info on SHA-1. I suspect it remains good enough for many purposes for now. Without a salt I consider it inappropriate for anything like password hashing, but as one of many witness components in a “did somebody modify this file from what the distributor intended?” check that includes apparently strong hash functions like RIPEMD-160 and even something weak like MD5, I have no problem using it. Of course, I run grsecurity+PaX and a hardened toolchain so maybe that makes me lazy about the need to validate checksums. As a total amateur I hope people take my comments and use them as a springboard to learn on their own, rather than just blindly following any recommendations, I’d hate for some human rights worker to get exposed due to thinking they’ve done “enough” after doing nothing but locking their browser down a bit.

      I hope I can keep posting interesting stuff. I mostly work with databases (as my posts here show) but I intend to post more on security over time. I plan to hopefully follow this post up with a similar one for Chrome, though at the moment I don’t have anything useful other than commandline flags to influence client-side cipher selection for SSL along with a list of plugins. I also have another post in the pipeline (though it may appear on someone else’s blog) walking through solving a simple substitution cipher (only a few tens of thousands of those on the internet, so why not another one).

  3. Pingback: Improving the HTTPS of Firefox using HowsMySSL.com and about:config | The Grymoire

  4. Pingback: How to unofficially disable SSL v3 in Oracle Enterprise Manager 12c to mitigate POODLE attack | Pardy DBA
