Hardening Firefox

In this post, we will explore some techniques, methods, and tools to increase the security stance of the Firefox web browser.

Don’t have Firefox? You can download it from here.

Latest version.

Let’s begin by verifying that the version of Firefox installed is the latest.

The fine folks at Mozilla, the makers of Firefox, explain how to achieve this here and here. On the menu bar, click the Firefox menu and select “About Firefox”. A window will appear with the version number listed underneath the Firefox name. Firefox has used an automatic update mechanism since version 16. If you have an earlier version, you should definitely update it.

“Note: Opening the About Firefox window will, by default, start an update check to see if an updated version of Firefox is available.”

If you leave your computer on for extended periods of time, you should shut down and restart the browser periodically, if only to ensure that Firefox can apply updates that require it to restart.

Now that we have either updated Firefox to the latest version or simply confirmed it is, let us go looking for additional functionality to harden the browser.

Firefox has a wonderful feature called “add-ons”. This feature allows you to enhance the browser with modular components. Developers from all over the world have created a myriad of add-ons that really allow Firefox users to customize their browsing experience. In this case, our goal is to enhance the overall security stance of the browser.

A good security stance, when installing add-ons, is to limit yourself to the ones available through the Firefox Browser AMO (addons.mozilla.org), yet the first one we will install can only be downloaded from an external website. This should be the exception, not the norm.

HTTPS Everywhere

HTTPS Everywhere is an EFF (Electronic Frontier Foundation) driven effort that aims to force the browser to connect via HTTPS whenever it can. This is achieved by installing it as an add-on in Firefox.

“Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by using a clever technology to rewrite requests to these sites to HTTPS.”

HTTPS-Everywhere can be downloaded here.

Why isn’t this add-on hosted and accessible from within Firefox? Some digging reveals that the plan is for it to be hosted there in the future, but for now, security concerns voiced here (by Yan Zhu of the EFF) prevent it. The main motivation for HTTPS is to prevent wiretapping and man-in-the-middle attacks.

Back to hardening.

Add-ons are typically installed from within the Firefox browser, in a very similar method to the version check / manual update process described earlier.

You can access the add-on repository from the menu button located at the far right of the Firefox browser by selecting the add-ons button; its icon is recognizable as a puzzle piece. Installing add-ons this way should be the preferred method, as Mozilla curates them.

“Are add-ons safe to install? Unless clearly marked otherwise, add-ons available from this gallery have been checked and approved by Mozilla’s team of editors and are safe to install. We recommend that you only install approved add-ons. If you wish to install unapproved add-ons or add-ons from third-party websites, use caution as these add-ons may harm your computer or violate your privacy.”

Reclaim some web privacy.

There are several add-ons that remove web tracking technologies, and they overlap significantly with each other. Web analytics have evolved beyond the cookie to include web bugs, tracking pixels, JavaScript tags, and many others. While most privacy reclaiming add-ons play well together, Disconnect stood out from the pack. It is open source, has a focus on speeding up your web browsing experience (less traffic sent back tracking your actions means a faster browsing experience), and Disconnect is also a B Corp.

This add-on will let you visualize the tracking requests and the websites that emit them.

Taking it up a notch.

NoScript is perhaps the add-on that will harden Firefox the most.

NoScript blocks “active” content by default in Firefox.

“The NoScript Firefox extension provides extra protection for Firefox, Seamonkey and other Mozilla-based browsers: this free, open source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank).

NoScript also provides the most powerful anti-XSS and anti-Clickjacking protection ever available in a browser.

NoScript’s unique whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality…”

This add-on, while increasing the security of your browser, has a profound impact on the whole browsing experience.

A typical user has no idea just how much active content typical websites serve up to visitors, and how much goes on behind the scenes when they navigate to any given webpage. Installing and using NoScript is an eye opener. Large swathes of once familiar websites no longer function without the express approval of the user.

Once NoScript is installed, you will notice that it notifies you of updates by opening an additional tab with the NoScript homepage. This will happen whenever you open a new instance of Firefox and an update has occurred to NoScript. This happens very often, as NoScript is actively maintained.

You are informed by a yellow bar at the bottom of your browser of what has been blocked.

[Screenshot: the NoScript yellow bar, located at the bottom of the browser.]

On the left of the yellow bar is the list of scripts that have been blocked; on the far right, an Options button gives you very granular control over what NoScript should explicitly allow. There, individual scripts can be temporarily or permanently allowed to run on each web page visited.

Once you have NoScript installed you will realize that almost all webpages have some form of script running in the background.

A particularly salient example is the perennial Google search engine homepage. Google has always strived to maintain a search focused and relatively sparse page for their search engine.

While over the years a greater number of bars, buttons, and links have appeared, it never devolved into the hot mess of early search engines, where the search box was often crowded out by ads, banners, and the like. When you visit the Google homepage, NoScript still finds 7 scripts to block on what by current standards is a pretty bare page.

Are the scripts located on the Google home page malicious? Most certainly not. What NoScript is doing is returning the control of what occurs in the browser to the user. The result is a fundamentally different browsing experience. Browsing the web is a much more involved affair. If some content isn’t displayed, you have to fiddle with what is allowed until it does.

Let’s explain the difference by using an analogy: Regular browsing is like driving an automatic car. Some user input is required, but not as much as a stick shift. With NoScript installed, you’re driving a stick shift. If you don’t know how to properly operate the clutch on a hill start, you’re going to stall.

Using NoScript will also require a significant amount of self-discipline. If you find yourself continually enabling scripts globally, you are defeating the purpose of the add-on. This add-on also requires delving under the hood of web technologies. In keeping with the car analogy, many people drive cars, but not all want to know exactly how a fuel injection system works. Enabling scripts one by one via the Options button may be too much to ask of many users.
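The whitelist behaviour described above (default-deny per script origin, temporary allows that last only for the session, permanent allows that survive a restart, and a global allow that switches the protection off) can be modelled in a few lines. This is an added illustration for this post, not NoScript's own code, and the page script list is constructed.

```python
from urllib.parse import urlsplit

# Constructed list of script URLs one page might load; the hostnames are made up.
SAMPLE_SCRIPTS = [
    "https://bank.example/static/app.js",
    "https://bank.example/static/login.js",
    "https://cdn.example/jquery.js",
    "https://analytics.example/tag.js",
    "https://tracker.example/pixel.js",
]


class ScriptPolicy:
    """NoScript-style whitelist: every script origin is blocked unless allowed."""

    def __init__(self, permanent=()):
        self.permanent = set(permanent)  # survives browser restarts
        self.temporary = set()           # cleared when the browser is restarted
        self.allow_globally = False      # the setting that defeats the add-on

    def allow(self, origin, permanent=False):
        (self.permanent if permanent else self.temporary).add(origin)

    def new_session(self):
        """Model a browser restart: temporary permissions do not carry over."""
        self.temporary.clear()

    def is_allowed(self, origin):
        return self.allow_globally or origin in self.permanent or origin in self.temporary

    def evaluate(self, script_urls):
        """Return (allowed, blocked) origins, as the yellow bar would list them."""
        allowed, blocked = set(), set()
        for url in script_urls:
            origin = urlsplit(url).hostname
            (allowed if self.is_allowed(origin) else blocked).add(origin)
        return sorted(allowed), sorted(blocked)
```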

The trick to this is to overcome the additional friction that NoScript introduces and persevere in using it.

Notable Absentees.

Adblock Plus. This add-on aims to rid the web of annoying ads, while still allowing non-intrusive ones that meet its criteria to be displayed. Most websites derive a portion, if not the totality, of their profits through advertising. Many website owners object to users visiting their sites with ad blocking technologies, saying it robs them of potential revenue streams. By the same token, a significant share of web-borne threats originates from malvertising.

“Malvertising involves injecting malicious or malware laden advertisements into legitimate online advertising networks and webpages.”

In our hardening how-to, NoScript should cover most of the threats that use malvertising as an infection vector, thus avoiding the discussion on whether Adblock Plus should be used or not.

Honorable Mentions.

Better Privacy (TACO)

Ghostery

Web of Trust (WOT)

Know any other cool add-ons that would help harden Firefox? Don’t hesitate to leave a comment.

@jean_taggart

ABOUT THE AUTHOR

Jean Taggart

Senior Security Researcher

Incorrigible technophile who loves to break stuff and habitually voids warranties.