Adding Security to the Firefox Browser


    On today's Internet we are increasingly confronted with dangers coming from Web pages. Vulnerable plugins, XSS on sites, exploitation of vulnerabilities through JavaScript, clickjacking: and this is not a complete list of the joys of life that can be found on sites.

    Even if you have Linux or Mac OS X, you cannot be completely calm. In that case the muck simply won't get beyond the browser, but malicious code can still extract cookies or LocalStorage data. The computer's processing power can also be used for completely unexpected purposes, up to mining bitcoins on the victim's computer.

    So you need to protect the browser not only from the outside, but also from the inside. The appropriate extensions, to which this post is dedicated, do exactly that. It will also cover some privacy issues (but not anonymity!), so that you can protect yourself from tracking companies.


    Useful Extensions



    NoScript

    It seems to me that this extension is the place to start, because I think every browser user needs it today, after Adblock Plus, of course. As the name makes clear, its main task is to block JavaScript. It does this job perfectly, and far more conveniently than the "Disable JavaScript" button in the settings (especially considering that this button is no longer present in the latest Firefox versions). You can grant permission per site, maintain whitelists and blacklists, and temporarily allow a particular site.

    However, the possibilities do not end there. It can also block plugins (any of them), force HTTPS on pages, and protect against XSS attacks and clickjacking (using ClearClick technology, which lets you see the real appearance of an element when danger is detected). It also implements an interesting technology, ABE, a kind of firewall for the Web that lets you restrict the access of some sites to others.

    NoScript Website

    Adblock Plus

    Probably the most famous browser extension. Indeed, those who have installed it can no longer use a browser without an ad blocker, because the Internet becomes so clean and bright.

    However, it is not too obvious how it can help with security. The answer is in its subscriptions. They vary widely: anti-advertising proper (which also cuts out a lot of content that is, if not malicious, then simply junk), protection from tracking by various statistics sites (privacy rather than security here), blocking of domains seen distributing malware, and much more. The subscriptions I recommend are EasyList, RuAdList, EasyPrivacy, Fanboy Enhanced Trackers and Malware Domains. These will also help make the browser safer.

    AdBlock Plus Website

    RequestPolicy

    The next add-on is designed for per-site permission management. RequestPolicy gives you the ability to manage cross-site requests.

    For example, the habrahabr.ru site requests images from habrastorage.org and a script from mc.yandex.ru. Habrastorage can be allowed, while Yandex.Metrica stays blocked. In this way the add-on helps protect against tracking sites that collect user statistics.

    It also definitely protects against XSS and against any junk you do not like, such as social network buttons and some of the advertising. So this extension does provide very good protection, but it has one important drawback: it requires active interaction and manual selection of permissions. A great deal really will be blocked, and a significant part of that may be needed to view the site. So it's up to you. By the way, version 1.0 (still in development) adds subscriptions and the ability to run in blacklist mode.
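
    The cross-site decision described above can be modelled in a few lines. This is an added example, not RequestPolicy's own code or rule format; the class and function names, the '*' wildcard, the URL paths and the two-label site key are assumptions made for illustration.

```javascript
// Simplified model of a default-deny cross-site request policy (not RequestPolicy's code).
// Naive site key: the last two hostname labels. A real implementation needs the
// Public Suffix List (this mis-groups hosts under suffixes such as co.uk).
function siteOf(url) {
  const host = new URL(url).hostname.toLowerCase();
  if (/^[\d.]+$/.test(host) || host.startsWith('[')) return host; // IP literal
  return host.split('.').slice(-2).join('.');
}

class CrossSitePolicy {
  constructor() { this.rules = new Set(); }

  // '*' as origin or dest makes the rule apply to any site on that side.
  allow(origin, dest) { this.rules.add(`${origin}>${dest}`); return this; }

  // Decide one subrequest made by the page at pageUrl.
  check(pageUrl, requestUrl) {
    const origin = siteOf(pageUrl), dest = siteOf(requestUrl);
    if (origin === dest) return { allowed: true, reason: 'same-site' };
    for (const key of [`${origin}>${dest}`, `${origin}>*`, `*>${dest}`]) {
      if (this.rules.has(key)) return { allowed: true, reason: `rule ${key}` };
    }
    return { allowed: false, reason: 'cross-site, no rule' };
  }

  // Split a page's subrequests into those sent and those dropped.
  filter(pageUrl, requestUrls) {
    const sent = [], blocked = [];
    for (const u of requestUrls) {
      (this.check(pageUrl, u).allowed ? sent : blocked).push(u);
    }
    return { sent, blocked };
  }
}

// Constructed sample: the habrahabr.ru example from the text, with made-up paths.
const policy = new CrossSitePolicy().allow('habrahabr.ru', 'habrastorage.org');
const page = 'https://habrahabr.ru/post/1/';
const result = policy.filter(page, [
  'https://habrahabr.ru/styles/main.css',
  'https://habrastorage.org/files/a.png',
  'https://mc.yandex.ru/metrika/watch.js',
]);
console.log(result);
// The rule is scoped to its origin: another site embedding the same host is still blocked.
console.log(policy.check('https://example.org/', 'https://habrastorage.org/files/a.png'));
```

    Because the rule names both sides, allowing habrastorage.org for habrahabr.ru does not allow it for pages of any other site.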

    RequestPolicy Website

    Cookie Monster

    One of those extensions whose functions are, in general, covered by the browser itself, but with which things are incomparably more convenient than without. Cookie Monster lets you manage your cookies, allowing them only for the sites where you have explicitly permitted them. It can also allow cookies to be stored only until the browser is closed, or block only third-party cookies.

    A very convenient extension that requires practically no interaction, since there are really very few sites where cookies are actually needed: mostly the sites on which you are registered. Highly recommended to everyone.

    Extension page on Addons.Mozilla.Org

    HTTPS Everywhere

    An extension from the well-known Electronic Frontier Foundation, designed to force the use of HTTPS on sites that support it but do not make it the default. It helps protect your browser from MITM attacks, which can lead to such bad consequences as theft of your password on an untrusted network or your provider embedding ads in pages.

    The extension is very useful, especially when you have to connect to a Wi-Fi network somewhere in a cafe or at a train station, because it saves you from mistakes when typing https addresses or clicking on a link. Where possible, it also rewrites insecure requests made by the page into secure ones.

    EFF extension page

    WOT - Web Of Trust

    An extension that shows, next to links, the trust level that the community has assigned to sites. It is designed for the "friend of an IT specialist": I may not need it much myself, but I install it for all my friends, after explaining that they should not click on links with the "red circle".

    It helps protect against phishing and, partially, against sites with malware. In practice it has many false positives and does not distinguish the subdomains of free hosting services at all. But sometimes it is better to overdo it than to underdo it. It also has a negative effect on privacy: it sends each URL to its own server for checking.

    WOT website

    RefControl and UaControl

    Add-ons designed to control the HTTP headers Referer (the address of the page from which the user came to the site) and User Agent (a non-unique browser identifier). They let you pretend to be another browser, or even a search robot, avoid telling the site how you got to it, or put whatever you want into these fields. At one time I surfed the Internet with a User Agent configured as an IE 10 browser for Linux. I wonder, do webmasters read such logs?

    In principle, RefControl lets you prevent sites from learning which search query brought you to them, especially considering how much Google crams into this field. UAControl, in turn, lets you pretend to be a popular browser and "hide in the crowd" to avoid the same statistics collection. By the way, in the comments below it was suggested to change the User Agent to Linux (if you are not already on Linux), because then some malware will not be served to you. A strange method, of course, but the opinion exists.

    RefControl page on AMO
    UaControl page on AMO

    Conclusion


    I hope you read this post to the end; whether to install these extensions or not is up to you, especially since I have described everything in sufficient detail. Our browser is now safer from the inside, and later I may write about how to protect it from the outside using AppArmor.

    PS: I apologize for the presentation style. This is my first post on Habr, so I ask for constructive criticism.
