Firefox 3.5 was released this week. With features such as Private Browsing, Location awareness, speed improvements and miscellaneous bug fixes, it’s well worth the free download. Now that Firefox 3.5 is out, this two-part post will look at securing Firefox and maintaining your privacy on the web.
For part one, let’s look at five easy ways to secure Firefox to keep you safe on the web.
Securing Firefox, or any other browser, is not just the developer’s responsibility. With increasing features, multimedia rich web sites, plug-ins and add-ons, it’s also your responsibility to make sure Firefox won’t be compromised.
Note: While this article is written for Firefox 3.5 with OS X in mind, it contains tips and advice that apply to the Windows and Linux versions as well. If you’re running an older version, the next paragraph is for you.
1. Keep it up to date:
Like any other browser (and OS), Firefox will in time have exploitable vulnerabilities found in it and attack code released for them. In the old days, you used to be safe by not going to unsavory sites. Not anymore. Now, the easiest way to attack a browser is to compromise a legitimate web site and use it to exploit a vulnerability. You could go to a totally benign web page and be compromised.
How to defend against this? By making sure Firefox is always running the latest version. Mozilla takes security seriously and is quick to provide patches and fixes for Firefox.
To set Firefox to automatically check and download updates:
– Go into Firefox’s Preferences and choose the “Advanced” tab.
– Click on the “Update” sub-tab.
– Make sure at least the “Firefox” and “Installed Add-ons” boxes are checked.
– Select “Automatically download and install the update”.
Firefox will now periodically check for updates, download them if found and install them automatically. It doesn’t get any easier than that.
2. Securing your saved passwords:
If you use Firefox to save and remember passwords for you, make sure you set a Master Password. Did you know that if you don’t, anyone can walk up to your computer (if it’s running and logged in) and, with just a few clicks, have Firefox show them all of your passwords and what sites they are for? With a Master Password set, Firefox will require it before showing any of its saved passwords.
It’s easy to set the Master Password:
– Go into Firefox’s Preferences and choose the “Security” tab.
– Check the checkbox next to “Use a master password”.
– Firefox will walk you through setting this password.
3. Disabling Java:
Firefox gives you the option of turning Java off and in the interest of security, you should. Now, before you freak and think you’ll never be able to do anything on the web, I’ll tell you that I’ve had Java turned off for years and haven’t had any problems at all.
Why do I recommend this? Java allows downloaded content from the internet to run within Firefox as an application. If there are vulnerabilities (and there are), your system could be at risk.
Like all security-minded developers, Sun releases updates for Java and that’s awesome. Except for the fact that when you’re running OS X, Java and its updates are the sole responsibility of Apple. And just recently, a nasty, known, exploitable vulnerability went unpatched for SIX MONTHS. Remember, Java works cross-platform and the vulnerability that went unpatched for six months affected both Windows and OS X.
According to ArsTechnica, “The reason the vulnerability was a threat was because an exploit could be written in pure Java and would work on all platforms and browsers. That means visiting any website with a specially crafted Java applet could easily take down your machine no matter what software you were using. Needless to say, this is bad.”
What happens if a site needs to run a Java applet? Simple: it will either tell you to install/turn on Java or will show a blank box with a little coffee cup icon inside. If that’s the case, just turn it back on for that site. Don’t forget to turn it off when you’re finished.
To turn Java on / off:
– Go into Firefox’s Preferences and choose the “Content” tab.
– Uncheck the “Enable Java” box to turn it off.
4. Keep the defaults:
Luckily, in Firefox, simple security features are turned on by default. Without you even thinking about it, Firefox is pretty secure already. With that in mind, you’re going to want to keep those settings that way.
Here’s what NOT to change:
Under the “Security” tab in Firefox’s preferences, make sure there is a check next to the following boxes:
– “Warn me when sites try to install add-ons”.
– “Block reported attack sites”.
– “Block reported web forgeries”.
Under the “Advanced” tab in Firefox’s preferences, make sure there is a check next to:
– Under the Network sub-tab, “Tell me when a website asks to store data for offline use”.
– Under the Encryption sub-tab, “Use SSL 3.0”, “Use TLS 1.0” and “Ask me every time”.
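The update, Java and "keep the defaults" settings above are stored in the profile’s prefs.js file, so they can also be checked with a script instead of clicking through each tab. The following is an added example, not part of the original article: it audits the text of a prefs.js against the advice in tips 1, 3 and 4. The preference names and default values in it are assumptions based on Firefox 3.x’s about:config rather than anything stated in the article, and the sample file is constructed.

```python
import re

# pref -> (value matching the article's advice, value Firefox uses when the pref
# is absent from prefs.js). Names and defaults are this example's assumptions.
RECOMMENDED = {
    "app.update.enabled": (True, True),                     # tip 1: updates
    "app.update.auto": (True, True),
    "extensions.update.enabled": (True, True),
    "security.enable_java": (False, True),                  # tip 3: Java off
    "xpinstall.whitelist.required": (True, True),           # tip 4: defaults
    "browser.safebrowsing.malware.enabled": (True, True),
    "browser.safebrowsing.enabled": (True, True),
    "browser.offline-apps.notify": (True, True),
    "security.enable_ssl3": (True, True),
    "security.enable_tls": (True, True),
    "security.default_personal_cert": ("Ask Every Time", "Ask Every Time"),
}
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {name: value} for each user_pref() line; booleans are converted,
    everything else is kept as a string with surrounding quotes removed."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:  # comments and blank lines do not match
            name, raw = m.groups()
            prefs[name] = {"true": True, "false": False}.get(raw, raw.strip('"'))
    return prefs

def audit(text):
    """Return (pref, effective value, recommended value) for each setting that
    differs from the article's advice. Absent prefs fall back to the default."""
    user = parse_prefs(text)
    return [(name, user.get(name, default), want)
            for name, (want, default) in RECOMMENDED.items()
            if user.get(name, default) != want]

# Constructed sample prefs.js: automatic updates and attack-site blocking were
# switched off, and Java was never touched (so it is still at its default).
SAMPLE = """\
# Mozilla User Preferences
user_pref("app.update.auto", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    for name, have, want in audit(SAMPLE):
        print(f"{name}: is {have!r}, article recommends {want!r}")
```

The Master Password from tip 2 is not covered, since it is not a simple preference in prefs.js.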
5. Use NoScript:
In part two, we’ll look at what you can do to maintain your privacy on the web with Firefox 3.5.