If you’ve been using that other browser or perhaps not feeling comfortable with Safari 4 beta’s poor cookie-handling/privacy options, feel free to take Mozilla Firefox for a spin. Regardless if you’ve been using Firefox for a few weeks or since way back when it was called Phoenix, the following suggestions will help you make Firefox a more secure option to browse the web! And no…I don’t work for Mozilla. ;-)

“Out of the box,” Firefox is a pretty secure web browser. But there are a few tweaks in the program’s preferences, coupled with a few add-ons that will really lock down and secure the browser. I’ll start with Firefox’s own preferences first.

Preferences

Open Firefox’s preferences by going to Firefox → Preferences (Mac), Tools → Options (Windows), or Edit → Preferences (Linux). The following instructions are specific to Firefox 3.1 beta3, but very similar instructions apply to older versions of Firefox.

Privacy

Firefox privacy settings

Select the Privacy tab (click on left image) to make changes to your History, Cookies, and Private Data settings. You may want to reduce the number of days your history is kept or remembered. The default settings keep your browsing history for 90 days, which I think is a little over-the-top (I like 9 days). Keeping your history for a few days or so will make using the location bar more convenient as the new Smart Location Bar (AKA Awesome Bar) “will try to guess where you are trying to go, based on where you have been.”

To really get a handle on the whole good cookie/bad cookie thing, Firefox allows you to not accept third-party cookies and blow away all of your cookies at the end of your session when you exit the program. FYI, Firefox and Opera are the only two browsers, according to Steve Gibson, of the Gibson Research Corp., that are capable of blocking outgoing cookies.

In the Privacy tab, uncheck “Accept third-party cookies” and choose “Keep until: I close Firefox” under the Cookies area. Under Private Data, check “Always clear my private data when I close Firefox” and click on the “Settings” button. In the new window (img), check everything except “Visited Pages” and “Download List” if you’re really concerned about your privacy. With “Visited Pages” unchecked, your history will be removed according to the number of days set in the Privacy tab and not after each session (exiting the program). In addition, starting with version 3.1 and later, Firefox will allow you to browse the world wide tubes in Private Browsing mode for when you decide to browse the web somewhat anonymously. ;-)

Security

Firefox security settings

Select the Security tab (click on left image) to make changes to how Firefox deals with malicious web sites, passwords, and warning messages. By default, all the malicious web site options are checked. I leave the passwords options unchecked, as I use 1Password for the Mac. Firefox does provide you with a Master Password option should you decide to let Firefox remember your passwords.

There’s one little tweak that I recommend under the Warning Messages section. Click on the “Settings” button and in the new window (img), check the box that says “I leave an encrypted page for one that isn’t encrypted.”
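To check that the Privacy and Security settings above actually stuck, you can audit the profile's prefs.js file. This is an added example, not part of the original post or anything from Mozilla; the about:config pref names and default values are assumptions for Firefox 3.x-era builds, and the sample file content is constructed.

```javascript
// Added example: audit prefs.js text against the Privacy/Security settings above.
// Pref names and defaults are assumptions for Firefox 3.x-era about:config.
const BASELINE = [
  { pref: "network.cookie.cookieBehavior", def: 0, ok: v => v === 1,
    why: "third-party cookies still accepted" },
  { pref: "network.cookie.lifetimePolicy", def: 0, ok: v => v === 2,
    why: "cookies not limited to the session" },
  { pref: "browser.history_expire_days", def: 90, ok: v => v <= 9,
    why: "history kept longer than 9 days" },
  { pref: "privacy.sanitize.sanitizeOnShutdown", def: false, ok: v => v === true,
    why: "private data not cleared on exit" },
  { pref: "security.warn_leaving_secure", def: false, ok: v => v === true,
    why: "no warning when leaving an encrypted page" },
];

// Parse user_pref("name", value); lines; anything else (comments, junk) is skipped.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue;
    try { prefs.set(m[1], JSON.parse(m[2])); } catch (e) { /* unparsable value */ }
  }
  return prefs;
}

// A pref missing from prefs.js is still at its default, so fall back to `def`.
function audit(text) {
  const prefs = parsePrefs(text);
  return BASELINE
    .map(r => ({ ...r, value: prefs.has(r.pref) ? prefs.get(r.pref) : r.def }))
    .filter(r => !r.ok(r.value))
    .map(r => `${r.pref} = ${r.value}: ${r.why}`);
}

// Constructed sample: cookies outlive the session, leaving-HTTPS warning never enabled.
const SAMPLE_PREFS = [
  "# Mozilla User Preferences",
  'user_pref("browser.history_expire_days", 9);',
  'user_pref("network.cookie.cookieBehavior", 1);',
  'user_pref("network.cookie.lifetimePolicy", 0);',
  'user_pref("privacy.sanitize.sanitizeOnShutdown", true);',
].join("\n");

for (const finding of audit(SAMPLE_PREFS)) console.log(finding);
```

Run it with Node against the text of your own prefs.js; an empty result means every setting from this section is in place.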

Firefox Security Add-ons

There are hundreds of security and privacy add-ons for Firefox. You can literally spend about 4 days looking through and playing with all of these things, so (because I’m a nice guy) I’m going to feature what I think are five must-have add-ons to help increase the security of Firefox.

Adblock Plus


Wladimir Palant’s Adblock Plus…um…well…blocks ads! After installing the add-on (and restarting Firefox), you’ll be asked to subscribe to a list of ad-blocking options. I highly recommend the EasyPrivacy subscription (img), which combines the general ad-blocking subscription (EasyList) with a list that will help prevent cookie/history-tracking during your browser session (EasyPrivacy). To do this, go to the Known Adblock Plus subscriptions page, scroll down a ways, and click on the link that says “Subscribe: EasyPrivacy+EasyList”. This list will automatically stay updated; you need to do nothing else…nice. If you’re really anal-retentive about blocking ads or other page elements not blocked by the subscription(s), check out Wladimir’s Element Hiding Helper.

NoScript


Giorgio Maone’s NoScript is arguably one of the best add-ons to help make Firefox more secure. Like most browsers (except Google Chrome), Firefox allows you to turn off JavaScript; JavaScript being dynamic code that is often used as a means [by third party sites or on a hacked web site] to perform malicious acts through your web browser. The problem, however, is that by disabling JavaScript you “turn off” a great deal of functionality/features that a given web site may offer. Enter NoScript.

NoScript offers three unique features that protect you from malicious code (run on a web site you visit without your knowledge): (1) temporary whitelists, (2) disabling JavaScript code originating from third-party sites, and (3) clickjacking prevention.

Since NoScript is so powerful and based upon building up a whitelist of web sites you deem safe to run JavaScript [no site is ever really safe], it can be a little annoying at first, but stick with it. By temporarily allowing top-level sites (img) by default and setting the option to “Base 2nd level Domains” and turning off notifications (img), you will often forget you’re even using it.

Third-party Cookies

Although wiping out your cookies after every session and blocking third-party cookies can help make your browsing experience more private, there is such a thing as…(cue the timpani) “super-cookies!” Super-cookies (AKA Local Shared Objects) are like “regular” cookies and:

As with cookies, online advertisers could use LSOs for tracking purposes. The average internet user who may be aware of the potential privacy concerns of cookies is usually unaware of LSOs.

Feel free to install and try Objection or BetterPrivacy to help you manage and/or kill these things.

Awareness

Locationbar2 example

Locationbar2 isn’t an active security/privacy add-on per se, but makes you more aware of what’s going on in the URL/locationbar of Firefox. In other HTML, it can highlight/emphasize the top-level domain of the website you’re visiting. By doing so, the hope is that you’ll be more aware of the web site you’re visiting and more likely to notice any potential phishing threats, as phishing site URLs (e.g. “www.wel1sfargo.com”) tend to differ from the “real” web site URL (“www.wellsfargo.com”) by a letter or number. Notice the 1 in the first URL? Feel free to check out how I set my Locationbar2 preferences (img).
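The same "look at the real domain" check can be done in code, for example when reviewing links in mail or proxy logs. This is an added example, not code from the original post or from Locationbar2: it goes beyond the one-character swap above to also catch a trusted name buried in a subdomain. The trusted list, the digit-to-letter map, the two-label base-domain rule (a real tool would use the Public Suffix List) and the `.example` test URL are all assumptions.

```javascript
// Added example: flag URLs whose domain imitates a trusted one.
const TRUSTED = ["wellsfargo.com"];                      // taken from the example in the text
const DIGIT_SWAPS = { "0": "o", "1": "l", "3": "e", "5": "s" };

// Naive "base 2nd level domain": the last two labels of the hostname (assumption).
function baseDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Undo common digit-for-letter swaps so "wel1sfargo" compares equal to "wellsfargo".
function skeleton(domain) {
  return domain.replace(/[0135]/g, c => DIGIT_SWAPS[c]);
}

// Levenshtein distance, used to catch a single added, dropped or changed character.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1,
                        prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
    prev = cur;
  }
  return prev[b.length];
}

function classify(url) {
  const host = new URL(url).hostname.toLowerCase();
  const base = baseDomain(host);
  if (TRUSTED.includes(base)) return "trusted";
  for (const t of TRUSTED) {
    // Same skeleton or one edit away: a typo-style imitation of the trusted domain.
    if (skeleton(base) === skeleton(t) || editDistance(base, t) <= 1) return "lookalike of " + t;
    // Trusted name used as a subdomain of some other base domain.
    if (host.includes(t + ".")) return "lookalike of " + t;
  }
  return "unknown";
}

for (const u of ["http://www.wellsfargo.com/", "http://www.wel1sfargo.com/",
                 "https://www.wellsfargo.com.account-check.example/login"]) {
  console.log(u, "->", classify(u));
}
```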

Well, my hope is that this informative post has provided you with a good place to start if you’re concerned about your privacy and security on the “interwebs.” Have additional advice or favorite add-ons? Post ‘em in the comments!


One Response to “Secure Your Browser: Locking Down Firefox”


  1. [...] BS. I must be clairvoyant, because not two days ago, I posted an article, entitled “Secure Your Browser: Locking Down Firefox.” I can’t stress enough how important it is to install/use add-ons like Adblock Plus [...]

