TechRepublic : A ZDNet Tech Community

IT Security

Host: Chad Perrin

There are several reasons why Firefox is the Web browser of choice for many of us. Providing a safe Web surfing experience is one of the more important ones. I’d like to offer some tips that will make surfing the Web with Firefox even safer.


It’s important to be able to tell easily whether a Web site that should be using https actually is. When Firefox first came out, it used a method that was easily discernible: the address bar would turn yellow and a lock icon would appear on the right-hand side of the address bar:

That feature was replaced by a small blue frame surrounding the Web site’s favicon in the third version of Firefox. Additionally, clicking on the blue field reveals more information about the Web site’s SSL certificate:

I’m not particularly convinced the new approach is better. It’s easy to miss whether the site is using https or not, especially if the favicon is blue. Also, I’ve read that the blue frame and most favicons are easy to forge.

As for why the change was made, my guess is that the Firefox developers thought Extended Validation (EV) certificates were going to become the norm and focused on a way to better display the EV information. I think they succeeded; placing the Web site’s name in a green frame makes it very distinguishable:

It’s a nice concept, but the use of EV certificates isn’t that prevalent, which kind of defeats the whole purpose. If my memory serves me correctly, less than one percent of all Web sites using SSL have EV certificates. It’s understandable though. By design, the vetting process is more in-depth, which drives up the cost of obtaining an EV certificate.

A well-kept secret

A good friend of mine let me in on what I’d call a hidden gem, and I wanted to pass it along. It’s not perfect, but it certainly helps increase awareness of whether a Web site is using https or not. Besides, it’s simple to do:

  1. Type about:config in the address bar.
  2. Firefox will display the following warning.
  3. Click on the “I’ll be careful, I promise” button.
  4. Enter “browser.identity.ssl_domain_display” (minus quotes) in the Filter box.
  5. Double-click on the entry, which opens a dialogue box.
  6. Change the value from zero to one.

What this does is change the appearance of how the address bar displays information for Web sites using regular SSL certificates. As you can see below, except for the frame being blue instead of green it looks identical to what’s displayed by a Web site using an EV certificate. This should help reduce the risk of confusing secured Web sites with unsecured ones.
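The same preference can be applied from a user.js file in the Firefox profile, which Firefox reads at start-up (with the browser closed while you edit it) and uses to override prefs.js. The helper below is an added example, not something from the article or from Mozilla; the user.js content it works on is a constructed sample.

```python
"""Read and update Firefox user.js preference lines of the form
   user_pref("name", value);
Added example: the sample user.js text is constructed, not from a real profile."""
import re

# One user.js line: user_pref("<name>", <JS literal>);  (value kept as raw text)
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Preference from the article: 1 shows the domain in the address-bar identity box
DOMAIN_DISPLAY_PREF = "browser.identity.ssl_domain_display"


def parse_user_js(text: str) -> dict:
    """Map preference names to their literal values; comments and blanks are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def ensure_pref(text: str, name: str, value: str) -> str:
    """Return user.js text with `name` set to `value`: replace the existing
    line in place (keeping everything else), or append it if absent."""
    out, found = [], False
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m and m.group(1) == name:
            out.append(f'user_pref("{name}", {value});')
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f'user_pref("{name}", {value});')
    return "\n".join(out) + "\n"


# Constructed sample profile: the pref is still at its default of 0
SAMPLE_USER_JS = """// constructed sample user.js
user_pref("browser.identity.ssl_domain_display", 0);
user_pref("network.cookie.cookieBehavior", 1);
"""

if __name__ == "__main__":
    updated = ensure_pref(SAMPLE_USER_JS, DOMAIN_DISPLAY_PREF, "1")
    print(updated)
```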

Revisit Perspectives

In August of 2008, I wrote an article about a Firefox add-on called Perspectives. I’m not going to rehash the details; suffice it to say that I highly recommend installing it. Then forget about it. The add-on works quietly in the background, making sure SSL certificates are valid. Now that I’ve said that, I want to revise the configuration I used in the initial article, even though it makes Perspectives a bit noisier.

The two changes I’d like to propose are:

  • Uncheck the default setting of “Allow perspectives to automatically override security errors”.
  • Change “When to Contact Notaries” from the default to “Contact Notaries for all HTTPS sites”.

Perspectives isn’t perfect and the above changes may give additional false positives, but using the new settings will increase security while surfing the Web.

SSL Blacklist

Firefox 3 checks a certificate’s revocation status using the Online Certificate Status Protocol (OCSP). There’s a problem with that, though. Like EV certificates, use of this protocol is very limited. In a somewhat ironic twist, all SSL certificates do contain information about where to obtain the certificate authority’s certificate revocation list (CRL), but Firefox isn’t set up to use it. This means Firefox isn’t capable of knowing whether the majority of existing SSL certificates are valid or not.

Márton Anka, seeing this deficiency, developed the SSL Blacklist add-on for Firefox. The add-on detects and reports certificates that have been revoked, as well as those that are still signed using the weak MD5 hash algorithm.
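The two points above (certificates carry their CA’s CRL location and, where offered, an OCSP responder; and some are still signed with MD5) are what a checker like this has to read out of a certificate. The script below is an added example, not code from the article or from the SSL Blacklist add-on; it uses the third-party cryptography package, flags SHA-1 alongside MD5 since SHA-1 has since been retired as well, and builds a constructed self-signed certificate with placeholder URLs so it runs offline. Any real site certificate can be passed to inspect_certificate() as PEM bytes.

```python
# Added example: what a revocation-aware certificate checker reads from an X.509 cert.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID

WEAK_HASHES = {"md5", "sha1"}  # SSL Blacklist flagged MD5; SHA-1 is retired today too

def inspect_certificate(pem: bytes) -> dict:
    """Return the signature hash, a weak-hash flag and the revocation URLs advertised."""
    cert = x509.load_pem_x509_certificate(pem)
    algo = cert.signature_hash_algorithm.name if cert.signature_hash_algorithm else "unknown"
    crl_urls, ocsp_urls = [], []
    try:  # CRL distribution points: where the CA publishes its revocation list
        crl_ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
        for dp in crl_ext.value:
            for gn in dp.full_name or []:
                if isinstance(gn, x509.UniformResourceIdentifier):
                    crl_urls.append(gn.value)
    except x509.ExtensionNotFound:
        pass
    try:  # Authority Information Access: the OCSP responder, if the CA runs one
        aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS)
        for desc in aia.value:
            if desc.access_method == AuthorityInformationAccessOID.OCSP:
                ocsp_urls.append(desc.access_location.value)
    except x509.ExtensionNotFound:
        pass
    return {"signature_hash": algo, "weak_hash": algo in WEAK_HASHES,
            "crl_urls": crl_urls, "ocsp_urls": ocsp_urls,
            "revocation_checkable": bool(crl_urls or ocsp_urls)}

def make_sample_cert() -> bytes:
    """Constructed self-signed certificate with one CRL DP and one OCSP URL (placeholders)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
                full_name=[x509.UniformResourceIdentifier("http://crl.example.test/ca.crl")],
                relative_name=None, reasons=None, crl_issuer=None)]), critical=False)
            .add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
                AuthorityInformationAccessOID.OCSP,
                x509.UniformResourceIdentifier("http://ocsp.example.test"))]), critical=False)
            .sign(key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM)
```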

NoScript: a favorite

If you follow my articles, you will know that I think highly of Giorgio Maone’s Firefox add-on NoScript. Giorgio realized that the vast majority of malicious Web sites use JavaScript exploits to gain control of a victim’s computer. So he developed NoScript, which gives the user control over whether to allow or block execution of JavaScript that NoScript deems possibly harmful.

As you might guess, it’s a fairly noisy add-on. NoScript is going to ask you quite often whether you trust the site enough to allow JavaScript execution. If that’s too granular, you have the option to change the setting “Scripts Globally Allowed (dangerous)” from the default of disabled to enabled.

Doing so will make NoScript considerably less intrusive, but any protection from JavaScript vulnerabilities is also removed. On a good note, even with scripts globally allowed you are still afforded protection from clickjacking.

Final thoughts

There you have it: four tips that I use and recommend to all of my clients. None of them are perfect solutions, but they certainly elevate user security when surfing the Web with Firefox. Let me know if you have any favorite security add-ons for Firefox that I may have missed. Also, if you have started using Internet Explorer 8, I’d be curious to learn how it compares to Firefox security-wise.

Michael Kassner has been involved with IT for over 30 years. He is currently a systems administrator for an international corporation and a security consultant with MKassner Net. Read his profile or follow him on Twitter at MKassnerNet.

Firefox: Some security tips Michael Kassner | 05/03/09