Self Destructing Cookies for Firefox

If you have read any of my previous writing on internet browsers, you probably know I don’t like cookies.  Unfortunately, they are a necessary evil.  Without cookies most of the internet services we love would be impossible.  This is great when you need a website to remember login credentials, the items in your cart, or the pages you’ve already visited.  Cookies have a downside, however.  They allow websites to track your browsing.  This tracking is not limited to the first-party site you visited.  Once you have a cookie from a site it can see the other sites you visit, as well.  It can also share this information, making your history and habits well known.  Sites like Facebook even track non-users.  I work to prevent this to the extent possible.  I recently discovered an add-on for Firefox that is my new favorite for deleting cookies.  It is called Self Destructing Cookies.

3DSC Day 11: NoScript Security Suite

Today is the last day of working with Firefox – I promise!  Because your browser is your computer’s ambassador to the internet this is worthwhile work – making your browser more secure makes your computer more secure.  Today’s task is to install the NoScript Security Suite add-on to Firefox.  I decided to include this add-on on its own day because NoScript has a very steep learning curve. While NoScript is the ultimate in security add-ons, it is also the most difficult to use.

NoScript is the nuclear option of security-focused browser extensions. NoScript blocks all scripts and plugins, including Flash, Java, and JavaScript, from executing except on websites that you have explicitly approved. It also performs a number of other browser-related security functions. Unfortunately, this security comes at a cost. Because it blocks so many scripts, NoScript “breaks” many websites. In many cases, this may be desirable; NoScript prevents videos from automatically playing, stops animations, prevents pop-ups and other advertising, and makes busy pages much more manageable. For sites that you need to work, this can be quite frustrating initially. For this reason, the application allows you to whitelist certain sites permanently or temporarily.


I recommend taking a few minutes to learn how NoScript Security Suite works.  Otherwise it can be very frustrating, and I don’t want you to get discouraged with using Firefox because NoScript breaks your websites.  NoScript works on a whitelisting basis.  Until you have approved a site, or certain elements of a site, NoScript will block all scripts that the site is attempting to run.  This offers a substantial security layer between you and the internet.  Unfortunately many of the blocked scripts are necessary for sites to function as intended.

To use NoScript, install the NoScript Security Suite add-on.  It is available at https://noscript.net/ or through the Firefox add-ons menu.  Once it is installed you will see a NoScript icon in your browser’s toolbar.  Clicking the NoScript icon on a page will display all of the scripts that are running on the page. It will present options for enabling or disabling each script individually, as well as settings that apply to all scripts on a page and globally. These options are:

  • Allow scripts globally (dangerous): This setting removes all protections afforded by NoScript and lets all scripts on all pages run. There are some occasions where using this option is desirable. For example, if you are creating a new account or making an online purchase, and may be redirected to a page where script blocking may interfere with password input fields, you can allow scripts globally.  As soon as you are finished, enable script-blocking again.  Unfortunately, this option is not reset when you close and reopen your browser.
  • Allow all of this page: This setting permanently whitelists the entire page and all scripts running on it. Be aware that permanently whitelisting a site on NoScript will place the name of the site in a list on your computer. This list is unencrypted and may be viewed by anyone with access to your computer, allowing him or her to see what sites you visit frequently.
  • Temporarily allow all of this page: This setting allows the page you are visiting and all the scripts on the page to run for the duration of the browsing session or until permissions are revoked. This setting will be reset when you close your browser.
  • Allow…: This allows you to whitelist an individual script on a page permanently.
  • Temporarily Allow…: allows you to whitelist an individual script on the page you are visiting. This permission will be revoked when you close the browser. This may be desirable if you are visiting a page that needs a Flash script to run to play a video, animation, or other graphic that is broken by NoScript, but only desire it for a single visit.
  • Make page permissions permanent: If you frequent a site and have allowed the minimum number of scripts to permit that page to function properly you may wish to use this setting. It will add those permissions permanently to your whitelist so you do not have to manually allow scripts each time you visit the site.
  • Revoke Temporary Permissions: This option allows you to immediately revoke any temporary permissions and stop the scripts associated with them.
  • Forbid: Forbidding a given script allows you to stop any script to which you have granted temporary or permanent permissions. When visiting a site, you may wish to allow all the scripts on the site, then forbid them one by one until only the desired functions on the site are running and nothing else.

When you no longer wish to allow scripts on a given page NoScript also gives you the ability to revoke permissions. Additionally, each script on the page will have an “Allow” or “Temporarily allow” option, so you can fine tune each page to make the content you desire visible while blocking everything else. Though using NoScript can be frustrating at first, once the sites you primarily use have been whitelisted and are working well, the add-on requires little intervention except when visiting new sites or sites that are not permanently whitelisted.

This post has only covered the tip of the security iceberg that is the NoScript Security Suite. In addition to preventing scripts from executing, NoScript also prevents Cross-Site Scripting attacks, allows you to force sites to use HTTPS connections (where available), prevents clickjacking attempts, and provides automatic boundaries enforcement (ABE).

3DSC Day 10: Firefox Security Add-Ons

Today we have crossed a new landmark: after this task you have completed one-third of the Thirty-Day Security Challenge!  Congratulations!

Yesterday we installed Mozilla Firefox.  We made some changes to Firefox’s settings to evade online tracking and limit the browsing data that is stored locally on your device.  Today we will increase Firefox’s security further by installing some security add-ons.  Add-ons are small plug-ins that enhance an existing piece of software.  To install these add-ons follow the link provided.  On the resulting webpage click the green “Add to Firefox” button.

There is a slight chance that you have some other add-ons in Firefox already.  You should think twice about these.  They are probably not security add-ons.  Add-ons like those from Amazon.com and Facebook do not enhance your privacy.  Instead they give these services access to your browser.  Consider removing any add-on that does not improve your privacy or security.

Better Privacy:  This simple add-on is designed to delete flash cookies.  Flash cookies, sometimes called Local Shared Objects (LSOs), are more sophisticated than conventional cookies.  Flash cookies allow much more detailed tracking of your online behavior.  Better Privacy runs in the background when you close Firefox and deletes flash cookies from your browser.

Disconnect:  Disconnect is an anti-tracking application.  It is very lightweight and prevents websites from tracking your behavior and serving you certain requests.  I like Disconnect because it is incredibly lightweight but still very capable.  According to Disconnect your pages will load 27% faster when using the add-on.  This is because tracking requests and ads consume bandwidth.  When they are blocked this bandwidth is yours once again.  Once Disconnect is installed you don’t have to do anything.  Disconnect will silently protect you in the background.

HTTPS Everywhere:  Many websites offer an encrypted (SSL) login page.  Unfortunately, many of these pages revert to a plain-text connection after you have logged in.  This can allow your ISP or a hacker to see what you are doing.  To prevent this, HTTPS Everywhere attempts to force an encrypted connection during your entire session, on any website that is capable of a secure connection.  HTTPS Everywhere is written by the Electronic Frontier Foundation (EFF), an advocacy group for online privacy.


Fixing Firefox’s WebRTC Vulnerability

Earlier this year a major vulnerability called the WebRTC vulnerability was discovered in Windows machines running Chrome and Firefox.  This vulnerability can compromise your privacy by allowing websites to see your true IPv6 address despite the use of a VPN.  When using a VPN any site you visit should only see the IP address of the VPN’s exit server.  This prevents them from correlating your visit with your geographic location, and building profiles based on your IP address.  To test your system and see if your IP is leaking you can visit https://ipleak.net/.

Thankfully this vulnerability is very easy to correct in Firefox but it cannot be corrected through the “Options” dialogue.  To correct it go to your URL bar in Firefox and type “about:config.”  This will open a menu where power-users can make many adjustments to the application (many of these adjustments can be made through the Settings, but many cannot).  Bypass the warning and scroll down to “media.peerconnection.enabled.” This setting is “true” by default.  Double-click this line which will toggle the value to “false.”  This is all that is required to turn off WebRTC and secure this vulnerability.
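To confirm the change was saved, you can check the preference files in your Firefox profile folder. The script below is an added example, not part of the original post: it reads prefs.js and user.js (Firefox applies user.js over prefs.js at startup) and reports whether “media.peerconnection.enabled” is off. The function names and sample file contents are constructed for illustration, and the profile folder path is something you supply.

```python
import re
from pathlib import Path

PREF = "media.peerconnection.enabled"
# One line of prefs.js / user.js looks like: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {name: value} for every user_pref() line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]          # string preference
        else:
            try:
                prefs[name] = int(raw)       # integer preference
            except ValueError:
                prefs[name] = raw            # keep unknown forms verbatim
    return prefs

def webrtc_status(prefs_js="", user_js=""):
    """'disabled' only if the pref is explicitly false after user.js is applied.
    A missing entry means the default, which the article gives as true."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))      # user.js overrides prefs.js
    return "disabled" if merged.get(PREF, True) is False else "enabled"

def audit_profile(profile_dir):
    """Check a profile folder on disk (path supplied by the caller)."""
    def read(f):
        return f.read_text(encoding="utf-8", errors="replace") if f.is_file() else ""
    p = Path(profile_dir)
    return webrtc_status(read(p / "prefs.js"), read(p / "user.js"))

# Constructed sample file contents, not taken from a real profile.
SAMPLE_DEFAULT = '// Mozilla User Preferences\nuser_pref("browser.startup.page", 3);\n'
SAMPLE_FIXED = SAMPLE_DEFAULT + 'user_pref("media.peerconnection.enabled", false);\n'
SAMPLE_USER_JS = 'user_pref("media.peerconnection.enabled", true);\n'

if __name__ == "__main__":
    print("untouched profile:", webrtc_status(SAMPLE_DEFAULT))
    print("after the about:config change:", webrtc_status(SAMPLE_FIXED))
    print("user.js re-enabling it:", webrtc_status(SAMPLE_FIXED, SAMPLE_USER_JS))
```

The third case matters in practice: a user.js file that sets the preference back to true will undo the about:config change every time Firefox starts.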


There are add-ons for Chrome (WebRTC Leak Prevent and ScriptSafe) that are intended to defeat the WebRTC vulnerability.  It has been reported that these add-ons can be bypassed by a malicious adversary and should not be relied on.  However, if you must use Chrome you should enable one of these add-ons.

For full protection use Firefox and adjust as described above.  Using NoScript may also help mitigate this vulnerability.