Have you ever dabbled in Firefox, Chrome or Opera web browsers? These are all popular alternatives to Internet Explorer (IE).
Firefox (FF) burst onto the scene a few years ago as a vibrant successor to the aging Netscape Communicator. What made Firefox unique is that, unlike the largely monolithic structure of IE, Firefox is built in layers like an onion. There is a small kernel of basic browser functionality and then some default outer layers that give it the familiar FF look and feel. But because of this onion-like structure, and because it is open-source software, users who had the technical skills could modify just about anything else about it! By far the most popular way to modify it was to add visual themes to change the shape and location of buttons and the overall color scheme. The next most popular modification was so-called add-ons. Add-ons change the fundamental way the browser works and, for our purposes, how security and privacy aspects function.
So, here are some of my favorite FF add-ons that will raise your awareness of all things security and privacy on the web:
LastPass – truly superior, genuinely secure, browser password vault
If you allow your browser to save your web site account names and passwords then you should switch from the built-in function to using LastPass. LastPass uses genuinely strong encryption methods to encrypt your personal information. Furthermore, all the encryption is based on your master pass phrase, which only you know, and all of your information is encrypted before leaving your local system – not on the LastPass web server! This means that even LastPass employees have no access to your information (nor would anyone that successfully hacked them). However, because your personal info is stored “in the cloud” all of your personal information is available across different browsers (FF, Chrome, IE) and across different systems (work, home, mobile).
Adblock Plus – eliminates ads in your browser, period, end-of-story
Without screwing up the appearance of web pages, AdBlock Plus simply eliminates 99% of ads from your browsing experience. It is highly controllable via a little pull-down menu, so if you go to, say, a not-for-profit web site that you know is ad-supported, you can tell it not to block ads on that site. This is security-related only insofar as ads are a conduit for spyware entering your browser. In addition to turning on your browser’s pop-up blocker, this will go a long way towards improving security and lessening annoying unsolicited ads. As a side effect, it will also speed up web page loading times.
Collusion – graphically exposes tracking and selling information about your browsing habits
Collusion shows you what companies are collecting information from your browser about where you go on the Net. The graph is color coded to distinguish between the web site you went to for content (e.g., www.nytimes.com) and partner sites which collect information about where you have been on the web (e.g., doubleclick.com). It literally connects the dots so you can understand how the NYTimes is connected to CNN through both having cut deals with some third-party tracker like Google’s DoubleClick subsidiary. It’s purely informational, but when combined with NoScript below, it gives you control over who can learn what about your browsing.
Certificate Patrol – detects changes to secure browsing certificates (websites you access via HTTPS)
For those not familiar with HTTPS certificates, they are the heart and soul of how your browser decides it is safe for you to trust that the web site you are buying a new golf club from really is Callaway’s web site. Certificate Patrol is mostly passive and informational. It tells you about the certificates your browser has seen and what has changed about them since the last time your browser was at that site. So, while it is merely nerdy fun to discover that Google uses several certificate authorities for different Google products (Google+, Gmail, Google Apps, etc.), it concretely enhances security by telling you if a site’s certificates are either revoked (by the signing certificate authority), expired or forged before you input your credit card information!
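To make the "what has changed since the last visit" idea concrete, here is an added sketch of that kind of tracking; it is not Certificate Patrol's own code, and it does not cover revocation checking. The class name, the finding labels, the 60-day renewal window and the sample certificates are all assumptions constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta

# Assumption: a replacement this close to the old expiry counts as routine.
RENEWAL_WINDOW = timedelta(days=60)

def fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate bytes, the usual way to identify a cert."""
    return hashlib.sha256(der).hexdigest()

class CertStore:
    """Remembers the last accepted certificate per host (hypothetical helper)."""
    def __init__(self):
        self.seen = {}  # host -> {"fp", "issuer", "not_after"}

    def observe(self, host, der, issuer, not_after, now):
        """Compare this sighting with the stored one and return findings."""
        new = {"fp": fingerprint(der), "issuer": issuer, "not_after": not_after}
        old = self.seen.get(host)
        findings = []
        if old is None:
            findings.append("first-seen")
        elif old["fp"] == new["fp"]:
            findings.append("unchanged")
        else:
            if old["issuer"] != issuer:
                findings.append("issuer-changed")   # a different CA signed it
            if old["not_after"] - now > RENEWAL_WINDOW:
                findings.append("replaced-early")   # old cert had long to run
            if not findings:
                findings.append("renewed")          # same CA, near expiry
        if not_after < now:
            findings.append("expired")
        # Keep the old record on a suspicious change so the warning repeats
        # on every visit until someone has reviewed it.
        if not {"issuer-changed", "replaced-early", "expired"} & set(findings):
            self.seen[host] = new
        return findings

def demo():
    """Four visits to one constructed host with constructed certificates."""
    t0 = datetime(2012, 6, 1)
    store = CertStore()
    a = (b"constructed-cert-A", "Example CA 1", datetime(2012, 7, 1))
    b = (b"constructed-cert-B", "Example CA 1", datetime(2013, 7, 1))
    c = (b"constructed-cert-C", "Example CA 2", datetime(2013, 9, 1))
    return [
        store.observe("shop.example", *a, now=t0),
        store.observe("shop.example", *a, now=t0 + timedelta(days=1)),
        store.observe("shop.example", *b, now=t0 + timedelta(days=20)),
        store.observe("shop.example", *c, now=t0 + timedelta(days=25)),
    ]
```

The last visit is the one worth a warning: a new certificate from a different issuer, days after a fresh renewal, is exactly the pattern a user would want to see before typing in card details.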
NoScript – makes visible and/or stops unseen chatter between the browser & 3rd parties
You can get these add-ons to FF by using the Tools >> Add-ons menu item, and searching for each by name. Then follow the installation procedure for each. To remove an add-on on FF, just go to Tools >> Options >> General tab >> Manage Add-ons button.
What are your favorite security and privacy related plug-ins for FF or other browsers?
Credit to Steve Gibson of Gibson Research for pointing out some of these add-ons by name in his excellent Security Now! podcast (part of the This Week in Tech network of podcasts): http://grc.com.
John Brady is Information Security Architect Engineer at Westfield Insurance.