
Adding Security to the Firefox Browser


On today's Internet we are increasingly confronted with dangers that come from Web pages: vulnerable plugins, XSS on sites, exploitation of vulnerabilities via JavaScript, clickjacking, and that is not a complete list of the joys of life that can be found on sites.

Even if you run Linux or Mac OS X, you can't be completely calm: in that case the crap simply does not get beyond the browser, but malicious code can still extract cookies or LocalStorage. The computer's power can also be used for completely unexpected purposes, up to mining bitcoins on the victim's computer.
So the browser needs to be protected not only from the outside but also from the inside. To do that, look at the appropriate extensions, which is what this post is about. Some privacy issues (but not anonymity!) are also covered here, so that you can protect yourself from tracking companies.


Useful extensions



NoScript

It seems to me that you need to start with this extension, because I think every browser user needs it today, after Adblock Plus, of course. As the name makes clear, the main task of this extension is to block JavaScript. It does this perfectly, and far more conveniently than the “Disable JavaScript” button in the settings (especially considering that the latest versions of Firefox no longer have this button). It supports per-site permissions, whitelists and blacklists, and temporary permission for a particular site.

However, its capabilities do not end there: it can also block plugins (any of them), force HTTPS on pages, and protect against XSS attacks and clickjacking (using ClearClick technology, which shows the real appearance of an element when it detects danger). It also implements an interesting technology, ABE, a kind of firewall for the Web that lets you restrict some sites' access to others.

NoScript Website

Adblock Plus

Probably the most famous browser extension. Indeed, those who have installed it can no longer use a browser without an ad blocker, because the Internet becomes so clean and bright.

However, it is not too obvious how it helps with security. The answer is in its subscriptions. They can be quite varied: ad blocking itself (which also cuts out a lot of content that is, if not malicious, then simply junk), protection from tracking by various statistics sites (this is privacy rather than security), blocking of domains seen distributing malware, and much more. Of the subscriptions, I recommend EasyList, RuAdList, EasyPrivacy, Fanboy Enhanced Trackers, and Malware Domains. This too will help make the browser safer.

AdBlock Plus website

RequestPolicy

Another add-on for per-site permission management. RequestPolicy lets you manage cross-site requests.

Example: the site habrahabr.ru requests pictures from habrastorage.org and a script from mc.yandex.ru. Habrastorage can be allowed, and Yandex.Metrica can be left blocked. This way the add-on helps protect against trackers that collect statistics on the user.

It will also definitely protect against XSS and any other nonsense you don't like, such as social-network buttons and some advertising. So this extension really does give very good protection, but it has one important drawback: it requires active interaction and manual selection of permissions. It will block a great deal, and a considerable part of that may be needed to view the site. So it's up to you. By the way, version 1.0 (currently in development) adds subscriptions and a blacklist mode.

RequestPolicy website
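
The cross-site decision from the habrahabr.ru example above, sketched as default-deny logic. This is an added example, not RequestPolicy's own code: the rule syntax, function names and sample URLs are constructed for illustration, and a "site" is approximated as the last two labels of the hostname.

```javascript
// Default-deny policy for cross-site requests (illustrative sketch).
// Assumption: "site" = last two hostname labels. A real implementation
// would consult the Public Suffix List to handle suffixes such as co.uk.
function siteOf(url) {
  const host = new URL(url).hostname.toLowerCase();
  return host.split('.').slice(-2).join('.');
}

// Hypothetical rule format: "origin-site -> destination-site"; "*" matches any site.
function parseRules(lines) {
  return lines.map((line) => {
    const [from, to] = line.split('->').map((s) => s.trim().toLowerCase());
    return { from, to };
  });
}

// Same-site requests pass; cross-site requests pass only if a rule names
// this exact origin/destination pair (or a wildcard). Everything else is blocked.
function decide(pageUrl, requestUrl, rules) {
  const from = siteOf(pageUrl);
  const to = siteOf(requestUrl);
  if (from === to) return { to, verdict: 'allow', reason: 'same-site' };
  const hit = rules.find((r) => (r.from === '*' || r.from === from) &&
                                (r.to === '*' || r.to === to));
  return hit
    ? { to, verdict: 'allow', reason: `rule ${hit.from} -> ${hit.to}` }
    : { to, verdict: 'block', reason: 'cross-site, no rule' };
}

function auditPage(pageUrl, requestUrls, rules) {
  return requestUrls.map((u) => ({ url: u, ...decide(pageUrl, u, rules) }));
}

// Constructed sample: the user has allowed images from habrastorage.org
// on habrahabr.ru and left everything else at the default.
const rules = parseRules(['habrahabr.ru -> habrastorage.org']);
const requests = [
  'https://habrahabr.ru/styles/main.css',       // constructed path
  'https://habrastorage.org/files/example.png', // constructed path
  'https://mc.yandex.ru/counter.js',            // constructed path
];
const report = auditPage('https://habrahabr.ru/', requests, rules);
for (const r of report) console.log(r.verdict.padEnd(5), r.url, `(${r.reason})`);
```

Because each rule is tied to an origin, allowing habrastorage.org on habrahabr.ru does not allow it when some other site requests it.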

Cookie Monster

One of those extensions whose functions the browser itself covers in general, but with which things are incomparably more convenient than without. Cookie Monster lets you manage cookies, allowing them only for the sites you have explicitly permitted. You can also allow cookies to be kept only until the browser is closed, or block only third-party cookies.

A very convenient extension that requires almost no interaction, since the sites that really need cookies are actually very few, mostly the sites where you are registered. Highly recommended for everyone.

Extension page on Addons.Mozilla.Org

HTTPS Everywhere

An extension from the well-known Electronic Frontier Foundation, intended to force the use of HTTPS on sites that support it but do not make it the default. It helps protect your browser from MITM attacks, which can have bad consequences such as theft of your password on an untrusted network or a provider injecting advertising into pages.

The extension is very useful, especially when you have to connect to a Wi-Fi network in a cafe or at a train station, because it saves you from mistakes when typing https addresses or clicking a link. Where possible, it also rewrites insecure requests made by a page to secure ones.

EFF extension page

WOT - Web Of Trust

An extension that shows, next to links, the trust level of sites as rated by the community. It is intended for the “friend of an IT person”: I may not need it much myself, but I install it for everyone I know, after explaining that they should not click links marked with the “red circle”.

It helps protect against phishing and, partly, against sites with malware. In fact, it has a lot of false positives and does not handle subdomains of free hosting sites at all. But sometimes it is better to overdo it than not. It also has a negative impact on privacy: it sends the URL to be checked to its server.

WOT site

RefControl and UAControl

Add-ons for controlling the HTTP headers Referer (the address of the page from which the user came to the site) and User-Agent (a non-unique browser identifier). They let you pose as another browser or even a search robot, withhold from the site how you arrived at it, or put whatever you want into these fields. I used to go around the Internet with a User Agent made to look like an IE 10 browser under Linux. I wonder, do webmasters read these logs?

In principle, RefControl lets you prevent sites from learning which search query brought you to them, especially considering how much Google crams into this field. And UAControl lets you pose as a popular browser and “hide in the crowd” to avoid the same statistics collection. By the way, I was advised here to change the User Agent to Linux (if you don’t run Linux anyway), since this means some malware will simply not be served to you. A strange method, of course, but there is such an opinion.

RefControl on AMO
UAControl on AMO

Conclusion


I hope you have read this far; whether to install these extensions is up to you, especially since I have described everything in sufficient detail. Our browser is now safer from the inside, but how can I protect it from the outside with AppArmor? I may write about that later.

PS: I apologize for the style of presentation. This is my first post on Habr, so constructive criticism is welcome.

Source: https://habr.com/ru/post/195052/

