If you would like to read the other parts in this article series please go to
- Web Browser Security Revisited (Part 1)
- Web Browser Security Revisited (Part 2)
- Web Browser Security Revisited (Part 3)
- Web Browser Security Revisited (Part 4)
- Web Browser Security Revisited (Part 5)
- Web Browser Security Revisited (Part 7)
Introduction
In Part 1 of this series, we discussed the importance of web browser security and some security-related issues that are common to all or many of the popular browsers today. In Part 2, we talked about some specific security mechanisms that are built into Internet Explorer and how they’re implemented. In Part 3, we looked at how to configure IE for best security. In Parts 4 and 5, we examined how to do the same with Google Chrome. And specifically at the special features Google provides for enterprise administrators with its Chrome for Business. In this, Part 6, we’ll continue with some tips on how to best secure Mozilla Firefox, and then wrap it up next time with some suggestions regarding Apple Safari and Opera.
Comparing the alternatives
At the ripe old age of 15 (as of April 2013) Firefox has been around for a long time. A few years ago, Firefox was the darling of computer users who were concerned about security. Internet Explorer 6 had a bad rep and Mozilla’s alternative was rapidly gaining market share. Then along came Chrome, Microsoft doubled down on security with each subsequent version of IE, and the poor fox found itself slowly losing out in popularity. The stats depend on which source you consult, but NetMarketShare.com’s pie chart puts Firefox 25’s share in November 2013 at only 10.43 percent to Chrome’s 12.71 percent (versions 30 and 31 combined). If you dig down into the “Other” stats, though, and add in Firefox 24’s 3.68 percent, Firefox comes in at a respectable 14.11 percent. IE is still the clear winner with 48.49 percent for versions 8, 9 and 10. IE 11, which comes with Windows 8.1 and was just recently released for Windows 7, adds another 3.27 percent.
Securing Firefox
The takeaway from the statistical information above is that Firefox is still a popular browser despite losing some ground over the last few years, thus it’s important for users who prefer it to understand its security settings and browser-specific steps they can take to make it more secure.
First, let’s look at the built-in security mechanisms in the latest version of Firefox. It now includes many of the same protective mechanisms that were first introduced in IE or Chrome. There is anti-phishing and anti-malware, which have become standard in all browsers, and automatic updates are enabled by default. Firefox also includes a content security policy (CSP) that protects against cross-site scripting (XSS) attacks, by which admins can configure specific domains that the browser can consider safe as sources of executable scripts. Other scripts will be ignored. You can read more about this feature on the Mozilla Developer Network web site.
Instant Website ID
The feature that Mozilla calls “Instant Website ID” uses color coding to warn you about suspicious web sites or to identify sites encrypted with SSL. A “site identity button” to the left of the URL displays one of the following icons for the site you’re on:
(Gray globe icon). This means the web site connection is not encrypted (or may be only partially encrypted. There is no identity information (certificate) provided for the site. You’ll see this icon on most regular HTTP sites.
(Shield icon). When you go to a site and the icon becomes a shield, you’ll also see a message that “Firefox has blocked content that isn’t secure,” and you can choose whether or not to allow that content. If you select to override that block by choosing Disable Protection on this Page in the drop-down box, this allows mixed content to be displayed and the icon changes to the next one in this list.
(Orange triangle with exclamation point). This icon is a warning message. It occurs with HTTPS sites that are only partially encrypted when you have mixed content (secure and non-secure) displayed and serves as a reminder that even though the URL says “HTTPS,” some of the content is served over HTTP and can be read or changed by attackers.
(Gray padlock). This icon identifies an HTTPS site that’s been verified so you know it has a valid digital SSL certificate issued by a Certification Authority (CA) such as Verisign or Thawte. It also means the transmissions to and from the site will be encrypted with SSL. It does not guarantee that the identity of the certificate holder is as stated. Anyone could buy a certificate claiming to be another person or company.
(Green padlock). This icon identifies an HTTPS site that has an Extended Validation Certificate (EV certificate). That means not only is the transmission encrypted, but the identity of the certifcate holder has been verified by the issuing CA. This is the equivalent of when the entire URL address bar turns green in Internet Explorer to indicate an EV certificate.
Custom Security Settings
The Firefox browser has security settings in the graphical interface that can be configured to control the levels of security and behavior of the browser in regard to security-related actions. Click Settings in the toolbar at the bottom of the browser window and then select the Security icon (gold padlock) at the top of the Options dialog box, as shown in Figure 1.
Figure 1
Here you’ll find that most of the default settings are configured to provide more security: Firefox will warn you when sites try to install add-ons, block reported attack sites and block foreign web forgeries. We recommend that you don’t change these default settings. You can, if you have trusted sites and want to forego the warning from those sites, create exceptions by entering the URL of each trusted web site and clicking Allow in the Exceptions dialog box.
This same interface also has password options and this is where you might want to make a change for better security. By default, Firefox will remember passwords for sites. The more secure setting would be to uncheck this box and have the user enter the password each time he/she connects to a site.
If you do choose to allow Firefox to store passwords, you can add a bit of security by using a master password to protect the stored passwords list. This is not enabled by default but is easy to implement. Check the box and the Change Master Password dialog box will pop up, as shown in Figure 2. Here you can enter and confirm a password, and the “quality meter” will indicate how strong the password is.
Figure 2
Unfortunately, the master password field is limited to 17 or fewer characters, but by combining alpha, numeric and symbol characters, you can create a strong password within those limits. When you’ve set a master password, you’ll have to enter it for each browser session before Firefox will use your stored site passwords.
Privacy features
As with IE and Chrome, Firefox has private browsing options to prevent saving browsing history information and a Do Not Track feature to let you opt out of tracking that is performed by many web sites. However, it’s important to be aware that not all sites honor the browser’s settings. History and tracking settings are configured through the Privacy tab in the Options dialog box.
It’s also easy to manually clear your recent browsing history, which includes a list of visited sites, cached web pages and graphics, cookies and site preferences. Some users might not be diligent about logging out of sites that use HTTP authentication, and clearing the history will also log you out of those active sites. To clear the history, you just click the orange Firefox button at the top left of the browser window and select History | Clear Recent History …
Prevent automatic connections
Firefox (like other browsers) sometimes automatically connects to the Internet for updating of bookmarks, anti-phishing and anti-malware definitions and security fixes, prefetching and other legitimate purposes. Malware can also cause the browser to connect automatically and send information to an attacker.
In most cases, you can prevent various types of automatic connections – although doing so isn’t necessarily desirable from a security point of view, as in the case of update checking, download and installation. You can stop the automatic reloading of live bookmarks by deleting all of your live bookmarks. If you don’t want the browser to connect to the web periodically to reload the home page, you can set it to a blank homepage.
Firefox updates metadata about each of the installed add-ons once per day by default. You can disable this going to about:config (type this in the address bar and press Enter). Look for extensions.getAddons.cache.enabled and set the value to False. You can disable link prefetching in the same way; in that case, look for network.prefetch-next and set it to False.
Some extensions (add-ons/plug-ins) will make automatic connections, as well. You can disable individual extensions by following the instructions here.
Speaking of add-ons, Mozilla provides a Firefox add-on that will allow you to manage Firefox preferences via Group Policy. You have to add an ADM file (administrative template) to define the registry keys will be read. You load the file, define the preferred settings and install the extension to read those settings. You can hide the extension from users so they can’t disable it. There’s a link to download the ADM file here.
Summary
In this, Part 6 of our series on web browser security, revisited, we looked at the third of the “Big Three,” Mozilla Firefox, and how it can be made more secure. We’ll wrap up this series in Part 7 by addressing the two remaining browsers with significant market share, Apple Safari and Opera.
If you would like to read the other parts in this article series please go to
