8 Firefox extensions towards safer browsing
Web 2.0 has (re)introduced a wide variety of attack vectors that can be used against Internet users to steal sensitive information, control the web browser, and more. The security industry has seen a shift from concentrating on the servers that house data to protecting the data itself. Many web applications and social-networking sites today exhibit flaws that expose them to all sorts of attacks, with much focus on XSS, CSRF, exploiting the same-origin policy and malicious code execution.
With insight from a couple of web security experts and some further research, I’ve compiled a list of must-have Firefox extensions that help ensure safer and more secure browsing with Firefox. Many of us have agreed that the security “functionality” these extensions provide should be built right into Firefox (*cough*Mozilla Security Team*cough*). Below, I outline the risk and how each extension goes about mitigating it.
- Risk: Spammers and advertisers are increasingly using more malicious ways of getting advertisements to you. In the past we have seen hacked ads on MySpace and other sites serving malicious code to infect users.
- Use Adblock Plus to block advertisements. You can right-click an advertisement (or image) and add it to your blacklist. There are also subscription filters you can subscribe to that will remove almost all advertisements automatically. The subscription filters are maintained by individuals like you and me, who hate ads just as much.
- Risk: Some sites set cookies for tracking browser behavior of their users across multiple sites. These are cookies usually set by third-party advertising companies that have banner ads on the site you visited. This can be a privacy risk for Internet users who accept cookies globally and are not more selective in which sites they allow to set cookies.
- With CS Lite, you can easily control cookie permissions on a domain basis. You can allow, block, or temporarily allow a site to set cookies. Initially, set CS Lite to deny cookies globally, and then enable them on a per-site basis. Using this method, you can eliminate all those pesky tracking cookies served by third-party advertisers.
- Risk: When you visit a website, your IP address is recorded in an access log (unless the site specifically does not keep access logs). Sites such as Google tie your search records to your IP address. That means every search for information, be it medical remedies, hobbies, porn, etc., provides some piece of information about you. This poses an even greater privacy threat than tracking cookies.
- Use FoxyProxy to manage proxy settings within Firefox. FoxyProxy can also be used with Tor, which tunnels your browsing sessions through multiple servers around the world. It is much harder to trace your browsing habits back to your original IP when you proxy through multiple systems as you do on the Tor network.
*For more information on proxies, see the Wikipedia entry.
- Risk: Anti-DNS pinning (explained here) is an attack vector that has been mentioned a lot recently in the press. Essentially, malicious JavaScript can tell a browser to connect back to a site at a different IP address than the one it originally resolved to. This is especially dangerous when launched against sites with areas that are non-public (corporate intranets).
- Protect yourself from malicious JavaScript using LocalRodeo. You might be thinking, “but doesn’t NoScript protect me?” See the section on NoScript below for more information.
*A more general anti-CSRF solution is being worked on here.
- Risk: When you click on a link or open a tab to a new site, that site can see what page referred you to them in their logs and analytics software. This can be a privacy risk since this site now knows where you were coming from. Some sites instruct users to post non-clickable links or disable HTML in posts to prevent their site from showing up in other sites’ referrer logs. This could even be a liability for some sites, especially those that host links to questionable material.
- Use an extension like RefControl to stop Firefox from sending information on the referring site. You can enable referrers on a per-site basis if you need to. I have enabled it for just such an occasion on digg.com, since clicking on a link to duggmirror.com relies on the referrer to redirect you to the appropriate site mirror.
- Risk: Web sites use various scripting languages to increase the functionality of their pages. Unfortunately, these scripting languages open us up to a wide range of attacks such as XSS, XSRF and CSRF. Since the script is executed locally in the browser rather than server-side, malicious scripts can be used to compromise the web browser.
- Use NoScript to block scripts globally. NoScript can be configured to allow scripts to run on a per domain basis. NoScript can also help prevent XSS attacks because it can identify when a non-trusted site tries to inject JavaScript into a trusted site and filters it. But what about LocalRodeo? Well, NoScript isn’t perfect. It can’t be. If you allow scripts to run on a domain basis, you risk running malicious code. If a site you “trust” is compromised (e.g. cnn.com), any code on that site is run. If an attacker has inserted malicious JavaScript into the site, you’re pwned. With LocalRodeo, you are more protected against malicious attacks, such as anti-DNS pinning.
*See Andre Gironda’s Reflections on Trusting the Same-Origin Policy
*See Same-Origin Policy Part 1: Why we’re stuck with things like XSS and XSRF/CSRF
- Risk: Your browser caches various files when it visits a website to make subsequent visits load quicker. What we’ve seen though, are ways of tracking users via caches and cache timing attacks.
- SafeCache segments the browser cache by the originating document, preventing Site A from using a timing technique to determine whether you’ve visited Site B.*
- Risk: CSS can set the color of a link based on whether you have clicked or visited the site previously. This can be used against you in a CSS History Hack as demonstrated by Jeremiah Grossman.
- Like SafeCache, SafeHistory segments the marking of visited links on the basis of the originating document.* You might notice that NoScript protects you in the POC for both SafeCache and SafeHistory. That’s true, but go ahead and disable NoScript for the site and you’re not protected anymore. We need to be careful which sites we trust, because the author being ethical doesn’t mean that an attacker who compromises their site will be.
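To make the anti-DNS pinning item above concrete, here is an added JavaScript model of the two checks a LocalRodeo-style defence applies: remember the first IP address a hostname resolved to in the session and refuse a later connection to that hostname at a different address, and refuse any connection from a page served by a public address to a private (RFC 1918 or loopback) address. This is illustration code written for this page, not LocalRodeo’s source, and the hostnames and addresses in the sample session are constructed.

```javascript
// Added example (not LocalRodeo's source); sample addresses are constructed.
// Parse a dotted-quad IPv4 address into a 32-bit number; null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}
// RFC 1918 ranges plus loopback: where a rebinding attack wants to land.
const PRIVATE_RANGES = [['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16], ['127.0.0.0', 8]];
function isPrivateIp(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return false;
  return PRIVATE_RANGES.some(([base, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}
// Pin table: hostname -> first IP it resolved to in this browsing session.
// check(): may a page served from pageIp connect to host, which the
// resolver has just answered with resolvedIp?
function createPinTable() {
  const pins = new Map();
  return function check(host, resolvedIp, pageIp) {
    if (!pins.has(host)) pins.set(host, resolvedIp);
    const pinned = pins.get(host);
    if (pinned !== resolvedIp) {
      return { allow: false, reason: `rebind: ${host} pinned to ${pinned}, now ${resolvedIp}` };
    }
    if (!isPrivateIp(pageIp) && isPrivateIp(resolvedIp)) {
      return { allow: false, reason: `public page reaching private address ${resolvedIp}` };
    }
    return { allow: true, reason: 'ok' };
  };
}
// Constructed session: a hostname first resolves to a public address, then
// (after a short TTL) to an intranet one; a genuine intranet page is unaffected.
function sampleSession() {
  const check = createPinTable();
  return [
    check('evil.example', '203.0.113.10', '203.0.113.10'),
    check('evil.example', '10.0.0.5', '203.0.113.10'),
    check('intranet.corp.example', '10.0.0.5', '10.0.0.7'),
  ].map(r => r.allow); // [true, false, true]
}
```

The second check is what stops the rebound connection even if the pin table were cleared; a real extension would additionally have to pin per tab and expire pins when the browser restarts.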
Further Reading:
*Protecting Browser State from Web Privacy Attacks
Edit: Changed No-Referrer extension to RefControl

hi nice post, i enjoyed it
I would also recommend a combination of TorButton and Vidalia be added to the list, very useful utilities for anonymous browsing.
I’ve been using ABP and NS for quite some time but had no idea about the others. Nice Job.
You know, I’ve always figured that there were threats out on the net, but didn’t think I could do much to protect myself other than install a firewall. As a Firefox user, it’s nice to know that I have a bit more control. Thanks for the info!
René
http://www.workingauthor.com
@ Kevin:
There are worries for Tor anonymity. I like that Tor encrypts traffic to the end node, but exposure at the end node (and from the end node to the content) is still quite a significant problem.
Running code through ActiveX, Flash/Java applets, and other means can also give up information or control of the browser and/or entire client machine. For an example, look at DeCloak as part of the Metasploit project.
For better anonymity, using Tor to a valid SSL CGIProxy (or similar SSL-enabled proxy) is the first step to building an end-to-end encrypted tunnel, although I’d often rather just use SSL VPN (with client-side certificates and my own custom PKI) and a safe Internet connection (for performance/speed). Even HotSpotVPN is probably easier to use than Tor and provides the same (or a similar) amount of anonymity/safety.
What I don’t get is, AdBlock Plus blocks ads… but lets the cookies associated with those ads through to my system. Some of the cookie-blockers here require too much effort deciding which cookies to allow and which to block… why can’t we just block cookies for whatever AdBlock Plus is already blocking?
I nearly always run CCleaner after exiting my browser. The times I don’t, I get spyware cookies detected every time by my AVG AntiMalware. In every case it’s an ad cookie.
@ Moss:
Check out CS Lite (linked above) and its forums. There is a way of integrating anti-malware solutions with CS Lite (CookieSafe Lite), so that the adware cookies are blacklisted.
In other words, it does EXACTLY what you are asking for ;>
Personally, I use the full version of CookieSafe to whitelist every subdomain temporarily and usually only one per browser instance.
The link between blocking ads and security is lame. Most of the internet is supported by adverts, some selfish individuals use Adblock because they don’t like the ads but to say it’s to help security is just bad information.
The McAfee site advisor plugin is a good one which integrates into your search results telling you which ones are safe.
@Pete: Sure, you can argue that, but the same can be done using TiVo for television. I’d rather err on the side of caution and just block ads. I never clicked on ads anyways, so whatever you’re trying to say about people being selfish for using adblock, save it for someone who cares.
@ Pete:
You’ll be interested to know, that of the above Firefox add-ons, Adblock Plus is the only one that I don’t use. However, I do use the full CookieSafe version and not the Lite version, as mentioned earlier.
In Internet Explorer, I often use McAfee SiteAdvisor and the Netcraft Toolbar plugins. I wish that Safari had similar protections.
@Pete
People who use AdBlock to block all adverts aren’t a bad thing. They raise your click/view ratio on the ads that do get seen and save bandwidth.
None of these add-ons will protect against a CSRF attack that simply uses an image src URL.
Would a way to protect against such attacks be an add-on that would block any attempts to access URLs from any remote site for a set of sites that the user specifies?
I could then specify that my browser wouldn’t follow any links to my.bank.com – which wouldn’t impact me as I could either type in its URL or use a bookmark.
@SB, you’re right about LocalRodeo not protecting against CSRF hotlinking. I’m not sure if RequestRodeo implements this functionality — I will get back to you on that this weekend. If it doesn’t, it sounds like a great feature request!
Been thinking about this a bit more.
I _think_ such a feature would provide some protection against ‘remote’ CSRF attacks, but not against CSRF attacks that were made using a link posted to the same site being attacked (eg in user generated content). I guess most banks won’t allow user generated content in their sites for this reason.
However that still leaves many sites vulnerable that a user might want to protect.
The extension could allow a user to specify a subset of a site to protect (my.bank.com/onlinebanking) but that requires the user to delve into the site structure, and the protection breaks if the site structure changes.
A better solution might be if sites could actually specify in (for example) the HTML header the URLs that they think should be allowed to link to a specific page.
That could be abused to try to stop deep linking, but if browsers just warned about a potential issue then it would be in the users control. Of course that would require all of the major browsers to support such a feature, so that isn’t going to happen!
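The client-side policy sketched in the comments above, written out as an added JavaScript example (not code from RequestRodeo, LocalRodeo or any shipped extension): the user names a set of protected hosts; a request to one of them is allowed when there is no initiating document (typed address or bookmark) or when the initiating page is on the same site, and blocked when another site’s page initiates it, which covers the image src case. The two-label “site” rule and all URLs are assumptions constructed for the example, and the last sample request shows the gap noted above: a request planted on the protected site itself passes.

```javascript
// Added example (not RequestRodeo or any shipped extension); URLs are constructed.
// Registrable-site approximation: the last two labels of the hostname.
// (An assumption for brevity; a real extension would use the Public Suffix List.)
function siteOf(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}
// decide(): initiator is the URL of the document that caused the request,
// or null when the user typed the address or used a bookmark.
function createRequestFilter(protectedHosts) {
  const protectedSet = new Set(protectedHosts.map(h => h.toLowerCase()));
  return function decide(initiator, target) {
    const t = new URL(target);
    if (!protectedSet.has(t.hostname)) return { allow: true, reason: 'host not protected' };
    if (initiator === null) return { allow: true, reason: 'user-initiated' };
    const i = new URL(initiator);
    if (siteOf(i.hostname) === siteOf(t.hostname)) return { allow: true, reason: 'same site' };
    return { allow: false, reason: `cross-site request from ${i.hostname} to ${t.hostname}` };
  };
}
// Constructed requests against a protected bank host. The last case is the
// gap noted above: a request planted on the protected site itself passes.
function sampleDecisions() {
  const decide = createRequestFilter(['my.bank.example']);
  return [
    decide(null, 'https://my.bank.example/onlinebanking'),
    decide('https://forum.example/thread/1', 'https://my.bank.example/transfer'),
    decide('https://www.bank.example/home', 'https://my.bank.example/onlinebanking'),
    decide('https://forum.example/thread/1', 'https://news.example/article'),
    decide('https://my.bank.example/forum/post', 'https://my.bank.example/transfer'),
  ].map(d => d.allow); // [true, false, true, true, true]
}
```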
There’s an extension that works like an IDS but it’s still an alpha: FireKeeper
http://firekeeper.mozdev.org/
Not sure about protecting CSRF…
FireKeeper has been around for awhile but doesn’t seem to be going in any direction. NoScript is where it’s at…
It looks like Firefox are actually looking at providing better protection against XSS & CSRF: http://www.theregister.co.uk/2008/05/20/new_firefox_security_protections/
Here’s hoping IE does the same!
Nice lineup here. I’ve been using noscript, and had heard of a few of these, but there are a bunch that I didn’t know. Nice share. tnx!
How can this list not include WOT?
That app alone is the single safest web browser possible.
@geoff Whatever, this post is old.