Security tips for Firefox users

I'm working on a page called Security tips for Firefox users, describing what I think Firefox users need to know in order to stay secure while using the Web. It focuses on malware and phishing as the major threats.

I find it scary that users have to know so much in order to stay secure. A lot of the things users are seemingly expected to know are not at all obvious, even to people who have been using the Web for a long time. Hopefully, this page will make it clearer what kinds of changes we should make to Firefox in order to help users protect themselves against malware and phishing.

39 Responses to “Security tips for Firefox users”

  1. Dao Says:

    regarding domains: https://addons.mozilla.org/firefox/4014/

  2. Jesse Ruderman Says:

    Dao, that’s pretty cool.

    What do you think of emphasizing the domain more than the rest of the hostname, using nsEffectiveTLDService to determine what the domain is? That would make it easier to notice bogosity such as “www.ebay.com.signin.com”, or things like “signin-ebay.com” when you’re expecting “signin.ebay.com”.

  3. Nicki Says:

    Very nice! *bookmarked*

  4. arielb Says:

    I wanted to promote this article…until I noticed the porn links. Not everyone will be happy with this.

  5. Dao Says:

    Jesse, that looks like the right thing to do. I’ll try it.

  6. Dao Says:

    Erm, nsEffectiveTLDService is Gecko 1.9 only.

  7. Heikki Toivonen Says:

    FlashBlock extension is pretty nice to deal with Flash. I seem to recall that by default it disables all Flash content, putting an icon you can click to enable that piece of content. You can also enable Flash for any site you trust.

  8. Dao Says:

    Anyway, 0.3 uses nsEffectiveTLDService:
    http://en.design-noir.de/mozilla/locationbar2/

  9. Heikki Toivonen Says:

    Another thing that helps is to run as non-privileged user, so that if the browser is compromised it will be limited in what it can do. This is a little problematic on Windows, but I’ve been doing it with Windows XP since 2003. There are also programs (even for Windows) that allow you to start a program with limited privileges (for example DropMyRights from Microsoft).

  10. Christopher Says:

    Cool doc.

    Maybe add some more obfuscated URL examples. This has a ton I’ve never seen before. http://www.pc-help.org/obscure.htm

    You should suggest using NoScript to whitelist plugins including Java, Flash, and others. NoScript can do this; you just need to turn it on in the advanced options.
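
The domain-emphasis idea from comment 2 (make the eTLD+1 stand out so that "www.ebay.com.signin.com" and "signin-ebay.com" are noticed) and the obfuscated-URL examples mentioned in comment 10 can be exercised in one piece of code. What follows is an added JavaScript example written for this page; it is not code from the original post, from Locationbar², or from NoScript. It assumes a tiny constructed public-suffix table in place of the data nsEffectiveTLDService consults, relies on the WHATWG URL parser (shared by browsers and Node.js) to resolve "user@host", decimal-IP and similar tricks to the host that will really be contacted, and uses square brackets where an address bar extension would use bold.

```javascript
// Added example, not code from the original post or from the Locationbar²
// extension it discusses. Isolates a URL's registrable domain (the eTLD+1
// that nsEffectiveTLDService would report) so it can be emphasised
// separately from the rest of the hostname, after normalising the URL with
// the WHATWG parser.
//
// Assumption: PUBLIC_SUFFIXES is a small constructed stand-in for the real
// Public Suffix List; a real implementation would load the full list.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "de", "uk", "co.uk"]);

// Registrable domain (eTLD+1) of a hostname, using the longest matching
// public suffix. Returns null for IP literals and for hostnames that are
// themselves a suffix or match no known suffix.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  if (host.startsWith("[") || /^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    return null; // IPv6 or IPv4 literal: there is no domain to emphasise
  }
  const labels = host.split(".");
  // Try the longest candidate suffix first; the first hit is the longest
  // public suffix, and one more label in front of it is the eTLD+1.
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Parse with the WHATWG URL grammar (what browsers use), so that
// "http://www.ebay.com@signin.com/" yields host "signin.com" and a decimal
// host such as 3232235777 becomes 192.168.1.1; then bracket the eTLD+1 in
// the display string.
function analyzeUrl(urlString) {
  const url = new URL(urlString);
  const host = url.hostname;
  const domain = registrableDomain(host);
  let display = host;
  if (domain !== null) {
    const prefix = host.slice(0, host.length - domain.length);
    display = `${prefix}[${domain}]`;
  }
  return { host, domain, display, userinfo: url.username };
}

// The question a user is really asking: does this URL land on the
// registrable domain I expect, whatever the labels in front of it look like?
function matchesExpected(urlString, expectedDomain) {
  return analyzeUrl(urlString).domain === expectedDomain.toLowerCase();
}

// Constructed sample URLs, including the look-alikes from the discussion.
const SAMPLES = [
  "https://signin.ebay.com/",
  "https://signin-ebay.com/",
  "https://www.ebay.com.signin.com/",
  "http://www.ebay.com@signin.com/",
  "http://3232235777/",
];
for (const sample of SAMPLES) {
  const info = analyzeUrl(sample);
  const verdict = matchesExpected(sample, "ebay.com") ? "expected domain" : "NOT ebay.com";
  console.log(`${sample.padEnd(36)} host=${info.host.padEnd(20)} ${info.display.padEnd(28)} ${verdict}`);
}
```

Run it with `node` and each sample prints on one line. Only "signin.ebay.com" is reported as the expected domain; the userinfo trick is exposed because the parser puts "www.ebay.com" in `username`, not in the host, and the numeric host comes back as a dotted IP with nothing to emphasise, which is itself the signal the address bar should convey.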

  11. Smylers Says:

    Having the main domain in bold is great. Are there any downsides to doing this? Is there a bug for making it a built-in Firefox feature?

    And I also think you should recommend the FlashBlock extension, rather than saying it’s hard to block.

  12. Jesse Ruderman Says:

    FlashBlock works by introducing XBL to web pages through a user stylesheet. I’m pretty sure a malicious site could get around it and still load Flash content. It works well enough for avoiding annoyances, but it’s not much of a security measure.

  13. Jesse Ruderman Says:

    NoScript’s plugin blocking is based on nsIContentPolicy. That sounds a lot safer. Thanks for pointing out NoScript’s plugin blocking feature, Christopher. I’ve edited the page to reflect that.

    I noticed that NoScript distinguishes Flash from Java from other plugins based on the mime type passed to nsIContentPolicy::shouldProcess. Hopefully the mime type correctly reflects which plugin is to be loaded; I guess I’d have to ask biesi and/or do a lot of testing to find out. But if you tell NoScript to disable all plugins on untrusted sites, the mime type issue is moot.

  14. Jesse Ruderman Says:

    I mentioned those safe porn sites because I think it’s more effective than making it sound like all porn sites are dangerous. Suggesting that users forgo porn altogether to avoid malicious sites just wouldn’t work.

    On the other hand, I think I understand arielb’s concern. I’m not trying to promote porn to children, teens who might be too young to enjoy porn responsibly, or adults who have decided to abstain. At least not with my “Security tips” page.

    Would it be better if I simply mentioned the names of the sites (e.g. “Tiava”) without making them links? Or if I moved those links to another page and said something like “click here for links to porn sites I think are safe”?

  15. Laur Says:

    The new IE7 has phishing protection … but it works so slowly on my computer. I still prefer Firefox :)

  16. arielb Says:

    Don’t forget “companies that block sites that aren’t worksafe”

    Yes, please move the links off the page so that I can link to the “work/kid safe” version and promote it.

  17. Jesse Ruderman Says:

    I de-linked the porn site names.

  18. Sylvain Says:

    Great article. Just to mention that the bug #209234 you link to has the security flag set, which makes it invisible to unprivileged people.

  19. Jesse Ruderman Says:

    Talking to biesi, it sounds like NoScript’s plugin blocking can’t tell the difference between plugins accurately, due to bug 309524.

    I also tested NoScript a bit and found that it didn’t block plugins at all when JavaScript was enabled globally, and also didn’t block plugins correctly half the time :(

  20. Giorgio Maone Says:

    Jesse, NoScript’s “Allow scripts Globally” command is there merely for debugging purposes, as a “quick disable NoScript” option: if you use it, plugin blocking ceases to work by design.

    What does “don’t block plugins correctly half the time” mean? It does it reliably in all stable Firefox versions. Are you using some trunk build?

  21. Jesse Ruderman Says:

    It’s not at all clear that the “Allow scripts Globally” command also allows plugins globally. You should rename it to make it more clear, or make “Allow all plugins globally” a separate option.

    I couldn’t get it to block some Homestarrunner Flash reliably, even in Firefox 2, with it set to disallow all plugins, and with “Allow scripts Globally” turned off.

  22. Gerv Says:

    It seems to me that the task of the Firefox security hackers could be summed up by saying “Make that page shorter”.

    I’ve always said that the shorter the list of things users need to know is, the better we are doing. See http://www.gerv.net/security/stay-safe/ .

  23. Gerv Says:

    Editorial comments:

    – Number the bullets and sections so I can refer to them more easily :-)

    – Link to the “plugin version blacklist” bug from bullet 1.

    – Given that this is a page explicitly for Firefox users, bullet 3 is unnecessary. Perhaps that point could be made in the introduction?

    – I’m not sure 4 and 5 are really practical for your average user. The mode of browsing involved (every time you visit a new site, you need to enable script, Flash and Java) is unlikely to work for them. Firstly, they’ll soon get bored of having to turn them on for each new site they visit. Also, if they visit a new site and get some sort of error, the first thing they will do is turn on all those things to see if it goes away – so there’s lots of inconvenience, but not really any protection.

    – Your point about OSes should come before the one about AV software, and the one about AV software should say “If you stick with Windows, …”.

    – “On Windows, Mac and Linux…” is fairly redundant in section 2. Yes, perhaps there are some highly specialised OSes where this is not necessarily true, but isn’t that being a bit pedantic?

    – People probably won’t understand the word “native”; perhaps best to just remove it.

    – In fact, perhaps it would be good to have a “Windows-specific” section, including the AV, double-clicking and extensions advice?

    – The domains and hostnames section should link both to the “make hostname bold” bug, and to a Bugzilla bug which advocates making this a normal part of Firefox.

    – I think there’s also a case for hiding the protocol. (We already have an option for this.) It would help when and if we implement security UI which shows bad HTTPS connections as if they were plain HTTP – because the “s” wouldn’t be there to confuse.

    – For that reason, I think recommending looking for the “s” (as opposed to the lock or the gold bar) is bad.

    – The status bar is always-on; people should check that (for secure sites) to avoid chrome spoofing. As we seem to have lost the battle on this one, though, we should switch the address bar to be always-on, and if the page requests that it be hidden, replace the editable version with a read-only version which displays only the hostname. This is neater without being a risk (in fact, it’s less risky, as sites can’t use other URL parts to obfuscate.)

    I don’t think we should always show the hostname in the status bar; that devalues it as a security indicator, because we are showing untrusted data.

    – You should make it clear which of the long-standing holes/tradeoffs are problems with all browsers.

    Gerv

  24. Jim Says:

    Great set of tips, great advice, but not sure it’s quite ready for the average user yet.

    I realise that explaining all of the more ‘geeky’ terms would make the document much more ‘wordy’ and put some people off, but there are some fairly technical terms in there that just aren’t in common English usage yet. Maybe you need some form of glossary page, or perhaps just making use of title attributes to give expansions/explanations on mouse-hover?

    For instance, picking on a couple of (fairly) random paragraphs I know that my Mother isn’t going to have a clue what a “URL” or a “domain” is, or what a “man-in-the-middle attack” is, or what a “router” is and what it has to do with connecting to a webpage.

  25. Ketan Says:

    Sorry to be in the wrong place. I have been using your collection of bookmarklets for a long time, but now it is simply not working, especially zap plugin and zap images on my new PC. I have WinXP and IE5. Your email ID for comments on the bookmarklets page is not working. Request you to please help.
    Regards,
    Ketan

  26. Jesse Ruderman Says:

    Link to the “plugin version blacklist” bug from bullet 1.

    Done. The page with specific instructions for Windows users on keeping plugins up-to-date also mentions this bug.

    Given that this is a page explicitly for Firefox users, bullet 3 is unnecessary. Perhaps that point could be made in the introduction?

    Good point. I moved it to the introduction for that section.

    I’m not sure 4 and 5 are really practical for your average user. The mode of browsing involved (every time you visit a new site, you need to enable script, Flash and Java) is unlikely to work for them. Firstly, they’ll soon get bored of having to turn them on for each new site they visit. Also, if they visit a new site and get some sort of error, the first thing they will do is turn on all those things to see if it goes away – so there’s lots of inconvenience, but not really any protection.

    I shortened this section and added the following sentence:

    “Of course, this requires you to make decisions such as “should I trust this site to run JavaScript?” frequently when you visit new sites, and if your answer is always “yes”, it doesn’t protect you much.”

    Your point about OSes should come before the one about AV software…

    Switching OSes is more effective against today’s widespread attacks than installing AV software, but it’s also a lot harder. Depending on the OS you want to switch to, you might even have to purchase new hardware.

    … and the one about AV software should say “If you stick with Windows, …”

    I’m not sure I agree; viruses can strike other platforms. I think I’ll add something to the point about switching operating systems instead. Something like “Because attacks against Mac users are so infrequent, a Mac user without anti-virus software is quite a bit safer than a Windows user with anti-virus software.”

    “On Windows, Mac and Linux…” is fairly redundant in section 2. Yes, perhaps there are some highly specialised OSes where this is not necessarily true, but isn’t that being a bit pedantic?

    I originally had this in there as a reminder that not only Firefox but also operating systems can make changes to improve security. But you’re right, it does sound more pedantic than hopeful. I took it out and added this to the bottom of the section:

    “(Hopefully, future operating systems will make it safe to download and install software by separating programs from each other and from your documents.)”

    People probably won’t understand the word “native”; perhaps best to just remove it.

    Ok.

    In fact, perhaps it would be good to have a “Windows-specific” section, including the AV, double-clicking and extensions advice?

    I don’t think so.

    The domains and hostnames section should link both to the “make hostname bold” bug, and to a Bugzilla bug which advocates making this a normal part of Firefox.

    Is this feature request in Bugzilla yet?

    I think there’s also a case for hiding the protocol. (We already have an option for this.) It would help when and if we implement security UI which shows bad HTTPS connections as if they were plain HTTP – because the “s” wouldn’t be there to confuse. For that reason, I think recommending looking for the “s” (as opposed to the lock or the gold bar) is bad.

    We already have an option for hiding the protocol in the address bar, aside from installing Locationbar²? I didn’t know that.

    I assume you’re referring to the first proposal in bug 327181. I hope we don’t do that; see comment 14 in the bug.

    The status bar is always-on; people should check that (for secure sites) to avoid chrome spoofing. As we seem to have lost the battle on this one, though, we should switch the address bar to be always-on, and if the page requests that it be hidden, replace the editable version with a read-only version which displays only the hostname. This is neater without being a risk (in fact, it’s less risky, as sites can’t use other URL parts to obfuscate.)

    I did mention that in the section on chrome spoofing. I agree that we should make that change to Firefox (making the entire section moot). I’m not sure I agree about showing only the hostname, though; it would be inconsistent with a normal Firefox window and it would be harmful in instances where a MySpace profile displays a fake MySpace login page.

    I don’t think we should always show the hostname in the status bar; that devalues it as a security indicator, because we are showing untrusted data.

    Whether you consider the hostname to be “untrusted data” depends on how much certainty you need at the moment and on how much you trust your Internet connection. I feel that the current UI ties “don’t force users to parse URLs and hostnames in their head” to https, and I don’t like that. Maybe we should revisit this argument when I’m happier with the address bar UI.

    You should make it clear which of the long-standing holes/tradeoffs are problems with all browsers.

    I added some “Safari is not vulnerable”, etc. I did it mostly from memory; hopefully I got it right.

    Unfortunately, this makes the page seem a little unfair to Firefox, since it doesn’t talk about long-standing holes in other browsers that Firefox doesn’t have.

    Thanks for the detailed comments :)

  27. arielb Says:

    Thanks jesse.

  28. mozilla links - Mozilla news, tips and more. » Firefox security tips Says:

    […] security tips By Percy Cabello. Jesse Ruderman, a long-time contributor to Firefox and other Mozilla projects, specializing in security topics, has released an article providing tips for a more secure experience with Firefox. […]