Security tips for users

Tips for Secure Browsing

Keep your browser up-to-date

Enable automatic updates so you're always using the most current version of your browser. Since web browsers are complex, security holes are found and fixed often, and bad guys start using the holes soon after they become publicly known. To enable automatic updates for Firefox, go to the Software Update section of Advanced options and check the boxes there.

Even if you only use Firefox, you should keep Windows and Internet Explorer up to date as well. To enable automatic updates for Windows XP and Internet Explorer, go to the System control panel and select the "Windows Update" tab. (Automatic updates are on by default if you have installed Windows XP Service Pack 2.)

Downloading and installing software

Do not download or install software except from sources you have identified as trustworthy. If a site says it requires that you install additional software (e.g. Flash) in order to view it, don't get it from the site. Instead, look up Flash in Google, see what people say about it, and download it from the vendor of the software or from update.mozilla.org to ensure that you're getting the latest version without any added trojans. If the software they want to install comes only from them and other content sites, do not install it; legitimate software is almost never distributed that way and the software is probably malicious.

Even signed software is not necessarily trustworthy. For example, malicious software that targets Internet Explorer users, which is common, tends to be in the form of signed ActiveX.

If you use an anti-virus program, keep its virus definitions up to date. Anti-virus programs protect you against some malicious software. Anti-virus programs do not protect against new viruses (they spread quickly!), quickly-changing spyware, or new malicious software written specifically to target you or your company, so do not assume they will stop you from running all types of malicious software.

Entering personal information

Before entering any personal information or passwords, you should ensure that the site is trustworthy and not spoofed. For sensitive information like credit card numbers and passwords for financial sites, you should also make sure the site is secure.

Make sure the site is trustworthy before shopping or submitting personal information.

Check that the site is not spoofed. Check the hostname (the part of the URL between "http://" or "https://" and the next "/"). The URL should begin as you expect, e.g. "http://www.paypal.com/", including the slash after the hostname. If the hostname isn't as you expect, or if that part of the URL contains an "@", close the window and visit the site by typing "www.paypal.com" or searching Google for "Paypal". See the section titled "more about hostnames" below.

Before submitting sensitive information like credit card numbers and financial passwords, you should also check that the site is secure in addition to checking that it is trustworthy and unspoofed. When you have a secure connection to a web site, a "lock" icon appears in the status bar. The "lock" icon indicates that the connection is encrypted and that there is no attacker between you and the site. Double-clicking the lock icon and then clicking "View" gives you an additional way to make sure you're on the site you think you're on. Secure sites' URLs start with "https://" instead of "http://" (this is redundant with the lock icon).

More about hostnames

A hostname is a series of words separated by dots. As you read a hostname from right to left, it becomes more specific. "com" is a top-level domain containing many sites. "paypal.com" is owned by a company, which controls both "paypal.com" itself and all more specific hostnames, such as "www.paypal.com" and "developer.paypal.com".

Thus, Paypal, Inc. controls all of the following URLs as a result of controlling "paypal.com":

Paypal, Inc. does not control any of the following by virtue of controlling "paypal.com". If you find yourself at a similar URL, it is probably a scam site set up by someone who wants to steal your Paypal account or other financial information.

Look out for misspellings in hostnames, like https://www.paypaI.com/ or https://www.páypal.com/.

If a site uses an IP address instead of a hostname (example: http://207.126.111.202), it is hard to tell what site you are on, so you should not trust such sites.

Passwords in URLs

The hostname is usually the first part after "http://", but there is one case where it isn't the first part. When a URL contains a username and password, they confusingly appear before the hostname, like this:

http://username:password@www.site.com/

A quick glance at

https://www.paypal.com:index.html@www.evil.com/

might not reveal that you are in fact connecting to www.evil.com, not www.paypal.com. Luckily, Firefox protects you by warning you when you click a link to a URL containing a username or password, and displays dots in usernames and passwords as "%2E" instead of as dots.
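The hostname checks described in this section and in "More about hostnames" above, written out as code. This is an added example, not part of the original page: it extracts the hostname a browser would really connect to (everything after any "user:pass@"), confirms the host is the expected site or a subdomain of it, and flags the warning signs the page lists: an "@" in the URL, a bare IP address, and non-ASCII look-alike letters. The expected domain "paypal.com" and the spoofed URLs come from the page; the remaining sample URLs are constructed.

```python
# Added example, not part of the original page: check a URL the way the text
# above tells a user to, but in code. The expected domain "paypal.com" and the
# look-alike/spoofed URLs come from the page; the other sample URLs are constructed.
from urllib.parse import urlsplit
import ipaddress
import unicodedata


def real_hostname(url):
    """Return the hostname the browser will actually connect to, lowercased.

    urlsplit() separates any "user:pass@" part of the authority from the host,
    so "https://www.paypal.com:index.html@www.evil.com/" yields "www.evil.com".
    """
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_under_domain(host, domain):
    """True if host is domain itself or a subdomain of it.

    Matches only at a dot boundary, so "www.paypal.com" is under "paypal.com"
    but "paypal.com.evil.com" and "notpaypal.com" are not.
    """
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def check_url(url, expected_domain):
    """Return a list of warnings; an empty list means the URL looks as expected."""
    warnings = []
    parts = urlsplit(url)
    host = real_hostname(url)

    if parts.scheme not in ("http", "https"):
        warnings.append("unexpected scheme %r" % parts.scheme)

    # An "@" in the authority means what you saw first was a username/password,
    # not the site: report where the connection really goes.
    if "@" in parts.netloc:
        warnings.append("'@' in the URL: actually connects to %r" % host)

    # A bare IP address gives you no hostname to judge.
    try:
        ipaddress.ip_address(host)
        warnings.append("bare IP address instead of a hostname")
    except ValueError:
        pass

    # Accented or otherwise non-ASCII letters can imitate the real name.
    odd = sorted({unicodedata.name(c, "U+%04X" % ord(c)) for c in host if ord(c) > 127})
    if odd:
        warnings.append("non-ASCII characters in hostname: " + ", ".join(odd))

    # "paypaI.com" (capital I, lowercased to "paypai") and "paypal.com.evil.com"
    # both fail this check.
    if not is_under_domain(host, expected_domain):
        warnings.append("hostname %r is not %r or a subdomain of it" % (host, expected_domain))
    return warnings


if __name__ == "__main__":
    samples = [  # constructed for this example
        "http://www.paypal.com/",
        "https://developer.paypal.com/",
        "https://www.paypal.com:index.html@www.evil.com/",
        "https://www.paypaI.com/",
        "https://www.páypal.com/",
        "http://207.126.111.202",
        "http://paypal.com.example.net/login",
    ]
    for url in samples:
        print(url, "->", check_url(url, "paypal.com") or "looks as expected")
```

The dot-boundary test in is_under_domain is the important detail: a plain substring or prefix match would accept "paypal.com.evil.com", which is exactly the kind of URL the page warns about.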

Browsing untrusted sites

While Firefox does not allow web sites to install software without your permission, it does not fully protect you from some other things. This section describes some extra precautions you should take on sites that you do not trust at all. (Most of these precautions apply to all web browsers, but we still wish you didn't have to know all this to stay secure. We're working on it.)

When sites open new windows, they can hide the address bar. If you are viewing an untrusted site and a new window appears that seems to be your bank, be wary, because the address bar in that window might be fake or "spoofed" (XUL example, HTML example). There are several things you can do to protect yourself against spoofed address bars:

When you add a bookmark, you should be aware of whether it is a data:, javascript:, or vbscript: URL. If it is one of those types of URLs, clicking the bookmark allows scripts contained in the bookmark to run in the context of the site you're viewing. The script could steal cookies, stored passwords, or act on your behalf on that site (bug 28387). Bookmarks using the javascript: protocol are called bookmarklets and are often useful, which is why Firefox does not warn you when you bookmark such a URL.

Since a site can display anything in its content area, it can display something that looks like another browser window. For example, a site in a maximized window might make a small "browser window" appear inside itself that looks like Paypal. One way to be safe is to maximize sites before typing passwords or personal information; you won't be able to maximize the fake window because it isn't really a window.

After saving or downloading files, make sure they are data files rather than programs. See the section below, Downloading files and e-mail attachments, for how to tell them apart.

Don't save and open untrusted HTML files. While HTML files are safe to view over the Web, they are no longer safe once you save them. Opening an HTML file from your hard drive allows JavaScript in the HTML file to read any text or HTML document on your hard drive (bug 230606 and bug 209234).

If you're new to typing or learning a new keyboard layout, keep an eye on the screen while you type so you don't inadvertently press a key that accepts a software installation dialog. (Related to bug 162020.)

You can use the status bar to see where links go, for example to avoid clicking links to http://goatse.cx/. But sites can use JavaScript to make it so the text displayed in the status bar is not the same as the link URL -- even if you uncheck "Allow sites to... change status bar text". The status bar is reliable when you are reading forums such as Slashdot, where you trust the site but not the person posting the link, and it is reliable while reading e-mail (assuming you haven't enabled JavaScript for mail messages). But the status bar is not reliable when you are viewing a site where the person who included the link can also include JavaScript.

If you type a lot of text into a web site, the site could cause your browser to upload a file with a known path and name (bug 56236).

If you copy text from a web site and paste it back into that web site, the site could cause your browser to upload a file with a known name (bug 57770). Most non-Mac web browsers are vulnerable.

If you copy text from a web site and paste it back into that web site, the site could read what was in your clipboard before by preventing the copy command from working.

Do not paste text from untrusted web pages into IRC programs or DOS command prompts. A site can disguise text so that it looks like you're copying one thing when you're copying another. The text you paste may contain line breaks, causing the program to execute commands in the pasted text and giving the attacker control over your computer. One solution is to open a Notepad window, paste, check that the text is what you expect, select all, cut, and close Notepad.
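The Notepad check described above, done programmatically. This is an added example, not part of the original page: it inspects a piece of text before it is pasted into a command prompt and reports the things that make pasted text dangerous, namely hidden line breaks (each one would run the command before it), control characters, and invisible or direction-changing Unicode characters that let displayed text differ from what is actually copied. The sample strings are constructed.

```python
# Added example, not part of the original page: inspect text before pasting it
# into a command prompt. It reports what the Notepad trick above would let you
# see: hidden line breaks, control characters, and invisible or direction-changing
# Unicode characters. The sample strings are constructed.
import re
import unicodedata

# Zero-width and direction-override characters: invisible when displayed, so they
# should never appear in a command line you intended to type.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def inspect_paste(text):
    """Return a list of findings; an empty list means the text is one visible line."""
    findings = []

    # Each line break makes a command prompt execute what came before it.
    breaks = len(re.findall(r"\r\n|\r|\n", text))
    if breaks:
        findings.append("%d line break(s): a command prompt would run each line" % breaks)

    for ch in sorted(set(text)):
        if ch in INVISIBLE or ch in BIDI_CONTROLS:
            findings.append("invisible or bidi character U+%04X (%s)"
                            % (ord(ch), unicodedata.name(ch, "unnamed")))
        elif unicodedata.category(ch) in ("Zl", "Zp"):
            findings.append("Unicode line/paragraph separator U+%04X" % ord(ch))
        elif unicodedata.category(ch) == "Cc" and ch not in "\r\n\t":
            findings.append("control character U+%04X" % ord(ch))
    return findings


if __name__ == "__main__":
    samples = [  # constructed
        "cd ~/project",
        "cd ~/project\necho this second line would run immediately",
        "cd ~/pro\u200bject",
        "cd ~/project\u202e",
    ]
    for s in samples:
        print(repr(s), "->", inspect_paste(s) or "single visible line")
```

Pasting into Notepad first shows you the line breaks; it does not show zero-width or bidi characters, which is why the function checks for them explicitly.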

Web sites can find out whether you have visited a given URL unless you disable global history (bug 147777).

Browsing from a public computer

When browsing using a public computer, you want to prevent the next person who uses the computer from being able to access your web site accounts. After clicking the site's "log out" button, close the browser window so the next person can't click the Back button to view your information or resubmit your password (bug 155030).

If the public computer allows you to access the browser's Options dialog, you should go to the Privacy section of Options when you're done and clear everything (login cookies, history, cache). Properly configured public computers block access to the Options dialog and automatically clear those when you exit the browser.

A second type of login, http auth, is only cleared when you close all browser windows (bug 55181, ...). If a site uses http auth, you'll see a dialog when you log in asking for your username and password (example) instead of a form in a web page.

Tips for Using Email Securely

Be aware that it is extremely easy for someone to forge an email message to make it appear as if the message has been sent by your bank, a software vendor (e.g., Microsoft), or another entity with whom you do business. If a message requests that you send your password or other private information, or asks that you run or install an attached file, then it is very likely that the message is not legitimate. When in doubt, just delete the message.

[Give specific examples:]

If a message is signed, you will see a pen to the right of the From address, and then you can trust the "from" address. [Link to a document that describes the difference between the kind of e-mail signatures corporations use and PGP / Enigmail signatures.] But if the e-mail is asking you to run an attached program, you should still be suspicious that the sender's computer might be infected with a virus.

Never fill out a form in an e-mail, because you cannot tell what web site the form will be submitted to.

Be cautious when clicking on links sent to you in email messages. If you do click on such a link, double-check the name of the site as shown in the location bar of the browser. Don't enter any personal information into forms displayed at such a site, and if you have any concerns whatsoever about your security, just close the browser window. Do not rely solely on the address displayed in the status bar of your e-mail program (split links, user:pass, javascript or maybe even CSS trickery); check the address displayed in the address bar of your browser after opening the message.

When you open an attachment, your e-mail client may say something like "be sure you trust the person who sent this file". Ignore this warning; its use of the word "trust" is dangerously inaccurate. Here's what you should do instead:

  1. Determine whether the file is a program or a data file using the instructions under "Downloading files and e-mail attachments". If it is a data file, it is safe to open. If it is a program or if you can't tell, continue to the next step.
  2. Contact the sender (in person or using a phone) to ask if they meant to e-mail you a program. Most likely, they did not mean to send you the program, and the program is a virus sent either from their computer or from another computer with a fake "From:" address.

Downloading files and e-mail attachments

If you download files, whether through the Web, e-mail, or a peer-to-peer application, you will be safer if you understand file types and extensions. Extensions determine what program is used to view the file -- or if the file is itself a program. In Windows and Mac, the action for viewing a document/image/movie (double-click or press Enter) is the same as the action for running a program, so you have to know what kind of file it is that you downloaded before you can open it safely. It is not sufficient to check the file's icon because executables can specify their icon to look like that of a data file.

In Windows, you should make sure file extensions are shown. In any Windows Explorer folder, Tools > Folder Options > View > uncheck "Hide extensions for known filetypes".

Tip: In Windows Explorer, you can use View > Details to make Windows show a "Type" column with a more readable description of the type of the file. This only applies to the current folder.

Common safe and unsafe file types

Documents (safe):
  .txt    Text document
  .rtf    Rich text document
  .doc    Microsoft Word document (safe if you keep Word up to date)
  
Images (safe):
  .jpg    Image - JPEG
  .jpeg   Image - JPEG
  .gif    Image - GIF
  .png    Image - PNG

Video (safe):
  .avi    Video - Various formats
  .mpg    Video - MPEG
  .mpeg   Video - MPEG
  .rm     Video - Real Player

Audio (safe):
  .mp3    Audio - MP3
  .ogg    Audio - Ogg Vorbis

Programs (unsafe):
  .exe    Windows executable - Application
  .scr    Windows executable - Screen Saver
  .com    DOS executable
  .bat    DOS batch file

Other unsafe types:
  .js     JavaScript
  .vbs    VBScript
  .html   HTML document.
            (Safe to view over the web, but not safe after saving or downloading.)
  .lnk    Windows shortcut.
            (Warning: the ".lnk" extension can be hidden even if you told Windows to
             always show extensions.  Instead, the icon contains an arrow.)
  .pif    Windows 3.1 shortcut (?)

Archives (contain other files, which may be safe or unsafe):
  .zip     Zip archive
  .rar     Rar archive

More on files

A note about archives: Viruses are often contained in archives, both to fool server-side virus scanners and to prevent your e-mail program from knowing whether the files contained in the archive are safe or unsafe file types.

When in doubt, right-click the file and select an appropriate action ("Edit in Wordpad", "Play in Winamp", etc.) instead of double-clicking. Note that "Open" on a right-click menu can mean either open a document or execute a program.

Another way to be safe is to never download any files or open any e-mail attachments, but that's not fun.

Any program you often open untrusted data files in, such as Winamp, should be kept up to date. It is possible that bugs in those programs, such as buffer overflow bugs, could allow even a data format such as MP3 to become dangerous.

Watch out for filenames with lots of spaces before the extension, like this one:

foo.mp3                            .exe
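A small classifier that applies the file-type table above and catches the disguises this section describes. This is an added example, not part of the original page: it takes a downloaded file name, finds the rightmost extension after trailing whitespace, looks it up in the page's safe/unsafe categories, and flags a run of spaces before the extension, a familiar data extension sitting in front of the real one (as in "foo.mp3 .exe"), and ".lnk", whose extension Windows hides. The extension lists are the page's; the sample names are constructed.

```python
# Added example, not part of the original page: classify a downloaded file name by
# its extension using the safe/unsafe table above, and flag the disguises the page
# describes (spaces before the real extension, a data extension followed by a
# program extension, and ".lnk", which Windows hides). The extension lists come
# from the page; the sample names are constructed.
import re

SAFE = {".txt", ".rtf", ".doc", ".jpg", ".jpeg", ".gif", ".png",
        ".avi", ".mpg", ".mpeg", ".rm", ".mp3", ".ogg"}
PROGRAMS = {".exe", ".scr", ".com", ".bat"}
OTHER_UNSAFE = {".js", ".vbs", ".html", ".lnk", ".pif"}
ARCHIVES = {".zip", ".rar"}


def extension(name):
    """Rightmost extension, lowercased, ignoring trailing whitespace ("" if none)."""
    name = name.rstrip()
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def classify(name):
    """Return (verdict, reasons) for a file name.

    verdict is "safe", "unsafe", "archive" or "unknown"; reasons explains why the
    file is not simply safe, including any disguise that was detected.
    """
    reasons = []
    ext = extension(name)
    stem = name.rstrip()[:-len(ext)] if ext else name.rstrip()

    # "foo.mp3            .exe": padding pushes the real extension out of view.
    if re.search(r" {2,}\.[^. ]+$", name.rstrip()):
        reasons.append("spaces before the extension hide that it is really %s" % ext)

    # "report.doc.exe": a familiar data extension in front of the real one.
    inner = extension(stem)
    if inner in SAFE and ext not in SAFE:
        reasons.append("looks like a %s file but the real extension is %s" % (inner, ext))

    if ext in PROGRAMS:
        verdict = "unsafe"
        reasons.append("%s is a program; opening it runs it" % ext)
    elif ext == ".lnk":
        verdict = "unsafe"
        reasons.append(".lnk is a shortcut whose extension Windows hides; it can point at any program")
    elif ext in OTHER_UNSAFE:
        verdict = "unsafe"
        reasons.append("%s can run script or is unsafe once saved locally" % ext)
    elif ext in ARCHIVES:
        verdict = "archive"
        reasons.append("archive: classify each file inside before opening it")
    elif ext in SAFE:
        verdict = "safe"
    else:
        verdict = "unknown"
        reasons.append("unrecognised extension %r: do not double-click" % ext)
    return verdict, reasons


if __name__ == "__main__":
    for name in ["photo.jpg", "foo.mp3                            .exe",
                 "report.doc.exe", "setup.zip", "page.html", "invoice.lnk", "README"]:
        print(repr(name), "->", classify(name))
```

Note that the function judges only the name, exactly as the page says a user must: the icon is not consulted, because an executable can choose any icon it likes.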

Firefox protects you from "Opening" some types of unsafe files directly before downloading them, but it does not prevent you from downloading them or warn you that the file is a program (bug 249951).

Related pages