Security tips for Firefox users

This document describes what I think Firefox users need to know in order to be secure while using the web. It is long because Firefox and operating systems are not perfect; as they improve, there will be less you need to know.

Tips for secure browsing

Protecting your computer from browser security holes

Occasionally, someone finds a flaw in Firefox (or a plugin) that allows any malicious web site you visit to take over your computer. This is less of a problem in Firefox than in some other browsers: according to research by Brian Krebs, Internet Explorer users were vulnerable to at least one known critical vulnerability for 70% of the days in 2005, while Firefox users were vulnerable for 5% of 2005.

Following these measures will keep Firefox from being vulnerable to these severe security holes most of the time:

These optional measures make your computer less likely to be infected with malware, even if your software is vulnerable:

Downloading and installing software

Any software you run can take over your user account, so it is important to be careful when downloading native software.

(Hopefully, future operating systems will make it safe to download and install software by separating programs from each other and from your documents.)

Handling downloaded files

Windows makes it difficult to distinguish between data files and applications, and the same actions that open files (such as double-clicking) are also used for launching applications. A music file and a malicious application can look identical on common Windows setups. If you download files, whether through the Web, e-mail, or a peer-to-peer application, you should learn how to distinguish file types.

One way to determine the types of files is to use the "Details" view, which includes a column showing an English description of the file type -- "Application", "Text document", and so on. To use this view, select "Details" from the "View" menu in Windows Explorer.

Another way to determine the type of a file is to look at the file's extension. This method requires memorizing dozens of three-letter sequences, and has some other drawbacks, so I don't recommend it. See this page about file extensions if you're interested in using this method, or if you want to know why I don't recommend it.

If you download 20 video clips from 10 porn sites, you're unfortunately expected to check the type of each one before double-clicking on it. Hopefully, future versions of Firefox will do this for you (bug 249951).

Note that you cannot rely on a file's icon to determine whether it is a program or a data file, because a program can have any icon in Windows. An attacker might choose a common "video file" icon as the icon for the program disguised as a data file.

When in doubt, drag the file to the correct application -- for example, run Winamp, then drag the supposed audio file to Winamp. Alternatively, right-click the file and select a specific action, such as "Edit in Wordpad" or "Play in Winamp". Beware of the verb "Open", which can refer both to opening a document and launching an application.

By the way, any software you use to handle data from the web should be kept up-to-date. For example, if you download MP3s and play them in Winamp, be sure to keep Winamp up-to-date.

Protecting personal information from phishing

When you're about to log into an e-commerce site like eBay, you should make sure you're actually on eBay, rather than one of the hundreds of phishing sites designed to look like eBay. You cannot rely on the content area to determine where you are, because the appearance of a site can easily be copied. In Firefox, look at the address bar to determine where you are; see the section below on hostnames for how to interpret this information.

Phishing usually involves forged email, so be especially careful after clicking a link in an email that appears to come from a site like eBay. When in doubt, close the window and use another method to reach the site.

Firefox has anti-phishing protection that detects about 80% of phishing sites, mostly by maintaining a list of known phishing sites. Since the people who run phishing scams frequently have tens of thousands of compromised computers on which to host phishing sites, the 80% figure is unlikely to improve. So while using Firefox protects you from some phishing scams, you can't rely on it and you still need to check what site you're on.

Concepts

Identifying trustworthy sites

You should make sure a site is trustworthy before making a purchase or downloading software from it. Here are some quick things you can try:

Domains and hostnames

The part of a URL after "http://" up to the next "/" is the hostname, which tells Firefox which site to connect to. As you read a hostname from right to left, as a sequence of parts separated by dots, it becomes more specific. For example, "com" is a top-level domain containing many sites, "ebay.com" is a domain owned by eBay, and "signin.ebay.com" is a part of ebay.com.

Here are some examples of URLs that eBay controls as a result of owning "ebay.com":

eBay Inc. does not control any of the following as a result of owning "ebay.com". If you find yourself at a similar URL, it is probably a scam (phishing) site set up by someone who wants to steal your eBay account, money, or auction goods.

In the examples above, I helped by bolding the top-level domain ("com" in these examples) plus one more level, in order to indicate the domain that some person or company owns. Most web browsers do not do this for you; instead, they expect you to parse hostnames in your head by scanning from right to left, looking for dots.
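The right-to-left reading described above can be written out as a small check. This is an added example, not code from the original page; the function names (hostnameOf, ownedDomain, belongsTo) are hypothetical and the sample URLs are constructed. It assumes the page's simplification that the owned domain is the top-level domain plus one more level.

```javascript
// Added example, not from the original page: reading a hostname right to left.
// Simplification taken from the page: the owned domain is the top-level domain
// plus one more label. Suffixes such as "co.uk" need the Public Suffix List,
// which this sketch does not consult.

// Hostname of a URL, lower-cased, or null if the URL does not parse.
function hostnameOf(url) {
  try {
    return new URL(url).hostname.toLowerCase().replace(/\.$/, "");
  } catch (e) {
    return null;
  }
}

// Last two dot-separated labels: the domain some person or company owns.
function ownedDomain(hostname) {
  // An IP address (dotted digits or bracketed IPv6) has no labels to read.
  if (/^[\d.]+$/.test(hostname) || hostname.includes(":")) return null;
  const labels = hostname.split(".").filter(Boolean);
  return labels.length < 2 ? null : labels.slice(-2).join(".");
}

// True only when the URL's hostname is `domain` itself or a part of it.
function belongsTo(url, domain) {
  const host = hostnameOf(url);
  return host !== null && ownedDomain(host) === domain.toLowerCase();
}

// Constructed sample URLs; example.net and example.com are reserved names.
const SAMPLES = [
  "http://signin.ebay.com/login",
  "https://EBAY.com/",
  "http://signin.ebay.com.example.net/login",
  "http://ebay.example.com/signin",
  "http://192.0.2.7/ebay.com/signin",
];

// One row per URL: the domain read off the hostname and whether it matches.
function report(urls, domain) {
  return urls.map((url) => ({
    url,
    owned: ownedDomain(hostnameOf(url) || ""),
    match: belongsTo(url, domain),
  }));
}

console.table(report(SAMPLES, "ebay.com"));
```

Only the first two sample URLs match "ebay.com"; in the others, "ebay.com" appears to the left of the owned domain or in the path, where anyone can put it.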

https

When you connect to any web site, there are many routers between your computer and the site. When the connection uses the http protocol, any of those routers could look at the information or even modify it. If credit card numbers were routinely sent over http, there would be a huge incentive for criminals to compromise those routers in order to collect credit card numbers.

In contrast, when you connect using https, you can be almost certain that your connection is not being hijacked or eavesdropped. The https protocol accomplishes this with a combination of cryptographic authentication and encryption. When you connect to a site using https, Firefox turns the address bar yellow and shows a lock icon in both the address bar and the status bar.

Before submitting sensitive information like credit card numbers and financial passwords, you should check that you are connected to the correct site and that the connection is using https. If your bank lies to you by telling you that it is "secure" to log in using a form on a page that is not served using https, you should never log in while using an untrusted wireless internet connection and you should consider switching banks.

Note that https does not guarantee that the site is trustworthy, and in particular does not guarantee that the domain name does not infringe trademarks. You still need to verify that the hostname actually belongs to the correct company. (This may change over the next few years as Extended Validation certificates and corresponding browser UI are introduced.)

Browser chrome spoofing

When sites open new windows, they can hide the address bar (bug 337344) in the new window. This allows them to create fake address bars that appear in the same place (the top of the window) as a real address bar.

There are several ways to protect yourself against spoofed address bars:

Also note that sites can display entire fake "browser windows" inside their content areas. You can't trust the address bar of a small "browser window" which is entirely "in front of" an untrusted site's content area, because it might not be a browser window at all. One way to be safe is to keep your browser windows maximized or at least large.

Long-standing holes and tradeoffs

Most of these attacks have never been used "in the wild", but if you have reason to be extra paranoid about web security, it's good to know about them.

Always keep an eye on the screen while typing into web browser windows, so you don't inadvertently press a key that triggers an unwanted action in a security dialog (bug 363142).

If you type a lot of text into a web site, the site could cause your browser to upload a file with a known path and name (bug 56236, fixed in Firefox 3; Safari is not vulnerable).

Don't save and open untrusted HTML files. While HTML files are safe to view over the Web, they are no longer safe once you save them. Opening an HTML file from your hard drive allows JavaScript in the HTML file to read any text or HTML document on your hard drive (bug 230606 and bug 209234; IE is less vulnerable if you use Windows XP SP2).

When you add a bookmark, make sure the URL uses a normal scheme such as http or https. If it's a special scheme like data: or javascript:, clicking the bookmark allows scripts contained in the bookmark to run in the context of the site you're viewing. The script could steal cookies, stored passwords, or act on your behalf on that site. (Bookmarks using the javascript: protocol are called bookmarklets and are often useful. Bookmarklets are usually added by dragging a link or right-clicking a link and selecting "Bookmark Link...", but even bookmarking through Bookmarks > Bookmark This Page can bookmark javascript: and data: URLs.) (See bug 28387 and bug 72374. If you use IE, you'll see a warning dialog if you add such a bookmark.)

Web sites can find out whether you have visited a given URL. For example, a site could find out that you read Slashdot, and then find out which Slashdot articles from the last week you chose to read. You can mitigate this by disabling global history, but that will also break auto-complete and visited-link coloring (bug 147777; Opera appears not to be vulnerable).

When you copy text from an untrusted web site, the text that ends up on your clipboard can be something entirely different from what you thought you were copying (bug 504748). In particular: