Five Tools To Bulletproof Firefox


Spyware, adware, drive-by downloads, phish blitzes, malware of all stripes, they all have one thing in common: they reach your computer through the wide open door that is your browser.

If the most important step you can take to secure your system is to use a secure browser -- advice held by everyone apparently, including Microsoft, which is working feverishly on IE 7 to close the years'-long security gap it created by not keeping the app up to date -- then the second step is to lock down the browser beyond what it offers out of the box, and/or learn how to use the security tools it does provide.

Firefox, which recently regained some of its market share momentum, fits the bill as a secure browser (more secure, anyway, than IE 6.x, its prime competitor).

We've wrapped up the second step for you by sniffing out five tools -- four extras and one integrated -- that we see as the most important security add-ons.

Now when malware and spyware and adware walk through the door, you can tell them

Not so fast, buddy. I'm Firefox armed and dangerous.

NoScript: We Don't Need No Stinkin' Java

Firefox may not allow ActiveX -- the Microsoft Internet Explorer technology at the root of numerous vulnerabilities over the years -- but it does support other active content that can be as dangerous, like JavaScript. The bulk of Firefox-exploitable active content vulnerabilities are, in fact, JavaScript bugs. (The most recently reported was one that hit the wires in early June; TechWeb covered it here.)

Although it's possible to disable JavaScript entirely -- Tools|Options|Web Features, clear the Enable JavaScript box -- that's not such a good idea; at times you'll not only want JavaScript, you'll need it. (Some online banking sites, for instance, put log-in forms on the screen using JavaScript.)

Enter NoScript.

The extension blocks Java and JavaScript (and Flash if you tell it) on all sites but those on a user-defined whitelist. Better still, you can authorize a site to use JavaScript for that session, or add it to the whitelist.

A small icon at the bottom of Firefox indicates the NoScript status of the site; a click there lets you allow some or all scripts on the page, or turn them off on a previously-whitelisted site.
SiteAdvisor: I Spy Before They Spyware
Most security strategies are reactive: like a beat cop, they don't swing into action until a crime's committed. Oops, too late: your identity's been hijacked.

To go proactive, you need something that gives you a hint of how dangerous an Internet neighborhood is before you walk into it. That's the approach of McAfee's SiteAdvisor.

The SiteAdvisor extension ( available here) slaps a green, yellow, or red safety rating next to search results on Google, Yahoo, and MSN; puts a color-coded button in the Firefox frame; and with a fast mouse-over, displays details about why the site's nasty, nice, or in-between.

SiteAdvisor scores sites on excessive use of pop-ups, how spammy the site is if you give it your e-mail address, and most importantly, prevalence of malicious downloads (including adware and spyware).
Anti-Phishing Tools: No Spoofs Allowed

While Beta 1 of Firefox 2.0 includes built-in anti-phishing tools -- based on an embryonic blacklist -- earlier editions need help from outsiders to warn you of suspicious sites.

The best-known anti-phishing toolbar for Firefox is a free-of-charge download from U.K.-based security vendor Netcraft. The community-supported toolbar -- that means users are the ones who sniff out most of the nasty sites -- blocks suspected URLs, displays a risk ranking for others, and inserts an icon to indicate the site's country of origin.

Other options exist, however, including Google's "Safe Browsing" extension, which adds an icon to the Firefox address bar when you surf to a spoofed site. (Safe Browsing is also part of the Google Toolbar for Firefox; the technology is also the basis for Firefox 2.0's anti-phishing defense.)
Clear Private Data: No Peeking

Every browser lets you cover your tracks -- an essential security step when you're working on a shared computer or one where others may peek inside (think office system) -- but Firefox's privacy retention command is the simplest to call.

Press the Ctrl-Shift-Del key combination -- or if you're more comfortable with the mouse, select Tools|Clear Private Data -- and a dialog box pops up offering to delete everything from the browsing history to saved passwords. (By unchecking the "Ask me before clearing private data" box, you'll save yourself a second click in the dialog.)

The feature, which debuted in Firefox 1.5, can be extended with the very small extension Clear Private Data; it adds a "clear data" item to the right-click menu within Firefox, and an optional icon that can be dragged and dropped to the browser's toolbar.
Password Maker: Password Please!

Security experts may nag us relentlessly to use different passwords for each Web site, but who, frankly, has that kind of brain power? Remember a dozen different passwords? Come on.

Firefox includes an integrated password manager (it's at Tools|Options|Passwords) that memorizes passwords, and if you want offers a "Master Password" to secure all the others, but a better tool is Password Maker, an extension that creates complicated, mathematically-difficult-to-break passwords automatically, but asks you to remember only one password.

Password Maker even has an online version so you can access its protected sites when you're away from your PC.

We're not cryptologists, so we really don't understand the science behind the extension -- there's more information here if you're interested -- but all you need to know is that your passwords aren't stored anywhere, so there's nothing for ID thieves to rip off.