Usable Browser Privacy & Security

September 15, 2011

In a previous post I talked about one aspect of making sure URLs you visit are safe. While writing that post, I started thinking about what I do and would recommend to browse securely while still keeping the experience usable. Of course the “usable” requirement here means excluding efforts such as using a separate computer or browser for sensitive activity or only browsing in a VM or LiveCD environment.

First off, my recommended browser of choice is Firefox … not because it’s necessarily the best browser out there but more based on the number of available add-ons … especially the security ones I suggest below. One thing to consider though is to try to keep the number of add-ons to a minimum. This not only helps Firefox start and run faster but it also minimizes the risk of getting p0wned by a vulnerable add-on. Anyway, the security add-ons I use in almost all of my Firefox installs include:

  • NoScript: This add-on is always the first plugin I install. Most malicious websites require JavaScript in some form to infect their victims, and taking NoScript’s disabled-by-default approach goes a long way.
  • HTTPS-Everywhere: Ever since FireSheep was released last year this add-on is a must-have. It forces your browser to always use HTTPS when visiting a number of popular websites. Of course better yet is to purchase a personal VPN or use your company’s if they allow.
  • Adblock Plus: This add-on is a fairly new one I’ve added to the mix based on the proliferation of malicious ads. Since most content on the web is free and ad supported, I almost hate to use it … but I value online safety more.
  • Google (SSL) Search Engine: This nice search engine add-on forces your browser to use Google’s encrypted search engine when using the built-in browser search bar. I use it just in case HTTPS-Everywhere misses requests sent from this field rather than a web page.

Over the years I’ve tried many other security plugins but these are the ones I always come back to from a usability perspective. And of course be sure to add some quick bookmarks to UnmaskURL, URLVoid, and VirusTotal as these services provide additional ways to research potentially malicious websites.

Now from a usable privacy perspective I usually head on over to Firefox’s Privacy preferences area and uncheck “Automatically start Firefox in a private browsing session.” Make sure all the other sub-options are checked except for “Accept third-party cookies.” Under the “Settings” button associated with “Clear history when Firefox closes,” verify everything is checked.

One of the usability consequences of locking your browser down is that you may lose your open tabs and/or sessions if your browser crashes or is running slow and you want to restart. This could be a problem if you’re like me and keep tabs open as placeholders for pages you want to look at later. To make sure Firefox gives you the option to save your tabs, verify the following preferences.

  • General: Select “Show my home page” from the Startup drop-down.
  • Tabs: Ensure “Warn me when closing multiple tabs” is checked.
  • Privacy: Under the “Settings” button associated with “Clear history when Firefox closes,” uncheck “Browsing History.”

Unchecking “Browsing History” does create a risk that some sensitive information could be carried over between sessions indefinitely. On the main Privacy tab, changing “Remember my browsing history for at least” to 0 days helps mitigate this concern since any history storage would expire in less than a day.

Now if the browser crashes with 30 or so tabs opened, you at least get all your tabs back; however, your active sessions were probably lost. And if your browser is running slow and you want to restart, simply go to Preferences -> Privacy and uncheck “Clear history when Firefox closes.” Then close the browser and select the option to save your tabs. Now everything from your prior session should mostly reappear as you left it. Just be sure to go back in and recheck “Clear history when Firefox closes.”
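A quick way to check a profile against the steady-state settings described above, as an added example that is not from the original post: the about:config key names are an assumed mapping of the Preferences checkboxes and should be confirmed for your Firefox version, and the sample prefs text is constructed. prefs.js records only values changed from the default, so a missing key is reported as unset rather than guessed.

```python
import re

# Assumed mapping of the checkboxes above to about:config keys (not from the
# original post); confirm each name in about:config for your Firefox version.
RECOMMENDED = {
    "browser.privatebrowsing.autostart": False,   # not a permanent private session
    "network.cookie.cookieBehavior": 1,           # 1 = no third-party cookies
    "privacy.sanitize.sanitizeOnShutdown": True,  # "Clear history when Firefox closes"
    "privacy.clearOnShutdown.history": False,     # "Browsing History" left unchecked
    "browser.startup.page": 1,                    # 1 = "Show my home page"
    "browser.tabs.warnOnClose": True,             # "Warn me when closing multiple tabs"
}
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {name: value} for the user_pref() lines in prefs.js/user.js text."""
    prefs = {}
    for m in filter(None, map(PREF_LINE.match, text.splitlines())):
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')  # string pref
    return prefs

def audit(text):
    """Map each recommended pref to 'ok', 'unset' or 'differs (found X)'."""
    found = parse_prefs(text)
    report = {}
    for name, want in RECOMMENDED.items():
        if name not in found:
            report[name] = "unset"  # not in the file: the browser default applies
        elif found[name] == want and type(found[name]) is type(want):
            report[name] = "ok"
        else:
            report[name] = "differs (found %r)" % (found[name],)
    return report

# Constructed sample, not taken from a real profile (3 = restore previous session).
SAMPLE = '''# Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("network.cookie.cookieBehavior", 1);
user_pref("privacy.clearOnShutdown.history", true);
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Point it at the text of prefs.js from your own profile folder; anything reported as unset still needs a look in about:config, since defaults vary between Firefox versions.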

#####

Do you like some of the plugins I mentioned above? Do you know that many of these plugin authors don’t make a dime off of their work? If you use any of these plugins on a regular basis, please consider heading over to their site and donating a few bucks. This kind donation helps ensure that these valuable tools remain free and up to date for the community to enjoy. See ya!


18 Responses to Usable Browser Privacy & Security

  1. C-Sec (@csec) on September 15, 2011 at 3:10 am

    Usable Browser #Privacy & #Security: [nova#infosecportal.com] In a previous post I talked about one aspect of… http://t.co/CPInBkfw

  2. Elsbeth pidder.com (@_pidder_) on September 15, 2011 at 4:40 am

    Usable Browser Privacy & Security http://t.co/AvgnLyQg

  3. Michael (@_cypherpunks_) on September 15, 2011 at 5:25 am

    Usable Browser Privacy & Security | NovaInfosecPortal.com: http://t.co/vYrVlL9w – Torbundle is missing /c @torproject

  4. Any other FF security add-ons you use while still maintaining a usable browser experience? http://t.co/HxLdCKbn

  5. Brian (@RealSecurity) on September 15, 2011 at 1:44 pm

    Usable Browser #Privacy & #Security http://t.co/ebCJ3tml

  6. Received suggestion 4 TorBundle 4 another security add-on 2 include. Any others while still keeping FF usable? http://t.co/HxLdCKbn

  7. grecs (@grecs) on September 15, 2011 at 7:00 pm

    Received suggestion 4 TorBundle 4 another security add-on 2 include. Any others while still keeping FF usable? http://t.co/Z7wYiF5X

  8. There are some standard Firefox plugins .. I talk about them here: http://t.co/Z7wYiF5X #securechat

  9. grecs on November 13, 2011 at 8:37 pm

    As most people know FireFox seems to have some major memory problems over the past year. If you’re on Windows there is a popular add-on called Memory Fox that tries to temporarily fix this problem. Hopefully FireFox will provide a permanent fix soon.

  10. grecs on November 15, 2011 at 1:07 pm

    Also there is LastPass … helps you follow good password practices while keeping the web usable. Now with Google Authenticator goodness! http://www.novainfosec.com/2011/11/15/new-multifactor-authentication-for-lastpass/

  11. (@novainfosec) on April 6, 2012 at 3:47 pm

    Best Of: Usable Browser Privacy & Security http://t.co/HxLdCKbn

  12. (@novainfosec) on April 17, 2012 at 6:38 am

    Best Of: Usable Browser Privacy & Security http://t.co/gstMVyCk

  13. (@novainfosec) on June 19, 2012 at 8:35 pm

    Best Of: Usable Browser Privacy & Security http://t.co/HxL95a2d

  14. [...] impossible to get anything working unless JavaScript is enabled. As we recommended before the best approach is whitelisting and NoScript does a pretty good job at that. Of course if you’re visiting a trusted site [...]

  15. novainfosec (@novainfosec) on November 18, 2012 at 9:18 am

    Best Of: Usable Browser Privacy & Security http://t.co/apD5OBCH

  16. novainfosec (@novainfosec) on March 25, 2013 at 11:23 pm

    Best Of: Usable Browser Privacy & Security http://t.co/2I9WrqDT4T

  17. novainfosec (@novainfosec) on February 26, 2014 at 4:44 am

    Best Of: Usable Browser Privacy & Security http://t.co/2I9WrqmQ2T

  18. novainfosec (@novainfosec) on November 30, 2014 at 8:10 am

    Best Of: Usable Browser Privacy & Security http://t.co/2I9WrqVucX


About Us

Founded in 2008, NoVA Infosec is dedicated to the community of Metro DC-based security professionals and whitehat hackers involved in the government and other regulated verticals. Find out more on our About Us page.