Jesse Ruderman, a contributor on Firefox security topics, released an article providing security tips for Firefox users. His recommendations include:
- Set Firefox to automatically install updates.
- Keep plugins such as Flash, QuickTime, Adobe Reader and Shockwave up to date.
- Only download and install software (including extensions) from trustworthy sources.
- Double check the location bar to ensure you are where you are supposed to be, especially on sites where sensitive data is exchanged, such as financial sites.
- Use anti-virus software.
The full article provides more details on these recommendations as well as some very useful tips for avoiding phishing and ID theft.
While I agree with almost all of the above tips, I am a bit uneasy allowing Firefox to automatically install updates. I suppose for basic users this is a good idea, but I prefer to have control over when Firefox is updated. Now keep in mind I usually install updates shortly after they are offered; I just don’t want to be in the middle of something (such as a blog entry) and have Firefox update itself.
Furthermore, as Ryan has pointed out and asked on the CyberNet Forum:
“Does this mean that Mozilla tests all extensions that they post on their addons page? That would be a lot of work to make sure none of the extensions do anything unknowingly.”
I provided a much more detailed answer on the forum, but in summary I do think the extensions on Firefox Add-ons are tested. However, I pointed out that some of the extensions I have recommended (ChromEdit Plus, Nightly Tester Tools, etc.) are not listed/hosted on the Firefox Add-ons page. Now, this raises the question, “How do we know that these extensions are coming from a trustworthy source?”
I suppose the answer to this is that it is up to expert users such as myself to make that judgment call. Before I post any recommendations or links for extensions not listed/hosted on Firefox Add-ons, I have downloaded and tested them to make sure the extensions (as well as their sources) are safe. I suppose Jesse’s recommendations are more intended for the basic/casual Firefox user who may not be aware of the dangers.
I’ve been using Firefox for almost 2 years now (I downloaded Firefox 1.0 back on Christmas 2004) and I thought I knew everything there was to know about being safe while browsing with Firefox. However, the article points out a very serious security vulnerability, known as browser chrome spoofing. When a site opens a link/page in a new window, it can hide the address bar (a fix for this is proposed for Firefox 3) and display a spoofed address bar instead. The spoofed address bar displays the address of a legitimate site, while the real address bar, which would show the actual address of the page, is hidden. There are several ways you can protect yourself:
- Force Firefox to open links/pages in a new tab. This will prevent the address bar from being hidden.
  Firefox 1.5.0.X: From the Tools menu, select Options… then go to Tabs. Check the option “Force links that open new windows to open in” and be sure a new tab is selected as well.
  Firefox 2.0.0.X: From the Tools menu, select Options… then go to Tabs. For the option “New pages should be opened in:” select a new tab.
- If a new window is opened, check your bookmark toolbar (below the address bar) first. If it is missing or does not look the same as your main window, chances are you have been redirected to a fake/spoofed site.
- Via about:config, change dom.disable_window_open_feature.location to true
- If you know you are supposed to be on a secure site (https), check the status bar at the bottom of the screen; it will display the hostname next to the padlock icon. If this is missing or incorrect, you are not on the secure site you expected.
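The two settings above can also be checked without clicking through the Options dialog, since Firefox stores them as prefs in the profile's prefs.js (or an administrator's user.js). The following Node.js script is an added example, not code from the original post or from Mozilla: it parses `user_pref(...)` lines and reports whether each protection is on. The pref `dom.disable_window_open_feature.location` is the one named in the post; `browser.link.open_newwindow` is the real Firefox pref behind the "open in a new tab" option (value 3 means new tab), which the post does not name, so treating it as the equivalent of that Options setting is this example's assumption. The sample prefs text is constructed and does not come from a real profile.

```javascript
// Added example (not from the original post): audit a Firefox prefs.js /
// user.js for the two address-bar protections listed above.
//
// Prefs checked and the values that enable the protection:
//   dom.disable_window_open_feature.location = true
//     pages may not open a window without a location bar (the about:config
//     tip above; this pref name is taken from the post)
//   browser.link.open_newwindow = 3
//     links that would open a new window open in a new tab instead (the
//     Options > Tabs setting above; a real Firefox pref that the post does
//     not name, so the mapping is this example's assumption)
const EXPECTED = {
  "dom.disable_window_open_feature.location": true,
  "browser.link.open_newwindow": 3,
};

// Match one user_pref("name", value); line. Values are booleans, integers
// or double-quoted strings; anything else (comments, blank lines) is skipped.
const PREF_LINE = /^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\);/;

// Parse prefs text into { name: value }. A later line for the same pref
// overrides an earlier one, matching how Firefox applies the file.
function parsePrefs(text) {
  const prefs = {};
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_LINE.exec(line);
    if (!m) continue;
    const [, name, raw] = m;
    if (raw === "true" || raw === "false") prefs[name] = raw === "true";
    else if (/^-?\d+$/.test(raw)) prefs[name] = parseInt(raw, 10);
    else prefs[name] = JSON.parse(raw); // quoted string with JSON-style escapes
  }
  return prefs;
}

// One finding per expected pref: "ok", "wrong" (set to another value) or
// "unset" (not in the file, so the browser's built-in default applies).
function auditPrefs(text) {
  const prefs = parsePrefs(text);
  return Object.entries(EXPECTED).map(([name, want]) => {
    const got = prefs[name];
    const status = got === undefined ? "unset" : got === want ? "ok" : "wrong";
    return { name, want, got, status };
  });
}

// Constructed sample prefs.js content for a profile with both protections
// turned off (not a real profile).
const SAMPLE_PREFS = `# Mozilla User Preferences
user_pref("browser.link.open_newwindow", 2);
user_pref("browser.startup.homepage", "http://example.invalid/");
user_pref("dom.disable_window_open_feature.location", false);
`;

// Lines that would be appended to user.js to turn both protections on.
const HARDENING_LINES = `user_pref("dom.disable_window_open_feature.location", true);
user_pref("browser.link.open_newwindow", 3);
`;

// Print the audit result for one prefs text.
function report(label, text) {
  console.log(label);
  for (const f of auditPrefs(text)) {
    console.log(`  ${f.status.padEnd(5)} ${f.name} (want ${f.want}, got ${f.got})`);
  }
}

report("before hardening:", SAMPLE_PREFS);
report("after hardening:", SAMPLE_PREFS + HARDENING_LINES);
```

Because Firefox only writes non-default values to prefs.js, an "unset" finding means the built-in default is in effect, not that the protection is on; for the location-bar pref the post's advice is precisely to set it explicitly to true.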