Simple Security and Privacy Enhancements for the Casual Web Surfer Using Firefox

Threats to your personal privacy are everywhere. From satellite imaging and street cameras to advertisers and governments, the world we live in is becoming more Orwellian at every turn. The internet is no exception, but with just a little bit of knowledge and effort you can easily implement some basic security and privacy enhancements to deter those with less than ethical motives. This guide will focus primarily on how to harden the Mozilla Firefox version 3 web browser against basic security and privacy threats, but information contained here may be of use with other browsers as well.

COOKIES:

Cookies, which are nothing more than small text files, are often beneficial. For instance, when you join a forum a cookie is usually set (downloaded by your browser) that identifies you and keeps track of what topics you have and haven’t read, your custom settings for the forum, such as the display theme you chose to use, and perhaps some other beneficial information. Whether there is any personal information such as your name stored in the cookie may be up to you. If you didn’t use your real name to join the forum (and why would you), then your name shouldn’t be contained in the cookie. Even if you did use your real name it still may not be stored in the cookie. Often it will be a unique string of letters and numbers that is used to identify you when you return. Such a cookie can be used to log you on automatically the next time you visit the forum instead of having to enter your credentials every time, or to mark which topics have been created or updated since your last visit. On the other side of the fence are cookies set by advertisers and profilers, such as Google, DoubleClick and many others, that may be used to track where you go, where you’ve been, what you’ve been searching for and what kind of ads to display based on your browsing habits. It is these kinds of cookies that you may want to concern yourself with.

Assuming you want to allow the benign cookies, but disallow the ones which track you, then it’s simply a question of finding an easy way to control cookie behavior. Almost every browser has preferences for handling cookies whereby you can usually disallow all cookies, disallow 3rd party cookies only, allow all cookies, or allow cookies only from sites you trust. It is the latter we are interested in and there are various ways to achieve the control we desire. In the case of Firefox, we could always go to: tools > options > privacy and set our preferences from there, choosing to disallow all cookies except for the web sites we make exceptions for. This can quickly become a rather annoying method though since we’d have to invoke this lengthy process for every site we wish to allow. An easier method is to install CS Lite, which is a lighter version of Cookie Safe (a few others are available if you want to search the Mozilla add-ons site).

Before or after installation we’ll go back to: tools > options > privacy and uncheck “Accept cookies from sites” which will set a policy that will disallow all cookies. We’ll white list the sites we want to accept cookies from as we visit them instead. You should also look at the next section with the heading “Private Data” and consider removing any cookies that may already be stored, but be aware that doing so may cause you to have to re-enter your logon credentials when you revisit sites you’ve joined in the past (you did save that information, yes?). You can use the “Settings” and “Clear Now” buttons to clear all your cookies.

With CS Lite installed, open the Firefox add-ons manager (tools > add-ons), find CS Lite and we’ll configure it. There are 3 tabs to be concerned with as far as cookie handling and the first is the “Behavior” tab, where I suggest checking the “Disable cookies globally on startup” option. Next is the “Global” tab where I suggest selecting “Deny cookies globally” in the “Global cookie behavior” drop-down. Last is the “Blocklist” tab and you can disable the updates and uncheck the “Block untrusted hosts” option because the list is no longer maintained.

Depending on what options you set in the appearance tab you’ll have access to the extension from your context menu and/or a status bar icon whereby you can easily allow, allow for session, allow temporarily, block or remove cookies on a per-domain basis. A word about “domains”: a web site may have the address “http://www.my-exciting-website.freewebs.com” but the domain is “freewebs.com”. The “my-exciting-website” part is actually a subdomain of “freewebs.com”. The permissions available can be a bit confusing, so I’ll explain in a bit more detail:

  • Allow – allows the domain you are visiting to set cookies. When they expire, if ever, is determined by information contained in the cookie. Some may expire when you close your browser (session cookies), some not.
  • Allow for session – allows the domain you are visiting to set cookies, but only per browsing session, which lasts until you exit your browser. In other words, when you exit your browser, session cookies will be removed but will be allowed again during your next browsing session if you visit the same domain.
  • Allow temporarily – works the same as session cookies above, except that the cookies will not be allowed again the next time you start your browser and visit that domain.
  • Block – if you set the preferences for CS Lite according to my suggestions, this will be the default policy and all cookies will be blocked for every domain you visit except for those you have specifically allowed. You can also use this option to temporarily block cookies from a domain you previously allowed without deleting the cookie (maybe you want to see how a web site acts if it cannot access your cookie).
  • Remove – available for domains that you’ve already allowed to set cookies, this simply deletes them.
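
The difference between these actions shows up when the browser is restarted. The following is an added example, not CS Lite's own code: a small hypothetical model of a default-deny cookie policy in which the class, method names and the `.example` hosts used to exercise it are all assumptions.

```javascript
// Added illustration: a default-deny cookie policy with the per-domain
// actions listed above. Hypothetical model, not CS Lite's implementation.

// Assumption: the "domain" is the last two host labels. Real browsers use
// the Public Suffix List, so hosts under e.g. "co.uk" need more care.
function baseDomain(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

class CookiePolicy {
  constructor() {
    this.rules = new Map(); // domain -> "allow" | "session" | "temporary" | "block"
    this.jar = new Map();   // domain -> [{ name, persistent }]
  }
  actionFor(url) {
    return this.rules.get(baseDomain(url)) || "block"; // default: deny
  }
  setRule(domain, action) { this.rules.set(domain, action); }
  remove(domain) { this.jar.delete(domain); }          // the "Remove" action

  // A site tries to set a cookie; returns true if it was stored.
  offer(url, name, persistent) {
    const action = this.actionFor(url);
    if (action === "block") return false;
    const domain = baseDomain(url);
    const list = this.jar.get(domain) || [];
    // Only a plain "allow" lets the cookie's own expiry outlive the session.
    list.push({ name, persistent: action === "allow" && persistent });
    this.jar.set(domain, list);
    return true;
  }

  // Cookie names sent back to the site; a blocked domain gets none,
  // even though its stored cookies are left in the jar.
  sent(url) {
    if (this.actionFor(url) === "block") return [];
    return (this.jar.get(baseDomain(url)) || []).map(c => c.name);
  }

  // Browser exit and restart: session cookies and temporary rules are dropped.
  restart() {
    for (const [domain, list] of this.jar) {
      this.jar.set(domain, list.filter(c => c.persistent));
    }
    for (const [domain, action] of this.rules) {
      if (action === "temporary") this.rules.delete(domain);
    }
  }
}
```

After `restart()`, a domain set to "session" has lost its cookies but may set new ones, while a domain set to "temporary" is back under the default block.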

LOCAL SHARED OBJECTS:

A Local Shared Object, or LSO, is a lesser-known method that a web site may use to store data on your computer. This technology may be more controversial than cookies, but it is only available to web sites that utilize Flash and requires that you have installed the Adobe Flash plugin for your browser (which almost everyone does, knowingly or not). You can read more about LSOs on the Wikipedia page, but as far as we’re concerned LSOs are a potential threat to our privacy, just as some cookies are, and therefore we need an easy way to handle them.

Firefox does not provide an easy method of controlling what is stored, for how long, or by whom. Adobe does allow some control of Flash preferences through their Global Storage Settings panel but having to visit their web site every time you want to change preferences or delete stored data is not very convenient. Furthermore, if you configure the settings incorrectly, you can suffer side effects and lose desired functionality (such as no audio when viewing videos). Enter BetterPrivacy, a Firefox extension that auto-deletes Flash “super cookies” when Firefox starts, exits, or at timed intervals – your choice. You can also protect the LSOs you want to keep, though I have yet to run into a problem by letting BetterPrivacy delete them all automatically when Firefox exits.

Once installed, there isn’t a lot to fiddle around with in the settings for BetterPrivacy. Just open its options and, if you have Flash installed, it should’ve auto-detected the directory where Flash data is stored. On the “Options” tab you can configure when you want to delete LSOs as well as disabling DOM storage and ping tracking, both of which I’d suggest sticking a checkmark next to. After that you can probably forget about it as it will happily go about its business while you go about yours.

JAVASCRIPT:

JS for short, JavaScript is a scripting language used by many web sites. If you block JS globally you will lose functionality for many web sites, or they may not function at all and could even just display a blank page. JS is often used to display ads, images, navigation menus, many widgets like clocks and rotating banner images and a host of other purposes, but it can be, and often is, used maliciously. Any modern, up to date browser has some safeguards in place that help limit what JS can and can’t do, but we can gain easy access to much greater control with 2 Firefox extensions, the first of which is NoScript.

Like CS Lite and BetterPrivacy, NoScript gives us easy access to blocking or allowing JavaScript on a per domain basis. It also provides some fine-grained control via a large number of options. Of all the extensions mentioned here, NoScript may be the most daunting to figure out for new users, but the good news is that it is super easy to toggle NoScript on or off from the icon it places in the Firefox status bar. How to configure NoScript is beyond the scope of this guide and I suggest you visit the NoScript web site to learn more about it.

While we’re on the subject of JavaScript, I’ll also give a heads up to Controle de Scripts which is another cool little Firefox extension.

While NoScript helps us with JavaScript security, Controle de Scripts limits JavaScript functionality. For instance, if you are annoyed when a pop-up window opened by JS has hidden the status bar, or writes scrolling text to the status bar, or disables your context menu so you can’t copy an image location or text, then Controle de Scripts has the solutions. Advanced users may prefer to edit their preferences manually but for novices, or anyone who just wants fast access to common JS preferences, this is a really nice little extension for Firefox.

GOOGLE:

Google, whose motto is “don’t be evil”, has gone infinitely beyond indexing the web and has become rather intrusive in our everyday lives. With their purchase of DoubleClick recently, storage of personal medical records, never ending parade of lawsuits and the controversy over how it uses cookies, one may wonder if the meaning of “don’t be evil” has been redefined somewhere along the way. The good news is that you can easily tame the overstuffed giant with a wonderful Firefox extension by the name of CustomizeGoogle.

CustomizeGoogle offers a ton of preferences that affect not only how Google search results are displayed, but also how to handle Google’s cookies and click tracking. It is also a set-it-and-forget-it extension so once you’ve configured the options, you’re done with it.

When you open its options you’ll see a list of Google services including Web, Images, Groups and many more. I’d suggest going through each one and disabling click tracking. In the “Privacy” section I’d suggest placing a check next to “Don’t send any cookies to Google Analytics” and “Anonymize the Google cookie UID” (unique identifier).

BROWSER INFORMATION:

Another issue that some may see as a threat to their privacy is the fact that most browsers will tell the web site you visit where you came from. For instance, if you were shopping for a new rifle over at Sig Sauer and then decide to visit the Department of Homeland Security, their server will probably know where you came from. Is it really any of their business? If you don’t think so, check out RefControl, a little extension that can alter the referrer that your browser sends to the site you’re visiting.

Once installed you’ll need to configure RefControl because by default it does nothing. Make sure it’s enabled and then click the “Edit” button next to where it says “Default for sites not listed” and select “Forge – send the root of this site”. In my opinion this is the best option as it won’t break very many sites yet still offers a privacy boost. Now when you visit Sig Sauer and then go to Department of Homeland Security, the DHS server log will see you as having come from the root of their own site, which is dhs.gov. And while we’re on the subject, maybe this extension will interest you.
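
What the destination server records under the “forge” default, and how a white-listed site differs, can be modelled in a few lines. This is an added example, not RefControl's own code: the function names, the rule format, the parent-domain matching and the `.example` hosts are assumptions made for illustration.

```javascript
// Added illustration of a "forge" default with a white list of sites that
// receive the real referrer. Hypothetical model, not RefControl's own code.

// Find the rule for a host, trying the host itself and then each parent
// domain (assumption: a rule for "payments.example" also covers
// "www.payments.example"). The bare top-level label is never tried.
function ruleFor(host, rules, defaultAction) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join(".");
    if (rules.has(candidate)) return rules.get(candidate);
  }
  return defaultAction;
}

// Returns the Referer value the browser would send to targetUrl,
// given the page the user actually came from.
function refererSent(targetUrl, cameFrom, rules = new Map(), defaultAction = "forge") {
  const target = new URL(targetUrl);
  const action = ruleFor(target.hostname, rules, defaultAction);
  if (action === "normal") return cameFrom;           // white-listed site
  if (action === "forge") return target.origin + "/"; // root of the target site
  throw new Error("unknown action: " + action);
}

// Constructed sample navigation; every host here is a placeholder.
const cameFrom = "http://www.store.example/rifles/catalog?item=42";
const whiteList = new Map([["payments.example", "normal"]]);

function demo() {
  return {
    // The agency's log shows its own root, not the store page.
    agency: refererSent("http://www.agency.example/contact", cameFrom, whiteList),
    // The white-listed payment site still sees the full originating URL.
    payments: refererSent("https://www.payments.example/checkout", cameFrom, whiteList),
  };
}
```

Note that a white-listed site receives the full originating URL, query string included, so the white list is best kept to sites that break without it.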

CLOSING NOTES:

With all of the above extensions installed you’re going to inevitably run into problems with some web sites that all of a sudden don’t seem to function correctly. To troubleshoot a problem you’ll often have to allow cookies, at least temporarily, as well as JavaScript. If they are sites you visit regularly, then you may want to add permanent exceptions for them in NoScript and CS Lite. In very few instances you’ll have to allow the referring web site to be submitted which you can do by white listing the site in RefControl. As you set cookie and JavaScript preferences for the sites you typically visit, these problems will be less frequent. You’ll also begin to get a feel for what a site needs to function, and so troubleshooting will take hardly any effort at all. Remember these general rules of thumb:

  • If you can’t see a video or a page doesn’t display at all, or doesn’t display properly, try enabling JavaScript for that domain.
  • If you’re logging on to almost any web site, including forums, your bank, etc., cookies are almost always required and, quite often, JavaScript also.
  • If you still have trouble, try disabling RefControl or white listing the domain.
  • And if you STILL have trouble, try allowing cookies and JavaScript globally, as well as disabling RefControl. What happens sometimes is that content from 3rd party sites is needed to get you where you’re going. I’ve found this to be the case on Newegg, PayPal and a few others.

Also check out all the other privacy and security related extensions at Mozilla.

article by atomMan
