Secure Browsing With Firefox

This is a guide on how to configure Firefox to harden it against most of the common known vulnerabilities. It concentrates on Cookies, Scripts, TLS Encryption Suites, and more. This whole process will take about 10-20 minutes to set up, and an hour or so of browsing to get used to.

Step 1: Install the Firefox browser.

Why Firefox: I prefer this for secure browsing because it is open-source and run by a non-profit organization. It is frequently security audited and frequently updated to close vulnerabilities. It also has a lot of granularity in control over privacy and security settings, so you can custom-configure the browser to defend against new threats easily. In the past I have bashed Firefox for being behind on TLS. They have since caught up on the standard but still have TLS 1.1 and 1.2 disabled by default, which I am generally unhappy with. It is understandable though, as it is done mainly to make the browser compatible with old TLS 1.0 sites that have issues with huge lists of cipher suites being supported.

Step 2: Install your privacy add-ons.

I recommend AdBlock Plus, NoScript, Ghostery, HTTPS Everywhere, and CipherFox.

Why AdBlock Plus: AdBlock Plus blocks a lot of different types of ads. A lot of the Flash and JavaScript based ads you see can contain tracking cookies or even malware. Also, ads are generally annoying anyway.

Why NoScript: NoScript blocks all scripting from working on web pages including Adobe Flash. Scripts are the most common method of attacking a PC via a browser. Using NoScript allows you to "whitelist" the sites that you trust, so that they work normally on your device. It also allows for more secure browsing, though, by blocking all scripts to new sites you visit by default. I highly recommend getting this add-on from the repository for Firefox as the "official" site is generally awful and has a lot of intrusive ads. Cisco has reported that in 2013, 91% of attacks were Java based.

Why Ghostery: Ghostery profiles what cookies are being used by various sites, and reports it to you in a small intuitive overlay in the corner of your browsing window. From there, you can learn about what these cookies do, take action to block them, or learn how to opt-out of their tracking programs.

Why HTTPS Everywhere: This add-on is the only one in this list that doesn't appear in the Firefox add-on repository at the time of this writing. It is created and managed by a collaboration between the Electronic Frontier Foundation and the engineers at Tor. This add-on forces a secure connection to all servers that support HTTPS by default. It supports a lot of the major sites we all visit, and has support for adding more domains manually.

Why CipherFox: CipherFox shows you the certificate chain of the site you are visiting and allows you to see the current Qualys grade the site gets for security in a quick and easy manner.

Step 3: Configure Firefox for security and privacy.

First we are going to open our options menu to look at the basic settings.

In the upper-left corner of your Firefox browser is the menu. Open it up and go to options.

A window will pop-up with a bunch of tabs. We are going to navigate through them and crank up the privacy and security settings. First the "Privacy" tab.

We don't want sites to track us (for obvious reasons). We don't want Firefox to carry a history (data that can be stolen). We don't want suggestions (they send queries over the internet). It should look like below.

Next is the security tab. These settings are pretty self-explanatory.

Lastly, we want to go to the "Advanced" tab, and click on the "Data Choices" subtab. It is important to disable these settings because these reports are cloud-based and not encrypted. This data is important to Mozilla to make Firefox a better product, but until we are sure that the data is encrypted securely it is not worth transmitting all of this information about your system and browser settings over the internet. There is a lot of information about advanced persistent threats like governments going to great lengths to gather error and crash reports to find vulnerabilities in target systems. Data like this can help an advanced attacker break into your device.

Step 4: Harden Firefox Cryptography

Here, we are going to make it so Firefox can use the updated encryption available in TLS 1.1 and TLS 1.2. This is crucial to security because the vast majority of the cipher suites in TLS 1.0 are vulnerable or completely broken at this point.

First, we need to open the hidden advanced options menu. You open it by typing "about:config" (without the quotes) in your address bar in Firefox, as if you were navigating to a website. This will open a very long list of advanced configuration settings for Firefox. By default they are listed in alphabetical order, so that will help us find what we need.

The first setting we are going to edit is "security.tls.version.max"; by default it is set to "1". You want to double click it and change the value to "3". This enables the much stronger TLS 1.1 and TLS 1.2 suites. Just fair warning, this can break older websites that are not properly configured to support newer versions of TLS. I personally have not found a site that it doesn't work on, but I've heard that some older government websites will stop functioning properly.

An optional setting you can alter is "security.tls.version.min". This setting is for the minimum level of encryption that is allowed. Setting it to "1" means that the site must have at least TLS 1.0 encryption, setting it to "2" forces TLS 1.1, and "3" forces TLS 1.2. Only do this if you are seriously concerned about security. It will break a LOT of websites. This setting is usually used by heavily moderated networks like workplaces. I have it set to "2" on my work machine and "0" on my home machine because it breaks far too many sites to be worth the trade-off.

Lastly, we are going to disable cipher suites that are known to be weak or completely broken.

In the search bar at the top (while still in the about:config window) type "RC4" without the quotes. You'll see a list of cipher suites that support the weak RC4 stream cipher. Double click each one to disable it manually. You'll want to repeat the process for "DES_EDE3" ciphers. This will leave you with AES and Camellia ciphers which are believed to be strong and secure at this point.
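Clicking through about:config works, but the same TLS and cipher-suite changes from this step can be audited and written out as a user.js file so they survive profile resets. The script below is an added example, not part of the original guide: it parses a constructed prefs.js sample (the security.ssl3.* pref names in it are assumed to match the ones shown when you search for "RC4" and "DES_EDE3"), reports the weak settings, and emits the user_pref lines that fix them.

```python
import re

# Constructed sample of a Firefox prefs.js, not taken from any real profile.
# Pref names under security.ssl3.* are assumed; the guide's own prefs are
# security.tls.version.min and security.tls.version.max.
SAMPLE_PREFS = """\
user_pref("security.tls.version.min", 0);
user_pref("security.tls.version.max", 1);
user_pref("security.ssl3.rsa_rc4_128_sha", true);
user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
user_pref("security.ssl3.rsa_des_ede3_sha", true);
user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);
"""

# One user_pref("name", value); line; values are bool, int or quoted string.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);')

# Substrings that mark the suites the guide tells you to disable.
WEAK_MARKERS = ("rc4", "des_ede3")


def parse_prefs(text):
    """Return {pref_name: typed_value} for every user_pref line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def is_weak_suite(name, value):
    return name.startswith("security.ssl3.") and value is True \
        and any(w in name for w in WEAK_MARKERS)


def audit(prefs):
    """List the settings this guide says to change; empty means hardened."""
    findings = []
    if prefs.get("security.tls.version.max", 1) < 3:  # guide: default is 1
        findings.append("security.tls.version.max should be 3 (TLS 1.2)")
    findings += [f"{n} is enabled (weak cipher suite)"
                 for n, v in prefs.items() if is_weak_suite(n, v)]
    return findings


def hardened_user_js(prefs):
    """Emit user.js lines that apply the fixes from audit()."""
    lines = ['user_pref("security.tls.version.max", 3);']
    lines += [f'user_pref("{n}", false);'
              for n, v in sorted(prefs.items()) if is_weak_suite(n, v)]
    return "\n".join(lines)
```

Drop the emitted lines into user.js in your profile directory and Firefox applies them at startup, so the audit can be re-run after an update to confirm nothing was re-enabled.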

That is all I have for now. If you have any questions, tips, or ideas that you'd like to ask about this article, feel free to email Viking customer support and we will respond.
