Firefox and Security Add-Ons for Mac OS X - Secure Web Browser

Posted 10 August 2016

    Mozilla Firefox is a free and open source software (FOSS) web browser for which many add-ons are available. Some of these add-ons are designed to protect your privacy and security when you browse the web.

    Required reading

    What you will get from this guide

    • A stable and secure internet browser whose features can be enhanced by numerous add-ons.
    • The ability to protect yourself from potentially dangerous programs and malicious websites.
    • The ability to wipe the digital traces of your browsing activity.

    1. Introduction to Firefox

    This guide assumes that you already know how to use a web browser and will not cover the basic functions of Firefox. It will focus on security-related settings and add-ons.

    1.0 Things to know about Firefox before you start

    Firefox has many easy-to-use add-ons that improve your privacy and security when you browse the Web. You can choose which add-ons to install, and decide how to configure them, depending on your circumstances. If you are using a computer that is managed by someone else (if you're at an Internet cafe, for example, or in your place of work), you might have to make these adjustments repeatedly.

    In addition to basic Firefox settings, this guide covers the installation and basic configuration of the following add-ons:

    The Resources section of Tactical Tech's MyShadow website covers additional privacy-enhancing browser add-ons.

    Important: The overwhelming majority of malware and spyware infections originate from webpages. It is important that you always consider whether it is safe to visit unknown websites, particularly those that are sent to you by email. Before you decide to open unknown or suspicious webpages, we recommend that you scan the web address using the following page scanners:

    You can also check the reputation of a website using the scanners listed below:

    1.1 Other tools like Firefox

    Microsoft Windows, GNU/Linux, and other Mac OS X compatible programs:

    The Mozilla Firefox Web browser is available for GNU/Linux, Mac OS X, Microsoft Windows, Android, and iOS. Websites are the most common source of malware infection, so accessing them securely is vital. We recommend that you use Mozilla Firefox and install the add-ons covered in this guide. If you would prefer to use a program other than Mozilla Firefox, the alternatives below are also available for GNU/Linux, Mac OS X and Microsoft Windows:

    2. Install and configure Firefox

    2.1 Install and launch Firefox

    To install the latest stable version of Firefox, follow the steps below:

    Step 1. Go to the Firefox download page.

    Figure 1: Firefox download button

    Step 2. Click the [Free Download] button to download Firefox. Firefox will detect your Operating System (Mac OS X) and recommend the best version of Firefox for you.

    Step 3. The download should start automatically.

    Figure 2: Automatic download of Firefox

    Save the file somewhere convenient. In this example, we will assume the downloaded Firefox file is in your Downloads folder.

    Figure 3: Saving Firefox .dmg file to the Downloads folder

    Step 4. Navigate to the folder where you saved the Firefox file. In this example, we assume you saved the file in your Downloads folder.

    Figure 4: The Downloads folder containing the Firefox disk image

    Step 5. Double-click the Firefox disk image (a file ending in ‘.dmg’) to mount it. It should show up in a new window (Figure 5, below) and under Devices in the sidebar of a normal Finder window.

    Figure 5: Inside the mounted Firefox disk image

    Step 6. Drag the Firefox.app into your Applications folder.

    Figure 6: Dragging the mounted TorBrowser.app into the Applications folder

    It should then copy over into Applications.

    Figure 7: Progress window for copying Firefox.app into the Applications folder

    Step 7. Before we start using Firefox, we should unmount (or 'eject') the Firefox disk image. Find Firefox under Devices in the Finder sidebar. Click on the {eject} icon next to it in the sidebar to unmount the disk image.

    Figure 8: Unmounting (or ejecting) the Firefox disk image

    Step 8. Now that we’ve installed Firefox, let’s open it up for the first time. First, navigate to the Firefox app in your Applications folder.

    Step 9. Double-click the Firefox app to launch it.

    Step 10. An alert will pop up to ask you if you’re sure you want to open “Firefox.app”. Click [Open].

    Figure 9: Final confirmation prompt

    2.2 Configure search engines

    You can configure Firefox to use a search engine of your choice. To do so, follow the steps below:

    Step 1. Click on Firefox in the main menu, then scroll down to select Preferences.

    Figure 1: Selecting Preferences in the Firefox menu

    Step 2. Click Search in the side bar of the Preferences screen.

    Figure 2: Choosing a default search engine in Firefox Preferences

    You can now choose your default search engine and decide which other search engines should be accessible through the Firefox search box. We recommend DuckDuckGo as a default search engine because it does not track or profile its users, nor share its users' personal information with third parties.

    Other privacy-focused search engines that you can choose to add as search engine options to select in the Firefox toolbar’s search bar include:

    2.3 Configure privacy options

    You can configure privacy options for Firefox by following the steps below:

    Step 1. Click on Firefox in the main menu, then scroll down to select Preferences.

    Figure 1: Selecting Preferences in the Firefox menu

    Step 2: Click Privacy in the side bar of the Preferences screen.

    The Privacy screen is divided into three sections: Tracking, History, and Location bar.

    Figure 2: The Privacy Preferences for Firefox

    You can now change the Firefox settings related to privacy, third-party tracking, and browsing history by following the steps below:

    Step 3. Many websites collect information about you and allow third parties to gather data about the websites you visit. This is called tracking. Do Not Track is a system that enables users to opt out of tracking by websites they do not visit, including analytics services, advertising networks, and social platforms.

    To enable Do Not Track in Firefox, and minimise the tracking of your online activity, select the two options under the Tracking section. It is important to understand, however, that companies have the ability to ignore your choice and track you anyway. Here is a list of companies' commitments to honoring Do Not Track requests.

    Step 4. The History section lets you manage your Firefox browsing history preferences. Your browsing history is a list of websites you have visited using Firefox. The default option is Remember my browsing and download history, which means that Firefox will remember your browsing, download, form, and search histories. It will also accept cookies from the websites you visit. These cookies allow websites to record information on your device that Firefox will send back to them and their advertising partners.

    To prevent this, in the first option under History that starts with Firefox will:, you can change Remember history to Never remember history. Or you can change it to Use custom settings for history and set more detailed preferences in the History section.

    Step 5. The Location Bar section lets you choose the sources that Firefox will use to recommend Web addresses when you start typing in the Address bar. By default, it uses bookmarked Web addresses, open tabs, and websites that are in your browser history. You can uncheck any of these sources as you prefer.

    2.4 Configure security options

    You can configure the Firefox security settings by following the steps below:

    Step 1: Click on Firefox in the main menu, then scroll down to select Preferences.

    Figure 1: Selecting Preferences in the Firefox menu

    Step 2: Click Security in the side bar of the Preferences screen.

    Figure 2: The Security Preferences for Firefox

    You can now change the security settings for Firefox.

    Step 3. All of the boxes under General should be checked by default. If they are not, we recommend checking them so that Firefox will:

    • Warn you when websites try to install add-ons.
    • Block reported web attacks.
    • Block reported Web forgeries.

    Step 4. The boxes under Passwords relate to Firefox's built-in password manager. If you check the Use a master password box, Firefox will encrypt the website passwords that it saves and prompt you for a master password whenever it needs to enter one for you.

    We recommend using an offline password manager, such as KeePassX, to store your passwords. But, if you choose to allow Firefox to manage your website passwords, you should check the second box.

    2.5 Configure advanced options

    You can configure various advanced preferences for Firefox by following the steps below:

    Step 1. Click on Firefox in the main menu, then scroll down to select Preferences.

    Figure 1: Selecting Preferences in the Firefox menu

    Step 2. Click Advanced in the side bar of the Preferences screen.

    Figure 2: The Advanced Preferences for Firefox

    Step 3. The Advanced preferences section is designed with the advanced or experienced Firefox user in mind. You can explore and change the Advanced preferences for Firefox as you prefer. The screen contains five tabs:

    • General includes various usability options.
    • Data Choices enables you to choose whether or not you allow your data to be shared with Mozilla.
    • Update allows you to determine how Firefox will handle automatic updates (including updates to your preferred search engines).
    • Network allows you to add and manage proxy settings, cached web content, and offline user data.
    • Certificates allows you to decide how Firefox should manage SSL certificates for sites that provide https encryption.

    Step 4. The General tab includes a useful option that allows Firefox to prevent web sites from automatically redirecting you to another page or reloading themselves without your consent or knowledge. Users of all levels will benefit from enabling this preference.

    Click on the General tab if you are not in that section already.

    Figure 3: The General tab of the Advanced preferences screen

    Step 5. Check the Warn me when websites try to redirect or reload the page box. (It is the third option under Accessibility.)

    3. Firefox add-ons

    In Firefox, an add-on is a lightweight software program that adds new features or extends existing functionality. As such, add-ons are sometimes referred to as extensions. (For example, the NoScript add-on extends Firefox functionality to block scripts from defined servers.)

    A plugin is a piece of software typically designed to enable the use of third-party software within the Firefox browser. An example of a common plugin would be the Flash plugin designed to display Adobe Flash content within the Firefox browser window.

    Tip: The Adobe Flash and Oracle Java browser plugins are often found to contain security vulnerabilities that could allow a remote user to assume control of your computer or to install malware. It is strongly advised that you disable both of those plugins in Firefox. For more information about how to disable or remove Java, please refer to Oracle's steps to disable Java for all browsers on your computer or their guide on how to uninstall Java from your computer.

    In the next section, we explain how to install and configure the following Firefox add-ons:

    We have chosen the above add-ons because they are designed to increase your privacy and security. Other privacy-friendly add-ons for Firefox can be found through the Resources section of Tactical Tech's MyShadow project.

    3.1 HTTPS Everywhere

    HTTPS Everywhere is a Firefox add-on that helps users use encrypted connections to websites when they are available. Many websites offer SSL encryption that you can recognize when a website address starts with https. But many websites default to unencrypted connections with addresses that start with http, even though they have the ability to provide an encrypted connection.

    When you connect to a website that starts with http, it means that all the information and data you receive and send to that website’s servers can be seen and intercepted by any intermediary between you and that website (including your Internet Service Provider).

    But when you connect to a website that starts with https, your connection to the website is encrypted. This makes it more difficult for the information and data you receive and send to that website’s servers to be seen and intercepted.

    The HTTPS Everywhere add-on addresses these problems by connecting to websites using https encryption when available.
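    The "when available" behaviour described above can be modelled as a rule lookup: a request is only upgraded if the host is covered by a rule. This is an added example, not code from this guide or from the HTTPS Everywhere project; the ruleset shape is a simplified assumption and every host and rule in it is constructed.

```javascript
// Simplified model of ruleset-driven HTTPS upgrading (assumed shape:
// target hosts, exclusion patterns, and from/to rewrite rules).
// All hosts below are constructed sample data.
const RULESETS = [
  {
    name: "Example shop",
    targets: ["shop.example", "*.shop.example"],
    exclusions: [/^http:\/\/legacy\.shop\.example\//], // host with no working HTTPS
    rules: [{ from: /^http:/, to: "https:" }],
  },
  {
    name: "Example news",
    targets: ["news.example"],
    exclusions: [],
    // This site only offers HTTPS on a dedicated host name.
    rules: [{ from: /^http:\/\/news\.example\//, to: "https://secure.news.example/" }],
  },
];

// True when host equals the target, or matches a leading "*." wildcard.
function hostMatches(host, target) {
  if (target.startsWith("*.")) return host.endsWith(target.slice(1));
  return host === target;
}

// Returns the URL to request, and whether it was upgraded and why.
function upgradeUrl(rawUrl, rulesets = RULESETS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { url: rawUrl, upgraded: false, reason: "not a valid URL" };
  }
  if (url.protocol === "https:") {
    return { url: url.href, upgraded: false, reason: "already https" };
  }
  if (url.protocol !== "http:") {
    return { url: rawUrl, upgraded: false, reason: "not an http URL" };
  }
  for (const rs of rulesets) {
    if (!rs.targets.some((t) => hostMatches(url.hostname, t))) continue;
    if (rs.exclusions.some((re) => re.test(url.href))) {
      return { url: url.href, upgraded: false, reason: "excluded by " + rs.name };
    }
    for (const rule of rs.rules) {
      if (rule.from.test(url.href)) {
        return { url: url.href.replace(rule.from, rule.to), upgraded: true, reason: rs.name };
      }
    }
  }
  // No rule covers this host: the request stays on plain http.
  return { url: url.href, upgraded: false, reason: "no ruleset for host" };
}

for (const u of [
  "http://www.shop.example/cart?id=1",
  "http://legacy.shop.example/old",
  "http://news.example/story",
  "http://unknown.example/",
]) {
  const r = upgradeUrl(u);
  console.log(`${u} -> ${r.url} (${r.upgraded ? "upgraded" : "unchanged"}: ${r.reason})`);
}
```

    The last sample URL stays on http because no rule covers its host, so the address bar is still the place to confirm that a connection is encrypted.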

    To install the HTTPS Everywhere add-on, follow the steps below:

    Step 1. Select Tools > Add-ons in the main Firefox menu. (Or you can use the shortcut key combination Shift + Command + A.)

    Figure 1: Accessing add-ons in Firefox

    Step 2. In the “Get Add-ons” section, type HTTPS Everywhere in the search bar and press enter.

    Figure 2: The Add-ons Manager in Firefox

    You should now have a list of add-on search results, including one for HTTPS Everywhere.

    Figure 3: Finding the HTTPS Everywhere add-on for Firefox

    Step 3. Click [Install], next to HTTPS Everywhere, to download the add-on.

    Figure 4: HTTPS Everywhere add-on downloaded

    Step 4. Click the Restart Now link to install HTTPS Everywhere.

    Step 5. After Firefox has restarted, it will return to the same screen in the add-ons manager where we searched for HTTPS Everywhere, but the HTTPS Everywhere add-on will no longer be in the search results.

    In order to verify that HTTPS Everywhere has been installed successfully, click [Extensions] in the menu on the left side of the add-ons manager. HTTPS Everywhere should be listed along with your other installed add-ons.

    Figure 5: HTTPS Everywhere installed

    Step 6. To access the preferences for HTTPS Everywhere, click [Preferences] next to its name in the installed Extensions tab of Firefox’s Add-ons Manager (as seen in Figure 5).

    Figure 6: HTTPS Everywhere's Preferences screen

    Step 7. HTTPS Everywhere offers the option of using EFF’s SSL Observatory, which warns you about insecure connections or attacks on your browser. We strongly recommend that you use this for better browser security.

    To use the SSL Observatory, check the box next to Use the Observatory?

    3.2 Privacy Badger

    Privacy Badger is a browser add-on which prevents third-party companies from tracking your online activities. It accomplishes this by preventing third-party tracking content from loading in the webpages you visit. It is available as an add-on for Firefox, the Tor Browser, Chrome, and Chromium.

    Privacy Badger is unique because it blocks all third-party companies from tracking you when you access websites. This differentiates it from similar third-party extensions such as Ghostery, Disconnect and Adblock Plus, which all require custom configuration to block aggressive trackers.

    To install Privacy Badger, follow the steps below:

    Step 1. Select Tools > Add-ons in the main Firefox menu. (Or you can use the shortcut key combination Shift + Command + A.)

    Figure 1: Accessing add-ons in Firefox

    Step 2. In the “Get Add-ons” section, type Privacy Badger in the search bar and press enter.

    Figure 2: The Add-ons Manager in Firefox

    You should now have a list of add-on search results, including one for Privacy Badger.

    Figure 3: Finding the Privacy Badger add-on for Firefox

    Step 3. Click [Install], next to Privacy Badger, to download the add-on.

    Figure 4: Privacy Badger add-on downloaded

    The Privacy Badger add-on does not need you to restart Firefox in order for it to work.

    When the Privacy Badger add-on is installed, Firefox will open Privacy Badger's "Thank you" page in a new browser tab. (Keep this tab open for Step 5 below.)

    Figure 5: Privacy Badger's "Thank You" page

    Step 4. In order to verify that Privacy Badger has been installed successfully, click [Extensions] in the menu on the left side of the add-ons manager. Privacy Badger should be listed along with your other installed add-ons.

    Figure 6: Privacy Badger installed

    Step 5. To learn more about using Privacy Badger, return to Privacy Badger's "Thank you" page in the other browser tab (as seen in Figure 5 above).

    3.3 Click&Clean

    Click&Clean is an add-on designed to automatically delete private data upon closing Firefox. This includes clearing records from your download history, deleting browsing history, and removing cookies, including Flash Local Shared Objects (LSO). It also deletes temporary files and empties your local cache.

    Note: Click&Clean is also available on Chrome. Alternatively, users may also consider using external applications, like CCleaner for Apple OS X and Windows, or BleachBit for Linux and Windows.

    To install the Click&Clean add-on, follow the steps below:

    Step 1. Select Tools > Add-ons in the main Firefox menu. (Or you can use the shortcut key combination Shift + Command + A.)

    Figure 1: Accessing add-ons in Firefox

    Step 2. In the “Get Add-ons” section, type Click&Clean in the search bar and press enter.

    Figure 2: The Add-ons Manager in Firefox

    You should now have a list of add-on search results, including one for Click&Clean.

    Figure 3: Finding the Click&Clean add-on for Firefox

    Step 3. Click [Install], next to Click&Clean, to download the add-on.

    Figure 4: Click&Clean add-on downloaded

    Step 4. Click the Restart Now link to install Click&Clean.

    Step 5. After Firefox has restarted, you will be taken to Click&Clean’s website on a new browser tab.

    In order to verify that Click&Clean has been installed successfully, return to Firefox’s add-ons manager tab. Click [Extensions] in the menu on the left side of the add-ons manager. Click&Clean should be listed along with your other installed add-ons.

    Figure 5: Click&Clean installed

    Step 6. The Click&Clean icon should now appear in the Firefox toolbar as a blue toilet paper roll. If you click on the arrow next to it, you can see its menu of options. These include viewing and deleting cookies, incognito browsing, clearing browsing data, and more.

    Figure 6: The Click&Clean drop-down menu

    Step 7. In the Click&Clean drop-down menu, scroll down to select Preferences. In the preference section you can set preferences that manage and limit the data that websites can access, as well as the browsing data stored on your computer.

    Figure 7: The Click&Clean Preferences screen

    3.4 NoScript

    NoScript is a Firefox add-on that helps protect you by preventing potentially malicious code from running within your browser when you access websites.

    When you visit a website, your browser automatically downloads content from that site. In addition to text and images, this content often includes scripts, which are essentially small programs that run inside your browser. NoScript is a Firefox add-on that prevents your browser from running such programs without your permission.

    The vast majority of these scripts are harmless and serve only to make webpages more interactive. Some of them are malicious, however, and some of them are third-party trackers capable of building a profile of your online activities.

    Unfortunately, NoScript cannot automatically identify which scripts are safe and which are harmful. So, when you first tell it to Block Scripts Globally, it will prevent many websites from displaying properly. Once you start whitelisting scripts from different locations, however, things will begin returning to normal, and you will still be protected from potentially dangerous Web content.

    To install NoScript, follow the steps below:

    Step 1. Select Tools > Add-ons in the main Firefox menu. (Or you can use the shortcut key combination Shift + Command + A.)

    Figure 1: Accessing add-ons in Firefox

    Step 2. In the “Get Add-ons” section, type NoScript in the search bar and press enter.

    Figure 2: The Add-ons Manager in Firefox

    You should now have a list of add-on search results, including one for NoScript.

    Figure 3: Finding the NoScript add-on for Firefox

    Step 3. Click [Install], next to NoScript, to download the add-on.

    Figure 4: NoScript add-on downloaded

    Step 4. Click the Restart Now link to install NoScript.

    Step 5. After Firefox has restarted, you will be taken to NoScript’s website on a new browser tab.

    In order to verify that NoScript has been installed successfully, return to Firefox’s add-ons manager tab. Click [Extensions] in the menu on the left side of the add-ons manager. NoScript should be listed along with your other installed add-ons.

    Figure 5: NoScript installed

    Although NoScript might seem a little frustrating at first (as the websites you have always visited may not display properly), you will immediately profit from the automated object-blocking feature. This will restrict pesky advertisements, pop-up messages and malicious code built (or hacked) into web pages.

    NoScript will run silently in the background until it detects the presence of JavaScript, Adobe Flash or other script-like content. At that point NoScript will block this content and a status bar will appear at the bottom of the Firefox window. The NoScript status bar displays information about which objects (for example, advertisements and pop-up messages) and scripts are currently prevented from executing on your system. But since NoScript does not differentiate between malicious and legitimate code, certain key features and functions (for instance, a tool bar) may be missing.

    Some web pages present content, including script-like content, from more than one website. For example, a website like www.twitter.com has two sources of scripts (twitter.com and twimg.com). To unblock scripts in these circumstances, start by selecting the Temporarily Allow [website name] option (in this instance, Temporarily allow twitter.com). However, if this does not allow you to view the page, you may determine, through a process of trial and error, the minimum number of websites required to view your chosen content. For instance, on Twitter, you need to select both the Temporarily allow twitter.com and Temporarily allow twimg.com options in order for Twitter to work. For websites that you trust and frequently visit, select the Allow [website name] option. Selecting this option permits NoScript to permanently list that website as trusted.
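    The allow-list decision described above can be modelled in a few lines. This is an added example, not NoScript's code or code from this guide; the class and function names, the two-label site rule and the script URLs (including the third-party tracker host) are assumptions constructed for illustration.

```javascript
// Simplified model of per-site script permissions with temporary and
// permanent grants. All script URLs below are constructed sample data.
function baseSite(hostname) {
  // Simplification: treat the last two labels as the site ("twimg.com").
  // Names such as example.co.uk need the Public Suffix List instead.
  return hostname.split(".").slice(-2).join(".");
}

class ScriptPolicy {
  constructor() {
    this.permanent = new Set(); // "Allow [website name]"
    this.temporary = new Set(); // "Temporarily allow [website name]"
  }
  allow(site) { this.permanent.add(site); }
  temporarilyAllow(site) { this.temporary.add(site); }
  // Temporary grants are dropped when the browser session ends.
  endSession() { this.temporary.clear(); }

  isAllowed(scriptUrl) {
    const site = baseSite(new URL(scriptUrl).hostname);
    return this.permanent.has(site) || this.temporary.has(site);
  }

  // Split a page's script sources into what runs and what stays blocked.
  evaluate(scriptUrls) {
    const allowed = [];
    const blocked = [];
    for (const u of scriptUrls) (this.isAllowed(u) ? allowed : blocked).push(u);
    const blockedSites = [...new Set(blocked.map((u) => baseSite(new URL(u).hostname)))];
    return { allowed, blocked, blockedSites };
  }
}

// Scripts requested by one page: two the page needs, one it does not.
const PAGE_SCRIPTS = [
  "https://twitter.com/app.js",
  "https://abs.twimg.com/bundle.js",
  "https://ads.tracker.example/t.js",
];

const policy = new ScriptPolicy();
console.log("default:", policy.evaluate(PAGE_SCRIPTS).blockedSites);
policy.temporarilyAllow("twitter.com");
console.log("after twitter.com:", policy.evaluate(PAGE_SCRIPTS).blockedSites);
policy.temporarilyAllow("twimg.com");
console.log("after twimg.com:", policy.evaluate(PAGE_SCRIPTS).blockedSites);
policy.endSession();
console.log("next session:", policy.evaluate(PAGE_SCRIPTS).blockedSites);
```

    Stopping at the two sites the page needs leaves the third-party script blocked, which is the point of working up to the minimum set rather than allowing everything on the page.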

    FAQ

    Q: Why would I want so many different add-ons to defend myself against malicious websites? If NoScript protects me from potentially dangerous scripts, for example, why do I also need other add-ons which function in a similar way?

    A: It is often a good idea to use more than one tool to address the same general security issue (anti-virus programs are an important exception to this rule, since they tend to conflict with one another). These Firefox add-ons use very different techniques to protect your browser from a variety of threats. NoScript, for example, blocks all scripts from unknown websites, but users tend to 'whitelist' the websites they visit frequently, which allows them to load potentially-malicious scripts. NoScript users also tend to allow unknown sites to load scripts, on a temporary basis, if those scripts are necessary for the page to function properly.