27 September, 2013
Firefox and Security Add-Ons for Windows - Secure Web Browser

Mozilla Firefox is a free and increasingly popular web browser. Mozilla Firefox is enhanced by the availability of numerous add-ons for it, including some that are designed to protect your privacy and security when you browse the web.

Version used in this guide: 
Free/Open Source Software
System requirements: 
  • Microsoft Windows
What you will get from this guide: 

A stable and secure Internet browser whose features can be enhanced by numerous add-ons.

The ability to protect yourself from potentially dangerous programs and malicious web sites.

The ability to wipe any traces of your browsing sessions from the computer.

1. Introduction to Firefox
1.0 Other tools like Firefox

GNU Linux, Mac OS and other Microsoft Windows Compatible Programs:

The Mozilla Firefox browser is available for GNU Linux, Mac OS, Microsoft Windows and other operating systems. The secure management of web pages is absolutely vital, as they are the most common source of malware infection. Therefore, we strongly recommend that you use Mozilla Firefox and the prescribed add-ons for this purpose. The security advantages available in Firefox, a cross-platform free and open source program, are even more important when compared to its commercial equivalents like Internet Explorer. However, if you would prefer to use a program other than Mozilla Firefox, we recommend the following alternatives available for GNU Linux, Mac OS and Microsoft Windows:

1.1 Things you should know about Firefox before you start

This chapter assumes that you already know how to use a web browser; it will not explain how to use the Mozilla Firefox browser functions. Its purpose is to explain some additional functions that will make using it more secure.

  • Mozilla Firefox Add-ons (also referred to as 'extensions') are small programs which add new features to Firefox or extend its existing functionality.

  • Mozilla Firefox Plugins are small pieces of software, usually designed by a third party, to enable the use of their software within the Firefox browser.

In this chapter, you will learn how to download, install and use the following Mozilla Add-ons to increase the privacy, safety and security of your Firefox web browser, and of your Internet experience as a whole.

Version of the NoScript add-on is documented separately in section 4.0 About NoScript. Other add-ons are documented in More Useful Firefox Add-Ons:

  • HTTPS Everywhere 3.4.1
  • Adblock Plus 2.3
  • Better Privacy 1.68
  • Beef Taco 1.3.7

Important: The overwhelming majority of malware and spyware infections originate from web pages. It is very important that you always consider whether it is safe to open a given web address, especially if you received it by email. Before you decide to open a page, we recommend that you scan the web address using the following page scanners:

You can also check the reputation of a web site using the scanners listed below:

2. Install and Configure Firefox

Firefox has many easy-to-use settings for protecting your privacy and security whenever you access the Internet. How frequently you may have to configure these settings depends on your particular situation:

  • If you are using your personal computer, and do not allow others to use it for browsing purposes, you need only configure these settings once.

  • If you are in a public location or at work, you may have to repeatedly re-configure these settings for your own use.

Note: You may also carry a portable version of Firefox with you on a USB memory stick. This lets you configure Firefox according to your requirements, and you can use this version on any public computer. For more information about Firefox portable, please refer to Mozilla Firefox, Portable Edition.

2.1 Install Firefox

Installing Firefox is a simple and straightforward process. To begin installing Firefox, perform the following steps:

Step 1. Double click ; the Open File - Security Warning dialog box may appear. If it does, click to activate the Extracting progress status bar.

A few moments later, the Welcome to the Firefox Setup Wizard window will appear.

Step 2. Follow the steps in the guided installation process, and simply accept the default options and settings.

Note: Do not change the default options and settings unless you know what you are doing and why you are doing so.

2.2 Configure General Options

To begin configuring Firefox, perform the following steps:

Step 1. Select Tools > Options... in the Firefox menu bar as follows:

Figure 1: The Tools menu with the Options item selected

This will activate the Options window as follows:

Figure 2: The Options window displaying the default General pane

Tip: Click if the General pane is not automatically displayed as shown in Figure 2 above.

The General pane lets you configure a few basic Firefox settings, among them your preferred home page and the location of your Downloads folder.

The default setting for the When Firefox starts drop-down menu is Show my home page, and the default home page is the Mozilla Firefox Start Page.

Tip: Click to automatically set another page you know to be trustworthy as your home page.

2.3 Configure Privacy Options

The Privacy pane lets you manage privacy and security options for the browser.

Step 1. Click to activate the following screen:

Figure 3: The Options window displaying the Privacy pane

The Privacy pane is divided into three sections: The Tracking section, the History section and the Location bar section.

  • The Tracking section

The Do Not Track section lets you determine whether you wish your internet activities and behaviours to be monitored or tracked by third parties, for instance, advertising companies, analytic services, or market researchers. The first time Firefox is installed, the default setting is Do not tell sites anything about my preferences and must be changed; enabling the Tell sites I do not want to be tracked option notifies participating companies and organizations that you do not wish to be tracked.

Note: The Do Not Track option is based on an honour system and is voluntary; as such, individual web sites are neither legally nor technically compelled to respect such requests. Although a growing number of respectful and responsible organizations are participants, the Do Not Track option must be complemented by other add-ons or plugins that effectively target the commercial or malicious interests; enabling this option reduces your exposure to potentially harmful advertisements online. For more information about Firefox add-ons, please refer to More Useful Firefox Add-Ons.

Figure 4: The Tracking section

Step 1. Check the Tell sites I do not want to be tracked option (as shown in Figure 4 above) to have your privacy and security respected by the participants.

  • The History section

The History section lets you manage your Firefox browser 'history', that is, a list of all the different sites you have visited since you began using Firefox. The default Firefox will: option is Remember history and must be changed to protect your internet privacy and security.

To eliminate traces of your browsing history, perform the following steps:

Step 1. Activate the Firefox will: drop-down list and select the Never remember history item as shown in Figure 3.

Step 2. Click to activate the following screen:

Figure 5: The Clear All History window

Step 3. Select all check-boxes and click to clear Firefox of all potentially revealing data, and return to the Privacy pane.

  • The Location Bar section

The Location Bar section uses addresses, cookies and other temporary data from bookmarked web sites, and the web history to prompt or suggest addresses in the Firefox Universal Resource Locator (URL) bar for your browsing convenience. The default When using the location bar, suggest: option is History and Bookmarks, and must be changed to protect your internet privacy and security.

To eliminate traces of your browsing habits and history, perform the following steps:

Step 1. Activate the When using the location bar, suggest drop-down list and then select the Nothing item as shown in Figure 6 below and Figure 3 above:

Figure 6: The Location Bar displaying the Nothing item

Step 2. Click to confirm your settings and exit the Options window.

Note: For a more secure and thorough approach to deleting temporary data, please refer to the chapter on CCleaner.

2.4 Configure Security Options

The Security pane is divided into two sections: the first deals with potentially threatening actions from external sources and the second, or Passwords section, with password management.

Note: For more information on password storage, please refer to the chapter on KeePass.

Step 1. Select Tools > Options in the Firefox menu bar to activate the Options window, and then click the Security tab to activate the following screen:

Figure 7: The Options window displaying the Security pane

Step 2. Accept the default settings in the first section.

  • The Passwords section

The Passwords section lets you manage your passwords. The default Remember passwords for sites option is enabled the first time you install and run Firefox, and must be disabled to ensure your password privacy and security. We recommend storing passwords securely in KeePass.

Step 3. Click to complete the configuration of the Security pane in the Options window.

2.5 Configure Advanced Options

The Advanced tab, as its name suggests, is designed with the Advanced or Experienced Firefox user in mind. However, users of all levels will benefit from enabling the following option in the General tab.

  • The Warn me when websites try to redirect or reload the page option enables Firefox to prevent web sites from automatically redirecting you to another page, or reloading themselves without your consent or knowledge.

Figure 8: The Advanced pane options with the default General tab displayed

Step 1. Enable the Warn me when websites try to redirect or reload the page checkbox as shown in Figure 8 above.

Step 2. Click to apply these changes and exit the Advanced tab.

Congratulations! Firefox is now configured to browse the Internet in a private and secure manner.
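The settings chosen in sections 2.3 to 2.5 can be checked afterwards by reading the profile's prefs.js file. The script below is an added example, not part of the original guide; the preference names and built-in defaults it lists are assumptions about Firefox releases of this guide's era (the guide itself names only the Options checkboxes), and the sample file is constructed.

```javascript
// Added example (not from the guide): audit a prefs.js against sections 2.3-2.5.
// ASSUMPTION: these about:config names and built-in defaults are the ones behind
// the Options checkboxes in Firefox releases of this guide's era.
const RECOMMENDED = [
  { pref: "privacy.donottrackheader.enabled", want: true, builtinDefault: false,
    setting: "Tracking: Tell sites I do not want to be tracked" },
  { pref: "privacy.donottrackheader.value", want: 1, builtinDefault: 1,
    setting: "Tracking: the preference sent is 'do not track'" },
  { pref: "browser.privatebrowsing.autostart", want: true, builtinDefault: false,
    setting: "History: Never remember history" },
  { pref: "browser.urlbar.autocomplete.enabled", want: false, builtinDefault: true,
    setting: "Location bar: suggest Nothing" },
  { pref: "signon.rememberSignons", want: false, builtinDefault: true,
    setting: "Passwords: Remember passwords for sites disabled" },
  { pref: "accessibility.blockautorefresh", want: true, builtinDefault: false,
    setting: "Advanced: Warn me when websites try to redirect or reload the page" },
];

// prefs.js holds only values that differ from the built-in default, written as
// one user_pref("name", value); call per line (boolean, integer or string value).
function parsePrefs(text) {
  const prefs = new Map();
  const linePattern = /^\s*user_pref\(\s*"((?:[^"\\]|\\.)+)"\s*,\s*(.+?)\s*\)\s*;\s*$/;
  for (const line of text.split(/\r?\n/)) {
    const match = linePattern.exec(line);
    if (!match) continue; // header comment, blank line or anything unexpected
    try {
      prefs.set(match[1], JSON.parse(match[2]));
    } catch (err) {
      // Value is not a plain literal: skip the line rather than guess.
    }
  }
  return prefs;
}

// Return one finding per recommended setting that is not in effect.
function auditPrefs(text) {
  const prefs = parsePrefs(text);
  const findings = [];
  for (const rule of RECOMMENDED) {
    const explicit = prefs.has(rule.pref);
    const effective = explicit ? prefs.get(rule.pref) : rule.builtinDefault;
    if (effective !== rule.want) {
      findings.push({
        pref: rule.pref,
        setting: rule.setting,
        found: effective,
        want: rule.want,
        source: explicit ? "prefs.js" : "built-in default",
      });
    }
  }
  return findings;
}

// Constructed sample: a profile where the Location bar and Advanced steps were skipped.
const SAMPLE_PREFS = [
  "# Mozilla User Preferences",
  'user_pref("browser.startup.homepage", "about:blank");',
  'user_pref("privacy.donottrackheader.enabled", true);',
  'user_pref("browser.privatebrowsing.autostart", true);',
  'user_pref("signon.rememberSignons", false);',
].join("\n");

for (const f of auditPrefs(SAMPLE_PREFS)) {
  console.log(`NOT APPLIED  ${f.setting}  (${f.pref} = ${f.found}, from ${f.source})`);
}
```

A setting that was never touched is reported with the source "built-in default", which separates a skipped step from one that was changed and later reverted.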

3. Firefox Add-Ons

In the context of Mozilla products, an add-on is simply a lightweight software program which adds new features or extends existing functionality. As such, add-ons are sometimes referred to as extensions. For instance, the NoScript add-on extends Firefox functionality to block scripts from defined servers.

A plugin is essentially a piece of software usually designed by a third party to enable the use of their software within the Firefox browser. An example of a common plugin would be the Flash plugin designed to display Adobe Flash content within the Firefox browser window.

3.1 Install Firefox Add-Ons

Downloading and installing Mozilla Add-ons is quick and simple. To begin downloading and installing different add-ons, perform the following steps:

Step 1. Select Start > Mozilla Firefox or double-click the Firefox desktop icon to open Firefox.

Step 2. Type https://addons.mozilla.org/ into the Firefox address bar, and then press Enter to activate the Mozilla Add-ons for Firefox site.

Step 3. Type the name of the add-on into the Mozilla search field (the Adblock Plus add-on is used in this example) as follows:

Figure 1: The Mozilla Firefox Add-ons Search bar displaying Adblock Plus

Step 4. Either click or press Enter to display the following screen:

Figure 2: The Search Results for Adblock Plus pane

Tip: The green Add to Firefox button only appears when the cursor is placed within a specified add-on section.

Step 5. Click to activate the following screens:

Figure 3: The Adblock Plus :: Search :: Add-ons for Firefox - Mozilla Firefox window

Step 6. Click to activate the following windows:

Figure 4: The Adblock Plus :: Search :: Add-ons for Firefox - Mozilla Firefox with a pop-up warning

Figure 5: The Adblock Plus Software Installation window

Step 7. Click after it becomes enabled, to begin installing the add-on; after the installation has been completed, the following screen will appear:

Figure 6: The adblock plus :: Search :: Add-ons for Firefox - Mozilla Firefox with a pop-up notification

Tip: Many add-ons and extensions currently require that Firefox be restarted to successfully install them. Click either or , to select the Not Now item if you prefer to restart Firefox later.

Step 8. Select the Add-ons item in the Tools menu in the Firefox menu bar, to activate the following screen:

Figure 7: The Tools menu with the Add-ons item selected

Figure 8: The Add-ons Manager tab displaying the newly installed Adblock Plus add-on

Important: Do not install add-ons from unknown sources. Instead, always install add-ons from the https://addons.mozilla.org/ web site for improved security.

3.2 Disable or Remove Firefox Add-Ons

The Add-ons tab displays all installed add-ons as shown in Figure 8. Any Mozilla add-on can be either temporarily disabled by clicking or completely removed by clicking . However, in some instances Firefox must be restarted for the changes to take effect.

3.3 Update Mozilla Add-ons

Every so often, the various add-ons designed for use must be updated to be compatible or current with the latest version of Firefox. Depending on your connection speed, you may choose to either update these add-ons automatically or manually.

Step 1. Click to activate its associated menu, and then select the Check for updates item to manually update your add-ons as shown in Figure 9 below.

Figure 9: The Add-ons Manager update button displaying its associated drop-down list

Step 2. Alternatively, select the Update Add-ons Automatically item to update your add-ons automatically as shown in Figure 9 above.

3.4 Update Mozilla Plugins

Given that a few plugins may not automatically update themselves, users are strongly recommended to check for the latest updates of Mozilla Plugins.

To manually check for updates of plugins, perform the following steps:

Step 1. Click https://www.mozilla.com/plugincheck to activate the following site:

Figure 10: The Mozilla Firefox Plugin Check & Updates site

Step 2. Address each plugin issue presented on the web page, indicated by the status on the button as follows:

  • For plugins displaying we strongly recommend that you immediately update them by clicking this button, and follow its instruction page. (Alternatively, please follow the steps after this list of buttons to disable or remove obsolete plugins.)

  • For plugins displaying , consider disabling or removing them unless the plugins are required and updated individually.

  • For plugins displaying , review them individually to determine which are required, and disable or remove those which are unknown or unnecessary.

To disable an unknown plugin or one that is no longer required, perform the following steps:

Step 1. Select Tools > Add-ons to activate the Add-ons Manager tab.

Step 2. Click to reveal a complete list of Mozilla Firefox plugins, identify the plugin you would like to disable, and then click .

To remove a plugin from your computer:

Step 1. Click Start > Control Panel.

Step 2. Click .

Step 3. Select the relevant program from the window, and then click .

Repeat these steps until all the issues on the Plugin Check & Updates page are resolved. It is absolutely essential that you search for updates on a monthly basis at minimum. Plugins are constantly being improved and upgraded to deal with all manner of evolving security problems.

IMPORTANT: The Adobe Flash and Oracle Java browser plugins are often found to contain security vulnerabilities that could allow a remote user to assume control of your computer or install malware. It is strongly advised that you disable both of those plugins in Firefox. For more information about how to disable or remove Java, please refer to Oracle's steps to disable Java for all browsers on your computer or their guide on how to uninstall Java from your computer.

4. The NoScript Add-On

NoScript is a particularly useful Mozilla Add-on that can help protect your computer from malicious websites on the Internet. It operates by implementing a 'white list' of sites that you have determined as acceptable, safe or trusted (like a home-banking site or an on-line journal). All other sites are considered potentially harmful and their functioning is restricted, until you have determined that the content of a particular site presents no harm; at this point, you may add it to the white list.

NoScript will automatically start blocking all banners, pop-up advertisements, JavaScript and Java code, as well as other potentially harmful web site attributes. NoScript cannot differentiate between harmful content and content necessary to correctly display a web site. It is up to you to make exceptions for those sites with content that you think is safe.

4.1 Use the NoScript Add-On

Before you begin using NoScript ensure that it was successfully installed by selecting Tools > Add-ons to activate the Add-ons window and confirm that it has been installed.

Tip: Although NoScript might seem a little frustrating at first (as the websites you have always visited may not display properly), you will immediately profit from the automated object-blocking feature. This will restrict pesky advertisements, pop-up messages and malicious code built (or hacked) into web pages.

NoScript will run silently in the background until it detects the presence of JavaScript, Adobe Flash or other script-like content. At that point NoScript will block this content and a status bar will appear at the bottom of the Firefox window as follows:

Figure 1: The NoScript status bar

The NoScript status bar displays information about which objects (for example, advertisements and pop-up messages) and scripts are currently prevented from executing themselves on your system. The following two figures are prime examples of NoScript at work: In Figure 2, NoScript has successfully blocked an advertisement created in Adobe Flash Player on a commercial website.

Figure 2: An example of NoScript blocking a pop-up advertisement in a commercial site

In Figure 3, the Twitter web site notifies you that JavaScript must be enabled (at least temporarily) to view this web site.

Figure 3: The Twitter web site requesting that JavaScript be enabled

Since NoScript does not differentiate between malicious and real code, certain key features and functions (for instance, a tool bar) may be missing. Some web pages present content, including script-like content, from more than one website. For example, a website like www.twitter.com has two sources of scripts (twitter.com and twimg.com):

Figure 4: An example of the NoScript status bar Options menu

To unblock scripts in these circumstances, start by selecting the Temporarily Allow [website name] option (in this instance, Temporarily allow twitter.com). However, if this does not allow you to view the page you may determine, through a process of trial and error, the minimum number of websites required to view your chosen content. For instance, on Twitter, you must select the Temporarily allow twitter.com and Temporarily allow twimg.com options, in order for Twitter to work.

Warning! Under no circumstances should you ever select the Allow Scripts Globally (dangerous) option. As far as possible, avoid selecting the Allow all from this page option. Occasionally, you may have to permit all scripts; in this situation, ensure that you only do this temporarily for sites you really trust, that is, until the end of your on-line session. It only takes a single injection of malicious code to compromise your on-line privacy and safety.

For websites that you trust and frequently visit, select the Allow [website name] option. (In the example above, Allow twitter.com and Allow twimg.com have been selected). Selecting this option permits NoScript to permanently list that website as trusted.
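The allow-listing behaviour described in this section, as an added example that is not part of the original guide and is not NoScript's own code. It is a simplified model: the matching rule (an allowed site also covers its subdomains), the script paths, the abs.twimg.com host name and the two .example hosts are assumptions constructed for illustration.

```javascript
// Added example, not NoScript's code: a simplified model of per-site script allow-listing.
// ASSUMPTION: an allowed site also covers its subdomains, matched on a label boundary.
class ScriptPolicy {
  constructor() {
    this.permanent = new Set(); // "Allow [website name]"
    this.temporary = new Set(); // "Temporarily allow [website name]"
  }
  allow(site) { this.permanent.add(site.toLowerCase()); }
  temporarilyAllow(site) { this.temporary.add(site.toLowerCase()); }
  endSession() { this.temporary.clear(); } // temporary permissions do not survive the session

  isAllowed(host) {
    const h = host.toLowerCase();
    for (const site of [...this.permanent, ...this.temporary]) {
      // "." + site keeps look-alike hosts from matching: "twitter.com.lookalike.example"
      // neither equals "twitter.com" nor ends with ".twitter.com".
      if (h === site || h.endsWith("." + site)) return true;
    }
    return false;
  }

  // Split the scripts a page wants to load into those that run and those that are blocked.
  evaluate(scriptUrls) {
    const run = [];
    const blocked = [];
    for (const url of scriptUrls) {
      let host = null;
      try { host = new URL(url).hostname; } catch (err) { /* unparsable: stays blocked */ }
      (host !== null && this.isAllowed(host) ? run : blocked).push(url);
    }
    return { run, blocked };
  }
}

// Constructed sample: scripts requested by one page, from four different hosts.
const PAGE_SCRIPTS = [
  "https://twitter.com/js/app.js",
  "https://abs.twimg.com/js/bundle.js",
  "https://ads.tracker.example/pixel.js",
  "https://twitter.com.lookalike.example/app.js",
];

// Replays the trial-and-error sequence from the text and records each state.
function walkthrough() {
  const policy = new ScriptPolicy();
  const steps = {};
  steps.defaultDeny = policy.evaluate(PAGE_SCRIPTS);   // nothing allowed yet
  policy.temporarilyAllow("twitter.com");
  steps.twitterOnly = policy.evaluate(PAGE_SCRIPTS);   // page still incomplete
  policy.temporarilyAllow("twimg.com");
  steps.bothSites = policy.evaluate(PAGE_SCRIPTS);     // minimum set for the page
  policy.endSession();
  steps.afterSession = policy.evaluate(PAGE_SCRIPTS);  // back to default deny
  policy.allow("twitter.com");
  policy.allow("twimg.com");
  policy.endSession();
  steps.permanent = policy.evaluate(PAGE_SCRIPTS);     // survives the session
  return steps;
}

for (const [name, result] of Object.entries(walkthrough())) {
  console.log(`${name}: ${result.run.length} run, ${result.blocked.length} blocked`);
}
```

Even with both sites allowed, the third-party tracker and the look-alike host stay blocked, which is the difference between allowing named sites and the Allow all from this page or Allow Scripts Globally options.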

5. Useful Firefox Add-Ons

The Mozilla Firefox Add-ons featured in this section are designed to enhance or protect the anonymity, privacy and security of your browsing sessions. To download them, please refer to the Downloading Firefox section.

5.1 HTTPS Everywhere

HTTPS Everywhere is a Mozilla Firefox extension ensuring that you always communicate with a specified list of websites over an encrypted (https) channel. Although many websites do offer encryption, they tend to default to an unencrypted http address. The HTTPS Everywhere extension fixes these problems by rewriting all your requests to these sites to the HTTPS protocol. It runs silently in the background, ensuring that your Internet sessions with those selected sites are safe and secure. However, it works only when those sites are using the HTTPS protocol themselves.

After the HTTPS Everywhere extension has been successfully installed, the following screen will appear:

Figure 1: The Should HTTPS Everywhere Use the SSL Observatory? prompt screen

Step 1. Click to activate the following screen:

Figure 2: The SSL Observatory Preferences screen

Note: If there has been a previous installation of HTTPS Everywhere on your Firefox browser, select Tools > HTTPS Everywhere > SSL Observatory Preferences and verify that the Use the Observatory and When you see a new certificate, tell the Observatory which ISP you are connected to options are enabled. If you are not using Tor, enable the Check certificates even if Tor is not available option as well.
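The list-based rewriting described at the start of this section, as an added example that is not part of the original guide and is not HTTPS Everywhere's own code. It is a simplified model; the rule list, host names (all under .example) and function names are constructed for illustration.

```javascript
// Added example, not HTTPS Everywhere's code: a simplified model of list-based
// HTTPS rewriting. All hosts and rules below are constructed.
const RULESETS = [
  { name: "Example Mail",
    targets: ["mail.example", "www.mail.example"],
    rules: [{ from: /^http:\/\/(?:www\.)?mail\.example\//, to: "https://www.mail.example/" }] },
  { name: "Example CDN",
    targets: ["*.cdn.example"],
    rules: [{ from: /^http:/, to: "https:" }] },
];

// A target is an exact host, or "*.domain" covering any subdomain of that domain.
function targetMatches(target, host) {
  return target.startsWith("*.") ? host.endsWith(target.slice(1)) : host === target;
}

// Rewrite one request. Only plain-http requests to listed sites are changed;
// everything else is returned as it came in, with ruleset set to null.
function rewrite(rawUrl) {
  const url = new URL(rawUrl);
  const unchanged = { url: url.href, ruleset: null };
  if (url.protocol !== "http:") return unchanged;
  for (const ruleset of RULESETS) {
    if (!ruleset.targets.some((t) => targetMatches(t, url.hostname))) continue;
    for (const rule of ruleset.rules) {
      if (rule.from.test(url.href)) {
        return { url: url.href.replace(rule.from, rule.to), ruleset: ruleset.name };
      }
    }
  }
  return unchanged;
}

// Hosts that are still contacted without encryption after rewriting.
function stillPlaintext(urls) {
  return urls
    .map(rewrite)
    .filter((r) => r.url.startsWith("http:"))
    .map((r) => new URL(r.url).hostname);
}

// Constructed sample of requests made during one browsing session.
const REQUESTS = [
  "http://mail.example/inbox?id=7",          // listed: rewritten
  "http://img.cdn.example/logo.png",         // listed by wildcard: rewritten
  "https://mail.example/settings",           // already encrypted: untouched
  "http://news.example/story",               // not on the list: stays plain http
  "http://mail.example.lookalike.example/",  // look-alike host: not on the list
];

for (const r of REQUESTS.map(rewrite)) {
  console.log(`${r.ruleset ? "rewritten" : "unchanged"}  ${r.url}`);
}
console.log("still unencrypted:", stillPlaintext(REQUESTS).join(", "));
```

The last two requests show the limit stated above: a site that is not on the list is still reached over plain http.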

5.2 Adblock Plus

Adblock Plus is a content filtering extension designed to limit or restrict the ability of ads to display themselves.

After Adblock Plus has been successfully installed, the following page will be launched: chrome://adblockplus/content/ui/firstRun.html

Figure 3: The Adblock Plus chrome content page

Step 1. Click so that it changes to for the Malware Blocking, Remove Social Media Buttons and Disable Tracking options (as shown in Figure 1 above).

Step 2. Select Tools > Adblock Plus > Filter preferences... to activate the following window:

Figure 4: The Add Adblock Plus Filter Preferences displaying three filter subscriptions

Step 3. Click each filter subscription checkbox to enable it (as shown in Figure 2 above), and then disable the option, to prevent all advertisements described or listed in these filters from displaying themselves.

Step 4. If you work in multiple languages, click to view different filter subscriptions, then click to activate a drop-down list of different subscription filters, select the appropriate one, and then click .

Step 5. To update your filter subscriptions, click , and then select the Update filters item from the pop-up menu.

5.3 Beef Taco (Targeted Advertising Cookies Opt-Out)

Beef Taco is a Mozilla Firefox add-on which lets you manage cookies associated with advertising from a variety of companies, among them Google, Microsoft and Yahoo. It can be configured to delete cookies known as Targeted Advertising Cookies Opt-Out automatically. However, it also permits Experienced and Advanced users to specify in a more detailed way which cookies are permitted to reside on your system, and which to be eliminated.

5.4 Better Privacy

Better Privacy is a Mozilla Firefox add-on which helps to protect your system from special cookies referred to as LSOs (Local Shared Objects), which may be placed on your computer by a Flash script. Those cookies are not removed by the standard Firefox cleaning procedure for cookies.

5.5 Other Useful Firefox Add-Ons

This section describes a number of useful add-ons and extensions that are free and open-sourced (or in the process of becoming so), and that can enhance or extend your ability to browse the Web in a private and secure manner.

5.5.1 Cryptocat

Cryptocat is an open source encrypted, private Instant Messaging add-on that works in your browser. Thus in certain situations it may be easier to use than other comparable text chat software. Cryptocat lets you create a virtual chat room where you can chat with all members, or have private, one-to-one conversations with individual participants. All chats are encrypted and decrypted in the user's browser before sending and after receiving. Cryptocat is available as a browser extension for Mozilla Firefox, Google Chrome and Apple Safari and also as a Mac OS X app.

5.5.2 Disconnect

Disconnect is designed to keep your data safe from third-party web trackers, while analysing trackers and sorting them into different groups, for instance, advertisers, analytics and social ones.

5.5.3 DuckDuckGo

DuckDuckGo is designed to provide a private and safe alternative to Internet search engines such as Google or Bing. DuckDuckGo neither records nor shares user information, and all users have access to the same information. Either go directly to the DuckDuckGo website, or click the DuckDuckGo icon to install it as your default search engine in the search bar.

5.5.4 vtzilla

vtzilla is a Mozilla Firefox browser extension designed to scan downloads and websites for malware and viruses. After the vtzilla extension has been successfully installed, the vtzilla toolbar (which can be toggled on and off) appears beneath the Firefox navigation toolbar. Simply copy and paste, or type a website address into the vtzilla search box, and your search request will be directed to Virus Total, a website that directs more than 40 different malware or virus scanners to the specified link or website. Additionally, vtzilla reduces the risk of infection by adding yet another level of protection to an existing anti-virus program (for instance avast!), by scanning your downloadable files.

5.5.5 ShareMeNot

ShareMeNot is designed to prevent third-party buttons (such as the Facebook “Like” button or the Twitter “tweet” button) embedded by sites across the Internet from tracking you, until you actually click on them.

5.5.6 Click&Clean

Click&Clean is designed to automatically delete private data upon closing Firefox; this includes clearing records from your download history, deleting browsing history, and removing cookies, including Flash Local Shared Objects (LSO). It also deletes temporary files and empties your local cache.

Note: Alternatively, users may also consider using external applications, like CCleaner, Wise Disk Cleaner etc. on Windows operating systems, or Janitor or BleachBit on Linux.

6. Portable Firefox
6.1 Differences between the Installed and Portable versions of Firefox

Given that portable tools are not installed on a local computer, their existence and use may remain undetected. However, keep in mind that your external device or USB memory stick, and portable tools are only as safe as the computer you are using, and may risk being exposed to adware, malware, spyware and viruses.

There are no other differences between Mozilla Firefox, Portable Edition and the version designed to be installed on a local computer.

6.2 Download and Extract Firefox Portable

To begin downloading and extracting Firefox Portable, perform the following steps:

Step 1. Click http://portableapps.com/apps/internet/firefox_portable to be directed to the appropriate download site.

Step 2. Click to begin downloading the Firefox Portable installation file.

Step 3. Click to save the installation file to your computer; then navigate to it.

Step 4. Double click ; the Open File - Security Warning dialog box may appear. If it does, click to activate the Mozilla Firefox, Portable Edition | Portableapps.com Installer window.

Step 5. Click to activate the following screen:

Figure 2: The Choose Install Location window

Step 6. Click to activate the Browse for Folders window as follows:

Figure 3: The Browse for Folder window

Step 7. Navigate to your destination external drive or USB memory stick, as shown in Figure 3 above, then click to confirm the destination of the Mozilla Firefox, Portable Edition file, and return to the Choose Install Location window.

Step 8. Click to begin the extraction process, then click to complete the installation process, and then navigate to the removable drive or USB memory stick to which the Mozilla Firefox, Portable Edition file was saved.

Step 9. Open your removable device or USB memory stick, and it should resemble the following:

Figure 4: The newly installed Mozilla Firefox Portable Edition with the Firefox Portable folder highlighted in blue

Step 10. Open the Firefox Portable folder and then double click to begin using Firefox Portable.

Please refer to the Firefox chapter to begin configuring and using it.


Q: Why would I want so many different add-ons to defend myself against malicious websites? If NoScript protects me from potentially dangerous scripts, for example, why do I also need other add-ons which function in a similar way?

A: It is often a good idea to use more than one tool to address the same general security issue. (Anti-virus programs are an important exception to this rule, since they tend to conflict with one another.) These Firefox add-ons use very different techniques to protect your browser from a variety of threats. NoScript, for example, blocks all scripts from unknown websites, but users tend to 'whitelist' the websites they visit frequently, which allows them to load potentially-malicious scripts. NoScript users also tend to allow unknown sites to load scripts, on a temporary basis, if those scripts are necessary for the page to function properly.

Review questions: 
  • How do you erase your temporary Internet history, cookies and cache from your browser?

  • What kinds of attacks can NoScript protect your system from?

This work is licensed under a Creative Commons Attribution-Share Alike 3.0 Unported License.

security in-a-box is a project of Tactical Technology Collective and Front Line Defenders.