Firefox and Security Add-Ons for Windows - Secure Web Browser

Posted 10 August 2016


    Mozilla Firefox (often simply called Firefox) is a free and open source web browser. Numerous add-ons are available for it, including some that are designed to protect your privacy and security when you browse the web.

    Required reading

    What you will get from this guide

    • A stable and secure internet browser whose features can be enhanced by numerous add-ons.
    • The ability to protect yourself from potentially dangerous programs and malicious websites.
    • The ability to wipe the digital traces of your browsing activity.

    1. Introduction to Firefox

    This guide assumes that you already know how to use a web browser and will not cover the basic functions of Firefox. It will focus on security-related settings and extensions.

    1.0. Things you should know about Firefox before you start

    Firefox supports many easy-to-use add-ons that improve your privacy and security when you browse the web. You can choose which add-ons to install and decide how to configure them, depending on your circumstances. If you are using a computer that is managed by someone else (at an Internet cafe, for example, or in your place of work), you might have to make these adjustments repeatedly.

    In addition to basic Firefox settings, this guide covers the installation and basic configuration of the following add-ons:

    Tactical Tech's App Centre includes information about additional privacy-enhancing browser add-ons.

    Important: The overwhelming majority of malware and spyware infections originate from web pages. It is important that you always consider whether it is safe to visit unknown websites, particularly those that are sent to you by email. Before you decide to open a web page, we recommend that you scan the web address using the following URL scanners:

    You can also check the reputation of a website using the scanners listed below:

    1.1 Other tools like Firefox

    The Mozilla Firefox web browser is available for Microsoft Windows, GNU/Linux, Apple Mac OS X and other operating systems. Websites are the most common source of malware infection, so accessing them securely is vital. We recommend that you use Mozilla Firefox and install the add-ons covered in this guide. If you would prefer to use a program other than Mozilla Firefox, the alternatives below are also available for Microsoft Windows, GNU/Linux and Apple Mac OS X:

    2. Install, configure and use Firefox

    2.1. Install Firefox

    You can install Firefox through the following steps:

    Step 1. Go to Firefox's website: https://www.mozilla.org/en-US/firefox/new/

    Figure 1: Mozilla Firefox website

    Step 2. Click [Free Download] to download Firefox.

    Step 3. Once you have downloaded Firefox, right-click on the downloaded file and select [Open], as illustrated below:

    Figure 2: Opening a downloaded Firefox file

    Step 4. Click [Install] through the following Firefox Setup screen to start installing Firefox.

    Figure 3: Installation of Firefox through the Firefox Setup screen

    Wait while Firefox gets installed.

    Figure 4: Installation of Firefox

    You can now use the Firefox browser.

    Figure 5: Mozilla Firefox browser

    Note: It is normally a good idea to use the most recent version of security-related software, including web browsers. It is therefore important to regularly update the software that you use.

    2.2. Configure search engines

    You can configure Firefox to use a search engine of your choice. To do so, follow the steps below:

    Step 1. Select [Options] from the menu at the bottom of your browser.

    Figure 1: Firefox menu options

    Step 2. Click [Search] in the side bar of the Options screen.

    Figure 2: Search Options via Firefox's Options screen

    You can now choose your default search engine and decide which other search engines should be accessible through the Firefox search box. We recommend DuckDuckGo as a default search engine because it does not track or profile its users, or share its users' personal information with third parties.

    Other privacy-focused search engines that you can add as options in the Firefox toolbar's search bar include:

    2.3. Configure privacy options

    You can configure the Firefox privacy settings by following the steps below:

    Step 1. Select [Options] through Firefox's browser menu bar at the bottom.

    Step 2. Click [Privacy] in the side bar of the Options screen.

    Figure 1: Firefox privacy settings

    You can now change the Firefox settings related to privacy, third-party tracking, and browsing history by following the steps below:

    Step 3. Many websites collect information about you and allow third parties to gather data about the websites you visit. This is called tracking. Do Not Track is a system that enables users to opt out of tracking by websites they do not visit, including analytics services, advertising networks, and social platforms.

    To enable Do Not Track in Firefox, and minimise the tracking of your online activity, select the two options under the Tracking section. It is important to understand, however, that companies have the ability to ignore your choice and track you anyway. Here is a list of companies' commitments to honoring Do Not Track requests.

    Step 4. The History section lets you manage your Firefox browsing history preferences. Your browsing history is a list of websites you have visited using Firefox. The default option is Remember my browsing and download history, which means that Firefox will remember your browsing, download, form, and search histories. It will also accept cookies from the websites you visit. These cookies allow websites to record information on your device that Firefox will send back to them and their advertising partners.

    To prevent this, in the first option under History that starts with Firefox will:, you can change Remember history to Never remember history. Or you can change it to Use custom settings for history and set more detailed preferences in the History section.

    Step 5. The Location Bar section lets you choose the sources that Firefox will use to recommend web addresses when you start typing in the Address bar. By default, it uses bookmarked web addresses, open tabs, and websites that are in your browser history. You can uncheck any of these sources as you prefer.

    2.4. Configure security options

    You can configure the Firefox security settings by following the steps below:

    Step 1. Select [Options] from the menu at the bottom of your browser.

    Step 2. Click [Security] in the side bar of the Options screen.

    Figure 1: The Firefox security settings

    You can now modify the Firefox security settings.

    Step 3. Uncheck [Remember logins for sites].

    All of the boxes under General should be checked. If they are not, we recommend checking them so that Firefox will:

    • Warn you when websites try to install add-ons
    • Block reported web attacks
    • Block reported web forgeries

    The boxes under Logins relate to Firefox's built-in password manager. If you check the Use a master password box, Firefox will encrypt the website passwords that it saves and prompt you for a master password whenever it needs to enter one for you. In general, we recommend using an offline password manager, such as KeePassX, to store your passwords. But, if you are going to allow Firefox to manage your website passwords, you should check the second box.

    2.5. Configure advanced options

    You can configure various advanced preferences for Firefox by following the steps below:

    Step 1. Select [Options] through Firefox's browser menu bar at the bottom.

    Step 2. Click [Advanced] in the side bar of the Options screen.

    The Advanced preferences screen contains five tabs:

    • General: includes various usability options
    • Data Choices: allows you to choose what data to send to Mozilla about your browser health, security and performance
    • Update: allows you to determine how Firefox will handle automatic updates (including updates to your preferred search engines)
    • Network: allows you to manage proxy settings, cached web content and offline user data
    • Certificates: allows you to decide how Firefox should deal with cryptographic certificates (both when websites request a personal certificate from your browser and when Firefox is trying to determine whether or not an https certificate presented by a website is valid)

    Figure 1: The General tab of the Advanced Options screen

    The General tab includes a useful option that allows Firefox to prevent web sites from automatically redirecting you to another page or reloading themselves without your consent or knowledge.

    Step 3. Check the [Warn me when websites try to redirect or reload the page] box.

    Optional Step 4. Click [Network] in the Advanced section of the Options screen.

    Figure 2: The Network tab of the Advanced Options screen

    Optional Step 5. Here you can configure your browser's proxy settings by clicking on [Settings...].

    2.6 Using privacy features while browsing the web

    In addition to the settings described above, Firefox provides two useful features that give you some control over the data that it stores on your computer and about the websites you visit. They are the Clear recent history screen and Private browsing mode.

    Clear recent history

    To clear data about your browsing history that Firefox has already stored, follow the steps below:

    Step 1. Select [History] from Firefox's menu bar, as illustrated below:

    Figure 1: History tab via Firefox's menu bar

    Step 2. Click [Clear Recent History...] through the drop-down menu.

    Figure 2: Clearing browser history on Firefox

    Step 3. Select [Everything] through the drop-down menu of Firefox's Clear Recent History screen, if you are interested in deleting all of your browser history. Alternatively, you can select a limited time frame for the deletion of your browsing history, as illustrated by the options in the drop down menu.

    Figure 3: Firefox's Clear Recent History screen

    Step 4. Check the boxes which include data that you would like Firefox to clear after each browsing session.

    Figure 4: Firefox's Clear All History screen

    Step 5. Click [Clear Now] to delete the selected data.

    As an alternative to the above, you can use Firefox's Private browsing mode to prevent it from recording your browsing history at all.

    Private browsing mode

    To prevent Firefox from storing data about your current browsing session, follow the steps below:

    Step 1. Select [New Private Window] from Firefox's menu bar, as illustrated below:

    Figure 5: Selecting a Firefox private browsing window

    Step 2. Browse the web using this window.

    Figure 6: Using Firefox's private browsing window

    Firefox will not record your browsing data while you use this window. This includes any tabs you might open within it. The window itself notes a few exceptions, including downloads and bookmarks. It also reminds you that Firefox itself cannot prevent those who might want to monitor your Internet connection (including your ISP) from tracking the websites you visit. For that, you will need Tor Browser.

    3. Firefox add-ons

    A Firefox add-on is software that adds new features or extends existing functionality. Add-ons include plugins, such as Adobe Flash, and extensions, such as NoScript. This section will show you how to disable potentially harmful plugins, then introduce a few useful privacy and security extensions, including:

    Other privacy-friendly add-ons for Firefox can be found through the Tactical Tech App Centre.

    3.1. Update or disable potentially harmful plugins

    Updating your add-ons

    You can update your browser add-ons by following the steps below:

    Step 1. Launch Firefox.

    Figure 1: Firefox

    Step 2. Click the button in the upper, right-hand corner of your browser window.

    Figure 2: The Firefox Options menu

    Step 3. Click [Add-ons]

    Step 4. Click the settings menu icon as illustrated below:

    Figure 3: Firefox Add-ons drop-down menu

    Step 5. Check Update Add-ons Automatically so that your browser add-ons are updated automatically over time. If you choose not to check this option, click Check for Updates regularly.

    Updating your plugins

    You can update your browser plugins by following the steps below:

    Step 1. Launch Firefox.

    Figure 1: Firefox

    Step 2. Click the button in the upper, right-hand corner of your browser window.

    Figure 2: The Firefox Options menu

    Step 3. Click [Add-ons].

    Step 4. Click the Plugins tab on the left-hand side of the window.

    Figure 4: The Firefox Plugins screen

    Step 5. Click the Check to see if your plugins are up to date link to open the Check Your Plugins tab.

    Figure 5: Firefox Check Your Plugins tab

    Step 6. Scroll down to check all of the plugins identified by Firefox.

    Figure 6: More plugins on the Check Your Plugins tab

    Your plugins should fall into one of three categories:

    • If all of your plugins are up-to-date, continue below.
    • Some of your plugins may appear next to a [Research] button. If you click [Research], Firefox will display search results that might help you update the corresponding plugin.
    • If any of your plugins appear next to an [Update Now] button, you should click it and follow the instructions. In the figure above, Adobe Flash Player is an example of an outdated plugin.

    Disabling potentially harmful plugins

    The Adobe Shockwave Flash plugin and the Oracle Java browser plugin are often found to contain security vulnerabilities that could allow a remote user to assume control of your computer or to install malware. It is strongly advised that you disable both of those plugins in Firefox.

    To disable potentially harmful plugins on Firefox, follow the steps below:

    Step 1. Launch Firefox.

    Figure 1: Firefox

    Step 2. Click the button in the upper, right-hand corner of your browser window.

    Figure 2: The Firefox Options menu

    Step 3. Click [Add-ons]

    Step 4. Click the Plugins tab on the left-hand side of the window.

    Figure 4: The Firefox Plugins screen

    Step 5. Click the arrow next to [Always Activate] and select Never Activate, as illustrated in the example below (though the specific plugin in the example is not necessarily harmful):

    Figure 5: Disabling plugins

    For more information about how to disable or remove Java, please refer to Oracle's steps to disable Java for all browsers on your computer.

    Note: If you select Ask to Activate, Firefox will let you know when a website tries to send you Flash content. You will then have the option to click [Allow], in the upper right-hand corner of your browser window, as shown below. However, we recommend that you fully disable Flash.

    Figure 12: Firefox prompting you to allow Flash content

    3.2. HTTPS Everywhere

    HTTPS Everywhere is an add-on that helps Firefox connect securely to websites that support encryption.

    When you access a page using a web address that begins with "http://" (such as http://www.amazon.com), your connection is unencrypted. The information you send to and receive from that website can be seen by anyone with the ability to monitor your Internet traffic. This includes your Internet service provider (ISP) and many surveillance platforms.

    When you access a page using a web address that begins with "https://" (such as https://www.amazon.com), your connection will be encrypted, and third parties will find it much more difficult to intercept the data you send and receive. Unfortunately, even websites that do support https often fail to redirect visitors to the correct web address. This is the problem that HTTPS Everywhere was designed to solve.

    HTTPS Everywhere maintains a list of websites that support https and automatically requests an encrypted connection for those websites—even if you click on a link (or enter an address into your browser) that begins with http.

    To install HTTPS Everywhere, follow the steps below:

    Step 1. Select [Add-ons] through your browser's menu bar, as illustrated below:

    Figure 1: Firefox add-ons option

    Step 2. Type [HTTPS Everywhere] in the search bar of the Firefox Add-ons screen.

    Figure 2: Searching for HTTPS Everywhere

    Step 3. Click [Install] next to HTTPS Everywhere.

    Figure 3: HTTPS Everywhere add-on

    Wait while the HTTPS Everywhere add-on gets installed.

    Figure 4: Installation of HTTPS Everywhere

    Step 4. Click [Restart now] to install HTTPS Everywhere by restarting your Firefox browser.

    Figure 5: Restarting Firefox and installing HTTPS Everywhere

    Here you can choose whether you want to use the EFF's SSL Observatory, which warns you about insecure connections or attacks on your browser.

    Figure 6: SSL Observatory

    Step 5. Click [Yes] to use this SSL Observatory for better browser security.

    Step 6. Verify that HTTPS Everywhere was installed successfully by selecting [Add-ons > Extensions] in the Firefox menu bar. HTTPS Everywhere should be displayed (along with other add-ons).

    Figure 7: HTTPS Everywhere installed

    HTTPS Everywhere is now installed. When you connect to a website that is included in the list maintained by the add-on, and that supports https, your connection will be encrypted automatically.

    Note: When HTTPS Everywhere is working, you should still see "https://" in your browser's address bar. If you do not, then your connection is unencrypted.
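
    The list-based upgrade described in this section, and the unlisted-site case the note warns about, can be modelled in a few lines of JavaScript. This is an added example, not HTTPS Everywhere's own code; the rulesets, host names and function names are constructed for illustration.

```javascript
// Simplified model of list-based HTTPS upgrading (added example, not the
// add-on's source). All host names and rulesets below are constructed.
const RULESETS = [
  {
    name: "Example Shop",
    targets: ["shop.example", "*.shop.example"],
    // URLs known to break over https are left alone.
    exclusions: [/^http:\/\/static\.shop\.example\/legacy\//],
    rules: [{ from: /^http:/, to: "https:" }],
  },
  {
    name: "Example News",
    targets: ["news.example"],
    exclusions: [],
    // This site only serves https on its "www" name.
    rules: [{ from: /^http:\/\/news\.example\//, to: "https://www.news.example/" }],
  },
];

// "*.shop.example" matches any subdomain; a plain target must match exactly.
function hostMatches(target, host) {
  return target.startsWith("*.")
    ? host.endsWith(target.slice(1))
    : host === target;
}

// Return the URL the browser should request and why it was (not) upgraded.
function upgradeUrl(rawUrl, rulesets = RULESETS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { url: rawUrl, upgraded: false, reason: "unparseable" };
  }
  if (url.protocol !== "http:") {
    // Already https, or a scheme the list does not cover.
    return { url: url.href, upgraded: false, reason: "not-http" };
  }
  for (const ruleset of rulesets) {
    if (!ruleset.targets.some((t) => hostMatches(t, url.hostname))) continue;
    if (ruleset.exclusions.some((re) => re.test(url.href))) {
      return { url: url.href, upgraded: false, reason: "excluded" };
    }
    for (const rule of ruleset.rules) {
      if (rule.from.test(url.href)) {
        return {
          url: url.href.replace(rule.from, rule.to),
          upgraded: true,
          reason: ruleset.name,
        };
      }
    }
  }
  // Not in the list: the request stays on http, as the note above warns.
  return { url: url.href, upgraded: false, reason: "not-in-list" };
}

// What the address bar check in the note amounts to.
function isEncrypted(rawUrl) {
  return upgradeUrl(rawUrl).url.startsWith("https://");
}

for (const sample of [
  "http://www.shop.example/cart?id=1",
  "http://news.example/world",
  "http://static.shop.example/legacy/viewer",
  "http://unlisted.example/login",
]) {
  const result = upgradeUrl(sample);
  console.log(`${sample} -> ${result.url} (${result.reason})`);
}
```

    The last two sample addresses stay on http, which is why checking the address bar still matters with the add-on installed.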

    3.3. Privacy Badger

    Privacy Badger is a browser add-on that prevents third-party companies from tracking your online activities. It is available for Firefox, the Tor Browser, Chrome, and Chromium.

    To install Privacy Badger, follow the steps below:

    Step 1. Select [Add-ons] through your browser's menu bar, as illustrated below:

    Figure 1: Firefox add-ons option

    Step 2. Type [Privacy Badger] in the search bar of the Firefox Add-ons screen.

    Figure 2: Searching for Privacy Badger

    Step 3. Click [Install] next to Privacy Badger.

    Figure 3: Privacy Badger add-on

    Privacy Badger is now installed.

    Figure 4: Privacy Badger

    Step 4. Verify that Privacy Badger was installed successfully by selecting [Add-ons > Extensions] in the Firefox menu bar. Privacy Badger should be displayed (along with other add-ons).

    Figure 5: Privacy Badger installed

    The Privacy Badger add-on is now installed and can help prevent third party tracking of your online activities. You can click [Options] to change Privacy Badger's settings (though the default values are fine).

    3.4. Click&Clean

    Click&Clean is a browser extension that helps you clear your browsing history with just one click.

    Without privacy enhancing features, a browser can collect different types of information that it stores on the hard disk of your computer. Such data can include your location, browsing history, search history, cookies, cache, active logins and site preferences. This local storage can be deleted by manually cleaning your browser history with a tool like Click&Clean.

    You can install Click&Clean through the following steps:

    Step 1. Select [Add-ons] through your browser's menu bar, as illustrated below:

    Figure 1: Firefox add-ons option

    Step 2. Type [Click&Clean] in the search bar of the Firefox Add-ons screen.

    Figure 2: Searching for Click&Clean

    Step 3. Click [Install] next to Click&Clean.

    Figure 3: Click&Clean add-on

    Wait while Click&Clean gets installed.

    Figure 4: Installation of Click&Clean

    Step 4. Click [Restart now] to install Click&Clean by restarting your Firefox browser.

    Figure 5: Restarting Firefox and installing Click&Clean

    Step 5. Verify that Click&Clean was installed successfully by selecting [Add-ons > Extensions] in the Firefox menu bar. Click&Clean should be displayed (along with other add-ons).

    Figure 6: Click&Clean installed

    Step 6. Click [Options] next to Click&Clean.

    Figure 7: Click&Clean Options

    Step 7. Here you can choose if you want to automate the cleaning of your browser data. You can also clear your browsing history every time you close your browser, so that you do not need to think about your browsing history again.

    Figure 8: Click&Clean Options screen

    Alternatively, just look at your browser – the Click&Clean icon should be there now. If you click on the arrow next to it, you will notice that it offers a variety of features like incognito browsing, privacy testing, cookies, permissions and preferences.

    Figure 9: Click&Clean Options

    The privacy test feature gives you the ability to see what services are running on your browser that you might have forgotten about. The cookies feature shows you what cookies are currently stored on your computer. By using the permissions feature you can change your browser's default settings to enhance your privacy. These settings/permissions include blocking or asking for permission every time the browser wants to store your passwords, share your location and use your camera and microphone.

    Note: As an alternative, you can use an external application like BleachBit for this purpose.

    3.5. NoScript

    When you visit a website, your browser automatically downloads content from that site. In addition to text and images, this content often includes scripts, which are essentially small programs that run inside your browser. NoScript is a Firefox add-on that prevents your browser from running such programs without your permission.

    The vast majority of these scripts are harmless and serve only to make webpages more interactive. Some of them are malicious, however, and some of them are third-party trackers capable of building a profile of your online activities.

    Unfortunately, NoScript cannot automatically identify which scripts are safe and which are harmful. So when you first tell it to Block Scripts Globally, it will prevent many websites from displaying properly. Once you start white-listing scripts from different locations, however, things will begin returning to normal, and you will still be protected from potentially dangerous web content.

    To install NoScript, follow the steps below:

    Step 1. Select [Add-ons] through your browser's menu bar, as illustrated below:

    Figure 1: Firefox add-ons option

    Step 2. Type [NoScript] in the search bar of the Firefox Add-ons screen.

    Figure 2: Searching for NoScript

    Step 3. Click [Install] next to NoScript.

    Figure 3: Installation of NoScript

    Step 4. Click [Restart now] to install NoScript by restarting your Firefox browser.

    Figure 4: Restarting Firefox and installing NoScript

    Step 5. Verify that NoScript was installed successfully by selecting [Add-ons > Extensions] in the Firefox menu bar. NoScript should be displayed (along with other add-ons).

    Figure 5: NoScript installed

    Your browser now supports NoScript and blocks malicious code from running on your computer.

    Although NoScript might seem a little frustrating at first (as the websites you have always visited may not display properly), you will immediately profit from the automated object-blocking feature. This will restrict pesky advertisements, pop-up messages and malicious code built (or hacked) into web pages.

    NoScript will run silently in the background until it detects the presence of JavaScript, Adobe Flash or other script-like content. At that point NoScript will block this content and a status bar will appear at the bottom of the Firefox window. The NoScript status bar displays information about which objects (for example, advertisements and pop-up messages) and scripts are currently prevented from executing on your system. But since NoScript does not differentiate between malicious and legitimate code, certain key features and functions (for instance, a tool bar) may be missing.

    Figure 6: NoScript menu bar drop-down options

    Some web pages present content, including script-like content, from more than one website. For example, a website like www.twitter.com has two sources of scripts (twitter.com and twimg.com). To unblock scripts in these circumstances, start by selecting the Temporarily Allow [website name] option (in this instance, Temporarily allow twitter.com). However, if this does not allow you to view the page, you may determine, through a process of trial and error, the minimum number of websites required to view your chosen content. For instance, on Twitter, you need to select the Temporarily allow twitter.com and Temporarily allow twimg.com options in order for Twitter to work. For websites that you trust and frequently visit, select the Allow [website name] option. Selecting this option permits NoScript to permanently list that website as trusted.

    Step 6. You can further configure NoScript's permissions by clicking [Options] next to NoScript (or by clicking [Options] in NoScript's drop-down menu in your browser).

    Figure 7: NoScript Options

    Note: A vulnerability in NoScript was recently identified. We continue to recommend NoScript because this vulnerability does not present a threat unless you also install a separate (intentionally malicious) add-on. We strongly recommend researching add-ons before you install them and removing any add-ons that you do not need or about which you are uncertain.
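
    The allow-listing behaviour described above for twitter.com and twimg.com, as an added JavaScript model that is not NoScript's own code. The script URLs, tracker.example and the ScriptPolicy class are constructed for illustration, and site names are approximated by the last two labels of the host name.

```javascript
// Simplified model of per-site script allow-listing (added example, not
// NoScript's source). Script URLs and tracker.example are constructed.
class ScriptPolicy {
  constructor() {
    this.permanent = new Set(); // "Allow [website name]"
    this.temporary = new Set(); // "Temporarily allow [website name]"
  }
  allow(site) { this.permanent.add(site); }
  temporarilyAllow(site) { this.temporary.add(site); }
  // Temporary permissions do not survive the end of the session.
  endSession() { this.temporary.clear(); }
  isAllowed(site) {
    return this.permanent.has(site) || this.temporary.has(site);
  }
}

// Assumption: the site name is the last two labels of the host name.
function siteOf(scriptUrl) {
  return new URL(scriptUrl).hostname.split(".").slice(-2).join(".");
}

// With scripts blocked globally, split a page's scripts into allowed/blocked.
function evaluatePage(scriptUrls, policy) {
  const allowed = [];
  const blocked = [];
  for (const scriptUrl of scriptUrls) {
    (policy.isAllowed(siteOf(scriptUrl)) ? allowed : blocked).push(scriptUrl);
  }
  const blockedSites = [...new Set(blocked.map(siteOf))].sort();
  return { allowed, blocked, blockedSites };
}

// The page works once every site it depends on for scripts is allowed.
function pageWorks(requiredSites, policy) {
  return requiredSites.every((site) => policy.isAllowed(site));
}

// Constructed page: two first-party script sources plus a third-party tracker.
const PAGE_SCRIPTS = [
  "https://twitter.com/app.js",
  "https://static.twimg.com/bundle.js",
  "https://cdn.tracker.example/collect.js",
];
const REQUIRED_SITES = ["twitter.com", "twimg.com"];

// Walk through the trial-and-error sequence and record the state at each step.
function demo() {
  const policy = new ScriptPolicy();
  const steps = [];
  const record = (label) =>
    steps.push({
      label,
      works: pageWorks(REQUIRED_SITES, policy),
      blockedSites: evaluatePage(PAGE_SCRIPTS, policy).blockedSites,
    });

  record("default: everything blocked");
  policy.temporarilyAllow("twitter.com");
  record("temporarily allow twitter.com");
  policy.temporarilyAllow("twimg.com");
  record("temporarily allow twimg.com"); // minimum set; tracker stays blocked
  policy.endSession();
  record("after session ends");
  policy.allow("twitter.com");
  policy.allow("twimg.com");
  policy.endSession();
  record("permanently allowed, new session");
  return steps;
}

for (const step of demo()) {
  console.log(step.label, "| works:", step.works, "| blocked:", step.blockedSites.join(", "));
}
```

    Allowing only the two sites the page needs leaves the third-party script blocked, which is the point of finding the minimum set.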

    4. Portable Firefox

    4.1. Differences between the Installed and Portable versions of Firefox

    Given that portable tools are not installed on a local computer, their existence and use can remain undetected. However, keep in mind that your external device or USB memory stick, and the portable tools on it, are only as safe as the computer you are using, and may risk being exposed to adware, malware, spyware and viruses.

    There are no other differences between Mozilla Firefox, Portable Edition and the version designed to be installed on a local computer.

    4.2. Download and Extract Firefox Portable

    To begin downloading and extracting Firefox Portable, perform the following steps:

    Step 1. Click http://portableapps.com/apps/internet/firefox_portable to be directed to the appropriate download site.

    Step 2. Click to begin downloading the Firefox Portable installation file.

    Step 3. Click [Save File] to download the Firefox Portable installation file.

    Figure 1: Saving the Firefox Portable Installation file

    Wait while the Firefox Portable Installation file downloads.

    Figure 2: Downloading the Firefox Portable Installation file

    Step 4. Right-click on the downloaded Firefox Portable file and select [Open].

    Figure 3: Opening the downloaded Firefox Portable file

    Step 5. Click [Next] through the following Installer screen.

    Figure 4: Firefox Portable Installer screen

    Step 6. Select the location where you would like to install Firefox Portable. In the example below, we install it in the Downloads folder, but you can choose to install it directly on a removable disk by selecting it through the [Browse...] option.

    Figure 5: Choosing an Installation Location for Firefox Portable

    Step 7. Click [Install] to install Firefox Portable in the selected location.

    Wait while Firefox Portable gets installed.

    Figure 6: Installing Firefox Portable

    Step 8. Click [Finish] to complete the installation process.

    Figure 7: Completing the installation of Firefox Portable

    You have now installed Firefox Portable in your selected location (which could be a removable disk, such as a USB).

    Step 9. To run Firefox Portable, open the installed Firefox Portable file and double-click on [FirefoxPortable].

    Figure 8: Inside the installed Firefox Portable file

    FAQ

    Q: Why would I want so many different add-ons to defend myself against malicious websites? If NoScript protects me from potentially dangerous scripts, for example, why do I also need other add-ons which function in a similar way?

    A: It is often a good idea to use more than one tool to address the same general security issue (anti-virus programs are an important exception to this rule, since they tend to conflict with one another). These Firefox add-ons use very different techniques to protect your browser from a variety of threats. NoScript, for example, blocks all scripts from unknown websites, but users tend to 'whitelist' the websites they visit frequently, which allows them to load potentially-malicious scripts. NoScript users also tend to allow unknown sites to load scripts, on a temporary basis, if those scripts are necessary for the page to function properly.