Recommended Firefox security extensions

In our Ultimate Privacy Guide we introduced some of our favorite Firefox extensions for making web browsing a more secure activity. While we think that if you have these running then you should be pretty well covered against most threats, here are some more we like.

As noted in the Ultimate Guide, we think that at the very least you should be running AdBlock Plus, Disconnect, HTTPS Everywhere, Better Privacy and possibly NoScript, which we include here for the sake of convenience.

AdBlock Edge – we recommend this fork of AdBlock Plus in Firefox over the original extension, as AdBlock Plus allows ‘some not intrusive advertising’ by default. Although this can be disabled (by going to Add-ons -> Extensions -> AdBlock Plus -> Filter preferences), AdBlock Edge removes this ‘feature’ while keeping the original’s ability to block all manner of adverts, even Facebook ads and those embedded within YouTube videos (here in the UK it even blocks 4oD ads!). In addition to this, it warns you when visiting known malware hosting websites, and disables third party tracking cookies and scripts. Unlike NoScript, AdBlock Edge is very easy to use while still remaining powerful.

  • You can improve Adblock’s (any version) capabilities by subscribing to third-party block lists, which are updated on a regular basis. We suggest those by EasyList (both the EasyList and EasyPrivacy lists) and Fanboy (Adblock List, Tracking List and Annoyance Block List).


Better Privacy (Firefox) – blocks or manages the new and insidious Flash cookies (also known as Local Shared Objects or LSOs), which are not blocked when you disable cookies in your browser.


Bloody Vikings! – an easy-peasy way to create temporary email addresses. Just right-click in an email registration field, select ‘Bloody Vikings’ (or expand to see a choice of services), and a newly generated email address will be inserted into the field while a new browser tab opens to the temporary mailbox.


Cookie Monster – allows you to take control of your cookies (including third party cookies), and manage them in an unobtrusive way on a site or domain name basis.


Disconnect – replacing the popular Ghostery as our favorite anti-tracking and anti-cookie extension thanks to its up-to-date database of tracking cookies, page load optimization, secure WiFi encryption and analytics tools, Disconnect blocks third party tracking cookies and gives you control over all of a website’s elements. It also prevents social networks such as Google, Facebook and Twitter from following you so they can collect data as you surf elsewhere on the internet.


Empty Cache Button – lets you clear your browser cache with one easy click.


HTTPS Everywhere – an essential tool, HTTPS Everywhere was developed by the Electronic Frontier Foundation, and tries to ensure that you always connect to a website using a secure HTTPS connection, if one is available. This is fantastic, but just be aware that we have reservations about how SSL is commonly implemented, and it has almost certainly been cracked by the NSA.


NoScript – this is an extremely powerful tool that gives you unparalleled control over what scripts are run in your browser. However, many websites will not play ball with NoScript, and it requires a fair bit of technical knowledge to configure and tweak it to work the way you want it to. It is easy to add exceptions to a whitelist, but even this requires some understanding of the risks that might be involved. Not for the casual user then, but for web savvy power-users, NoScript is difficult to beat.


Reader’s tip: ‘I would recommend adding that even if you don’t want to bother messing with white lists in Noscript, you should still install the extension and choose to allow all scripts globally. This still provides some needed protection without hindering your browsing experience.’ (Thanks twlph!)

RefControl – stops cross-site tracking by letting you control the HTTP referrer on a site-by-site basis. An HTTP referrer is often added to webpage hyperlinks so the destination page knows where the link was followed from. For example, it is common practice for web businesses to run affiliate programs where affiliate partners receive a commission for sales made by the parent business for customers sent their way. If customers arrive via a hyperlink on an affiliate’s website, it is important to know which one, so the affiliate can get paid. This information is the HTTP referrer.  With this extension you can block this information from being passed on, or can even change it to suit your needs.


Request Policy – denies (or lets you manage) cross site requests (such as advertising). This has the side-benefit of protecting you from Cross-Site Request Forgery (CSRF) attacks, where the browser is tricked into making it appear as if a request to another website was made by you.


Perspectives – SSL is only as safe as the certificates it’s based on, but how do you know these are safe? Certificates can be issued by any number (600+) of dubious bodies, leaving many SSL connections vulnerable to man-in-the-middle (MitM) attacks. Perspectives solves this problem by building ‘a database of server identities using lightweight probing by “network notaries” – servers located at multiple vantage points across the Internet. Each time you connect to a secure website Perspectives compares the site’s certificate with network notary data, and warns if there is a mismatch’, thereby helping you to trust that your SSL connections are truly secure.
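
The notary comparison described above can be sketched as follows. This is an added example, not code from Perspectives: the notary names, the placeholder fingerprints, the `quorum` threshold and the function name are all assumptions made for illustration.

```javascript
// Added illustration of a notary check; not Perspectives' own code.
// Constructed notary replies. Fingerprints are short placeholders, not real
// certificate hashes; null means the notary could not be reached.
const NOTARY_REPLIES = [
  { notary: 'notary-a.example', fingerprint: 'AA:BB:CC:01' },
  { notary: 'notary-b.example', fingerprint: 'aa:bb:cc:01' },
  { notary: 'notary-c.example', fingerprint: 'AA:BB:CC:01' },
  { notary: 'notary-d.example', fingerprint: null },
];

// Compare fingerprints regardless of case and colon separators.
function normalize(fingerprint) {
  return fingerprint.replace(/:/g, '').toLowerCase();
}

// Compare the certificate the browser was shown with what the notaries saw
// from their own vantage points. `quorum` (assumed parameter) is the share of
// answering notaries that must agree with the browser's view.
function checkAgainstNotaries(seenFingerprint, replies, quorum = 0.75) {
  const answered = replies.filter((r) => r.fingerprint !== null);
  if (answered.length === 0) {
    // No notary data at all: report that, rather than claiming a match.
    return { verdict: 'unknown', agree: 0, answered: 0 };
  }
  const seen = normalize(seenFingerprint);
  const agree = answered.filter((r) => normalize(r.fingerprint) === seen).length;
  const verdict = agree / answered.length >= quorum ? 'consistent' : 'mismatch';
  return { verdict, agree, answered: answered.length };
}

// Same certificate everywhere: no warning.
console.log(checkAgainstNotaries('AA:BB:CC:01', NOTARY_REPLIES));
// Browser sees a certificate no notary has seen (e.g. local interception): warn.
console.log(checkAgainstNotaries('DE:AD:BE:EF', NOTARY_REPLIES));
```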


PwdHash – this clever extension by Stanford University solves the problem of never remembering your passwords, as it easily creates site-specific passwords using a hash of your password and the website domain name. Just type @@ or press F2 before entering a password, and you can securely use the same theft-resistant password for every site you visit. It’s not mentioned in the documentation, but the length of the hashed password is 2 characters more than your password, so factor this in when password length is important. If you need to login using a browser without PwdHash installed, you can go to instead.
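
To show why a password derived from the domain name resists phishing, here is an added example that is not PwdHash's own code. HMAC-SHA256, the two-label domain rule and the function names are assumptions chosen for the illustration; only the ‘2 characters more’ length behaviour is taken from the description above.

```javascript
// Added illustration; HMAC-SHA256 and the two-label domain rule are
// assumptions, not PwdHash's actual algorithm.
const nodeCrypto = require('crypto');

// Reduce a URL to the site name that is mixed into the hash.
// Simplification: keeps the last two host labels; production code needs the
// Public Suffix List to handle suffixes such as co.uk.
function siteKey(url) {
  const host = new URL(url).hostname.toLowerCase();
  return host.split('.').slice(-2).join('.');
}

// Derive the password actually sent to the site: a keyed hash of the site
// name, with the typed password as the key.
function sitePassword(typedPassword, url) {
  const digest = nodeCrypto
    .createHmac('sha256', typedPassword)
    .update(siteKey(url))
    .digest('base64')
    .replace(/=+$/, '');
  // Mirror the length behaviour described above: input length + 2 (capped at
  // the 43 characters an unpadded SHA-256 base64 digest provides).
  return digest.slice(0, typedPassword.length + 2);
}

// Constructed sample input.
const typed = 'correct horse';
const real = sitePassword(typed, 'https://www.example.com/login');
const sameSite = sitePassword(typed, 'https://shop.example.com/account');
const lookalike = sitePassword(typed, 'https://example.com.login.example.net/');

console.log(real === sameSite);  // true: same site, same derived password
console.log(real === lookalike); // false: a lookalike host gets a useless value
```

Because the site only ever receives the derived value, a password typed into a lookalike page does not work on the real site.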


User Agent Switcher – a web browser user agent lets a website know what type of computer, what OS, and what browser you are using, which many websites use to optimize their pages to improve user experience, but which some may find intrusive. With this extension you can simply change what user agent information is given to a website so, for example, it will think that you are accessing the site on an iPhone using Safari, rather than on a PC using Firefox. Lists of user agents can be imported from here.


Note that some of these extensions overlap in their functions, so that you might not need all of them. For example, if you use AdBlock Edge with the block lists mentioned and NoScript, then you won’t get much benefit from also running Disconnect.

If you like this article then you may also be interested in ‘How to make Firefox more secure using about:config‘, while if you prefer Google’s browsers to Firefox you might want to check out ‘Recommended Chrome and Chromium security extensions‘.

Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+


12 responses to “Recommended Firefox security extensions”

  1. The link to ‘How to make Firefox more secure using about:config‘ is broken. You accidentally entered a link to an EDIT page for that article instead of the actual article.

  2. Dear Douglas,

    Thank you for your excellent article. I would be grateful if you could please tell me if there is any overlap/duplication/clash or conflict with the following FF extensions? I have the following installed and enabled:

    1. HTTPS everywhere
    2. Better Privacy
    3. Disconnect
    4. uBlock Origin
    5. No Script

    1. Hi Tony,

      There is considerable overlap between Disconnect and uBlock Origin, so there is no need to use both (I now recommend using uBlock Origin). If you use NoScript with privacy settings fully deployed (refuse all connections by default etc.), you really don’t need much else except HTTPS everywhere…

  3. Please elucidate “even if you don’t want to bother messing with white lists in Noscript, you should still install the extension and choose to allow all scripts globally. This still provides some needed protection….”

    Excellent series of security and privacy articles. Easily amongst the best I’ve seen. These could grace any popular tech mag. Two addons were new to me and I periodically look through such lists.

    1. Hi BillR,

      Thanks! I should note that this article could do with an update, as things move fast in the online security world! As for NoScript, I think this explanation from pretty much covers it:

      “So, since security experts themselves sometimes seem confused about NoScript’s real “convenience vs security” tradeoffs, taking for granted that all the security it offers depends on and requires script blocking, recapping here a (non exhaustive) list of attacks blocked by NoScript even in “Allow Scripts Globally” mode may be useful:

      1. XSS, thanks to its “Injection Checker”, the first anti-XSS filter ever released in a web browser.
      2. Clickjacking — NoScript’s ClearClick feature is still the only effective protection entirely implemented inside the browser and requiring no server-side cooperation.
      3. CSRF (and especially, by default, cross-zone attacks against intranet resources) via the ABE module.
      4. MITM, courtesy of HSTS and other HTTPS-enhancing features.

  4. Some of security features should be built in to browser, but they are not so every additional workable extension eats up additional cpu and ram and that can be huge problem – ram and cpu overflow resulting in full ram waste cpu overkill and hogging complete system when multiple pages are opened and use of extension is progressive increased and multiplied instead only one extension for all web pages we have one extension multiple times started depends of how many session windows are opened! Normal browsing isn’t possible any more and cpu can hog on 10 web pages opened! I can not understand how the users are not seeing this!?! The whole concept of browsers and extensions is wrong (how they work not for what purposes they are coded)! And web pages scripting is also criminal – it’s only information so why in the hell do we need “heavy coded information” so that hardware industry can make money on user infinite – never enough RAM CPU time not enough fast HDD’s and that for browsing internet only! Even on new computer browser hog system and that on AMD’s 8 core CPU and 16 GB RAM! How in the hell this is not noticed! Why developers are not see this! And why in the hell developers of web pages are killing our nerves? Scripts that using too much ram should be BLOCKED automatically if they can not be blocked then block and ban web page permanently not click to play per element but click to play per script is required also browser loads all on all web pages opened – wrong only web page viewed should be loaded, all other pages in background should be unloaded keeping only url ready if then so clicked on it! We have fast internet connections but get choked anyway so browser developers should rethink their designs and philosophy. Oh, I almost forgot – why in the hell is facebook and other social no limited to their own networks instead the whole god damn internet is to become facebook monitoring tracking and all other nasty thing doing online! I hate Zuckerberg for tracking user that are not on facebook I don’t approve it I don’t use it – LEAVE ME ALONE – YOU NSA BUTLER!!!!

  5. Hello,
    first let me thank you for a great read. I use most of these extensions already, but it is always useful to find something new.
    Now to my question: What do you think about DoNotTrackMe? Or even better, why do you prefer Disconnect before DNTM?
    Looking forward to your reply 🙂
