In our Ultimate Privacy Guide we introduced some of our favorite Firefox extensions for making web browsing a more secure activity. While we think that if you have these running then you should be pretty well covered against most threats, here are some more we like.
As noted in the Ultimate Guide, we think that at the very least you should be running AdBlock Plus, Disconnect, HTTPS Everywhere, Better Privacy and possibly NoScript, which we include here for the sake of convenience.
AdBlock Edge – we recommend this fork of AdBlock Plus in Firefox over the original extension, as AdBlock Plus allows ‘some not intrusive advertising’ by default. Although this can be disabled (under Add-ons -> Extensions -> AdBlock Plus -> Filter preferences), AdBlock Edge removes this ‘feature’ while keeping the original’s ability to block all manner of adverts, even Facebook ads and those embedded within YouTube videos (here in the UK it even blocks 4oD ads!). In addition to this, it warns you when visiting known malware hosting websites, and disables third party tracking cookies and scripts. Unlike NoScript, AdBlock Edge is very easy to use while still remaining powerful.
- You can improve Adblock’s (any version) capabilities by subscribing to third-party block lists, which are updated on a regular basis. We suggest those by EasyList (both the EasyList and Easy Privacy lists) and Fanboy (Adblock List, Tracking List and Annoyance Block List).
Better Privacy (Firefox) – blocks or manages the new and insidious Flash cookies (also known as Local Shared Objects or LSOs), which are not blocked when you disable cookies in your browser.
Bloody Vikings! – an easy-peasy way to create temporary email addresses. Just right-click in an email registration field, select ‘Bloody Vikings’ (or expand to see a choice of services), and a newly generated email address will be inserted into the field while a new browser tab opens to the temporary mailbox.
Cookie Monster – allows you to take control of your cookies (including third party cookies), and manage them in an unobtrusive way on a site or domain name basis.
Disconnect – replacing popular Ghostery as our favorite anti-tracking and anti-cookie extension thanks to its up-to-date database of tracking cookies, page load optimization, secure WiFi encryption and analytics tools, Disconnect blocks third party tracking cookies and gives you control over all of a website’s elements. It also prevents social networks such as Google, Facebook and Twitter from following you so they can collect data as you surf elsewhere on the internet.
Empty Cache Button – lets you clear your browser cache with one easy click.
HTTPS Everywhere – an essential tool, HTTPS Everywhere was developed by the Electronic Frontier Foundation, and tries to ensure that you always connect to a website using a secure HTTPS connection, if one is available. This is fantastic, but just be aware that we have reservations about how SSL is commonly implemented, and it has almost certainly been cracked by the NSA.
NoScript – this is an extremely powerful tool that gives you unparalleled control over what scripts are run on your browser. However, many websites will not play ball with NoScript, and it requires a fair bit of technical knowledge to configure and tweak it to work the way you want it to. It is easy to add exceptions to a whitelist, but even this requires some understanding of the risks that might be involved. Not for the casual user then, but for web savvy power-users, NoScript is difficult to beat.
Reader’s tip: ‘I would recommend adding that even if you don’t want to bother messing with white lists in NoScript, you should still install the extension and choose to allow all scripts globally. This still provides some needed protection without hindering your browsing experience.’ (Thanks twlph!)
RefControl – stops cross-site tracking by letting you control the HTTP referrer on a site-by-site basis. An HTTP referrer is often added to webpage hyperlinks so the destination page knows where the link was followed from. For example, it is common practice for web businesses to run affiliate programs where affiliate partners receive a commission for sales made by the parent business for customers sent their way. If customers arrive via a hyperlink on an affiliate’s website, it is important to know which one, so the affiliate can get paid. This information is the HTTP referrer. With this extension you can block this information from being passed on, or can even change it to suit your needs.
Request Policy – denies (or lets you manage) cross site requests (such as advertising). This has the side-benefit of protecting you from Cross-Site Request Forgery (CSRF) attacks, where the browser is tricked into making it appear as if a request to another website was made by you.
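The decision that the RefControl and Request Policy entries above describe can be sketched as follows. This is an added example, not code from either extension; the allowlist, the sample URLs and the two-label definition of a "site" are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist of (page site, destination site) pairs the user approved.
ALLOWED_PAIRS = {("shop.example", "cdn-shop.example")}

def site_of(url):
    """Naive site: last two host labels. Assumption for brevity; a real
    extension needs the Public Suffix List to handle names like co.uk."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def decide(page_url, request_url):
    """Return (action, referer) for a request that page_url wants to make."""
    src, dst = site_of(page_url), site_of(request_url)
    if src == dst:
        return ("allow", page_url)   # same site: Referer sent as usual
    if (src, dst) in ALLOWED_PAIRS:
        return ("allow", None)       # approved cross-site: Referer withheld
    return ("block", None)           # default-deny: the request never leaves

# Constructed sample traffic: (page the user is on, request the page triggers).
SAMPLE = [
    ("https://news.example/story/42", "https://static.news.example/site.css"),
    ("https://news.example/story/42", "https://ads.tracker.example/pixel.gif"),
    ("https://www.shop.example/cart", "https://img.cdn-shop.example/item.png"),
    ("https://forum.example/thread/7", "https://bank.example/account/settings"),
]

def review(sample=SAMPLE):
    """Apply the policy to every (page, request) pair in the sample."""
    return [decide(page, req) for page, req in sample]

if __name__ == "__main__":
    for (page, req), (action, referer) in zip(SAMPLE, review()):
        print(f"{action:5} {req}  (Referer: {referer or 'none'})")
```

The last sample row is the CSRF case: a forum page trying to reach a different site is blocked because nobody approved that pair.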
Perspectives – SSL is only as safe as the certificates it’s based on, but how do you know these are safe? Certificates can be issued by any number (600+) of dubious bodies, leaving many SSL connections vulnerable to man-in-the-middle (MitM) attacks. Perspectives solves this problem by building ‘a database of server identities using lightweight probing by “network notaries” – servers located at multiple vantage points across the Internet. Each time you connect to a secure website Perspectives compares the site’s certificate with network notary data, and warns if there is a mismatch’, thereby helping you to trust that your SSL connections are truly secure.
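The notary comparison quoted above, as an added sketch that is not Perspectives' own code: the 75% quorum, the notary names and the byte strings standing in for certificates are all assumptions.

```python
import hashlib

def fingerprint(cert_der):
    """SHA-256 fingerprint of a certificate's DER encoding, as hex."""
    return hashlib.sha256(cert_der).hexdigest()

def check_with_notaries(seen_fp, reports, quorum=0.75):
    """reports maps notary name -> fingerprint that notary observed, or None
    when it could not reach the site. Returns (verdict, agreement)."""
    answers = [fp for fp in reports.values() if fp is not None]
    if not answers:
        return ("unknown", 0.0)      # no data: neither confirm nor accuse
    agreement = sum(fp == seen_fp for fp in answers) / len(answers)
    verdict = "consistent" if agreement >= quorum else "mismatch"
    return (verdict, agreement)

# Constructed stand-ins for DER-encoded certificates (not real certificates).
GENUINE = fingerprint(b"constructed certificate: genuine server key")
SWAPPED = fingerprint(b"constructed certificate: substituted on local network")

# Constructed notary answers; notary-d timed out and is left out of the vote.
REPORTS = {"notary-a": GENUINE, "notary-b": GENUINE,
           "notary-c": GENUINE, "notary-d": None}

if __name__ == "__main__":
    # The browser saw the same certificate as every reachable notary.
    print(check_with_notaries(GENUINE, REPORTS))
    # The browser saw a certificate that no notary has seen: warn the user.
    print(check_with_notaries(SWAPPED, REPORTS))
```

A certificate seen only from your own network position, and by none of the notaries, is the signature of a local man-in-the-middle; a partial split between notaries is more often a site in the middle of rotating certificates.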
PwdHash – this clever extension by Stanford University solves the problem of never remembering your passwords, as it easily creates site-specific passwords using a hash of your password and the website domain name. Just type @@ or press F2 before entering a password, and you can securely use the same theft-resistant password for every site you visit. It’s not mentioned in the documentation, but the length of the hashed password is 2 characters more than your password, so factor this in when password length is important. If you need to login using a browser without PwdHash installed, you can go to www.pwdhash.com instead.
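Why hashing the password together with the domain makes it theft-resistant, shown as an added example. It does not reproduce PwdHash's own derivation: HMAC-SHA-256, the base64 encoding, the two-label domain rule and the sample URLs are assumptions, and only the "two characters longer" length follows the article.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

def site_domain(url):
    """Naive domain: last two host labels (assumption; a real tool would
    consult the Public Suffix List)."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def site_password(master, url):
    """Derive a per-site password from one master password and the domain."""
    domain = site_domain(url)
    digest = hmac.new(master.encode(), domain.encode(), hashlib.sha256).digest()
    encoded = base64.b64encode(digest).decode().rstrip("=")   # 43 characters
    # Mirror the length noted in the article: master length plus two.
    # Masters longer than 41 characters are capped by the 43-character encoding.
    return encoded[: len(master) + 2]

# Constructed inputs: one master password, the real site, and a lookalike.
MASTER = "correct horse"
REAL_LOGIN = "https://www.shop.example/login"
REAL_ACCOUNT = "https://shop.example/account"
LOOKALIKE = "https://shop-example.test/login"

if __name__ == "__main__":
    print("real site :", site_password(MASTER, REAL_LOGIN))
    print("same site :", site_password(MASTER, REAL_ACCOUNT))
    # The lookalike domain yields an unrelated string, so a password typed
    # into a phishing page is useless against the real site.
    print("lookalike :", site_password(MASTER, LOOKALIKE))
```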
User Agent Switcher – a web browser user agent lets a website know what type of computer, what OS, and what browser you are using, which many websites use to optimize their pages to improve user experience, but which some may find intrusive. With this extension you can simply change what user agent information is given to a website so, for example, it will think that you are accessing the site on an iPhone using Safari, rather than on a PC using Firefox. Lists of user agents can be imported from here.
Note that some of these extensions overlap in their functions, so that you might not need all of them. For example, if you use AdBlock Edge with the block lists mentioned and NoScript, then you won’t get much benefit from also running Disconnect.
If you like this article then you may also be interested in ‘How to make Firefox more secure using about:config’, while if you prefer Google’s browsers to Firefox you might want to check out ‘Recommended Chrome and Chromium security extensions’.