The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

Useful Firefox Security Extensions

Share:

Mozilla’s Firefox browser claims to provide a safer browsing experience out of the box, but some of the best security features of Firefox are only available as extensions.  Here’s a roundup of some of the more useful ones I’ve found.

  • Add n’ Edit Cookies This might be more of a web developer tool, but being able to view in detail the cookies that various sites set on your visits can be an eye-opening experience.  This extension not only shows you all the details, but lets you modify them too.  You’ll be surprised at how many web apps do foolish things like saving your password in the cookie.
  • Dr. Web Anti-Virus Link Checker This is an interesting idea—scanning files for viruses before you download them. Basically, this extension adds an option to the link context menu that allows you to pass the link to the Dr. Web AV service.  I haven’t rigorously tested this or anything, but it’s an interesting concept that could be part of an effective multilayer personal security model.
  • FormFox This extension doesn’t do a whole lot, but what it does is important—showing a tooltip when you roll over a form submission button of the form action URL. Extending this further to visually differentiate submission buttons that submit to SSL URLs would be really nice (as suggested by Chris Shiflett).
  • FlashBlock Flash hasn’t been quite as popular an attack vector as Javascript, but it still potentially could be a threat, and it’s often an annoyance.  This extension disables all embedded Flash elements by default (score one for securing things by default), allowing you to click to activate a particular one if you like.  It lacks the flexibility I’d like (things like whitelists would be very handy), and doesn’t give you much (any?) info about the Flash element before you run it, but it’s still a handy tool.
  • LiveHTTPHeaders & Header Monitor LiveHTTPHeaders is an incredibly useful too for web developers, displaying all of the header traffic between the client and server.  Header Monitor is basically an add-on for LiveHTTPHeaders that displays a chosen header in Firefox’s status bar.  They’re not really specifically security tools, but they do offer a lot of info on what’s really going on when you’re browsing, and an educated user is a safer user.
  • JavaScript Option This restores some of the granularity Firefox users used to have over what Javascript can and cannot do. I’d like to see this idea taken farther (see below), but it’s handy regardless.
  • NoScript This extension is pretty smooth.  Of all the addons for Firefox covered here, this is the one to get.  NoScript is a powerful javascript execution whitelisting tool, allowing full user control over what domains allow scripts to run. Notifications of blocked execution and the allowed domain interface are nearly identical to the built-in Firefox popup blocker, so users should find it comfortable to work with.  NoScript can also block Flash, Java, and “other plugins;” forbid bookmarklets; block or allow the “ping” attribute of the tag; and attempt to rewrite links that execute javascript to go to their intended donation without triggering the script code. The one thing I’d really like to see from this extension would be more ganularity over what the Javascript engine can access.  Now it’s only “on” or “off,” but being able to disable things like cookie access would eliminate a lot of potential security issues while still letting JS power rich web app interfaces.  Also read Pascal Meunier’s take on NoScript.
  • QuickJava Places handy little buttons in the status bar that let you quickly enable or disable Java or Javascript support. Note that this will not work with the latest stable Firefox (1.5.0.1).  Hopefully a new version will be available soon.
  • ShowIP This is another tool that isn’t aimed at security per se, but offers a lot of useful information. ShowIP drops the IP address of the current site in your status bar.  Clicking on it brings up a menu of lookup options for the IP, like whois and DNS info.  You can add additional web lookups if you like, as well as passing the IP to a local program.  Handy stuff.
  • SpoofStick The idea with this extension is to make it easier to catch spoofing attempts by displaying a very large, brightly colored “You’re on ” in the toolbar. For folks who know what they’re doing this isn’t wildly useful, but it could be just the ticket for less savvy users.  It requires a bit too much setup for them, though, and in the end I think this is something the browser itself should be handling.
  • Tamper Data Much like LiveHTTPHeaders, Tamper Data is a very useful extension for web devs that lets the user view HTTP headers and POST data passed between the client and server. In addition, Tamper Data makes it easy for the user to alter the data being sent to the server, which is enormously useful for doing security testing against web apps. I also like how the data is presented in TD a bit better than LiveHTTPHeaders: it’s easier to see at a glance all of the traffic and get an overall feel of what’s going on, but you can still drill down and get as much detail as you like.

Got more Firefox security extensions?  Leave a comment and I’ll collect them in an upcoming post.

    [tags]firefox, extensions, security, privacy, safe_browsing, browser, web, flash[/tags]

Comments

Posted by CERIAS Weblogs » More Useful Firefox Securit
on Friday, May 26, 2006 at 08:59 AM

[...] As promised, I’m following up my previous post about security extensions for Firefox with suggestions from readers. Some of these are basically different solutions to similar problems — which is great, because some users will prefer one approach over another. A couple of these are very useful, though, and should be considered essential parts of a secure browsing platform. And one seems very useful, but raises privacy issues that are a little troubling. [...]

Posted by FireFox Hacker -- Firefox Hacks, Tweaks, Tutorials
on Tuesday, May 30, 2006 at 07:37 AM

[...] Firefox Security extensions Pt. 1 Firefox Security extensions Pt. 2 [...]

Posted by the 60 billion $$ man » Blog Archive »
on Friday, June 9, 2006 at 03:46 AM

[...] We all know there are hundreds of Firefox extensions and more are released with every passing day. It´s a time consuming task to stay up to date, that´s when pre compiled lists of useful Firefox extensions come into play. This one at cerias (The Center for Education and Research in Information Assurance and Security) lists firefox security extensions that are security related.The author lists 11 extensions, some known ones like LiveHttpHeaders and NoScript and lots of unheard ones like formfox. Each extension is explained in detail and linked to the mozilla website for more information and downloading. [...]

Posted by Seo Experts
on Wednesday, August 23, 2006 at 05:40 PM

As i see Google banned this site https://addons.mozilla.org/firefox/

My google PR is grey

Posted by security tool
on Thursday, August 24, 2006 at 09:53 PM

to protect our privacy, we should own our security software!

Posted by the electricfork blog » Blog Archive »
on Wednesday, August 30, 2006 at 03:00 AM

[...] I just need something basic on my mac, so I plan on using firefox’s builtin RSS as opposed to something like newsfire. I found a plugin that can import OPML files to import my rss list. (some other good plugins) [...]

Posted by Security » List Of Security-related Firefox
on Thursday, August 31, 2006 at 09:45 PM

[...] Firefox’s extensions are one of its biggest selling points. Looking for ones that will help make your browsing more secure? Check out this list.read more | digg story [...]

Posted by ARTbird309’s Blog » Article » li
on Friday, September 1, 2006 at 03:20 PM

[...] CERIAS Weblogs » Useful Firefox Security Extensions (tags: Firefox security Extensions extension web software browser) [...]

Posted by PARA TODXS TODO :: extensiones de seguridad para f
on Tuesday, September 26, 2006 at 01:49 PM

[...] El autor ha colocado en este enlace otras extensiones recomendables, como Add n’ Edit Cookies, Dr. Web Anti-Virus Link Checker, FormFox, FlashBlock, LiveHTTPHeaders & Header Monitor, JavaScript Option, NoScript, QuickJava, ShowIP, SpoofStick y Tamper Data. No dejéis de echarle un ojo. [...]

Posted by Carlton Bale’s Blog » Blog Archive &ra
on Saturday, November 11, 2006 at 08:47 AM

[...] Security extensions [...]

Posted by blog.code.ae » Blog Archive » Usefull
on Sunday, January 7, 2007 at 07:51 PM

[...] If you are a FireFox user, you might want to check out this post, and this one. [...]

Posted by Top 13 Firefox Extensions Links ever published &ra
on Monday, January 29, 2007 at 06:36 AM

[...] 11. 11 Useful Firefox Security Extensions … [cerias.purdue.edu/ March 17, 2006] Categories: security / web development [...]

Posted by Róka az asztalon at élet és könyvtá
on Wednesday, April 18, 2007 at 09:25 PM

[...] vallomásai, miért használnak FF-ot: Teri Vogel (UCSD) - egy rakat kiterjesztés, CERIAS - biztonsági kiterjesztések, Walk Like a Librarian - beállítás és testreszabás [...]

Posted by Links for 5/5/2007
on Thursday, May 3, 2007 at 07:42 PM

[...] Useful Firefox Security Extensions - Excellent list [...]

Posted by Mark Toman
on Saturday, May 19, 2007 at 10:13 AM

Ed Finkler

First i got your page from the, “SunBeltBlog”
I belong to Countless Security Groups like CastleCops” And others i have just started a Mini-Blog inside my Guitar site.
I,ve been working with Computers since the 80s also back then i run a local bbs” in Lafayette In.About Firefox Extenions other group i’m in (EHC)Also the 2 Groups below.
http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.BotCounts
http://www.professionalsecuritytesters.org/
https://addons.mozilla.org/en-US/firefox/browse/type:1/cat:12
Also there some hidden new Extensions
Hidden in FireFox for 2002-3
Now also i’m a Reporter for Sunbelt which i go undercover and get News for the SunbeltBlog.I started out beta testing all malware programs including Sunbelts CounterSpy2 New Viper engine)
I ‘m now testing a Sandbox which makes newusers safer.I use Firefox in a Sanbox,
which if anything gets in it can;t move.
I do use a souped up hosts file and and about 25 tools to come face to face with the bad guys on irc plus thier bad sites.
So if you ever want good info on surfing safe.I would can give you very good info from out in the wild.If your not out there then you don’t know how bad it really is.You can read from the sites i give you.
Now most of the tools you mention will not work with firefox 2002 or 3.
Surf Safely .
Also My wife works at Purdue u.
Your Truly Mark Toman ech….

Posted by Algunas extensiones de seguridad para Firefox &laq
on Friday, July 20, 2007 at 01:32 AM

[...] autor ha colocado en este enlace otras extensiones recomendables, como Add n’ Edit Cookies, Dr. Web Anti-Virus Link Checker, [...]

Posted by John Titchmarsh
on Friday, July 27, 2007 at 01:58 AM

Wondering if there is a way to block firefox or scripts run in it from accessing the registry and file system?

Leave a comment

Commenting is not available in this section entry.