More Useful Firefox Security Extensions
As promised, I’m following up my previous post about security extensions for Firefox with suggestions from readers. Some of these are basically different solutions to similar problems—which is great, because some users will prefer one approach over another. A couple of these are very useful, though, and should be considered essential parts of a secure browsing platform. And one seems very useful, but raises privacy issues that are a little troubling.
(An aside: I wonder if a “more secure” version of Firefox is being built and distributed by someone, one that includes some of these extensions out of the box. If so, give us a heads-up.)
McAfee SiteAdvisor, started at MIT, is a project to classify the “safety” of a site into green (safe), yellow (caution) and red (warning) categories. Testing is done by a system of bot programs that interact with web sites, doing things like submitting email signup forms, testing downloads for adware and viruses, and looking at the safety levels of linked sites. Users can also submit reports manually.
The safety level of a site is displayed as a button in Firefox’s status bar, which I’m not sure was the best place. My eyes tend to spend more time at the top half of my browser window (maybe because I have 1920x1200 display), so more often than not I found myself forgetting that I had SiteAdvisor installed. I would have appreciated an option for display as a toolbar, like Netcraft’s extension.
I did, however, really dig the integration with search result pages from Google, Yahoo! and MSN. Links to result pages—even sponsored links—have a green, yellow or red icon appended to the end, and mousing over the icon displays a popup with additional info. This was very clear and easy to grasp without being intrusive or overbearing.
(McAfee also maintains a SiteAdvisor blog that’s quite interesting.)
Stanford SafeCache and SafeHistory
SafeCache and SafeHistory are extensions developed to address methods where users can be tracked via browser features that don’t apply a “same origin” policy: specifically the browser cache and browsing history. Details of this problem are available at at Same Origin Policy: Protecting Browser State from Web Privacy Attacks, a report created by the Stanford Security Lab. It’s a good read.
The SafeCache and SafeHistory extensions apply a proper “same origin” policy to these features, only allowing access to scripts that originate from the same domain as the cached content/history info. This isn’t perfect, as “cooperative” tracking where two sites pass info back and forth between each other isn’t addressed, but it’s certainly better than the current situation for out of the box browser installs. Honestly, this is something I think should be a default part of every browser install, because it’s a significant security hole that needs to be addressed. I hope that the Firefox, IE, Safari and Opera devs are addressing these problems.
The Netcraft Toolbar is a useful anti-phishing tool. A “risk rating” is calculated for your current site’s domain based on criteria like the age of the domain, known phishing sites within the domain, the ISP’s history re: phishing sites, and the like. Additional info, such as the site’s age and ISP, are displayed in the toolbar, linked to more detailed data on Netscraft’s site.
The plethora of web-based accounts we maintain can get out of hand quickly, and maintaining separate passwords for each one becomes pretty challenging. PasswordMaker is an interesting solution to this problem, in that it doesn’t store passwords anywhere, but instead takes a single master password and generates a site-specific password based on 10 criteria, including personal encryption settings and the site itself. The combination of these criteria makes for an enormous number of possibilties, so typical attacks are not likely to be effective (see their FAQ for more info). Site passwords are generated on the fly, and are proactively wiped from RAM. By default it doesn’t store your master password either.
The program itself isn’t too hard to use, although you’ll probably need to help Grandma get used to it when you set it up for her. I was able to get it working pretty quickly with some of my existing web app accounts.
Source code is available (it uses an LGPL license), and versions of PasswordMaker exist for IE, all Mozilla browsers, a Yahoo! Widget, CLI, PHP, and mobile devices. You can also use an online version if none of those fit the bill.
Form SSL Indicator (Greasemonkey script)
This is a handy Greasemonkey script that scratches an important itch: indicating if a form’s
actiontarget is SSL-encrypted. I liked the implementation here better than the FormFox extension, which pops up a
title/alt-style label if you hover over the submission button for a moment. This script pops up an indicator immediately, and I appreciate the responsiveness. Still, I wish that the submission button would just have a lock icon layered over it for quicker visual recognition, and this doesn’t do anything for forms with no submission button.
The Cookie Button extension is really three extensions that offer the same functionality, but in different interface contexts. All three allow you to quickly see and change the current cookie permissions on a site, with one displaying a Navigation Toolbar button, one adding a right-click context menu, and the third showing a status bar button. I’m not sure I entirely understand the need to separate these into three different extensions, but it does allow the user to pick the one that best fits his or her interface habits.
One little annoyance I found with Prefbar was that it doesn’t seem to “group” itself with the rest of your toolbars. I like to right-click on on the Navigation Toolbar to swap in and out the 5 or 6 toolbars I have installed, but Prefbar refuses to show up in this list, instead mapping itself to F8 (which will annoy folks who use that key for other functions, like Exposé on OS X), and appearing in the View menu. *grumble*
As before, if you have suggestions for useful security/privacy related addons for Firefox, please let me know.
on Tuesday, May 30, 2006 at 04:24 AM