The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)
Center for Education and Research in Information Assurance and Security

Useful Firefox Security Extensions

Wednesday, March 15, 2006 by Ed Finkler
in Secure IT Practices
Share:

Mozilla’s Firefox browser claims to provide a safer browsing experience out of the box, but some of the best security features of Firefox are only available as extensions.  Here’s a roundup of some of the more useful ones I’ve found.

  • Add n’ Edit Cookies This might be more of a web developer tool, but being able to view in detail the cookies that various sites set on your visits can be an eye-opening experience.  This extension not only shows you all the details, but lets you modify them too.  You’ll be surprised at how many web apps do foolish things like saving your password in the cookie.
  • Dr. Web Anti-Virus Link Checker This is an interesting idea—scanning files for viruses before you download them. Basically, this extension adds an option to the link context menu that allows you to pass the link to the Dr. Web AV service.  I haven’t rigorously tested this or anything, but it’s an interesting concept that could be part of an effective multilayer personal security model.
  • FormFox This extension doesn’t do a whole lot, but what it does is important—showing a tooltip when you roll over a form submission button of the form action URL. Extending this further to visually differentiate submission buttons that submit to SSL URLs would be really nice (as suggested by Chris Shiflett).
  • FlashBlock Flash hasn’t been quite as popular an attack vector as Javascript, but it still potentially could be a threat, and it’s often an annoyance.  This extension disables all embedded Flash elements by default (score one for securing things by default), allowing you to click to activate a particular one if you like.  It lacks the flexibility I’d like (things like whitelists would be very handy), and doesn’t give you much (any?) info about the Flash element before you run it, but it’s still a handy tool.
  • LiveHTTPHeaders & Header Monitor LiveHTTPHeaders is an incredibly useful too for web developers, displaying all of the header traffic between the client and server.  Header Monitor is basically an add-on for LiveHTTPHeaders that displays a chosen header in Firefox’s status bar.  They’re not really specifically security tools, but they do offer a lot of info on what’s really going on when you’re browsing, and an educated user is a safer user.
  • JavaScript Option This restores some of the granularity Firefox users used to have over what Javascript can and cannot do. I’d like to see this idea taken farther (see below), but it’s handy regardless.
  • NoScript This extension is pretty smooth.  Of all the addons for Firefox covered here, this is the one to get.  NoScript is a powerful javascript execution whitelisting tool, allowing full user control over what domains allow scripts to run. Notifications of blocked execution and the allowed domain interface are nearly identical to the built-in Firefox popup blocker, so users should find it comfortable to work with.  NoScript can also block Flash, Java, and “other plugins;” forbid bookmarklets; block or allow the “ping” attribute of the tag; and attempt to rewrite links that execute javascript to go to their intended donation without triggering the script code. The one thing I’d really like to see from this extension would be more ganularity over what the Javascript engine can access.  Now it’s only “on” or “off,” but being able to disable things like cookie access would eliminate a lot of potential security issues while still letting JS power rich web app interfaces.  Also read Pascal Meunier’s take on NoScript.
  • QuickJava Places handy little buttons in the status bar that let you quickly enable or disable Java or Javascript support. Note that this will not work with the latest stable Firefox (1.5.0.1).  Hopefully a new version will be available soon.
  • ShowIP This is another tool that isn’t aimed at security per se, but offers a lot of useful information. ShowIP drops the IP address of the current site in your status bar.  Clicking on it brings up a menu of lookup options for the IP, like whois and DNS info.  You can add additional web lookups if you like, as well as passing the IP to a local program.  Handy stuff.
  • SpoofStick The idea with this extension is to make it easier to catch spoofing attempts by displaying a very large, brightly colored “You’re on ” in the toolbar. For folks who know what they’re doing this isn’t wildly useful, but it could be just the ticket for less savvy users.  It requires a bit too much setup for them, though, and in the end I think this is something the browser itself should be handling.
  • Tamper Data Much like LiveHTTPHeaders, Tamper Data is a very useful extension for web devs that lets the user view HTTP headers and POST data passed between the client and server. In addition, Tamper Data makes it easy for the user to alter the data being sent to the server, which is enormously useful for doing security testing against web apps. I also like how the data is presented in TD a bit better than LiveHTTPHeaders: it’s easier to see at a glance all of the traffic and get an overall feel of what’s going on, but you can still drill down and get as much detail as you like.

Got more Firefox security extensions?  Leave a comment and I’ll collect them in an upcoming post.

    [tags]firefox, extensions, security, privacy, safe_browsing, browser, web, flash[/tags]
Tags for this post: browser, extensions, firefox, flash, privacy, safe_browsing, security, web

Leave a comment (67 so far) »

Comments

Posted by Firefox Facts » Security Firefox Extensions
on Saturday, March 18, 2006 at 06:57 AM

[...] Need some extra security in your browsing experience? Take a look at this list and hopefully it will be the solution to your security sorrows. Firefox claims to the most secure browser out there, how does it stand up with these tools? Some of the included extensions are Add n’ Edit Cookies, Dr. Web Anti-Virus Link Checker, and FormFox.  Tags: security, firefox, extensions [...]

Posted by Emery Jeffreys
on Saturday, March 18, 2006 at 09:04 AM

The Netcraft toolbar now available as a Firefox plug, is very useful.

Posted by Le estensioni per rendere sicuro FireFox
on Saturday, March 18, 2006 at 01:20 PM

[...] Mozilla Firefox deve il suo successo soprattutto alla convizione di molti che sia un browser più sicuro del concorrente Internet Explorer. Questo è vero, ma solo se si installano le estensioni giuste. Sul blog del centro CERIAS dell’Università di Purdue sono elencate le 11 estensioni che rendono Firefox un browser davvero sicuro (noi ne riportaimo 9): [...]

Posted by Dean
on Saturday, March 18, 2006 at 01:40 PM

A great extension you may find useful is the Web Developer Toolbar. As the name states, it’s made for web developers, but it has many features that are good for security.
For instance, you can disable JavaScript, Java and Referers. You can display form details to see the action URL. You can display the page’s JavaScript. You can see the response headers. You can clear your cache and history with a click in the toolbar. And a lot more.

Posted by Cefiar
on Saturday, March 18, 2006 at 02:55 PM

Another excellent extension is PrefBar (more aimed at the developer or more tech savvy user), which allows you to add a toolbar of common preference items that you might want to change. I’ve got things like turnong on off Javascript, Java, Send Referrer, changing font sizes, changing the User Agent, clearing the cache and more.

Posted by Praemio Foundation » Blog Archive » Fi
on Saturday, March 18, 2006 at 04:05 PM

[...] Firefox Safety Extensions CERIAS, the information security center based at Purdue, provides a list of Firefox Net Security Extensions. [...]

Posted by randomly biased musings » More Firefox Exten
on Sunday, March 19, 2006 at 03:54 AM

[...] Now after reading this post on security extensions for firefox I have decided to install two more: [...]

Posted by WebGuia » Blog Archive » Extensões
on Sunday, March 19, 2006 at 01:39 PM

[...] O browser Firefox é bastante mais seguro que o Internet Explorer; no entanto, grande parte dessa segurança advém das múltiplas extensões disponíveis para o programa. O site americano CERIAS, dedicado à segurança online, disponibiliza uma lista de extensões indispensáveis a todos os que utilizam o browser da Fundação Mozilla. » CERIAS (lista de extensões de segurança para o Firefox). [...]

Posted by Hohol
on Sunday, March 19, 2006 at 08:38 PM

I have established Firefox for testing, and now IE I do not use. Firefox
Not quickly under attitude(relation) Opera, but it is a lot of Extensions for different has put

Posted by otro blog m
on Monday, March 20, 2006 at 01:21 AM

[...] Y para cerrar, una lista de extensiones de seguridad para Firefox. Technorati Tags: privacidad seguridad [...]

Posted by Padraic :: CERIAS Weblogs » Useful Firefox Secu
on Monday, March 20, 2006 at 02:28 AM

<p>[...] Padraic   CERIAS Weblogs » Useful Firefox Security Extensions [...]
</p>

Posted by Peter Dowley
on Monday, March 20, 2006 at 03:03 AM

Thanks for the list.  I tried SpoofStick and have settled on Petname Tool instead.  See https://addons.mozilla.org/extensions/moreinfo.php?id=957&application=firefox

Rather than just yell the URL at you (like SpoofStick), Petname shows a small coloured box at the top of the screen.  This box is grey when you’re at an HTTP site, yellow when you’re at a new HTTPS site, and green when you’re at an HTTPS site that you’ve previously been to and named (with your own pet name).

Very simple and clean, and based on some security research work (discussed in Schneier’s blog a few months back).

Posted by -TMA-1- » Blog Archive » links for 200
on Monday, March 20, 2006 at 05:16 AM

[...] Useful Firefox Security Extensions (tags: Tech WebDev Firefox) [...]

Posted by Security Ripcord
on Tuesday, March 21, 2006 at 07:40 PM

<strong>The Doctor has a very cool plugin…</strong>

Ed Finker’s recent article points out an interesting extension that I was not aware of until reading about it.  Although online virus checkers are not new they are relatively unknown outside of the security industry.  Now one of them has a Firefo…

Posted by RoseD1
on Friday, March 24, 2006 at 09:17 AM

I like FF to make a FF registry repair that you could run to fix extensions.It would be unbeatable then.

Posted by Neil's Smaller World
on Saturday, March 25, 2006 at 01:33 AM

<strong>Useful Firefox Security Extensions…</strong>

Useful Firefox Security Extensions - extensions which improve security but are also useful for web development….

Posted by Mishel
on Tuesday, April 4, 2006 at 06:46 AM

JEG VIL HA LITT IS!!! ELLERS

Posted by Firefox Security Extensions » gHacks
on Wednesday, April 12, 2006 at 03:57 AM

[...] We all know there are hundreds of firefox extensions and more are released with every passing day. It´s a time consuming task to stay up to date, that´s when pre compiled lists of useful firefox extensions come into play. This one at cerias (The Center for Education and Research in Information Assurance and Security) lists firefox security extensions that are security related. [...]

Posted by Deapesh Misra
on Monday, April 24, 2006 at 01:53 PM

Nice !!

How about a search engine kind of an add-on which will send the typed IP address to Samspade.org and do a “Do Stuff” on it.

But then that would be a mere tool extension into Firefox.

Posted by Harish Pillay
on Monday, April 24, 2006 at 07:58 PM

I am using the Netcraft Anti-Phishing Toolbar which tell me who owns a particular domain/IP, for how long and gives a sense of security against phishing attacks.  Highly recommended.

Harish

Posted by kholburn
on Tuesday, April 25, 2006 at 12:06 AM

I use the netcraft toolbar: https://addons.mozilla.org/firefox/1326/

Posted by Carlton Bale’s Blog » Blog Archive &ra
on Thursday, April 27, 2006 at 03:50 PM

[...] Security extensions [...]

Posted by Joe N.
on Tuesday, May 2, 2006 at 10:39 PM

Firefox has a new version available for download. According to this site ( http://www.listerit.com/faqs/blog/firefox-faqs/firefox-users-should-upgrade-to-version-1.5.0.3.html ) Firefox users should upgrade to version 1.5.0.3

A recent ( http://www.mozilla.org/security/announce/2006/mfsa2006-30.html )Mozilla Security Bulletin explains that a possible exploit exists in Firefox version 1.5.0.2 that can cause browser crashes and run malicious code.

To obtain the latest version of Firefox visit:
http://www.mozilla.com/firefox/

Posted by Ian Macfarlane
on Thursday, May 11, 2006 at 11:24 AM

AdBlock combined with Filterset.G is also highly useful. Plus a hosts file is useful for whatever browser you are using.

Posted by from your science librarian’s desk » L
on Friday, May 19, 2006 at 08:23 AM

[...] read more | digg story [...]

Leave a comment

Commenting is not available in this section entry.

Previous entry »

« Next entry