Best free browser security

The top Firefox security and privacy add-ons

By Becky Waring

Stay safe and protect your privacy when you're on the Web by using these top-notch browser extensions.

Block malicious Web sites, stop annoying ads, control your cookies, cover your tracks, and manage your passwords securely with this collection of free Firefox add-ons.

It's time to update your Firefox extensions

When you upgrade to Firefox 3, you also have to update or reinstall the browser's add-ons. The most popular extensions — including the ones I recommended here — now work with Firefox 3 and can easily be installed right within Firefox using the browser's Add-ons manager (on the Tools menu).

In this column, I review the best Firefox security and privacy add-ons. In the coming weeks, I'll tackle bookmark and tab managers, Google enhancements, user-agent switchers, and other organizational tools designed specifically for Firefox.

If there's a particular category of Firefox extension that you'd like me to cover, drop me a line via the contact page.

Three must-have add-ons for safe surfing

If you're concerned about phishing sites, spyware, viruses, fraudulent online stores, or child safety, you need WOT (Web of Trust). This unobtrusive yet amazingly useful extension shows a rating icon next to each site in search results from Google, Yahoo, Wikipedia, and other popular Web services. The rating is easy to interpret, so you can see instantly which links in the results are safe to click.

WOT also places an icon next to the address bar, so you can check the rating of your current page in case you didn't get there via a search engine.

The add-on's site ratings are derived from other people's browsing experiences and databases of malicious sites. The four categories of ratings are Trustworthiness, Vendor Reliability, Privacy, and Child Safety.

WOT uses a five-color scale that goes from red to green for each item. If you click a link with a red icon, you'll see a warning before you can navigate to the page. This can save you from accidentally surfing to malicious sites that install viruses or spyware.

The extension is amazingly accurate and complete. In a week of testing, I found very few search results that were not rated and only a handful of ratings I would question, especially compared to the ratings provided by McAfee's SiteAdvisor, a similar free extension.

WOT's accuracy is probably due to its incorporation of community input, which also makes possible the "vendor reliability" score for online stores.

You can register with WOT to get some additional features such as custom settings and the ability to add your own site ratings, but the unregistered version of the program provides all the features I need.

The second essential add-on for safe Firefox surfing is Sxipper. This password-management tool goes far beyond the one built into Firefox itself.

Sxipper is ideal for families and other users who might have multiple IDs registered at a given site: it lets them create up to four different "personas." Each persona can register its own form-filling information and passwords.

Sxipper is also amazingly intuitive to use, unlike other password managers I've tried. When you first install the program, it gathers information already stored in Firefox and then builds from there.

When you navigate to a site with a form, Sxipper automatically populates the fields or shows options for filling in any items that have more than one possible entry. Having all these options at hand makes it easy to maintain different IDs for various Web purposes.

Bonus tip: No matter which password manager you use, be sure to turn on Firefox's master password option in the Security preference pane. This will require you to enter a password when first opening Firefox, which then unlocks all other passwords on file.

Finally, everyone needs a good cookie manager, and CookieSafe is my choice as the best Firefox cookie handler. The program places an icon in the bottom-right corner of the browser window. Click it to block or allow cookies temporarily or permanently on the current site.

Your cookies will still be stored in the Firefox cookie list, so you can view and edit them as normal within the Firefox Privacy options pane. All CookieSafe does is make control of cookies quick and easy without having to open the Options window. The program is simple and unobtrusive, and it just plain works.

Stop dangerous scripts, ads, and animations

Most Internet dangers come from malicious ads and scripts on rogue Web pages. Simply blocking Java, Flash, and advertisements goes a long way toward preventing spyware, Trojans, and viruses from getting on your computer. In the process, you'll also benefit by speeding up your surfing and eliminating a lot of those distracting ads and animations.

However, blocking scripts or ads entirely also disables many functions you may want to use on various sites, so good ad-, Flash-, and script-management utilities are needed. That's where Adblock Plus, Flashblock, and NoScript come in.

Adblock Plus is my favorite Firefox ad blocker. The program turns ads on and off for particular sites and features customizable blocking filters. On the New York Times home page, for example, Adblock Plus removes all ads while leaving just the articles and photos.

Some sites — such as Cycling News — don't distinguish ads from content properly. Also, not all ads can be blocked, but Adblock Plus is the best tool for minimizing the impact of annoying (and possibly malicious) ads.

For blocking Flash animations (which are a frequent source of intrusion, judging by the constant stream of Flash Player security patches), I use Flashblock. This add-on replaces Flash animations with a playback button you can press if you want to view them, which is a good compromise for people who don't want to disable Flash entirely.

You can create a whitelist of sites where you always want Flashblock to be off, such as YouTube, but JavaScript must be enabled for Flashblock to work.

For full control of JavaScript, Flash, Silverlight, QuickTime, and other plug-ins, look no further than NoScript, an extremely powerful and customizable Firefox extension that can block pretty much every kind of script.

When you navigate to a page such as the Apple iPhone 3G QuickTime demo, NoScript blocks the demo initially. Just click the NoScript icon at bottom right of the browser window to unblock scripts on that site temporarily or permanently.

Figure 1. The NoScript script-blocking extension for Firefox lets you decide which sites to trust.

NoScript maintains a customizable whitelist of sites you have unblocked. You can also decide exactly which plug-ins you want to block: JavaScript but not Flash, for example. It takes a little effort to teach NoScript about your frequently visited sites, but once that's done, you'll really appreciate the control and safety the program provides.

Two plug-ins to keep your Web tracks covered

Sure, you can set Firefox's privacy options to always "Clear private data" when you close the browser. Or remove private data manually at any time via the Clear Private Data option on the Tools menu.

Unfortunately, this all-or-nothing approach nukes all your data — not just the things you want to keep from prying eyes. I like having a long surfing history that tells me where I've been and makes it easy to get there again. That's why I want to keep around the cookies that remember my settings on frequently visited Web sites.

I don't want to give up that convenience, so I manage my cookies and passwords carefully by using the add-ons I described above. I also use two additional extensions when needed: Stealther and Panic.

Stealther temporarily turns off tracked elements such as your browser history, cookies, and cache. The program can be accessed via a shortcut that it places at the top of your Tools menu during installation. You can also toggle Stealther on and off by using a configurable hot-key combination.

Before you navigate to sites you want to keep private, simply invoke Stealther, surf, and then turn the applet off again when you're ready to go back on record. Your history before and after the Stealther session is maintained.

One gotcha is that turning off cookies may cause some sites not to work properly. Still, you can configure Stealther to keep cookies on and then delete them later in the Firefox Privacy options pane. Also, be sure to turn Stealther on BEFORE you navigate to the page you want to keep out of your history.

Stealther worked as advertised for me, with one exception: The Recently Closed Tabs list (at the bottom of the History menu) was not cleared until I closed the Firefox window.

Since I would normally close the window anyway on finishing a browsing session, this wasn't too much of a problem. However, if you leave Firefox open while you're away from your computer, take note.

You might also want to check out Distrust, an add-on that has essentially the same functions as Stealther. However, Distrust has not yet been fully updated for Firefox 3, although it should be available for that version soon.

Finally, if you're at work or in a public place where you might not want people to see what you're doing online, try Panic. This utility places a button in the bottom-right corner of your browser window that instantly closes all tabs and opens a predetermined page of your choice instead. The Panic "button" can also be invoked from the keyboard.

Unfortunately, Panic doesn't have a restore feature, which would make it far more useful. However, this might add a crucial second or two to the process.

Of course, you could just quit Firefox instead, but that may bring up a warning message about closing multiple tabs and give your boss — or whomever — enough time to glimpse the YouTube video you were watching or your latest fantasy-baseball standings.

Becky Waring has worked as a writer and editor for PC World, NewMedia Magazine, CNET, The San Francisco Chronicle, Technology Review, Upside Magazine, and many other news sources. She alternates the Best Software column with Windows Secrets contributing editor Scott Spanbauer.

How to improve your security when using a public terminal (part 3 of 4)

Last month [1] I showed you how you can enter passwords more securely using obfuscation techniques. This is a fancy way of saying that when you type your password you insert and delete random letters to mask the real password. It works because most keyloggers just record a long string of characters containing the keystrokes you have entered, so adding and deleting random letters makes it very hard for an attacker to work out which of the recorded keystrokes form part of your actual password.

However, some keylogging programs are smart enough to get around this. Next month I'll show you just how they get around it and what you can do about it, but first we need to look at another way of outsmarting keyloggers: on-screen keyboards.

An on-screen keyboard (OSK) is, as its name implies, a screen version of a normal keyboard where you "type" characters by clicking with your mouse the appropriate key on the screen. Windows has an OSK built-in that can be accessed from Start / All Programs / Accessories / Accessibility / On Screen Keyboard or alternatively from Windows key + U.

Now many folks think that using an OSK to enter password data is more secure because a keylogger can't capture the keystrokes. Unfortunately this is only partly true.

First, some OSKs (including the Windows OSK) simply emulate actual keystrokes, and these can be recorded by many keyloggers. Second, anyone can see what you are entering with an OSK by simply taking a screen movie or even a rapid series of screen shots. Third, by recording mouse click coordinates it may be possible to deduce the characters entered with an OSK. Finally, it may be possible to capture the password from the OSK using a clipboard monitor when you copy the OSK-entered password into a password form field.

That's the bad news. The good news is there are some OSKs that don't emulate keyboard input. Two of these are free, portable and specifically designed for secure entry. The first is Neo's SafeKeys [2]; the second is Monitor Only Keyboard (MOK) [3].

SafeKeys has some nifty features such as the ability to start up in a different screen position and with a different size every time you run it. This effectively defeats mouse click loggers. It also allows you to drag and drop the entered password into a web form thus bypassing clipboard loggers.

MOK has its own charms: it disables clipboard logging and has the option of a variable key layout. It doesn't support drag and drop but the copy implementation results in equal security to SafeKeys.

So on balance there is little between the products; each is a perfectly viable solution. Unfortunately both are still vulnerable to screen capture. However a screen capture program would have to take very frequent snaps or a continuous movie to successfully capture all your virtual keystrokes. That's possible, though the host PC would take a big performance hit in the process.

But there is a simple way of getting around screen capture programs: enter part of your password with an OSK and the remainder with the real keyboard. Combine the keyboard entry with a little basic obfuscation and you have a pretty secure solution.

It all sounds a little complex but it's simpler in actual practice than this written description implies. So I suggest you download SafeKeys and/or MOK, install them on your USB drive and get some real-life experience. It's all much easier than you think.

Next month in the fourth part of this originally planned two part series I'll look at some advanced keylogging techniques and the specific problems of protecting the RoboForm master password.
[1] http://techsupportalert.com/issues/issue146.htm#Section_5.1
[2] http://www.aplin.com.au/?cat=5
[3] http://www.myplanetsoft.com/free/mokhelp.php

How to use Windows Update with Firefox

Most folks know that the Windows Update site won't work correctly with Firefox. You can get around this by using Internet Explorer (IE) when visiting the Windows Update site but there are some better options.

The simplest option is to start up Internet Explorer from within Firefox by using either the IETab [1] or IEView [2] extensions.

IETab sets up an IE session within a separate Firefox tab while IEView opens IE in a separate window. Both work well and both save you the trouble of having to leave Firefox to start up Internet Explorer. Note that these extensions are still using IE but are doing so in a more convenient way.

There is another option that doesn't use IE at all. This is to use the third-party WindizUpdate web site [3]. It's a free service for Firefox users that pretty well duplicates the function of the Windows Update site but without ActiveX and Windows Genuine Advantage hassles.

To use the site you'll need to download an extension that scans your PC to determine the updates you need. Initially this gave me some privacy concerns but I quickly managed to satisfy myself that it was kosher.

Once you have the WindizUpdate plug-in installed the updating process works pretty much like the Windows Update site itself with separate suggestions for critical updates, other Windows updates and hardware updates. Downloading and installing the suggested updates proved effortless.

Apparently there can be a delay between the time updates appear on the Windows Update site and when they are available from WindizUpdate. However, when I tested the service in late February, I found all the Microsoft February patches were available.

Overall, highly recommended for Firefox users.

A footnote: Recently I had my hopes raised for an even better solution when I got an email from subscriber 'TinnyTim' (sic) who enthused over " ... a great GreaseMonkey script written by Rafael Rivera that allows Firefox users to access all Microsoft sites." Nice find TinnyTim, but the script only defeats Windows Genuine Advantage validation and doesn't help Firefox handle the ActiveX scripting that's integral to the Windows Update operation.

[1] http://ietab.mozdev.org/
[2] http://ieview.mozdev.org/
[3] http://windizupdate.com/
[4] http://extended64.com/blogs/rafael/archive/2005/07/27/1026.aspx

How to surf with complete security, part 3

This month I'll show you two more free ways to surf safely.

But first, let's recap.

In issues #129 and #130 I talked about using the free VMWare Reader and the free Ubuntu LiveCD to surf safely. Both are great solutions but both are a little awkward to use as they take several minutes to start up.

Today I'll show you two different free products that will allow you to start surfing safely in seconds rather than minutes.

The first is called Sandboxie. Its name accurately describes what it does: it creates a sandbox environment on your PC within which you can browse safely.

The strange name "sandbox" derives from the Java world where it refers to the highly contained and restricted environment in which Java programs (applets) are allowed to run. They are allowed to "play in the sandbox" but not go outside it. The important point is that while running in the sandbox, the programs have no access to your PC.

So it is with Sandboxie. While browsing within the environment provided by Sandboxie you are totally corralled off from the other parts of your PC. Any files you download are isolated to the sandbox. Similarly, any programs that are executed only do so within the sandbox and have no access to your normal files, the Windows operating system or indeed any other part of your PC.

This means you have complete browsing security. Nothing you do while browsing can have any effect on your PC outside the sandbox.

Starting Sandboxie is simple. You just double-click the Sandboxie icon and it will launch your default browser within the sandbox. When you've finished browsing you have the option of deleting all files accumulated in the sandbox during the session or retaining specific files. The secure option is to delete the lot.

It's a neat solution for safe surfing but there are some caveats. First, Sandboxie only works on Windows 2000 and later so Win9x users are out of luck. Second, the system is only safe if you choose the option of deleting all files at the end of your browsing session. Third, you have to be constantly mindful whether you are browsing in the safe sandbox environment or just browsing normally as the two environments look exactly alike. This is a real problem and I do wish the makers of Sandboxie would do something to make the sandboxed environment look visually different.

I also wonder about Sandboxie's ultimate security compared to using VMWare or a Linux LiveCD. I wasn't able to break out of the sandbox environment and get access to my PC but maybe a smart hacker could.

I don't have these residual concerns about the next option: surfing from Damn Small Linux within a QEMU virtual machine running on your Windows PC.

This is a bit similar to the option of running Linux on your Windows PC within a VMWare virtual machine that I mentioned in issue #129. It differs in that the virtual environment is created using the free Open Source program QEMU rather than VMWare.

Damn Small Linux (DSL) is a special cut-down version of Knoppix Linux that only takes up 50MB. However, it does include a pre-installed version of Firefox so it's ideal for creating a safe-surfing environment.

This may sound daunting to set up but it's not. The folks at DSL have included everything you need in a single archive. All you need do is download the 50 MB DSL archive, unzip it to a folder and run the file dsl-windows.bat.

This will automatically launch QEMU and then Damn Small Linux which will auto-install, including automatic network configuration. On my test 3.2 GHz P4 the whole process took less than one minute.

Running Firefox from within DSL is no more complex than clicking the Firefox icon on the DSL desktop. Ending your session is equally simple: just right-click on the desktop and select "Power down."

When you power-down, all traces of your surfing session will disappear. That includes any files downloaded, any cookies and your whole surfing history.

This all sounds very attractive but I must warn you that QEMU takes up a lot of processing power; bags of it. You'll need at least a 2.0 GHz Pentium class processor to run it and even then you'll find response to be sluggish. With faster processors, though, it will work just fine.

So that's it folks. You now have four free options for safe surfing: VMWare Reader, the Ubuntu Linux LiveCD, Sandboxie and DSL under QEMU.

Which is best? Well, if convenience is your top priority then you can't beat Sandboxie. If you have a really fast PC then you'll be tempted by DSL and if you want the best security VMWare and Ubuntu are the way to go; it's your call.

Whatever option you choose you will soon discover that once you are freed from security and privacy concerns you will be free to surf the internet without fear, to go to places you would normally never dream of visiting and to try things you wouldn't normally dare. All this, while knowing that at the end of your browsing session, you can wipe everything from your PC without leaving a trace.

Sandboxie: Free for non-commercial use, Windows 2000 and later, 310KB.
http://www.sandboxie.com

DSL+QEMU: Free GPL/GNU software, All Windows versions, 49.5MB.
http://damnsmalllinux.org/

See you next month.

Gizmo

Free Firefox extension offers selective privacy

Firefox V1.5 allows users to easily clear their internet history, cache, cookies and other internet tracks. Sometimes users don't want to clear everything but rather just the information for a particular browsing session. You can do this using the free Stealther extension. Once installed, just turn on Stealther from the Tools menu before the session and afterwards turn it off. Nothing will be recorded in the interim. Freeware, Firefox 0.9-1.6a1, 2KB.
https://addons.mozilla.org/extensions/moreinfo.php?id=1306