Know the Risk: Digital Transformation's Impact on Your Business-Critical Applications REGISTER >
Most lists of Mozilla Firefox security add-ons talk about the same old extensions. Do Web of Trust (WOT), NoScript, AdBlock Plus, or LastPass sound familiar? These all add great functionality to the open source browser, but we’re going to look at some newer ones that you probably haven’t seen yet.
This monitors the traffic on open or unencrypted Wi-Fi networks and demonstrates the vulnerability of HTTP session hijacking. It can capture the login credentials to numerous sites, including Amazon, Facebook, Flickr, Google, Windows Live, Twitter, and Yahoo—just to name a few. It displays the captured accounts on the sidebar where you can click on them to login with their account. Though the login session to the site may be encrypted, Firesheep validates that only end-to-end encryption like SSL provides complete protection.
You should understand not all wireless adapters can sniff the traffic of other users on wireless networks. Thus sometimes Firesheep will only capture accounts that are logged into from the same PC running it. However, wireless adapters do exist that can listen in on any user’s traffic.
Firesheep is available for Windows XP or newer with Winpcap installed and Mac OS X 10.5 or newer on an Intel processor. Linux support is on the way. It requires Firefox 3.6.12 or newer (32-bit only).
[Editor's note: to learn more about Firesheep, read "10 Ways to Protect Yourself from Firesheep Attacks."]
As you may know, SSL encryption can secure your logins and data on websites. In Firefox, you’ll see a button with the domain or company name appearing on the left of the address bar and a small padlock in the lower right corner of the browser when you’re connected via SSL/HTTPS.
However, more a visible indication can better help you identify sites that aren’t secured. The SSLPersonas add-on does this by turning the background of Firefox another color based upon the encryption status.
When Firefox turns green the website is certified and the operator was verified by a trustworthy authority. Blue indicates a website is secured with a valid certificate, but the organization isn’t fully verified. Orange indicates a website is only partially secure. You’ll know when a site isn’t secured at all—there’s no color.
SSLPersonas also improves certificate error warning pages by giving you a preview of the blocked website. If you do indeed trust the site, you can bypass the warning with one click.
Though websites implement SSL/HTTPS encryption, it doesn’t necessarily mean their forms and your data are secure. For example, they could be sending the information you input into forms via clear-text emails to the site administrators—still a common practice among many small businesses. The CreditCardNanny add-on tries to detect and notify you of this type of security issue.
Once installed, you can test the extension by visiting the dummy credit card form that uses a form emailer script.
The Domain Name System Security Extensions (DNSSEC) have been developed to help secure the Domain Name System (DNS). Though DNSSEC is still in the early stages of adoption, you can get prepared by installing this DNSSEC Validator.
This DNSSEC Validator add-on will automatically query DNS records for domains and compare them to the IP addresses Firefox used to download the page. If the records contain valid DNSSEC signatures, you’re protected by DNSSEC; otherwise you might be a victim of DNS spoofing. The results are displayed as a green, orange, or red key right in the address bar.
If you administer a domain network with a Windows Server and Active Directory, you’re probably familiar with how Group Policy Objects (GPOs) can help you centralize the management of settings and preferences of Internet Explorer, among other applications and system components.
This add-on lets you use GPOs for Firefox. They provide an administrative template to build the GPOs in Active Directory. The add-on is installable onto clients to read the settings and write the preferences to Firefox.
These GPOs define general, proxy, security, and advanced settings. They can help prevent users from updating Firefox, modifying add-ons, and much more.
There are plenty of add-ons that offer shortcuts to deleting history, cookies, and cache files. Privacy Locker, however, takes a different approach. It doesn’t delete anything, but lets you lock down your Bookmarks, Tools and History menus. It even blocks the keyboard shortcuts to these menus and prevents access to the about:config page. Your browser settings, saved passwords, history, and bookmarks would all be protected by a password. This is a great way to protect your privacy when others use your PC.
This provides a new kind of anti-phishing protection for Firefox users. Lockfox tracks the passwords you use for each website and alerts you if you try to use the same password twice. If you use unique passwords like you should, this would help you detect fake or duplicate sites that are trying to phish for your login credentials or credit card info.
One of my biggest pet peeves on the Internet these days is shorten URLs. You can’t tell where the link is pointing, it’s just gibberish. However, install this add-on and you’ll be able to hover over links from over 180 services to see the long URL and other basic information about the site. It’s not a huge security concern, but seeing the longer URL can help you identify the site you’re about to visit.
Find add-ons for yourself!
You can search or browse through the over 10,000 add-ons yourself on the Firefox Add-ons site. Most extensions should be installable via the button on their download page. If you download from a third-party site (like with Firesheep), simply open the file in Firefox to install.
Eric Geier is a freelance tech writer and author of many networking and computing books, for brands like For Dummies and Cisco Press. He also founded NoWiresSecurity, which helps small businesses quickly and easily protect their Wi-Fi with enterprise-level security.
Keep up-to-date with browser security news; follow eSecurityPlanet on Twitter @eSecurityP.