How will you stay safe when surfing the web this new year? We’d like to offer some tips. Security takes up a large part of our work in building a website for the DOD. As we try to keep current on new web attacks, we often find vulnerabilities that cannot easily be fixed, and it seems to take years for websites to address the problems. For example, session side-jacking has been around for years, but it wasn’t until Firesheep made the vulnerability so easy to exploit that major websites like Hotmail and Facebook started to address it (Facebook still hasn’t fixed the problem, but they say they are working on it).
We don’t have to wait years for websites and browsers to address these new attacks. To protect ourselves, we use Firefox or Chrome with an arsenal of proactive plugins. Here is a collection of our favorite Firefox add-ons that help us use the web more safely; these are what we recommend to our friends and family. The list runs from the most protective add-on down, with a note on why each one matters:
- RequestPolicy – keeps websites contained to their own domain, helping prevent cross-site attacks, specifically Cross-Site Request Forgery (CSRF). Here is a CSRF attack scenario: suppose you are logged into your bank, then go to a shopping site. Now suppose someone found a way to upload a script to that shopping site, perhaps through a product review. Because your browser automatically attaches your bank login cookies to any request it sends to the bank, that script could force your browser to send commands to your bank without you even seeing it, commands like “transfer $1000 to account xyz-123”. RequestPolicy restricts the content that each site can request, for example preventing the shopping site from sending requests to your bank.
- WOT – Web Of Trust uses the wisdom of crowds to help you avoid clicking through to, or visiting, a site that most users do not trust.
- HTTPS Everywhere – forces encryption on a pre-built list of pages, or on pages that you manually add. It improves your privacy by forcing your traffic to be encrypted and away from prying eyes. It also prevents more active attacks like session side-jacking (Firesheep) and other man-in-the-middle attacks. For example, the maker of the tool SSL-Strip, Moxie, tested out his creation by putting his own wifi in an airport. In just one hour of testing he collected 114 Yahoo passwords, 50 Google passwords, 42 Ticketmaster passwords, and a dozen passwords for PayPal, Hotmail, LinkedIn, and Facebook. This tool has been in the wild for 2 years now, and this add-on can help. If you do online banking we highly recommend adding your bank to the list of pages to force encryption.
- Adblock – blocks ads, including those that could potentially deliver malware.
- FlashBlock – prevents Flash from running without permission. Every month seems to bring a new zero-day exploit for Flash. Prevent these attacks by only allowing Flash to run on sites you trust.
- BetterPrivacy – removes unwanted Flash cookies that can be used to track you. When you tell your browser to remove cookies, it doesn’t clear Flash cookies; this add-on does.
- Nevercookie – removes evercookies, a recent tracking tool that uses 13 different techniques to track and remember you, making it difficult to get rid of. This add-on removes them.
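To make the RequestPolicy model in the first item concrete, here is an added Python example (ours, not the add-on’s code) that applies a default-deny, per-site request policy to the bank-transfer scenario above. The URLs and the short two-level-suffix table are constructed for the example, not a real public suffix list.

```python
from urllib.parse import urlsplit

# Constructed, partial stand-in for the public suffix list: the site a host
# belongs to is its last two labels, or three under these two-level suffixes.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def base_domain(url: str) -> str:
    """Return the site (registrable domain) a URL belongs to, e.g. 'bank.example'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if all(label.isdigit() for label in labels):
        return host  # IPv4 literal: treat the whole address as the site
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])


class RequestPolicy:
    """Default-deny filter for cross-site requests, in the style of the add-on."""

    def __init__(self, allow_pairs=()):
        # (origin site, destination site) pairs the user has explicitly approved
        self.allow_pairs = set(allow_pairs)
        self.blocked = []  # audit log of denied (page URL, requested URL)

    def allow(self, page_url: str, request_url: str) -> bool:
        origin, dest = base_domain(page_url), base_domain(request_url)
        if origin == dest:
            return True  # same site: always allowed
        if (origin, dest) in self.allow_pairs:
            return True  # user-approved cross-site pair
        self.blocked.append((page_url, request_url))
        return False


def simulate_shopping_page(policy: RequestPolicy) -> dict:
    """Run the CSRF scenario: a shopping page whose injected script also
    tries to hit the bank. Returns {requested URL: allowed?}."""
    page = "https://shop.example/product/42"  # constructed URLs throughout
    requests = [
        "https://cdn.shop.example/static/app.js",                # same site
        "https://payments.example/widget.js",                    # needs an allow rule
        "https://bank.example/transfer?to=xyz-123&amount=1000",  # forged request
    ]
    return {url: policy.allow(page, url) for url in requests}


if __name__ == "__main__":
    policy = RequestPolicy(allow_pairs={("shop.example", "payments.example")})
    for url, ok in simulate_shopping_page(policy).items():
        print("ALLOW" if ok else "BLOCK", url)
```

The forged bank request is denied even though the user is logged into the bank, because the policy judges the request by the pair of sites involved rather than by the cookies the browser would send.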
There are more. We have created a Firefox add-on collection that lists all the plugins we recommend. Subscribing to the collection will send you an update whenever we find new plugins we recommend. We hope you find this useful. Happy safe surfing this new year!