Web browsers have their fair share of security vulnerabilities, no matter what operating system you are using. Though well-loved and very popular for a lot of great reasons, by default there is plenty of room for improvement regarding Firefox security. While there are tons of plugins and extensions with the goal of making Firefox more secure, there are things outside the scope of plugins that you should consider implementing if you care about Internet security even a little.
Most people aren’t aware of the myriad options and Boolean flags that Firefox contains for configuration, security settings, and options menus. Worse yet, most people don’t understand how these settings work or why they exist in the first place. It is pretty simple to make your browser more secure and it only takes a few minutes, so the only valid excuse for leaving your browser in an insecure state is that of ignorance.
To make Firefox more secure, you are going to want to either click on the URL bar or simply use the hotkey shortcut “ctrl + L.” Then, type “about:config” into the URL bar and hit enter. This will pull up a configuration page that will allow you to enhance your security settings. When you pull up the page, you will see a message that says any configuration changes have the potential to void your warranty. To be completely honest, this warning is overdoing it a bit. It is not as dangerous or scandalous as the warning makes it out to be to make changes to the browser on your computer that you own. As someone who wants stronger security settings, ignore this and continue to the configuration page.
Once the page loads, you will see a ton of different security values and options that are really the “nuts and bolts” of the Firefox application. Be forewarned, it is inadvisable to change these values unless you are either working from a how-to guide or you know what you’re doing. Don’t make changes willy-nilly just because you want to see what happens.
To change a value from this screen, all you need to do is to double-click on a value and edit it accordingly. This page gives you an extremely high level of control over the inner-workings of your browser. To be fair, some of these values can be changed from other parts of Firefox, such as the Options screen – though not all of these values are able to be controlled unless you visit this page specifically.
Private Browsing Auto-Start
As the name implies, this option gives you control over the default browsing options whenever you fire up Firefox. Basically, it will cover up any tracks of your browsing history whenever a new instance of Firefox is launched. There is a bit of a stigma with this option that you must surely be using Firefox inappropriately or engaging in illicit activities online if you want to wipe your tracks clean, but this simply isn’t true. Whether you visit Facebook or your favorite eCommerce site, that’s honestly no one’s business but your own.
Not only is this setting invaluable on shared computers (such as work computers or a public computer), but it is also valuable in a personal setting. There are tons of exploits that attempt to steal cookies as well as browsing histories from a user’s browser, and you are better off changing the default value of this setting. It also stymies the use of a large variety of cookies, so you can rest assured that you are browsing the web more securely. However, note that changing this setting only clears the information from your browser. If you aren’t using a VPN, much of the data sent to/from your web browser can still be intercepted and seen by ISPs and Internet attackers.
By default, the browser.privatebrowsing.autostart value is set to “false.” Instead, double click on this setting and set it to “true.” This will keep others from digging through your browser to see where you have been and what you have seen on the web.
Disabling “Safe Browsing”
This option was made as an attempt to limit phishing vulnerabilities, and it is enabled by default. If it’s enabled by default, why should you be concerned with it in the first place? It sounds pretty great, right? Well, not exactly.
Look for the value named browser.safebrowsing.enabled and make sure it is set to “false.” Basically, this setting compares any URLs you visit to a list made by Google, but it also allows Google to track what sites you visit (who wants that?). Though this setting does admittedly offer some protection against phishing, it comes with the drawback that Google can see what you’re up to online. There are too many other browser extensions that offer better security to use this poor excuse of a “security enhancement.”
Safe Browsing and Malware
This setting, much like the previous setting, should be disabled. Again, it can report data back to Google which makes browsing and your online activities less secure. Disable the setting browser.safebrowsing.malware.enabled.
How insecure can a default homepage be, you ask? Well actually, it can be very insecure. The fact is that companies like the major search engines (Google, Bing, and Yahoo) can store tons of data about your browsing habits when you use their default homepage. Instead of opting for the default value, you can edit the browser.startup.homepage setting to point to another search engine such as DuckDuckGo to decrease the amount of information that is stored about your browsing habits. You can also opt for other privacy-friendly search engines.
Browser Start Page
This setting is very similar to the last setting, but with one caveat. If you want, you can set browser.startup.page to “0” (the digit zero) to set the startup page to a blank or null value when you start Firefox.
Health and Data Reporting
No, this option isn’t a healthcare industry spy. Instead, this option reports data about the health, status, and stability of your browser back to the Mozilla team. As they claim, all of this data is sent anonymously and it helps them improve their browser. However, many people understandably have misgivings about reporting any data about their web browser to an external party. To maximize your Internet security, you are better off setting the datareporting.healthreport.uploadEnabled value to “false.”
Websites these days are becoming pretty advanced, and they even have the ability to track what you copy and paste. With this setting enabled, you might want to think twice before you hit “ctrl + c” and “ctrl + v” while browsing a website. In fact, websites even have the ability to change what is copied to your clipboard when you try to copy text or other information from their pages. By setting the dom.event.clipboardevents.enabled value to “false,” you will prevent a website from being able to see where you pasted the text you copied, and you will also circumvent the website’s restrictions on copying and pasting.
There are a lot of tactics Internet firms use to track the activities, histories, and browsing habits of their users, and one of these tactics is called DOM storage. Unfortunately, this tactic is becoming more popular because more and more people are learning how to disable various types of cookies. To prevent these tactics, simply set dom.storage.enabled to “false.”
Capturing geo-location data is on the rise. In fact, Google may be adding a feature that shows users the peak busy-hours of businesses in your area by tracking (“anonymous”) user location data. That’s pretty darn scary, isn’t it?
To increase your security, never opt to share location data when you visit a website. To eliminate this problem, simply set the geo.enabled setting to “false” to prevent your browser from sharing location data.
Geo-Location Data Specific to Wireless Networks
If you have disabled the geo.enabled setting, you won’t see any security gains from the following value, but you should still disable it just to be safe. This setting determines if your browser will send geo-location data relating to the Wi-Fi network you are using (as well as others in your area). To disable it, set the geo.wifi.uri value to that of your loopback address – which is 127.0.0.1.
Cookie Behavior Settings
You should also restrict cookies with the network.cookie.cookieBehavior setting by changing the value to “1,” which will only allow cookies to be stored from the destination server you are connecting to. However, if you use a third-party cookie manager, you will likely not need to change this setting.
Cookie Lifetime Settings
If you aren’t opposed to all forms of cookies, you can also limit how long they are stored. To configure this setting to only store a cookie for the duration of the connection with the server, simply set network.cookie.lifetimePolicy to “2.”
DNS Settings and Prefetching
This setting is a little tricky to understand if you don’t understand DNS. DNS is essentially the way a computer turns a domain name (such as www.google.com) into an IP address to be used in networking protocols. However, Firefox performs an operation called prefetching, which essentially resolves links and domain names to IP addresses before a user clicks on them. In turn, this reduces page load times and makes web browsing faster.
While this sounds good in theory, there are a lot of vulnerabilities and problems with this practice. To disable this setting, change the value of network.dns.disablePrefetch to “true.” If you can’t find this value, add a new parameter with the name listed above (preference names are case-sensitive, so type it exactly) and the value type as Boolean (true or false).
Additional Prefetching Mechanism
Find the network.prefetch-next value and set it to “false” to disable this setting. This prefetching mechanism is similar to the DNS prefetching value we disabled earlier, except it will basically download some page information ahead of time – even if you weren’t going to click on a particular link. From a security and privacy perspective, you are better off disabling this as well.
Do Not Track Header Value
Firefox, like many of its competitors, offers a feature that will ask any website not to track you. The privacy.donottrackheader.enabled value needs to be set to “true” for this value to work, but understand that a website isn’t required to comply. Even if you ask them not to track you with this feature, they may still do so. However, you are better safe than sorry, so you might as well enable this feature.
Enable Tracking Protection
This handy little setting will help stop sites from tracking your activities from site to site by using a block-list. Furthermore, because the tracking data is cut out and blocked, you will even see some modest performance boosts concerning page load times and data usage. Make sure you have set privacy.trackingprotection.enabled to “true.”
Telemetry is a term used to describe a lot of different data reporting utilities. In theory, they are supposed to be used to measure an application’s performance and to help find bugs to improve the software. Today however, Internet marketers and software developers have gone wild – taking a lot more data than they need to. Make certain you have set the toolkit.telemetry.enabled setting to “false.”
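To check that the changes above were actually saved, this added example (not part of the original article) audits the text of a profile’s prefs.js, the file where Firefox stores values changed in about:config, against the values recommended on this page. The function names and the sample input are constructed for illustration; a preference missing from the file is reported as None because Firefox only writes values that differ from its defaults.

```python
import re

# Values this article recommends, spelled as Firefox spells the names.
RECOMMENDED = {
    "browser.privatebrowsing.autostart": True, "browser.startup.page": 0,
    "browser.safebrowsing.enabled": False, "toolkit.telemetry.enabled": False,
    "browser.safebrowsing.malware.enabled": False,
    "datareporting.healthreport.uploadEnabled": False,
    "dom.event.clipboardevents.enabled": False, "dom.storage.enabled": False,
    "geo.enabled": False, "geo.wifi.uri": "127.0.0.1",
    "network.cookie.cookieBehavior": 1, "network.cookie.lifetimePolicy": 2,
    "network.dns.disablePrefetch": True, "network.prefetch-next": False,
    "privacy.donottrackheader.enabled": True,
    "privacy.trackingprotection.enabled": True,
}
# One line of prefs.js looks like: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_value(raw):
    if raw in ("true", "false"):
        return raw == "true"
    return int(raw) if re.fullmatch(r"-?\d+", raw) else raw.strip('"')

def parse_prefs(text):
    """Return {name: value} for every user_pref line; a later line wins."""
    matches = (PREF_LINE.match(line) for line in text.splitlines())
    return {m[1]: parse_value(m[2]) for m in matches if m}

def audit(text):
    """Map each pref not set as advised to (found, wanted, wrong_case_name)."""
    prefs = parse_prefs(text)
    lowered = {name.lower(): name for name in prefs}
    findings = {}
    for name, wanted in RECOMMENDED.items():
        found = prefs.get(name)  # None: absent, so the Firefox default applies
        if type(found) is not type(wanted) or found != wanted:
            alias = lowered.get(name.lower()) if found is None else None
            findings[name] = (found, wanted, alias)
    return findings

SAMPLE = """\
// Constructed sample, not taken from a real profile.
user_pref("browser.privatebrowsing.autostart", true);
user_pref("browser.startup.page", 3);
user_pref("geo.wifi.uri", "127.0.0.1");
user_pref("network.dns.disableprefetch", true);
"""

if __name__ == "__main__":
    print(*audit(SAMPLE).items(), sep="\n")
```

A non-empty third field means the preference was saved under a wrong-case spelling, which Firefox treats as a different preference. browser.startup.homepage is left out because the article gives no exact value for it.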
After the nasty warning you have to pass to get to the about:config screen, it may seem like a bad idea to change these settings. Understand though, that if you want to maximize your security in a Firefox environment, you absolutely need to flip the switch on some of these settings. Enabling or disabling these various features will drastically improve your online privacy. Stop letting companies and external parties store personal information, location information, and tracking information about you!