Some people may know that I'm a huge fan of Firefox, the free web browser from Mozilla. I've been using it faithfully as my primary web browser since its version 1 days. That was the time when it was the primary challenger to the incumbent Internet Explorer.
What I especially love about Firefox is its huge library of add-ons. These are small apps that enhance Firefox's functionality. It is because of this add-ons library that I remain a Firefox user, even though there are new browsers like Apple Safari and Google Chrome.
Recently, I've installed three add-ons to make my web browsing even more secure. Firefox already provides great built-in security, like warning against browsing bad websites and private browsing. But there are new and hidden threats that Firefox doesn't protect against. This is where these add-ons come in to assist the paranoid.
- Safe
When you browse a secure site (one that uses "HTTPS" in its address), usually a bank or other e-commerce site, Firefox will automatically display the website owner's name in the address bar. This reassures you that the secure website that you're browsing really belongs to the person or organization that you expect.
But sometimes, that little indicator, or a "lock" icon, isn't very noticeable. That's where "Safe" comes in. It not only draws a coloured border within the window, it also colours the window's tab. This gives you a very clear — albeit garish — indicator that you are, indeed, browsing a secure site delivered via the HTTPS protocol.
By default, the border is very thick, as if Safe's developer wanted to make the indicator as blatantly clear as possible. Fortunately, this can be adjusted to be thinner. On the other hand, there's no way to change the available colours. From what I can tell, there are only three colours: red, blue and green, and these are toggled according to which site you're browsing.
- HTTPS Everywhere
HTTPS is the Internet protocol by which a secure connection is established between your web browser and the website that you're browsing. With this secure connection, it is theoretically and almost practically impossible for an outsider to see what information is being transferred. As I mentioned above, almost every financial and e-commerce site uses HTTPS to deliver its information to you.
But HTTPS can — and should — be used beyond these kinds of websites. In fact, any time that you have to log in to a website, you should be using a secure connection. Popular sites like Facebook and Twitter already provide these kinds of HTTPS connections on their login pages.
Unfortunately, HTTPS is rarely used beyond the login pages. And a few months ago, a nefarious Firefox add-on was developed to show the evils of this practice. Called "Firesheep", this add-on allows anyone to take over another person's browsing session on a website over a network, e.g. a wireless connection. (The Electronic Frontier Foundation (EFF) has a more complete write-up of Firesheep.)
Suffice to say that if all (good) websites enforced HTTPS connections when delivering personalized content, then we would be able to browse more comfortably and with greater trust. But because these websites don't enforce HTTPS, it falls on third parties to make it happen.
That's what EFF's "HTTPS Everywhere" does. When you're browsing a website that is known to allow HTTPS connections, like Google, Facebook and Twitter, HTTPS Everywhere will automatically force Firefox to connect to the site via an HTTPS connection. This happens even if you are browsing a non-login page, like Gmail, a Facebook fan page or someone's Twitter profile. If you're using Safe, then you should see the (garish) coloured border and tab on these pages.
One downside of HTTPS Everywhere is that you may experience slightly slower browsing speeds when browsing these websites. But this slowdown is measured in milliseconds, and isn't your security worth that small amount of waiting time?
Another downside is that not all websites that allow HTTPS connections will operate properly. For example, Facebook Chat doesn't work over an HTTPS connection.
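A simplified model of the rule-based upgrade described above, with an exclusion for a path that breaks over HTTPS. This is an added example, not EFF's code; the hostnames, patterns, exclusion path and the `upgradeUrl` function are constructed for illustration.

```javascript
// Simplified model of rule-based HTTPS upgrading. The hosts, patterns and
// the exclusion path below are constructed for illustration only.
const RULESETS = [
  {
    name: "Example Social (constructed)",
    hosts: ["social.example", "www.social.example"],
    // Paths known to break over HTTPS are left untouched.
    exclusions: [/^http:\/\/(www\.)?social\.example\/chat\//],
    rules: [
      { from: /^http:\/\/(www\.)?social\.example\//, to: "https://www.social.example/" },
    ],
  },
  {
    name: "Example Mail (constructed)",
    hosts: ["mail.example"],
    exclusions: [],
    rules: [{ from: /^http:\/\/mail\.example\//, to: "https://mail.example/" }],
  },
];

// Returns the URL the browser should actually request.
function upgradeUrl(rawUrl, rulesets = RULESETS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return rawUrl; // not a parseable URL: leave it alone
  }
  if (url.protocol !== "http:") return rawUrl; // already HTTPS, or not web traffic

  const normalized = url.href; // host lower-cased, default port removed
  for (const set of rulesets) {
    // Exact hostname match, so look-alike hosts are never rewritten.
    if (!set.hosts.includes(url.hostname)) continue;
    if (set.exclusions.some((re) => re.test(normalized))) return rawUrl;
    for (const rule of set.rules) {
      if (rule.from.test(normalized)) return normalized.replace(rule.from, rule.to);
    }
  }
  return rawUrl; // site not known to support HTTPS: no rewrite
}
```

Only sites on the list are upgraded, which is why an unknown site or a non-default port still loads over plain HTTP.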
- BetterPrivacy
If you've been browsing the web for a long time, then you're probably familiar with "cookies", little bits of information that are stored in your web browser, usually to track your login credentials or online behaviour. But have you heard of the "evercookie"? That's a nickname for data that is stored in your web browser — and cannot be removed by your browser's usual "Delete cookies" option.
If you have the Flash plugin (and chances are, you do), then you probably already have evercookies. Unlike normal web browser cookies, evercookies are stored as part of your Flash plugin's temporary data. Called "Local Shared Objects", or LSOs, they are stored together with other Flash temporary data, like buffered video, until you explicitly clear your Flash plugin's cache.
Unfortunately, it isn't easy to delete the contents of your Flash plugin's cache. (Here's the Adobe help page that allows you to view and delete your Flash plugin's cache.) Also, within Firefox, there's no option to not store LSOs because it is an Adobe Flash technology, not a browser setting.
"BetterPrivacy" helps you manage evercookies more easily. Like the standard Firefox cookies settings, BetterPrivacy lets you view the LSOs in your Flash plugin's cache and remove any that you don't want. Also, whenever you quit Firefox, BetterPrivacy will prompt you if you want to delete any LSOs that it has found. (Of course, you have the option to automatically delete these LSOs without prompting.)
On top of that, BetterPrivacy guards against another kind of evercookie. Instead of being Flash-based, these evercookies are stored in your web browser through a new technology called "Web Storage". Web Storage is a feature of the new HTML5 specification to allow web services to store data within your browser. Needless to say, this includes cookies. Like LSOs, there's no easy way to remove this Web Storage data, including the evercookies. Fortunately, BetterPrivacy will let you automatically delete any Web Storage data that it finds.
(I suspect that this auto-removal feature will need to be improved in future. There is certainly some Web Storage data that could be deemed useful over separate browsing sessions and should not be removed.)
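A sketch of the selective clean-up suggested above: clear Web Storage but keep entries on a keep-list. This is an added example, not BetterPrivacy's code; `MemoryStorage`, `sweepStorage`, the key names and the keep-list pattern are constructed, and in a page the same function would be passed `window.localStorage`, which only exposes the current origin's data.

```javascript
// Minimal in-memory stand-in for the browser's Storage interface, so the
// example also runs outside a browser (constructed helper).
class MemoryStorage {
  constructor(entries = {}) { this.map = new Map(Object.entries(entries)); }
  get length() { return this.map.size; }
  key(i) { return [...this.map.keys()][i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  removeItem(k) { this.map.delete(k); }
}

// Delete every entry except keys matching the keep-list.
// Returns the list of removed keys.
function sweepStorage(storage, keepPatterns = []) {
  // Snapshot the keys first: removing entries while walking key(i)
  // shifts the indexes and silently skips some of them.
  const keys = [];
  for (let i = 0; i < storage.length; i++) keys.push(storage.key(i));

  const removed = [];
  for (const k of keys) {
    if (keepPatterns.some((re) => re.test(k))) continue; // useful data stays
    storage.removeItem(k);
    removed.push(k);
  }
  return removed;
}

// Constructed sample data: two preference keys and two tracking-style IDs.
function demo() {
  const store = new MemoryStorage({
    "prefs.theme": "dark",
    "uid": "constructed-tracking-id-1",
    "prefs.lang": "en",
    "_ec_backup": "constructed-tracking-id-2",
  });
  const removed = sweepStorage(store, [/^prefs\./]);
  return { removed, remaining: store.length, theme: store.getItem("prefs.theme") };
}
```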
So if you are already viewing and removing your regular Firefox cookies, or even blocking them, then you might also want to consider BetterPrivacy for an added layer of protection against evercookies.
I know that this reeks of paranoia and some of my information/opinions may be challenged or contradicted, but when it comes to security, I'd personally prefer to err on the side of caution. There are still some dark corners in the far reaches of the World Wide Web that I'd like to insure myself against. Safe, HTTPS Everywhere and BetterPrivacy allow me to surf the web just that bit more comfortably.