Macslocum over at O’Reilly Answers is asking people to submit their favourite browser plugins and extensions. No prizes for guessing which one I chose!
Thursday 18th March 2010
Thursday 13th August 2009
Another great reason for using NoScript in Firefox if you didn’t think it was useful before is that it blocks embedded media such as Flash unless you specifically choose to unblock it on individual pages (which for me is almost never!). With HTML5 elements like <video> and <audio> now being supported in Firefox 3.5 I was worried I’d be losing this control and that there would be an unguarded vector for attack… not to mention being annoyed and irritated by pages that start playing jingles and animated advertisements!
Suppose Firefox employed an external library to play media which turned out to be vulnerable; it’s happened in the past. Any malicious hacker could embed a specially crafted video or audio file into a page and your browser would start playing it automatically when you visited the page. By the time you realised what was going on, it’d be too late.
Well it’s time to breath easier again (that sounded like an introduction to a cheap infomercial). I just noticed this evening after updating to version 1.9.8.1 that NoScript now blocks HTML5 media elements on pages that aren’t on your NoScript whitelist just like JavaScript, Flash and the like which is fantastic news. I understand selectively enabling JavaScript may be a bit troublesome for some people to cope with, but HTML5 media filtering should be a mandatory part of Firefox in my opinion.
In any event, it’s one less thing to make me nervous and to worry about, which for someone always buzzing with social anxiety and caffeine is a good thing :).
Wednesday 12th August 2009
That mouth on their site has always scared the crap of me!
As I’ve said here in the past, the primary reason why I use Firefox isn’t for the superior browsing experience any more but rather for the security and privacy extensions, though sometimes they do break some sites.
In the case of the Australian Central Credit Union online banking site (try saying that three times in a row really fast!), simply enabling cookies and scripting with PermitCookies and NoScript on the accu.com.au address still generates "you need to enable cookies in your browser" errors, and if you get past them you then can’t enter in your unique personal icons combination because they don’t appear!
As with some other sites that uses frames, the problem is the ACCU frame is hosted on their primary domain, but one of the pages in the frame references an external site which means your whitelists don’t include it.
The solution:
- Right click (CTRL-Click on Mac) on the error page
- Choose This Frame > Open Frame in New Tab
- In the new tab, enable cookies and JavaScript with PermitCookies and NoScript
- Close that tab, return to the ACCU site
I’ve been told by more than a few people on Twitter that I’m paranoid by going to these lengths to block cookies and scripting, but to be blunt we are talking about dealing with bank accounts online and I’d rather be safe[er] than sorry. And besides, once you’ve set it up once, you’re good to go each time you visit. For me, the minor initial inconvenience is offset by the security and privacy of only having cookies and scripting I explicitly authorise running on my machine.
Now if you’d excuse me, my tin foil hat fell off and I ran over it with my computer chair. Might need to make a new one.
Tuesday 07th July 2009
As you’ve seen I’m somewhat obsessed with privacy and security plugins for Mozilla Firefox. Since writing my latest list of them, I’ve installed two more that I’m surprised I didn’t discover before.
The first is Targeted Advertising Cookie Opt-Out with the cute acronym of TACO. According to the extension description, it sets permanent opt-out cookies to stop behavioural advertising by 84 different advertising networks including Google, Yahoo, Microsoft, all members of the Network Advertising Initiative, and many other companies. What I love about it is it installs cleanly into Firefox without any configuration required.
The second is Master Password Timeout. If you’re like me and use Firefox to remember your passwords for sites, it’s critically important you assign a master password by going into Preferences > Security otherwise a malicious user accessing your machine could get your passwords in the clear. Master Password Timeout re-locks the master security device after a predefined period of inactivity which is useful if you tend to leave your browser open for long periods of time. Unfortunately it’s not currently available for Firefox 3.5 but I’m hoping that will change, it works great in Firefox 3.0.11 on my FreeBSD box.
All these extensions might seem like a symptom of paranoia, but personally given the Wild West nature of the Internet and how much of my life I spend on it, I couldn’t think of using anything else at this point.
Friday 15th May 2009
Demonstration from the Ghostery website
One of the extensions I added to my recent Mozilla Firefox extensions post that I hadn’t talked about before is a privacy gem called Ghostery. Whenever you visit a website that has hidden web bugs (bugs as in spying not errors) to track your online behaviour, it briefly superimposes a translucent message in the top right corner of the window informing you of such. It also adds a cute little Pacman-like monster to your status bar that persistently identifies how many bugs are on the current page.
As was the case when I realised how many sites break when JavaScript is only selectively enabled with NoScript and when cookies are only selectively enabled with PermitCookies, it’s been a real eye opener to see just how much snooping is happening on various sites I visit with this extension installed.
Some sites have nothing, others are perfectly harmless such as Whole Wheat Radio which only employs Google Analytics:
The current record for the most number of bugs on pages I frequent since installing this extension is Mashable which ranged from six to eight depending on the page. They look innocuous enough to me, but the number does seem a bit excessive:
As with much of security, the number of bugs on pages isn’t necessarily an automatic indication of how trustworthy a site is, though I would propose it does indicate where the priorities of the web developer and/or the site owners are. What’s more important to notice is what the bugs are.
My browsing habits haven’t really changed since installing Ghostery, but as with all my other security and privacy extensions it’s a part of my web defence kit which helps me identify material on sites so I can make informed decisions.
Monday 11th May 2009
In March I posted a list of the security and privacy extensions and usability extensions I use with Firefox. Because of the positive feedback I thought I’d create an updated post merging the two and showing some more extensions I’ve picked up since then. This page will always be available under http://rubenerd.com/firefox-extensions/.
What I like about most of these extensions is that they install unobtrusively in the statusbar and only inform you when action needs to be taken; not to mention peace of mind you get from knowing you’re using a browser that’s far more secure by default. In other words, you don’t need to be a security nut to use and benefit from these!
| Icon | Name | Description |
|---|---|---|
 |
NoScript | Disables JavaScript on all pages except for those you explicitly authorise. This is the primary reason to use Firefox! |
 |
BetterPrivacy | Protects from "super cookies" and Flash cookies that can be unscrupulously used to track you |
 |
SSL Blacklist | Warns if SSL certificates are signed by a suspect certificate authority and/or with the vulnerable MD5 algorithm |
 |
PermitCookies | Allows you to disable cookies in Firefox Preferences and only allow sites you trust |
 |
Ghostery | Notifies you of invisible web elements such as web bugs that are designed to track your behaviour |
 |
BlockSite | A simple, lightweight blacklist utility you populate with sites you want to block including elements on other pages that are hosted on said sites |
 |
AdBlock Plus | Removes ads from pages rendering them faster; also blocks attacks that use maliciously malformed ads |
 |
Greasemonkey | Lets you modify how pages work and look. I use it to hack Google Reader into something useful |
 |
LORI | Tracks how long it takes for a site and its elements to load, useful for debugging your own pages |
 |
FoxClocks | Adds any number of world clocks to either your status bar or your bookmarks bar |
 |
FireFTP | Very slick Norton Commander-ish dual pane FTP/SFTP client that launches in it’s own tab |
 |
TreeStyleTabs | A tree-style tab tar, akin to a folder tree. New tabs opened from links are automatically attached to current tab |
 |
British English Dictionary | Let’s you spell colourful words your favourite way ^_^ |
Wednesday 22nd April 2009
Spam, spam, spam, spam, spam…
An email I got just a few minutes ago:
Hi there,
My name is Peter and I’m interested in advertising with your site. We’re No 1 Commercial Software Reseller in US and having most competitive price on our website. It would be great if you link to our website, giving your visitors a better choice to buy wide range of products at a competitive price. If you are interested, we can discuss about the fee.
I would like to place a banner advert in home page or link buried in relevant content to your site. [...] Feel free to contact us for any other advertising methods available on your site.
Regards
Peter Mavis
Marketing Executive
Uh, thanks but no thanks. I also doubt you’re a number one US commercial software reseller given your email has more fractured English than even my own blog posts that I write with haste here and never seem to proof read before publishing. Grilled cheese sandwich.
Advertising on another blog? Just what the world needs! By the way, how great is AdBlock Plus?
Tuesday 07th April 2009
I’ve had to temporarily disable the BetterPrivacy extension because since I upgraded to Firefox 3.0.8 I get the above error message every single time I close the browser. Upon clicking it, all the browser windows disappear but Firefox stays active for anywhere between 5 to 30 seconds in the dock before finally quitting. It’s quite irritating!
Given it’s a JavaScript error I suspect perhaps it’s having a conflict with NoScript but disabling that extension still renders the above error. I’m running Firefox 3.0.8, BetterPrivacy 1.25, NoScript 1.9.1.6, Cookie Monster 0.97.0 and SSL Blacklist 4.0.30: as far as I know all the latest versions.
The error mentions NS_* (stands for NeXTSTEP, what Mac OS X was built from) which leads me to believe it may be a local problem. Anyone else having this issue?
Friday 13th March 2009
Given I’ve been obsessively talking about NoScript over the last few weeks, I thought I’d share something fun about their logo. According to their FAQ, the NoScript logo has a name and some history!
What is that strange, evil blue being in the NoScript logo?
It is Jesse the JavaScript Worm, an extra-dimensional menace trapped by NoScript. He’s said to be the evil cousin of Trogdor, but I swear by the Flying Spaghetti Monster I did not know anything about StrongBad and his dragon when I designed NoScript logo
I love these guys, they clearly know what they’re doing, they’re Pastafarians like me and they have a sense of humour to boot!
As I’ve eluded to previously, the primary reason why I use Mozilla Firefox is for it’s security and privacy extensions as I’ve discussed previously here; in particular NoScript. My cousin Nim can’t stand it when I say killer, so I’m going to say Firefox and NoScript are a killer combination. I really mean it!
Two random points from my family’s use of NoScript I thought I’d quickly share here:
- It dawned on me though that when I upgraded my sister’s MacBook to the latest version of Firefox that it should have been doing it for her automatically along with her plugins. She’s a NoScript user too but both her Firefox and her NoScript installations were woefully out of date. Checking the Update tab under Advanced in her preferences pane, I noticed her automatic updates were turned off. I don’t quite know why, she claims she never unchecked the boxes, but be that as it may it meant she was running older and potentially less secure versions of software for a while now.
- NoScript is updated on a very regular basis! Because I just put my MacBook to sleep instead of turning it off I can go for days without closing Firefox, and when I reopen it, it almost always has updates available for NoScript.
Two important lessons to take away from this post: if you’re a very, very happy NoScript user make sure firstly you have automatic updates enabled by default and that if you leave Firefox open for longer periods of time to check for updates more often. Again NoScript and Firefox are a match made in heaven, but they need constant updating to work optimally and securely.
A public service announcement from the Department of Ruben Schade Redundant Language Department, a red tape subsidiary of the Bureau of Oversight and the Ministry of Hot Air.
