Firefox is too secure out of the box!

I've noticed something interesting about what i call Security minded users when they switch from Internet explorer to Firefox. In security forum after forum, I notice the first thing they ask is how can they harden it.

It seems that they are conditioned after years of use of Internet Explorer , that they cannot believe that Firefox out of the box is almost as good as it gets.

Let's face it, it's a common reaction, after years of tightening Internet Explorer settings, importing restricted sites, setting ActiveX killbits, using specialised cleaner software to clear index.dat, running http filter proxies and popup blockers, monitoring Browser Helper Objects and worse running obscure registry tweaks to close off services dangerous protocols. I probably left out a few other things you do.

In some even, I suspect there is for some a perverse pride in spending time and effort to do all this, being able to say "I have secured Internet Explorer, how dare all those idiots who say IE is insecure!" Maybe they even forget how much effort they have made to achieve this relative level of security and they rage against other clueless Internet Explorer users.

That is why I say for such security minded users, Firefox may be too secure out of the box! They feel the need to tweak some setting, download and buy some browser related security software, before they feel they have done their duty to the browser or security gods.

You won't find much about hardening Firefox because unlike Internet Explorer, it's default settings are already very secure. I won't rehash what is being mentioned here https://www.wilderssecurity.com/showthread.php?t=62772 , but the very fact that XPI installs are highly restricted by default compared to ActiveX gives you a clue that firefox doesnt really need much tweaking.

Besides the fact that tweaking Firefox for security is unnecessary, Firefox is much newer than Internet Explorer , so there is very little information so far about the various tweaks you can actually do, and the security software relating to Firefox has not developed much yet. Thus far, most software for firefox are related with cleaning cache and cookies, areas which firefox handle well enough on its own anyway.

This lack of information has also led to the misconception that Firefox is less configurable than Internet Explorer. While the Firefox guys have tried to minimize options bloat in the GUI to avoid confusing newbies, people familar with firefox and mozilla, know that there are a wealth of options that can be configured by simply typing about:config in the url bar. And even the options there can be added upon.

Sadly, there doesn't seem to be any good centralised place that explains what they do. http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries is a start

The Wilder thread mentioned earlier makes a good start in explaining some of the options but even that bare scratchs the surface.

For example you can totally disable the XPI installs. You can disable the XPI whitelist. You can control the time delay of the XPI popup (btw default is 5 seconds not 3).

Want control over popups?You can control the maximum number of popups each domain can launch (default is 20). You can control the events that trigger popups (change click dblclick mouseup reset submit by default).

How to handle phishing was already mentioned https://www.wilderssecurity.com/showthread.php?t=62772

Want to turn off your referrer? You can do it in Firefox without any external software. Ditto for changing your user-agent, though the extensions useragent switcher is more flexible.

Want to control handling of SSL and encryption , sure search for security.

There are more, even now I'm trying to recall some of the less common ones I came across while looking at bugzilla and I'm looking at some interesting ones that appeared when i put in different search terms.

Of course, it may seem that Internet Explorer seems to give more secure options, but you need to realise that Firefox does not support ActiveX, so that's one less feature that requires options. In terms of JS control, firefox is superior to Internet Explorer actually. And in some areas , Firefox is completely hardcoded (handling of JS and local machine for example) for very good reasons.

You might argue that this is not a very userfriendly way to change settings and I fully agree. But the thing is, you are not meant to change these settings unless you know what you are doing! It's not the case as in Internet Explorer, where you have to understand and change what advanced settings do, or die.

Even people concerned with security and privacy don't really need to change all this, unless they really want to.

It just occured to me that this long argument here , actually applies for the typical wilders members switching from Windows to linux. It just seems such a shame to give up all that hard earned knowledge and effort expanded to secure windows, and them give it all away by switching to Linux

Imagine all your time spent, learning how to unbind netbios, windows startup methods, knowledge about windows only security software, all useless!

))

 

ok, this thread is a little long for me to read completely at the moment, however I will coment on the name of the thread.

Can you be too secure?

Jimbob

 

You're right, but we'll have to get used to it

 

I think I mistitled my post.

It is not that firefox is too secure, but rather it is too secure out of the box!

 

I'd say so. When I downloaded firefox I'm pretty sure a box didn't come with it.

 

Oh lord, sometimes this forum cracks me up

Jimbob