Security and privacy assessment of the open source tools of the Firefox ecosystem of add-ons

Connection Security

Current version of Firefox and Firefox Networks Features*

In the previous research[2], features related to security at the network level were examined, such as certificates, the HTTPS padlock, NSS and Necko security, as provided by previous versions of Firefox[3].

Firefox 100.0, the latest version at the time of writing, was released on May 3, 2022. Besides the security bug fixes shipped with each release, the main security and privacy features added since 93.0 are the following:

  1. Protection against insecure downloads[4]:
  • Block insecure HTTP downloads started from a secure HTTPS page
  • Block downloads in sandboxed iframes, unless the iframe is explicitly annotated with the allow-downloads attribute[5]
  2. Private Browsing and Strict Tracking Protection[6]
  • Firefox introduced a mechanism called “SmartBlock 3.0”, which compensates for the breakage (missing images, poor performance) that content blocking in previous versions could cause: it loads local, privacy-preserving stand-ins for the blocked resources that behave just enough like the originals for the website to keep working.
  3. HTTP Referrer Protections
  • Trims the HTTP Referer header of cross-site requests to the origin (scheme, host and port); in Private Browsing and Strict Tracking Protection a less restrictive referrer policy requested by the page is ignored.
  • The referrer lets a website learn which page the user came from, and a full URL may carry sensitive data in its path or query string.

The user can benefit from these additional security mechanisms by installing the latest Firefox version.
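The following is an added example, not code from Firefox or from the original report: a small Node.js model of how the Referer header is computed under the default strict-origin-when-cross-origin policy, and of the Firefox 93 behaviour in which a page's less restrictive policy is ignored for cross-site requests in Strict Tracking Protection and Private Browsing. The URLs are constructed, and the "site" comparison is simplified to the last two host labels instead of the Public Suffix List.

```javascript
// Added example, not Firefox source: models Referer computation for the
// default policy "strict-origin-when-cross-origin" and the Firefox 93 rule
// that, in Strict Tracking Protection / Private Browsing, a looser policy
// requested by the page is ignored for cross-site requests.

// The most a Referer may ever carry: the URL without credentials or fragment.
function fullReferrer(u) {
  const url = new URL(u);
  url.username = "";
  url.password = "";
  url.hash = "";
  return url.href;
}

// Origin form of a referrer, serialised with the trailing slash browsers send.
function originOf(u) {
  return new URL(u).origin + "/";
}

// Assumption of this example: "site" = scheme + last two host labels. Real
// browsers consult the Public Suffix List to find the registrable domain.
function siteOf(u) {
  const url = new URL(u);
  return url.protocol + "//" + url.hostname.split(".").slice(-2).join(".");
}

const DEFAULT_POLICY = "strict-origin-when-cross-origin";
// Policies that would send more than the default on a cross-site request.
const LOOSER_THAN_DEFAULT = new Set(["no-referrer-when-downgrade", "origin-when-cross-origin", "unsafe-url"]);
const KNOWN_POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
  "same-origin", "strict-origin", DEFAULT_POLICY, "unsafe-url",
]);

// Returns the Referer header value to send, or null for no header.
//   pagePolicy: the Referrer-Policy the referring page asked for.
//   strictMode: true models Firefox's Strict / Private Browsing clamping.
function computeReferrer(fromUrl, toUrl, pagePolicy = DEFAULT_POLICY, strictMode = false) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const crossSite = siteOf(fromUrl) !== siteOf(toUrl);
  const downgrade = from.protocol === "https:" && to.protocol === "http:";

  let policy = KNOWN_POLICIES.has(pagePolicy) ? pagePolicy : DEFAULT_POLICY;
  if (strictMode && crossSite && LOOSER_THAN_DEFAULT.has(policy)) {
    policy = DEFAULT_POLICY; // Firefox 93: trim to origin regardless of the page's wish
  }

  switch (policy) {
    case "no-referrer":                return null;
    case "unsafe-url":                 return fullReferrer(fromUrl);
    case "no-referrer-when-downgrade": return downgrade ? null : fullReferrer(fromUrl);
    case "origin":                     return originOf(fromUrl);
    case "strict-origin":              return downgrade ? null : originOf(fromUrl);
    case "same-origin":                return sameOrigin ? fullReferrer(fromUrl) : null;
    case "origin-when-cross-origin":   return sameOrigin ? fullReferrer(fromUrl) : originOf(fromUrl);
    default: // strict-origin-when-cross-origin
      if (sameOrigin) return fullReferrer(fromUrl);
      return downgrade ? null : originOf(fromUrl);
  }
}

// Constructed URLs for a quick demonstration: same request, page asks for
// "unsafe-url", first without and then with the strict-mode clamp.
console.log(computeReferrer("https://shop.example.com/cart?id=42", "https://ads.tracker.test/pixel", "unsafe-url"));
console.log(computeReferrer("https://shop.example.com/cart?id=42", "https://ads.tracker.test/pixel", "unsafe-url", true));
```

With the default policy a cross-site request carries only https://shop.example.com/; a page that asks for unsafe-url leaks the full path and query string to the third party unless strict mode clamps it back to the origin. An HTTPS to HTTP downgrade sends no referrer at all.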


VPN/Proxies*

The current version allows the user to hide his IP address using VPN and proxy extensions. “Browsec VPN[7]” and “Touch VPN[8]” were used for testing, and both hid the original IP address. Note that such extensions route only the browser's own traffic through the provider's proxy; other applications on the device keep using the real address.


Original IP address


New IP address by using Touch VPN

New IP address by using Browsec VPN

DNS over HTTPS*

When the browser needs to reach a website, it first resolves the host name through DNS. A traditional DNS query is sent in plaintext (UDP or TCP port 53), so any third party on the path, such as the local network operator or the ISP, can see which website the user is about to access.

DNS-over-HTTPS (DoH) works differently: the browser sends the query to a DoH-capable resolver inside an encrypted HTTPS connection, so on-path observers see only traffic to the resolver. This hides the lookup from the network, not from the DoH provider itself, and the destination IP address and the TLS server name of the subsequent connection can still reveal the site.
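As an added example (not Mozilla or Cloudflare code), the block below builds the request a DoH client actually sends for an A-record lookup using the RFC 8484 GET form (a base64url-encoded DNS wire-format query in the dns= parameter) and decodes a reply. The resolver URL is the endpoint Firefox uses for the Cloudflare provider; the queried name and the sample reply bytes are constructed for the example, so it runs offline.

```javascript
// Added example (not Firefox or Cloudflare code): builds the RFC 8484 GET
// request for an A lookup and parses a constructed wire-format reply.

// Encode a host name as DNS labels (RFC 1035 section 3.1).
function encodeName(name) {
  const parts = [];
  for (const label of name.replace(/\.$/, "").split(".")) {
    const bytes = Buffer.from(label, "ascii");
    parts.push(Buffer.from([bytes.length]), bytes);
  }
  parts.push(Buffer.from([0])); // root label terminates the name
  return Buffer.concat(parts);
}

// Wire-format query. RFC 8484 recommends ID = 0 so that identical queries
// give identical URLs and can be served from HTTP caches.
function buildQuery(name, qtype = 1 /* A */) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(0, 0);      // ID
  header.writeUInt16BE(0x0100, 2); // flags: RD (recursion desired)
  header.writeUInt16BE(1, 4);      // QDCOUNT
  const question = Buffer.concat([encodeName(name), Buffer.from([qtype >> 8, qtype & 0xff, 0, 1])]); // QTYPE, QCLASS IN
  return Buffer.concat([header, question]);
}

// base64url without padding, as RFC 8484 requires for the dns= parameter.
function base64url(buf) {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function dohGetUrl(resolver, name, qtype = 1) {
  return `${resolver}?dns=${base64url(buildQuery(name, qtype))}`;
}

// Read a (possibly compressed) name at offset; returns [name, nextOffset].
function readName(buf, offset) {
  const labels = [];
  let jumped = false, next = offset;
  for (;;) {
    const len = buf[offset];
    if (len === 0) { offset += 1; break; }
    if ((len & 0xc0) === 0xc0) {          // compression pointer (RFC 1035 section 4.1.4)
      const ptr = ((len & 0x3f) << 8) | buf[offset + 1];
      if (!jumped) next = offset + 2;
      jumped = true;
      offset = ptr;
      continue;
    }
    labels.push(buf.toString("ascii", offset + 1, offset + 1 + len));
    offset += 1 + len;
  }
  return [labels.join("."), jumped ? next : offset];
}

// Parse a wire-format response and return the A records it carries.
function parseAnswers(buf) {
  const rcode = buf.readUInt16BE(2) & 0x000f;
  if (rcode !== 0) throw new Error(`resolver returned RCODE ${rcode}`);
  const qd = buf.readUInt16BE(4), an = buf.readUInt16BE(6);
  let off = 12;
  for (let i = 0; i < qd; i++) off = readName(buf, off)[1] + 4;   // skip question section
  const answers = [];
  for (let i = 0; i < an; i++) {
    const [name, o] = readName(buf, off);
    const type = buf.readUInt16BE(o), ttl = buf.readUInt32BE(o + 4), rdlen = buf.readUInt16BE(o + 8);
    const rdata = buf.subarray(o + 10, o + 10 + rdlen);
    if (type === 1 && rdlen === 4) answers.push({ name, ttl, address: Array.from(rdata).join(".") });
    off = o + 10 + rdlen;
  }
  return answers;
}

// Constructed sample reply (not captured from a real resolver): ID 0, flags
// QR|RD|RA, one question, one answer whose name is a pointer to offset 12.
const SAMPLE_REPLY = Buffer.concat([
  Buffer.from([0x00, 0x00, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00]),
  encodeName("example.test"), Buffer.from([0x00, 0x01, 0x00, 0x01]),
  Buffer.from([0xc0, 0x0c, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0e, 0x10, 0x00, 0x04, 192, 0, 2, 10]),
]);

const FIREFOX_CLOUDFLARE_DOH = "https://mozilla.cloudflare-dns.com/dns-query";
console.log(dohGetUrl(FIREFOX_CLOUDFLARE_DOH, "example.test"));
console.log(parseAnswers(SAMPLE_REPLY));
```

Everything an on-path observer sees is a TLS connection to the resolver; the host name being looked up exists only inside the encrypted dns= parameter. The same wire-format bytes can be sent as a POST body with Content-Type application/dns-message, which avoids putting the query in a URL that may be logged.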

In 2019 Mozilla announced DoH as the default for Firefox desktop users in the United States. In other countries the option can be enabled manually in the connection settings.

In order to test if this mechanism is working, DoH was enabled, and Cloudflare was set as the provider.

Cloudflare provides a test page, “https://1.1.1.1/help”, where the user can check the connection information, including whether DoH is in use.


Manually enabling DoH


Test Page

HTTP to HTTPS*

Starting with Firefox 83, the user can enable HTTPS-Only Mode in the preferences. This security-enhancing mode attempts to upgrade every connection to HTTPS. Most websites already support HTTPS, and some support both HTTP and HTTPS; when a site does not support HTTPS, Firefox shows an error page and asks the user before falling back to HTTP instead of silently connecting in clear.
The option is also available in the current version of Firefox.


Manually enabling HTTPS-Only Mode

1.5 – New TLS Version Enforcer*

TLS 1.3 has been enabled by default in Firefox since version 63 and is therefore active in Firefox 100. The user can verify this in about:config: security.tls.version.max is 4 (TLS 1.3) and security.tls.version.min is 3 (TLS 1.2). The values 1 and 2 stand for TLS 1.0 and 1.1, which have been disabled by default since Firefox 78.


Configuration Settings

TOR Solutions*

Some extensions allow the user to “open a website in Tor”, i.e. through the onion routing network. These plugins need the Tor Browser to be installed on the computer; on their own they do not provide Tor's anonymity properties.

Content and Scripts Blockers

Ads, Scripts, and Malware Blockers*

These extensions remove ads, help block malware and trackers, and improve browser performance by not loading unwanted content.

Some ad blockers also offer an allow-listing mechanism so that the user can permit content only from sites of his choice.

The extension “Adblock Plus” [9] is also available in the Android mobile version.

Cookies and Local Data Storage Blockers*

The websites that the user visits can store cookies and other site data on his computer. The stored data contains information such as site preferences and login status.

Firefox 100 allows the user to block websites from storing this data by setting his preference in the Enhanced Tracking Protection[10] section of the browser settings.

Secure Downloads*

Firefox's most recent version applies three different kinds of techniques to protect the user from potentially malicious or unsafe downloads:

  1. Block insecure HTTP downloads on a secure HTTPS page and in sandboxed iframes[11]
  2. Malware detection in downloaded application files[12]: Firefox verifies the signature of the file and, if it is signed, compares the signer with a list of known safe publishers. For files that the lists identify neither as “allowed” nor as “blocked”, Firefox asks Google's Safe Browsing service whether the software is safe by sending it some of the download's metadata.
  3. Scan downloads by using specific extensions such as VT4Browsers[13].

Websites Blockers*

These extensions block access to websites of the user's choosing. The extension “Block Site”[14] also allows the user to redirect navigation from one specific website to another and to block access to websites at specified times and dates.



Example of blocked domain

Ads Blockers Protectors*

Some websites lock their content if an ad blocker is detected. Ad blocker protectors allow the user to keep his ad blocker active on this kind of website.

Firefox 100 allows the installation of different kinds of blockers. In particular, “uBlock Origin”[15] can bypass this kind of anti-adblock mechanism by enabling additional filter lists in its settings.


Filter Setting of uBlock Origin

Security Suite (NoScript only)*

NoScript Security Suite[16] detects and blocks XSS, CSRF, cross-zone DNS rebinding and clickjacking attempts. Google's XSS Game[17], a training platform for practising XSS, was used for testing.

WebRTC Blockers*

WebRTC can reveal the user's real IP address (local and public, through ICE candidates) even when a VPN is in use, so a WebRTC blocker is a complementary tool to the VPN. The test done in chapter 1.2 shows that the VPN extensions could hide the public IP address even without this extension.

The user can disable WebRTC by opening about:config and setting the “media.peerconnection.enabled” preference to “false”.


Cleaners

History, Cookies, Cache Cleaners*

Firefox 100 allows the user to automatically clear his history, cookies and cache data every time Firefox is closed. The preferences can be set in the Privacy & Security settings:


Step 1: set History to “Use custom settings for history”

Step 2: enable “Clear history when Firefox closes” so that it happens automatically

Step 3: check the items that the user wants cleared automatically each time he quits Firefox

Browser Settings Controller

Cookies Cache History Proxy Managers*

Firefox 100 allows the user to customise and manage cookie, site data and cache by simply changing the Settings in the Privacy and Security field.

Cookies and Site Data Settings

The same applies to proxies that can be customised by the Connection Settings.

Connection Settings

As regards history, Firefox only allows the user to choose the time range of the data to be deleted or to delete all history data automatically. The user cannot limit the deletion to specific websites as in the previous cases.

Browser Update*

Users can download and install the latest version of the browser and of its add-ons, either automatically or manually.


Updates Settings

Session Lockers and Guest Session

Secure Bookmarks*

The most used extension to create a secret folder in the bookmarks, accessible only with a password, is “Private Bookmarks”[18]; it still works in Firefox 100 although its last update was in 2019.

Basically, the user sets a password that locks the secret folder containing the bookmarks. The folder is visible only when it is unlocked.

Easy Security and Privacy Settings Managers*

Mozilla Firefox offers a great deal of control in its privacy settings, but the user must be quite savvy to reach the advanced configuration settings. An extension called Privacy Settings[19] helps the user access those advanced settings from a single panel.


Privacy Settings

Authentication and Reputation

Passwords Managers*

Depending on how they store and manage passwords, password managers can be classified into three types.

  1. Desktop-based password managers:

Save all the user's passwords on the local drive of his device, so the passwords remain private to him only. The downside is that if the user loses his device, he loses access to all his passwords unless he keeps a backup.

  2. Cloud-based password managers:

Save all the passwords in encrypted form on the provider's cloud. A key benefit of cloud-based password managers is ready accessibility; one limitation is that the user essentially needs an internet connection to access his vault, and he must trust the provider's encryption and infrastructure.

  3. Single Sign-On (SSO) password managers:

Sign in to all the user's accounts with a single identity and password.

With a password manager the user can also generate strong passwords, automatically change some passwords, and be alerted when a breach or leak involves his credentials.
Firefox 100 supports different add-ons to manage passwords, such as LastPass[20], 1Password[21], KeePassXC[22] and so on.

Mozilla also provides Firefox Lockwise, released with Firefox 70 in October 2019. It is Firefox's built-in password manager, which securely stores the usernames and passwords used to log in to websites. When the user visits a site for which he has saved login credentials, the login form fields are filled in automatically with the saved username and password. The tool also allows the user to set a primary (master) password to protect the saved passwords.

Reputation and Blacklists for Rogue Websites*

Firefox contains built-in Phishing and Malware Protection (based on Google Safe Browsing) to help keep the user safe online. It warns the user when a page he visits has been reported as a deceptive site, as a source of unwanted software or as malware, and when a downloaded file is detected as malware.

Phishing and Malware Protection works by checking the sites the user visits against lists of reported phishing, unwanted software and malware sites. When the feature is enabled, these lists are downloaded automatically and updated roughly every 30 minutes.
An extension called “Website Reputation Rating”[23] is also available; it shows a safety rating for every site the user visits.

Temporary Virtual Cards and Secure Payments*

Regarding this mechanism, the only add-ons found are “Pay by Privacy.com”[24] and “Eno from Capital One”[25], which require an account on Privacy.com and CapitalOne.com respectively.
They allow the user to generate a new virtual card number for a specific site, so that he can shop online without exposing his actual credit card number.

I tried them, but for “Pay by Privacy.com” you must be a US resident, and for the other one you need to enter sensitive data such as a Social Security Number or ITIN in the form.

Third-Party Authentication Systems*

It is possible to enable two-step authentication on a Firefox Account to prevent someone else from logging in: each login requires a one-time code that only the user can generate. A recovery key can also be set to restore the user's data if he forgets his password.

Security Settings

It is also possible to install add-ons such as Authenticator[26], which generates two-factor authentication codes (TOTP) inside the browser, adding an extra layer of security to the user's online accounts. Keeping the TOTP secrets in the same browser profile as the saved passwords does, however, reduce the separation between the two factors.

Tracking/Privacy Protection

Privacy-based Search Engines*

The Search panel in Firefox Settings lets the user customise his search options: he can add, remove or change his default search engine. Firefox 100 allows setting DuckDuckGo (a privacy-oriented search engine) as the default.

Search Engine Settings

Easy Privacy Settings Managers*

See chapter 4.5

Cookies and Local Data Storage Blockers*

See chapter 2.2

Tracking Parameters Link Cleaners*

Among the extensions in the Firefox Add-ons store, ClearURLs[27] is recommended: it automatically removes tracking elements from URLs to protect privacy while browsing. Its last update was released on 24 March 2021 and it also works in Firefox 100.
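To show what a link cleaner does, the following added example (not ClearURLs code) removes a small, constructed set of tracking parameters and unwraps one constructed redirect pattern; ClearURLs ships a much larger per-site rule set. The sample URLs, the parameter list and the per-host rules are all constructed for the example.

```javascript
// Added example (not ClearURLs code): strips tracking parameters from URLs
// and unwraps a redirector, the two things a link cleaner typically does.

// Parameters that are trackers on any host (constructed subset).
const GLOBAL_TRACKING_PARAMS = [
  /^utm_/i, /^fbclid$/i, /^gclid$/i, /^dclid$/i, /^msclkid$/i,
  /^mc_eid$/i, /^_hsenc$/i, /^_hsmi$/i, /^igshid$/i, /^yclid$/i,
];

// Parameters that are trackers only on a given host (constructed rules).
const SITE_RULES = {
  "www.amazon.com": [/^ref_?$/i, /^pf_rd_/i, /^pd_rd_/i, /^tag$/i],
};

// Redirectors whose real destination sits in a query parameter (constructed rule).
const REDIRECTORS = {
  "www.google.com": { path: "/url", params: ["q", "url"] },
};

function isTracking(hostname, key) {
  const rules = GLOBAL_TRACKING_PARAMS.concat(SITE_RULES[hostname] || []);
  return rules.some(r => r.test(key));
}

// Returns { url, removed, unwrappedFrom? }. Non-URLs are returned untouched.
function cleanUrl(raw, depth = 0) {
  let url;
  try { url = new URL(raw); } catch { return { url: raw, removed: [] }; }

  // Unwrap redirectors first; the inner URL is then cleaned recursively.
  // depth bounds the recursion so a redirect that points at itself cannot loop.
  const redirect = REDIRECTORS[url.hostname];
  if (redirect && url.pathname === redirect.path && depth < 3) {
    for (const p of redirect.params) {
      const target = url.searchParams.get(p);
      if (target && /^https?:\/\//i.test(target)) {
        const inner = cleanUrl(target, depth + 1);
        return { url: inner.url, removed: inner.removed, unwrappedFrom: url.hostname };
      }
    }
  }

  const removed = [];
  for (const key of new Set(url.searchParams.keys())) {
    if (isTracking(url.hostname, key)) {
      removed.push(key);
      url.searchParams.delete(key); // removes every occurrence of the key
    }
  }
  // Avoid leaving a bare "?" when every parameter was a tracker.
  if ([...url.searchParams.keys()].length === 0) url.search = "";
  return { url: url.href, removed };
}

// Constructed sample link of the kind an add-on store or newsletter hands out.
console.log(cleanUrl("https://addons.mozilla.org/it/firefox/addon/browsec/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=search"));
console.log(cleanUrl("https://www.google.com/url?q=https%3A%2F%2Fexample.org%2Fpage%3Futm_source%3Dx&sa=D"));
```

Parameters are matched on the key only, so the user-visible content of a link (an item id, a search term) is preserved while campaign and click identifiers are dropped; the removed list makes the change auditable, which matters when a cleaned link stops working because a site abused a "tracking" parameter for something functional.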

Containers/Sandboxes*

It is possible to activate Containers by modifying some preferences in the configuration editor (about:config): the user sets both privacy.userContext.enabled and privacy.userContext.ui.enabled to true.


Containers tab button

It is also possible to activate Containers by installing the Multi-Account Containers[28] Firefox extension, which builds on the container feature integrated in Firefox and adds management of the containers and of the sites assigned to them.


Multi-Account Containers

Cookies Cache History Cleaners*

See chapter 3

Location*

Firefox 100 allows the user to block websites from accessing his location by changing the permission settings.


Permission Settings

To spoof the location the user can use a VPN, the Location Guard browser extension[29], or change some preferences in the configuration editor: set geo.enabled to false, or change the geolocation provider URL preference (geo.wifi.uri in older versions, geo.provider.network.url in current ones).

Fingerprints

Fingerprints Blockers*

When the user goes online, his device provides the sites he visits with highly specific information about his operating system, settings, and even hardware. The use of this information to identify and track him online is known as device or browser fingerprinting.

The latest version of Firefox protects the user from fingerprinting by default by blocking third-party requests to companies known to use these techniques (the fingerprinter list of Enhanced Tracking Protection).

Browser Privacy Settings


Fingerprints Spoofers*

There are a number of different browser extensions and add-ons that the user may find useful to minimise or spoof his fingerprint such as:

  • Canvasblocker[30]: Protects against canvas fingerprinting methods
  • Trace[31]: Protects against various fingerprinting methods
  • Chameleon[32]: Allows the user to spoof user agent values
  • User-Agent Switcher[33]: Allows the user to spoof user agent

The downside is that installing many extensions can itself make the user more identifiable.

Other ways to minimise browser fingerprinting are to change some preferences in the Firefox configuration settings (about:config):

  • media.peerconnection.enabled (WebRTC) as false: Disable WebRTC that can also expose the real user’s IP address
  • privacy.resistFingerprinting as true: Makes Firefox more resistant to browser fingerprinting
  • privacy.trackingprotection.fingerprinting.enabled as true: This is a new preference with Firefox 67+ to block fingerprinting
  • geo.enabled as false: Disable geolocation tracking
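The preferences listed above, together with those mentioned earlier for TLS versions, HTTPS-Only Mode, DoH, WebRTC, Do Not Track and containers, can be checked with the following added example (not Mozilla code), which parses a user.js or prefs.js file and reports deviations from a hardening baseline chosen for this example. The pref names are real Firefox preferences; the sample file content is constructed.

```javascript
// Added example (not Mozilla code): audits a Firefox user.js / prefs.js
// against a hardening baseline. The baseline values are this example's own
// choice, built from the preferences discussed in the document.
const BASELINE = {
  "security.tls.version.min":                          { want: 3,      why: "TLS 1.2 minimum" },
  "security.tls.version.max":                          { want: 4,      why: "TLS 1.3 allowed" },
  "dom.security.https_only_mode":                      { want: true,   why: "HTTPS-Only Mode" },
  "network.trr.mode":                                  { want: [2, 3], why: "DNS over HTTPS (2 = DoH first, 3 = DoH only)" },
  "media.peerconnection.enabled":                      { want: false,  why: "no WebRTC IP leak" },
  "privacy.resistFingerprinting":                      { want: true,   why: "fingerprinting resistance" },
  "privacy.trackingprotection.fingerprinting.enabled": { want: true,   why: "block known fingerprinters" },
  "geo.enabled":                                       { want: false,  why: "no geolocation" },
  "privacy.donottrackheader.enabled":                  { want: true,   why: "send Do Not Track" },
  "privacy.userContext.enabled":                       { want: true,   why: "containers" },
};

// Parses lines of the form user_pref("name", value); (pref(...) is accepted
// too). Values are JSON-compatible: quoted strings, numbers, true/false.
function parsePrefs(text) {
  const prefs = {};
  const re = /^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue;
    try { prefs[m[1]] = JSON.parse(m[2]); } catch { /* skip values we cannot parse */ }
  }
  return prefs;
}

// A pref that is absent is reported as "missing": Firefox then uses its
// built-in default, which for most of these is the less private setting.
function audit(prefs) {
  const findings = [];
  for (const [name, { want, why }] of Object.entries(BASELINE)) {
    const accepted = Array.isArray(want) ? want : [want];
    if (!(name in prefs)) {
      findings.push({ name, status: "missing", expected: accepted, actual: undefined, why });
    } else if (!accepted.includes(prefs[name])) {
      findings.push({ name, status: "mismatch", expected: accepted, actual: prefs[name], why });
    }
  }
  return findings;
}

function report(text) {
  return audit(parsePrefs(text)).map(f =>
    `${f.status.padEnd(8)} ${f.name} = ${JSON.stringify(f.actual)} (expected ${f.expected.join(" or ")}: ${f.why})`);
}

// Constructed sample user.js: TLS floor lowered to 1.0, DoH left at the
// Firefox default (0), WebRTC still enabled, several hardening prefs absent.
const SAMPLE_USER_JS = `
// Mozilla User Preferences
user_pref("security.tls.version.min", 1);
user_pref("security.tls.version.max", 4);
user_pref("dom.security.https_only_mode", true);
user_pref("network.trr.mode", 0);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
user_pref("media.peerconnection.enabled", true);
user_pref("geo.enabled", false);
user_pref("privacy.userContext.enabled", true);
`;

console.log(report(SAMPLE_USER_JS).join("\n"));
```

Run against a profile's prefs.js (which Firefox rewrites on exit, so read it with the browser closed) the report lists every preference that is either set to a weaker value or not set at all; the distinction matters because an absent pref silently inherits the Firefox default, which can change between releases.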

Header Tracking Parameters: Blockers, Spoofers and DNT flag*

The new version of Firefox provides default settings that preserve privacy:

  • The fingerprinter blocking enabled by default in Enhanced Tracking Protection blocks requests to known fingerprinting scripts; the optional privacy.resistFingerprinting preference additionally spoofs several values, including the user agent
  • The new HTTP Referrer Protection functionality trims the HTTP referrer
  • The Do Not Track signal can be enabled in the browser preferences, although it is only a request that websites may ignore


Browser Privacy Settings

To spoof these tracking parameters the user can use add-ons such as User-Agent Switcher[34] or change the configuration preferences:

Configuration Settings

Local CDNs*

Content delivery networks (CDNs) are geographically distributed networks of proxy servers that provide better availability and performance for websites. It also means that CDN providers receive metadata about the websites the user visits: every page that embeds a library from the CDN triggers a request carrying the user's IP address and, often, the referring page. To prevent them from collecting this data, add-ons such as Decentraleyes[35] serve local copies of common libraries instead of fetching them from the CDN.

Random Email Generators*

Firefox Relay[36] lets the user generate email aliases that forward to his real inbox. It is useful to hide the user's real email address and protect him from attackers and unwanted mail. It is provided by Mozilla and its last update was on 27 October 2021.

Firefox Relay

Policy Privacy (GDPR) Decoders*

The user can be informed about the privacy practices of websites and manage his consent by using add-ons available in the Firefox add-ons store, such as DuckDuckGo Privacy Essentials[37], which shows a privacy grade (A to F) so that the user can see how well protected he is:



Another example is Consent-O-Matic[38], which automatically answers consent pop-ups according to preferences the user sets once, so that he cannot be manipulated by the design of each individual dialog.

PGP Mails Encryption*

Firefox 100 allows the user to add end-to-end encryption to his webmail provider by using add-ons available in the Firefox add-ons store. The most used is Mailvelope[39], which implements the OpenPGP standard and is compatible with GnuPG keys.

Bibliography

  1. Vashek Matyáš, Open tool taxonomy with proposed portal structure and selection of tools for D7.5, Annex A, Brno Masaryk University 28 July 2020
  2. Vashek Matyáš , Open tool taxonomy with proposed portal structure and selection of tools for D7.5, Annex A, Brno Masaryk University 28 July 2020
  3. Firefox 83.0 Release Notes, November 17, 2020, https://www.mozilla.org/en-US/firefox/83.0/releasenotes/ ; Firefox 80.0 Release Notes, August 25, 2020, https://www.mozilla.org/en-US/firefox/80.0/releasenotes/
  4. https://blog.mozilla.org/security/2021/10/05/firefox-93-protects-against-insecure-downloads/
  5. allow-downloads: Allows for downloads to occur with a gesture from the user
  6. https://blog.mozilla.org/security/2021/10/05/firefox-93-features-an-improved-smartblock-and-new-referrer-tracking-protections/
  7. https://addons.mozilla.org/it/firefox/addon/browsec/
  8. https://addons.mozilla.org/it/firefox/addon/touch-vpn/
  9. https://addons.mozilla.org/it/firefox/addon/adblock-plus/
  10. about:preferences#privacy , Firefox
  11. released in the last Firefox version 93, October 2021
  12. released in Firefox 32 , September 2014
  13. https://addons.mozilla.org/en-GB/firefox/addon/vt4browsers/
  14. https://addons.mozilla.org/en-GB/firefox/addon/block-website/
  15. https://addons.mozilla.org/en-GB/firefox/addon/ublock-origin/
  16. https://addons.mozilla.org/en-GB/firefox/addon/noscript/
  17. https://xss-game.appspot.com/
  18. https://addons.mozilla.org/en-US/firefox/addon/webext-private-bookmarks/
  19. https://addons.mozilla.org/en-US/firefox/addon/privacy-settings/
  20. https://addons.mozilla.org/en-GB/firefox/addon/lastpass-password-manager/
  21. https://addons.mozilla.org/en-GB/firefox/addon/1password-x-password-manager/
  22. https://addons.mozilla.org/en-GB/firefox/addon/keepassxc-browser/
  23. https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/
  24. https://addons.mozilla.org/en-GB/firefox/addon/pay-by-privacy-com/
  25. https://addons.mozilla.org/en-GB/firefox/addon/capital-one-eno/
  26. https://addons.mozilla.org/en-GB/firefox/addon/auth-helper/
  27. https://addons.mozilla.org/it/firefox/addon/clearurls/
  28. https://addons.mozilla.org/en-GB/firefox/addon/multi-account-containers/
  29. https://addons.mozilla.org/en-US/firefox/addon/location-guard/
  30. https://addons.mozilla.org/en-US/android/addon/canvasblocker/
  31. https://addons.mozilla.org/en-US/firefox/addon/absolutedouble-trace/
  32. https://addons.mozilla.org/en-US/firefox/addon/chameleon-ext/
  33. https://addons.mozilla.org/en-US/firefox/addon/uaswitcher/
  34. https://addons.mozilla.org/en-US/firefox/addon/uaswitcher/
  35. https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/
  36. https://relay.firefox.com/, https://addons.mozilla.org/en-GB/firefox/addon/private-relay/
  37. https://addons.mozilla.org/en-US/firefox/addon/duckduckgo-for-firefox/
  38. https://addons.mozilla.org/en-US/firefox/addon/consent-o-matic/
  39. https://addons.mozilla.org/en-US/firefox/addon/mailvelope/