There are several browser addons that improve security and privacy when visiting websites. Since the switch to Web Extensions in Firefox 57 (Quantum) in November 2017, most browser addons are compatible with several browsers. I started this article in November 2015, but I have now taken the time to finish it and update it with Web Extensions compatibility in mind.
Security and privacy can also be improved by using an open source web browser like Firefox and an open source operating system like GNU/Linux (Debian, Ubuntu without the Unity Amazon tracking integration, Xubuntu, Lubuntu…). Firefox is my preferred web browser because it is free / libre / open source, cross-platform and fully customizable.
Another open source browser alternative might be Google Chrome, but it contains proprietary code. At least Chrome is based on Chromium, an open source browser, but there is no stable release version of Chromium and Google promotes Chrome instead.
I will share a list of useful addons that improve security and privacy when browsing the Internet, so that you control websites instead of being controlled! Most of these addons are compatible with Chrome / Chromium too.
Not everybody knows these addons, which make the Internet safer, so I think it is important to share them:
– NoScript: a well-known Firefox addon that comes by default with the Tor Browser (which is Firefox based). It lets you disable JavaScript for a specific website. JavaScript can be really annoying when not used correctly. An example is websites that open a popup asking you to log in to continue reading (Viadeo, the French alternative to LinkedIn, does exactly this: if you move the mouse while reading a profile, a popup appears so you can’t read anymore. Solution: block viadeo-static.com).
NoScript also protects you against XSS and clickjacking attacks. It can block HTML5 video and audio content (finally you can get rid of YouTube autoplay!) or block plugins (which is no longer needed since Firefox has a click-to-play function).
NoScript can also replace a third-party script with a local one stored on your computer. This is called a surrogate script: you can, for example, replace the jQuery library served by Google's CDN (ajax.googleapis.com) with your own copy to protect your privacy, or simply in case the CDN fails (it happens!). The best solution is for web developers who use a CDN to provide a local fallback in case the CDN is unavailable or blocked (Google domains are also blocked in some countries).
The limit of NoScript is that it only blocks JavaScript content, and its permissions are global: if you allow googlemaps.com on one website, it will be allowed on every other website too.
The next addon can help with this privacy problem.
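The local fallback recommended above, as an added example that is not from the original post: a loader that tries the CDN first and falls back to a same-origin copy when the CDN fails or is blocked. The jQuery version, the local path and the injectable loader are assumptions of this example.

```javascript
// Added example (not from the original post): load a library from a CDN and
// fall back to a local copy when the CDN is unreachable or blocked.
// The loader is injectable so the fallback logic can be exercised outside a
// browser; the default loader injects a <script> tag, as a web page would.

function defaultScriptLoader(url) {
  return new Promise((resolve, reject) => {
    const s = document.createElement("script");
    s.src = url;
    s.onload = () => resolve(url);
    s.onerror = () => reject(new Error("failed to load " + url));
    document.head.appendChild(s);
  });
}

// Try each URL in order; resolve with the first one that loads, reject if none does.
async function loadScriptWithFallback(urls, loader = defaultScriptLoader) {
  const errors = [];
  for (const url of urls) {
    try {
      return await loader(url);
    } catch (err) {
      errors.push(err.message);
    }
  }
  throw new Error("all sources failed: " + errors.join("; "));
}

// Sources as described in the post: Google's CDN first, then a same-origin copy
// (the jQuery version and the local path are constructed for this example).
const JQUERY_SOURCES = [
  "https://ajax.googleapis.com/ajax/libs/jquery/3.7.1/jquery.min.js",
  "/js/jquery.min.js",
];

// In a page: loadScriptWithFallback(JQUERY_SOURCES).then(() => { /* jQuery is ready */ });
```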
– uMatrix / RequestPolicy: with an addon like these, you can block all third-party HTTP requests made by a website. This is the best privacy protection: no more Google Maps iframes tracking you without your consent and no more third-party tracking pixel images!
If you use uMatrix or RequestPolicy with a default-deny policy for cross-site requests, it can also protect you from CSRF attacks.
Be ready to see a lot of websites breaking because they rely on third-party domains or CDNs. Whitelisting a website's third-party domains can be tedious, but it’s worth it!
About uMatrix: when Firefox switched to Web Extensions, NoScript and RequestPolicy were no longer compatible, so I had to find an alternative. uMatrix can replace NoScript by blocking scripts and RequestPolicy by blocking third-party requests. Note that NoScript can still be useful for blocking XSS and clickjacking attacks.
uMatrix lets you block anything through a deny/allow grid: content types from and to the domains of your choice.
It is even possible to block AJAX requests (also known as XHR, for XMLHttpRequest) while allowing JavaScript on annoying websites that require JavaScript to display their content. This way they cannot track your activity by sending HTTP requests after the page has loaded! This is an awesome feature that was not available with NoScript or RequestPolicy. I noticed that if a website needs to load its content through AJAX requests, we can allow them and then deny them again; the change takes effect without having to reload the page.
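A simplified model of the deny/allow grid described in the last two paragraphs, written as an added example and not uMatrix's own code: rules in uMatrix's source/destination/type/action syntax are evaluated so that a site's own scripts are allowed while its XHR is blocked, and cross-site requests stay denied by default (the CSRF protection mentioned above). The precedence order (most specific destination wins, then an explicit type over "*", then a page-scoped rule over a global one), the hostnames and the rule set are assumptions of this example.

```javascript
// Added example, not uMatrix's own code: a simplified evaluator for rules in
// uMatrix's "source destination type action" syntax. Precedence is an
// assumption of this model; the "noop" action is not modelled.

// Constructed rule set in uMatrix-like syntax; hostnames are made up.
const RULES = `
* * * block
* * css allow
* 1st-party * allow
* ajax.googleapis.com script allow
news.example news.example xhr block
`;

function parseRules(text) {
  return text.trim().split("\n").map((line) => {
    const [src, dst, type, action] = line.trim().split(/\s+/);
    return { src, dst, type, action };
  });
}

// Simplification: registrable domain = last two labels (no public-suffix list).
const rootDomain = (host) => host.split(".").slice(-2).join(".");

// Specificity of hostname pattern `pat` for `host`: 1 + label count on match
// (host equal to pat or a subdomain of it), 0 for "*", -1 on no match.
function hostScore(pat, host) {
  if (pat === "*") return 0;
  if (host === pat || host.endsWith("." + pat)) return 1 + pat.split(".").length;
  return -1;
}

// "allow" or "block" for a request of `type` from a page on `pageHost` to
// `reqHost`: the highest-scoring matching rule wins, default is block.
function evaluate(rules, pageHost, reqHost, type) {
  const firstParty = rootDomain(pageHost) === rootDomain(reqHost);
  let best = { score: -1, action: "block" };
  for (const r of rules) {
    const src = hostScore(r.src, pageHost);
    const dst = r.dst === "1st-party" ? (firstParty ? 1 : -1) : hostScore(r.dst, reqHost);
    const typ = r.type === "*" ? 0 : r.type === type ? 1 : -1;
    if (src < 0 || dst < 0 || typ < 0) continue; // rule does not apply
    const score = dst * 100 + typ * 10 + src; // lexicographic; assumes < 9 labels
    if (score > best.score) best = { score, action: r.action };
  }
  return best.action;
}

const MATRIX = parseRules(RULES);
```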
uMatrix can also replace Cookie Monster (an addon that is no longer maintained) by blocking cookies, and it can spoof the HTTP Referer header for third-party requests. I previously did this with an addon like ModifyHeaders to edit HTTP request headers, or moz-rewrite to edit both request and response headers depending on the incoming and outgoing domain (that addon is no longer compatible, but if you still want to modify headers you can use another addon like Header Editor or a tool like mitmproxy).
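Referer spoofing for third-party requests as it could be done with the Web Extensions webRequest API, as an added example that is not uMatrix's or any other addon's code. The rewrite rule (replacing the Referer with the destination's own origin) and the hostnames used are assumptions of this example.

```javascript
// Added example (not uMatrix's or any other addon's code): a WebExtension
// background script that spoofs the Referer header on third-party requests,
// replacing it with the destination's own origin. The manifest would need
// the "webRequest", "webRequestBlocking" and "<all_urls>" permissions.

// Simplification: registrable domain = last two labels (no public-suffix list).
const rootDomain = (host) => host.split(".").slice(-2).join(".");

// Pure function, testable outside the browser. `details` follows the shape
// webRequest.onBeforeSendHeaders passes: { url, requestHeaders: [{name, value}] }.
function rewriteReferer(details) {
  const headers = details.requestHeaders.map((h) => ({ ...h }));
  const idx = headers.findIndex((h) => h.name.toLowerCase() === "referer");
  if (idx === -1) return { requestHeaders: headers }; // nothing to spoof
  let refHost;
  try {
    refHost = new URL(headers[idx].value).hostname;
  } catch {
    return { requestHeaders: headers }; // malformed value: leave it alone
  }
  const dst = new URL(details.url);
  if (rootDomain(refHost) === rootDomain(dst.hostname)) {
    return { requestHeaders: headers }; // first-party: keep the real referer
  }
  headers[idx].value = dst.origin + "/"; // third-party: reveal only the destination itself
  return { requestHeaders: headers };
}

// Registration as done in an extension's background script (guarded so the
// same file also runs under Node for testing).
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onBeforeSendHeaders.addListener(
    rewriteReferer,
    { urls: ["<all_urls>"] },
    ["blocking", "requestHeaders"],
  );
}
```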
– uBlock Origin / Adblock Plus: an ad blocker like these can improve privacy by blocking third-party content, but you may not need one if you already use a third-party request blocker. It can still be useful for creating or using existing filters, for example to hide an annoying element on a web page or to block a specific tracker URL, even one hosted on the same domain as the website you are visiting.
– Decentraleyes: this addon prevents third-party requests made to fetch a JavaScript or CSS library from a CDN; instead it serves a local copy of the file. People no longer need a NoScript surrogate script for this, or to run their own web server and edit their hosts file so that ajax.googleapis.com points to their own server's IP address.
– HTTPS Everywhere: this addon forces a website to use HTTPS when the site supports it but does not enable it by default. Using HTTPS can prevent man-in-the-middle attacks and keep people sniffing the network from knowing which website you are visiting.
– User-Agent Switcher: editing request headers to change the user agent is not enough if a website checks the navigator.userAgent property. You could change the general.useragent.override preference in Firefox’s about:config, but an addon like User-Agent Switcher makes it easier, with saved user agents, and you can be sure the user agent is always modified by looking at the addon's status button. Changing the user agent can be useful to bypass censorship, for example when content is only available from a mobile phone or a specific platform. I previously used another user agent switcher, but it was not compatible anymore.
– Location Guard: lets you spoof your geolocation when a website asks you to allow HTML5 geolocation.
– FoxyProxy: you can use a proxy without any addon, but FoxyProxy makes it possible to save several proxies and switch between them. The proxy currently in use is shown in the addon's status button, which is useful if you want to be sure that you are always connected through a proxy.
– Mailvelope: this addon encrypts messages with PGP before you send them from your webmail (as the Enigmail addon does in Thunderbird).
Try to install only the addons you need. With fewer addons Firefox performs better, but keeping control of your browsing is important too 😉
If you know other interesting addons, even ones not related to privacy or security, feel free to share them!
Here are other addons that can be useful (not directly related to security / privacy, or focused on a specific service like Facebook): Greasemonkey to install and write user scripts that change a website's content or behaviour; JSON Lite to format JSON in Firefox, since the JSONView addon is no longer compatible; Wappalyzer to quickly see which technologies a website uses; and Facebook Container to isolate Facebook and avoid its tracking.
Here are interesting addons that I previously used and that have not been mentioned yet in this article. I will probably reinstall some of them if they become compatible again, or find an alternative when I need them:
– eCleaner to clean up Firefox preferences left behind after uninstalling addons
– Lazarus: Form Recovery to restore forms if you close the browser accidentally or if it crashes
– Status-4-Evar for the status widgets and progress indicator that were removed in Firefox 4+
– Dorando keyconfig to customize browser shortcuts and prevent closing Firefox by accident when pressing Ctrl+Q instead of Ctrl+A on an AZERTY keyboard
– ReloadEvery to reload a page every X seconds
– ViewSourceChart to get a printable source of a page after it has been modified by JavaScript
– Click to Play per-element, which restored a feature removed in Firefox 35+: enabling a plugin like Flash Player on a single element instead of the whole page (Flash Player is deprecated, so the addon may not be needed anymore)
– HttpFox to view the network traffic of all browser tabs at once (the mitmproxy tool can replace it)