There are several browser addons that improve security and privacy when visiting websites. Since Firefox 57 (Quantum) switched to WebExtensions in November 2017, most browser addons are compatible with several browsers. I started this article in November 2015 but only now took the time to finish it and update it with WebExtensions compatibility in mind.
Security and privacy can also be improved by using an open source web browser like Firefox and an open source operating system like GNU/Linux (Debian, Ubuntu without the Unity Amazon tracking integration, Xubuntu, Lubuntu…). Firefox is my preferred web browser because it is free / libre / open source, cross-platform and fully customizable.
Google Chrome might look like another open source alternative, but it contains proprietary code. Chrome is based on Chromium, an open-source browser, but Google does not publish stable release builds of Chromium and promotes Chrome instead.
I will share a list of useful addons to improve security and privacy when browsing the Internet, so that you control websites instead of being controlled by them! Most of these addons are compatible with Chrome / Chromium too.
Not everybody knows these addons that make the Internet safer, so I think it is important to share them:
– NoScript: blocks scripts by default, so you choose which sites may run JavaScript. NoScript also protects you against reflected XSS and clickjacking attacks, it can block HTML5 video and audio content (finally you can get rid of YouTube autoplay!) and it can block plugins (which is no longer needed since Firefox has a click-to-play function).
NoScript has the ability to replace a third-party script with a local one stored on your computer. This is called a surrogate script: you can for example replace the jQuery library served by the Google CDN (ajax.googleapis.com) with your own copy to protect your privacy, or simply to keep the site working when the CDN fails (it happens!). The best solution is for web developers who use a CDN to ship a local fallback for the case where the CDN is unavailable or blocked (Google domains are also blocked in some countries).
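As an added example (not code from the original article), here is what such a CDN-with-local-fallback loader looks like. The fallback logic is separated from the DOM so it can be exercised offline with a constructed browser simulation; the page origin https://example.org, the local path /js/jquery-3.3.1.min.js and the helper names are assumptions for the illustration. Note the feature check: a request blocker makes the CDN script fail to load, but a surrogate script loads fine and defines nothing, so "did the load succeed" is not enough, the code has to check that the library actually exists.

```javascript
// Added example: load a library from a CDN with a same-origin fallback.
// Not from the original article. The DOM loader is separated from the
// fallback logic so the logic can run (and be tested) without a browser.
// Assumed: the page origin, the local path and all function names below.

const PAGE_ORIGIN = 'https://example.org'; // assumed origin of the page
const CANDIDATES = [
  'https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js', // CDN first
  '/js/jquery-3.3.1.min.js',                                          // same-origin copy (assumed path)
];

// Real-browser loader (needs a DOM). Resolves on load, rejects on error,
// which is also what a request blocked by uMatrix / RequestPolicy produces.
function domLoadScript(url) {
  return new Promise((resolve, reject) => {
    const s = document.createElement('script');
    s.src = url;
    s.onload = () => resolve(url);
    s.onerror = () => reject(new Error('failed to load ' + url));
    document.head.appendChild(s);
  });
}

// Try each URL in order. A URL counts as successful only if isReady() is true
// afterwards: a network error is the obvious failure, but a surrogate script
// that loaded fine and defined nothing must trigger the fallback too.
async function loadWithFallback(urls, isReady, loadScript = domLoadScript) {
  const attempts = [];
  for (const url of urls) {
    try {
      await loadScript(url);
    } catch (err) {
      attempts.push({ url, status: 'error' });
      continue;
    }
    if (isReady()) {
      attempts.push({ url, status: 'ok' });
      return { loaded: url, attempts };
    }
    attempts.push({ url, status: 'loaded-but-not-ready' });
  }
  return { loaded: null, attempts };
}

// Constructed simulation of a browser, so the logic runs offline:
// hosts in `blocked` fail to load (a request blocker), hosts in `neutered`
// load but define nothing (a surrogate), every other host defines jQuery.
function makeSimulatedBrowser({ blocked = [], neutered = [] } = {}) {
  const globals = {};
  const loadScript = (url) => {
    const host = new URL(url, PAGE_ORIGIN).hostname;
    if (blocked.includes(host)) {
      return Promise.reject(new Error('blocked by policy: ' + host));
    }
    if (!neutered.includes(host)) {
      globals.jQuery = function jQuery() {};
    }
    return Promise.resolve(url);
  };
  return { globals, loadScript };
}

// Three scenarios: CDN reachable, CDN blocked, CDN replaced by a surrogate.
function runScenario(options) {
  const browser = makeSimulatedBrowser(options);
  const isReady = () => typeof browser.globals.jQuery === 'function';
  return loadWithFallback(CANDIDATES, isReady, browser.loadScript);
}

const cdnOk = () => runScenario({});
const cdnBlocked = () => runScenario({ blocked: ['ajax.googleapis.com'] });
const cdnNeutered = () => runScenario({ neutered: ['ajax.googleapis.com'] });

cdnBlocked().then((r) => console.log('CDN blocked ->', r.loaded, r.attempts));
```

In a real page you would call loadWithFallback(CANDIDATES, () => typeof window.jQuery === 'function') and let it use the DOM loader; the simulation only exists to show the three outcomes without network access.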
For this privacy problem, the next addon can help you.
– uMatrix / RequestPolicy: with an addon like these, you can block all third-party HTTP requests made by a website. This is the best privacy protection: no more Google Maps iframes tracking you without your consent and no more third-party tracking pixels!
If you use uMatrix or RequestPolicy with a default-deny policy for cross-site requests, they also mitigate CSRF attacks: the hidden request a malicious page tries to send to the target site is cross-site, so it is blocked before it leaves the browser. This is a client-side mitigation only; websites still need anti-CSRF tokens to protect their users.
Be ready to see a lot of websites breaking because they use third-party domains or CDNs. Whitelisting a website's third-party domains can be annoying at times, but it is worth it!
About uMatrix: when Firefox switched to WebExtensions, NoScript and RequestPolicy were not compatible anymore, so I had to find an alternative. uMatrix can replace NoScript by blocking scripts and RequestPolicy by blocking third-party requests. Note that NoScript can still be useful for blocking XSS and clickjacking attacks.
uMatrix lets you block anything with a deny/allow grid: the rows are the domains the current page requests content from, the columns are the content types (cookies, CSS, images, media, scripts, XHR, frames, other), and each cell can be set to allow or block, globally or only for the site you are visiting.
uMatrix can also replace Cookie Monster (an addon that is not maintained anymore) by blocking cookies, and it can spoof the HTTP Referer header of third-party requests. I previously did this with addons like ModifyHeaders, to edit HTTP request headers, or moz-rewrite, to edit both request and response headers depending on the incoming and outgoing domain. moz-rewrite is not compatible anymore, but if you still need to modify headers you can use another addon like Header Editor or a tool like mitmproxy.
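As an added illustration (not from the original article), this is what the default-deny policy described above looks like in uMatrix's own rule syntax, as shown in the "My rules" pane of its dashboard: one rule per line, in the form `source destination type action`. The domains are placeholders: example.com stands for a site where you log in and whose Google CDN dependency you accept, everything else is the global policy. The lines starting with # are my annotations, not uMatrix syntax, so remove them before pasting.

```text
# Switches: spoof <noscript> content when scripts are blocked, and send a
# same-origin Referer with third-party requests instead of the real page URL
noscript-spoof: * true
referrer-spoof: * true

# Global default: block everything (any page, any destination, any type)
* * * block

# Re-allow what most pages need to render: first-party content of any type,
# stylesheets and images from anywhere, first-party frames
* 1st-party * allow
* * css allow
* * image allow
* * frame block
* 1st-party frame allow

# Replacing Cookie Monster: block cookies everywhere, including first-party,
# and re-allow them only on the sites where you actually log in
* * cookie block
example.com example.com cookie allow

# Per-site whitelist: jQuery from the Google CDN, but only while on example.com
example.com ajax.googleapis.com script allow

# Anti-pattern to avoid: a global source (*) whitelists the CDN on every site,
# so the CDN's logs can follow you across all of them
* ajax.googleapis.com script allow
```

A specific hostname-and-type rule (the `example.com example.com cookie allow` line) overrides the broader `* * cookie block`, which is how the per-site exceptions work; when in doubt, set the cell in the grid and read the rule uMatrix generates rather than writing it by hand.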
– uBlock Origin / Adblock Plus: an adblocker like these improves privacy by blocking third-party content, but you may not need one if you already use a third-party request blocker. It can still be useful to create or use existing filters, for example to hide an annoying element on a web page or to block a specific third-party URL such as a tracker hosted on the same domain as the website you are visiting (note that Adblock Plus allows "Acceptable Ads" by default unless you disable it).
– HTTPS Everywhere: this addon forces a website to use HTTPS when the site supports it but does not enable it by default. Using HTTPS prevents man-in-the-middle attacks and stops people sniffing the network from reading which pages you visit and what you exchange with the website; the hostname itself still leaks through DNS and the TLS SNI field, so HTTPS does not hide which website you are visiting. (Firefox has since gained a built-in HTTPS-Only Mode, and the EFF has retired HTTPS Everywhere in favour of it.)
– User-Agent Switcher: editing request headers to change the user agent is not enough to spoof it if a website checks the navigator.userAgent property. We could set the general.useragent.override preference in Firefox's about:config, which changes both the header and navigator.userAgent, but an addon like User-Agent Switcher makes it easier with saved user agents, and the addon's status button shows at a glance that the user agent is currently modified. Changing the user agent can be useful to bypass restrictions, for example when content is only available from a mobile phone or a specific platform. I previously used another user agent switcher but it was not compatible anymore.
– Location Guard: lets you spoof your geolocation when a website asks for HTML5 geolocation, so you can give it a fake or deliberately imprecise location instead of your real one.
– FoxyProxy: Firefox can use a proxy without any addon, but FoxyProxy lets you save several proxies and switch between them. The proxy currently in use is displayed in the addon's status button, which is useful if you want to be sure that you are always connected through a proxy. If you rely on a SOCKS proxy for privacy, also make sure DNS queries go through it (the network.proxy.socks_remote_dns preference in Firefox), otherwise the names of the sites you visit still leak to your local resolver.
– Mailvelope: this addon encrypts messages with OpenPGP before you send them from your webmail (like the Enigmail addon does in Thunderbird).
Always try to use only the addons you need. With fewer addons Firefox performs better, but keeping control over your web browsing is important too 😉
If you know other interesting addons, even ones not related to privacy or security, feel free to share them!
Here are other addons that can be useful (not directly related to security / privacy, or focused on a specific service like Facebook): Greasemonkey to install and create user scripts that change a website's content or behaviour, JSON Lite to format JSON in Firefox since the JSONView addon was not compatible anymore, Wappalyzer to quickly see which technologies a website uses, and Facebook Container to isolate Facebook and avoid its tracking.