Now, there are no absolutes in computer security. The only way a system can be completely secure is if it does not exist. (No, I’m not kidding.) Any existing system is at risk. Even if a machine is turned off and unplugged from the net, it is still possible for an attacker to gain physical access to it, turn it on and copy any files off of it. Even if the files are encrypted, the machine can be compromised so as to leak the decrypted information. The trick with securing a system is to find the right balance between usability and security. The system should be as secure as needed to discourage attackers or to make it too hard for them to get sensitive information in a timely way, but not so much as to annoy the legitimate users of the system. If a system is designed to be hyper-secure but that security hampers usability, users are going to find ways to enhance usability to the detriment of security. The classic example is users choosing easily guessable passwords or writing their passwords down on yellow sticky notes. All of this, by the way, is nothing new and is common knowledge to all the good engineers out there who have thought about security for more than 5 minutes.
So I’ve been thinking recently about how to enhance the security of my Firefox setup. As I said above, I’m not inclined to just turn off everything for general browsing. There’s too much functionality to be lost that way. However, Firefox is able to take on multiple personalities, so to speak, and that feature can be used to our advantage. The trick is to create a new profile for Firefox and to set its configuration options as securely as possible. When Firefox is started without any parameters it uses the default profile, but there are parameters that tell Firefox to use a different profile. Each profile has its own cache, its own preferences, its own stored cookies, etc. It is almost as if the different profiles represented different users. (That is not quite the case, but I’m not going to get into those details.) Here is the procedure I used. It is conceived for a Linux system but I’m sure it is easily adaptable to Windows:
- Create a new profile:
$ firefox -CreateProfile [name of profile]
Replace “[name of profile]” with the name you want for your new profile.
- Start firefox with new profile:
$ firefox -P [name of profile]
- Go into Edit->Preferences:
- In Content, turn off JavaScript and Java.
- In Privacy, turn off all History options.
- In Privacy, in the Private Data section, turn on “Always clear my private data…” and turn off “Ask me before clearing private data”.
- In Security, turn off “Remember passwords for sites”.
- Go into Tools -> Add-ons and disable all extensions that were pre-installed. (On my Ubuntu system, “DOM Inspector” is an add-on that is part of the Firefox packages I have installed, hence it comes pre-installed.)
- Exit this Firefox instance and start a new one.
From now on, the way to start Firefox to access sensitive sites is to use “firefox -P [name of profile]”, leave the options as above and never install any extension for that profile. By doing this, it is possible to use Firefox with the default profile for general browsing and with the new profile for sensitive browsing. For general browsing Firefox can just be started the usual way. (For the curious, starting Firefox with a different profile results in a second executable being started. So the second profile runs in a different process than the first.)
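The preference changes above can also be applied without clicking through the dialogs, by dropping a user.js file into the profile directory: Firefox re-reads user.js at every start and overrides the stored prefs.js with whatever it contains, so the profile cannot silently drift back to less safe settings. The script below is an added example, not part of the original post. It assumes the usual Linux layout (~/.mozilla/firefox/profiles.ini, with each profile's directory listed under a Path= key) and a profile named “sensitive”; the preference names are the ones the Firefox versions of this era honour for the settings listed above, and the extension step still has to be done by hand in Tools -> Add-ons.

```shell
#!/bin/sh
# Added example (not from the original post): locate a Firefox profile
# by name in profiles.ini and write a locked-down user.js into it.
# Assumptions: Linux layout of ~/.mozilla/firefox, profile name given
# on the command line, preference names of the Firefox 2/3 era.

# find_profile_dir PROFILES_INI NAME
#   Prints the absolute directory of the profile called NAME, or nothing
#   if no such profile exists. Handles IsRelative=0 (absolute Path=).
find_profile_dir() {
    ini="$1"
    name="$2"
    base=$(dirname "$ini")
    awk -v want="$name" -v base="$base" '
        # Emit the profile collected for the current [ProfileN] section
        # if its Name matches; only the first match is printed.
        function emit() {
            if (!found && n == want && p != "") {
                out = rel ? base "/" p : p
                print out
                found = 1
            }
        }
        /^\[/          { emit(); n = ""; p = ""; rel = 1 }
        /^Name=/       { n = substr($0, 6) }
        /^IsRelative=/ { rel = substr($0, 12) + 0 }
        /^Path=/       { p = substr($0, 6) }
        END            { emit() }
    ' "$ini"
}

# write_secure_user_js PROFILE_DIR
#   Writes a user.js mirroring the GUI steps in the post. Returns 1 if
#   PROFILE_DIR does not exist, so a typo cannot create a stray directory.
write_secure_user_js() {
    dir="$1"
    [ -d "$dir" ] || return 1
    cat > "$dir/user.js" <<'EOF'
// Added example user.js: mirrors the preference changes in the post.
// Content: turn off JavaScript and Java (security.enable_java is the
// pre-Firefox-4 preference for the Java plugin).
user_pref("javascript.enabled", false);
user_pref("security.enable_java", false);
// Privacy: keep no browsing, form or download history.
user_pref("browser.history_expire_days", 0);
user_pref("browser.formfill.enable", false);
user_pref("browser.download.manager.retention", 0);
// Privacy / Private Data: always clear on exit, never ask first.
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.sanitize.promptOnSanitize", false);
// Security: do not remember passwords for sites.
user_pref("signon.rememberSignons", false);
EOF
}

# Usage (assumed layout):
#   sh secure_profile.sh ~/.mozilla/firefox/profiles.ini sensitive
if [ "$#" -eq 2 ]; then
    dir=$(find_profile_dir "$1" "$2")
    [ -n "$dir" ] || { echo "profile '$2' not found in $1" >&2; exit 1; }
    write_secure_user_js "$dir" && echo "wrote $dir/user.js"
fi
```

Run it once after “firefox -CreateProfile sensitive” and before the first “firefox -P sensitive”. Because user.js is re-applied on every start, anything changed back in the Preferences dialog is undone at the next launch, which is the point. One practical caveat: when a default-profile Firefox of this era is already running, “firefox -P sensitive” hands the request to the running instance unless -no-remote is also passed, so add that flag if the second profile is meant to run in its own process.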
Now, this does not protect against all possible attacks. Someone could install a keylogger and sniff passwords, or compromise the OS. This procedure does not protect against that. Again, the idea is to find a balance between security and usability. Some people use a different computer for all their sensitive browsing. That does not work for me. Some people reboot into a controlled OS installation for sensitive browsing, but again that does not work for me. Those are solutions that put too many constraints on usability. Some people boot a controlled OS installation in a virtual machine. This is something I might consider, but it is not clear to me whether that would end up being a solution I’d want to use. What I’m proposing here is trivial to use. It does not require any advanced technical knowledge such as would be required for managing a controlled OS installation.