Sunday, November 24, 2013

Securing Your Firefox

While its popularity has declined over the past year or two, Firefox is still a great browser with a lot to offer. One of those things is the ability to control whether a plug-in starts automatically when the relevant content loads, or whether the browser should first ask for the user's permission to activate it, on a per-site basis.

When is this functionality most useful? When defending against malware. The sad truth is that a drive-by download can infect anyone, regardless of the security measures taken (e.g. using Linux or OS X, running an anti-virus, or using a browser other than IE). Thanks to the effort that has gone into hardening it, Firefox has relatively few known vulnerabilities in the core browser engine, so the bad guys go after its plug-ins instead: a plug-in runs with the same privileges as the browser, so a bug in Flash or Java hands an attacker code execution on the machine just as a browser bug would.

Unfortunately, Adobe (maker of Flash and Reader) and Oracle (maker of Java) are still doing a so-so job at shipping secure software, so it is recommended to let their plug-ins run only when the user explicitly approves.
In fact, I'd recommend getting rid of Java and Reader entirely; Flash is still needed by many sites and cannot be discarded as easily.

So how does one make Firefox ask for permission before running such plug-ins? Easy:
  1. Open the "Tools" menu and choose "Add-ons" (Ctrl+Shift+A on non-OS X systems).
  2. Choose the "Plugins" tab in the left panel.
  3. Set the not-so-secure plug-ins to "Ask to Activate".

From then on, a grey placeholder appears where the plug-in content would have rendered, and Firefox asks per site whether to activate it (with the option of remembering the decision for that site). One caveat: this setting only controls whether the plug-in runs, not whether it is up to date. An outdated Flash that you click to activate on a compromised site is just as exploitable as one that ran automatically, so keep the plug-ins you do keep patched.
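The same policy can be applied from a user.js file in the Firefox profile directory rather than through the Add-ons dialog, which is handy when you manage more than one machine. The script below is an added example, not code from the original post: it renders such a user.js and audits an existing prefs.js for plug-ins that still auto-activate. It assumes the Firefox 23+ preference scheme, where `plugin.state.<id>` is 0 (never activate), 1 (ask to activate) or 2 (always activate) and `plugin.default.state` applies to plug-ins with no explicit entry; the ids `flash` and `java` are Firefox's short names for those plug-ins, while the id `pdf` used for Reader in the constructed sample is an assumption.

```javascript
// Added example (not from the original post): manage Firefox's per-plug-in
// activation policy from a user.js and audit an existing prefs.js.
//
// Assumed preference scheme (Firefox 23+):
//   plugin.state.<id>     0 = never activate, 1 = ask to activate, 2 = always activate
//   plugin.default.state  state for plug-ins that have no plugin.state.<id> entry
// "flash" and "java" are Firefox's short ids for those plug-ins; other ids
// (such as "pdf" below) are assumptions used only for the constructed sample.

const STATE = { NEVER: 0, ASK: 1, ALWAYS: 2 };
const STATE_NAME = ["never activate", "ask to activate", "always activate"];

// Policy matching the post's advice: the plug-ins attackers target must ask
// first, and anything unlisted asks too, so a newly installed plug-in does
// not silently start running.
const POLICY = {
  "plugin.default.state": STATE.ASK,
  "plugin.state.flash": STATE.ASK,
  "plugin.state.java": STATE.NEVER, // the post recommends removing Java entirely
};

// Render the policy as user.js lines. Firefox reads user.js from the profile
// directory at start-up and copies its values into prefs.js.
function renderUserJs(policy) {
  return (
    Object.keys(policy)
      .sort()
      .map((name) => `user_pref("${name}", ${policy[name]});`)
      .join("\n") + "\n"
  );
}

// Parse user_pref("name", value); lines. Only integer and boolean values
// matter for the plugin.* prefs; string-valued prefs are skipped.
function parsePrefs(text) {
  const prefs = {};
  const re = /^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+)\);/gm;
  let m;
  while ((m = re.exec(text)) !== null) {
    const v = m[2];
    prefs[m[1]] = v === "true" ? true : v === "false" ? false : parseInt(v, 10);
  }
  return prefs;
}

// Report every known plug-in whose effective state is "always activate".
// A plug-in without an explicit entry falls back to plugin.default.state;
// if that pref is absent too we assume the worst case (always), because the
// built-in default varies between Firefox versions.
function auditPrefs(text, knownPluginIds) {
  const prefs = parsePrefs(text);
  const defaultState =
    prefs["plugin.default.state"] !== undefined
      ? prefs["plugin.default.state"]
      : STATE.ALWAYS;
  const findings = [];
  for (const id of knownPluginIds) {
    const explicit = prefs[`plugin.state.${id}`];
    const state = explicit !== undefined ? explicit : defaultState;
    if (state === STATE.ALWAYS) {
      findings.push({ id, state: STATE_NAME[state], explicit: explicit !== undefined });
    }
  }
  return findings;
}

// Constructed prefs.js excerpt (not a real profile): Flash was set to ask,
// Java was left on always, Reader is not mentioned, and the default was
// never changed.
const SAMPLE_PREFS_JS = `
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("plugin.state.flash", 1);
user_pref("plugin.state.java", 2);
`;

console.log(renderUserJs(POLICY));
console.log(auditPrefs(SAMPLE_PREFS_JS, ["flash", "java", "pdf"]));
```

Running it prints the three user.js lines and flags Java (explicitly set to always) and the unlisted Reader plug-in (falling through to the unset default); Flash, already set to ask, is not reported.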

That's it. Safe browsing.


  1. This is funny, because you've enabled click to play for Adobe products, but not for other plugins which are rarely in use. I'd like to suggest enabling click to play for every plugin, and even disabling or removing plugins you never use, such as Nvidia, Microsoft and Google stuff. This is not just about security but also about performance.

  2. Thanks Tomer, you are very correct. The above screenshot was meant only for the demo and is taken from a Windows VM.