8

I have to set up a browser to surf the internet. I'm trying to stay safe from malware as much as possible. (I already know that there's no way to stay 100% safe.)

My idea is to use Firefox with these extensions: Adblock Plus, uBlock Origin, HTTPS Everywhere, and particularly NoScript Security Suite. I also thought about clearing the cache when Firefox is closed.

But since I'm not an expert, I searched for recommendations on the internet. I found this Security.SE post that says:

  • disabling JS should not be considered a silver bullet for browser security

  • Take into consideration that NoScript will also increase the attack surface

Before reading it, I was pretty sure that NoScript would have been enough to make the browser very, very safe. But now I'm wondering if there are safer ways to secure the browser, and I have these questions:

  • Is my idea good? If so, what can I improve?

  • Should I use Chrome instead of Firefox? I read Is Chrome more secure? which is why I'm asking.

  • Are the extensions that I mention above good? I know that both Adblock Plus and uBlock Origin block more or less same ads, but I prefer to keep both. Browser performance is not a problem.

  • Is there any other extension that I should install?

  • Is there some other browser setting that I should enable/disable? (such as the option to clear cache when Firefox is closed)

I already know the basic rules, such as updating the browser and OS, not opening unsafe links, etc. I would like to know advanced tips. I know that it also depends on the operating system and other stuff, but in this topic I would like to talk about the browser.

PS: I know that instead of NoScript I could just disable all scripts with the browser settings, but I like the way I can allow a script in a site because some sites don't work without a specific script.

5
  • 1
    Why two adblockers? If one has lists that the other doesn't, they both support custom lists. Otherwise, this is going to slow things down a bit. HTTPS Everywhere isn't very smart; look into Smart HTTPS. If you want to get advanced, ditch NoScript and your adblockers and use uMatrix. Commented Nov 17, 2019 at 21:19
  • 1
    Without JavaScript, a lot of content will not load. How about a virtual machine that reverts to the last snapshot when exited? Commented Nov 17, 2019 at 21:28
  • 1
    Regarding Chrome vs Firefox, Chrome is much better protected against malware and exploits.
    – forest
    Commented Nov 18, 2019 at 0:30
  • Some points you make, for example about clearing caches, do not directly impact security but data privacy, which is another topic and, though not completely separate from security, has other solutions. Can you confirm that it is indeed only the malware that you are worried about? This might help in suggesting the right addons and/or settings. Commented Nov 18, 2019 at 9:30
  • 1
    I tend to consider all extensions/addons risks, but that's just me. One additional thing you can do is turn off Web Assembly: github.com/stevespringett/disable-webassembly Commented Jul 31, 2020 at 18:42

3 Answers

8

First of all, good job on choosing Firefox and the right plugins; it's really the browser to go with privacy-wise.

To extend upon the points that nobody mentioned yet, an important part of hardening your browser would be the configuration of your Firefox browser! You can do that by typing about:config into the address bar and accepting the risks. Then you search for the specific string I specify in this answer. I will draw a line where the security completely destroys functionality (judging from my experience, since I myself use this setup).

First off, you're better off disabling WebGL: Motivation

    webgl.disabled = true

Disabling WebRTC will prevent your IP from getting leaked behind VPNs (yes, NoScript SHOULD protect you but you can never be too safe):

    media.peerconnection.turn.disable = true
    media.peerconnection.use_document_iceservers = false
    media.peerconnection.video.enabled = false
    media.peerconnection.identity.timeout = 1

You're better off disabling third-party cookies:

    network.cookie.cookieBehavior = 1 (Only accept from the originating site (block third-party cookies))

Never store extra information about a session: contents of forms, scrollbar positions, cookies, and POST data:

    browser.sessionstore.privacy_level = 2

Activate integrated privacy measures:

    privacy.firstparty.isolate = true
    privacy.resistFingerprinting = true
    privacy.trackingprotection.fingerprinting.enabled = true
    privacy.trackingprotection.cryptomining.enabled = true (disables cryptomining on piratebay)
    browser.send_pings = false
    browser.sessionstore.max_tabs_undo = 0 (Firefox doesn't remember your recent closed tabs anymore)
    browser.urlbar.speculativeConnect.enabled = false (disable preloading of autocomplete URLs)
    media.navigator.enabled = false


This enables the integrated privacy guard (uses mostly Disconnect.me filters, also breaks Captchas, but you can disable it for certain sites, since it will be like 1% of your total surfing):

    privacy.trackingprotection.enabled = true

Disable the DOM Clipboard Event:

    dom.event.clipboardevents.enabled = false

Protect yourself against punycode phishing attacks:

    network.IDN_show_punycode = true

Disable WebAssembly:

    javascript.options.wasm = false

In the normal browser settings you can also disable Pocket, erase history, cache, cookies upon exiting Firefox. That should be more than enough.


DANGER ZONE

  • Disables playback of DRM-controlled HTML5 content, which, if enabled, automatically downloads the Widevine Content Decryption Module provided by Google Inc. This will break Netflix et al.!

    media.eme.enabled = false
    media.gmp-widevinecdm.enabled = false

  • Send Referer only when the full hostnames match:

    network.http.referer.XOriginPolicy = 2

  • Only send scheme, host, and port in Referer:

    network.http.referer.XOriginTrimmingPolicy = 2

If you're near-paranoid you can even disable Referer:

    network.http.sendRefererHeader = 0

If you need even more privacy check this out.

You can also blacklist hosts if you haven't already so other apps don't have such a huge attack surface.

There is also a plugin called LibreJS which blocks proprietary, non-trivial and obfuscated JavaScript code.

Also setting the locale to en-US in your browser is a good approach to privacy.

3

As you correctly point out, there is no 100% guarantee that you cannot be infected by malware through a browser.

I think it would be best to adhere to a multilayered strategy here. How deep you go of course depends on your security and other requirements.

The first layer is to be mindful of the websites you visit. If you limit yourself to a few very well known sites that have been bookmarked this severely limits your exposure.

Second layer is to always stay current on security updates, not only for your browser but also for the operating system. Malware is usually dependent on some sort of misconfiguration or known security vulnerability. The second one and sometimes the first one can be solved by keeping current on updates.

Third layer would be the tools that you mentioned. I am not going to discuss them separately, since there are already good pointers in the comments. Keep in mind, however, that every additional tool that you use might also be a security risk in itself for various reasons.

Fourth layer is to separate the environment in which your browser is running from your other (important) data. This can be done by using a virtual machine or even a physically different host. This, however, is some work because you would have another operating system to configure and maintain.

The order of layers can be argued about, but you get the picture.

1
  • 1
    The order is fine: 1. behaviour 2. maintain software 3. mitigating controls 4. logical separation of functions and data. That's a pretty basic and effective order of layers in terms of impact and priority.
    – schroeder
    Commented Nov 18, 2019 at 9:44
1

… to stay safe from malware as much as possible. …

Is there any other extension that I should install?

Yes: a malware-oriented extension.

I use Malwarebytes Browser Guard and Emsisoft Browser Security. Primarily the Malwarebytes extension.


Take into consideration that NoScript will also increase the attack surface

Consider both the commentary:

It means that NoScript is also a target for exploitation. As browsers get harder to exploit, attackers focus more on plugins and addons. NoScript parses a lot of input so there are a lot of possibilities for buffer overflows and other attacks.

– and the date of that comment:

  • 2013-01-13

In the seven years since that comment, Firefox has become more secure, less prone to attacks.

With, for example, the constraints of WebExtensions APIs it's no longer possible for extensions to do much of what was possible seven years ago. It's reasonable to assume that extensions for Firefox in general (not NoScript in particular) have a far smaller attack surface.

Re: NoScript as a potential attack surface:
