[sf-lug] (forw) Article attempting to broadly cover Firefox security risks

Rick Moen rick at linuxmafia.com
Tue Feb 2 18:02:09 PST 2010


Given past references on this mailing list to security risks from
Flash, I figure the referenced article might be of interest to SF-LUG,
too.

----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Tue, 2 Feb 2010 17:45:54 -0800
From: Rick Moen <rick at linuxmafia.com>
To: lwn at lwn.net
Subject: Article attempting to broadly cover Firefox security risks
Organization: Dis-

Dear Jon and co.:

At the risk of being seen to beat my own drum, I'll mention my recent
article about Firefox configuration to attempt to correct a number of
security issues, in the February _Linux Gazette_, mostly because I get
the impression LWN doesn't usually look at the _Gazette_.  (That is not
a complaint, just an observation.)

   The Gentle Art of Firefox Tuning (and Taming)
   by Rick Moen

http://linuxgazette.net/171/firefox.html


Article briefly recaps Firefox history, cites the XUL interface as a
winning feature, and cites reasons for several open-source extensions,
with tips for configuration of each:

o  NoScript
o  AdBlock Plus
o  CustomizeGoogle
o  User Agent Switcher

The article goes on to recommend a number of tweaks in Preferences and
"about:config" to lower security risks, discusses the problem of Flash
cookies ("Local Shared Objects"), and gives recommendations about what
to do about them.  It also warns about sundry problems resulting from 
careless user selection of add-ons to Linux systems, not limited to
Firefox extensions, and argues for installing "upstream" software only
with great caution, if at all.  Last, it mentions the problem of Firefox
bloat, the fact that Swiftfox/Swiftweasel show how much better can be
done, and points out that the recommended tweaks improve performance
substantially.

I hope it is of interest.

The claim that proprietary extensions are unauditable was an error on
my part.  I learned immediately after going to press that all .XPI files 
are Zip archives incorporating full source, but that was too late to
correct my error, which I regret.

If I publish a follow-up, I'll correct that error, plus attempt to cover
Firefox (and Safari, incidentally) "DOM storage", another abuse-prone
persistent local storage facility hidden in
~/.mozilla/firefox/*/*.sqlite files (which I only recently noticed and
have not yet investigated).



----- End forwarded message -----
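The post's correction that every .XPI is a Zip archive carrying the extension's full source is what makes extension auditing possible before install; the following is an added example (not from the article or the mailing-list post) that opens an XPI with Python's standard zipfile module, lists its manifest and script files, and flags archive entries with unsafe paths. The XPI it inspects is a minimal sample constructed in memory, and the filenames assumed (install.rdf, chrome.manifest, chrome/content/*.js) follow the conventional layout of classic XUL extensions.

```python
import io
import zipfile

# File types whose source a reviewer would read before installing the add-on.
SCRIPT_SUFFIXES = (".js", ".jsm", ".xul")


def build_sample_xpi() -> bytes:
    """Constructed sample: a minimal XPI with a manifest and two source files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Placeholder manifest; real install.rdf is RDF/XML, this is illustrative only.
        zf.writestr("install.rdf", "<RDF><em:id>sample@example.invalid</em:id></RDF>")
        zf.writestr("chrome.manifest", "content sample chrome/content/\n")
        zf.writestr("chrome/content/overlay.xul", "<overlay/>\n")
        zf.writestr("chrome/content/main.js", "var greeting = 'hello';\n")
    return buf.getvalue()


def audit_xpi(data: bytes) -> dict:
    """Enumerate an XPI: manifest text, script sources, sizes, and suspicious paths."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Entries that would escape the extraction directory (absolute or '..' segments).
        unsafe = [n for n in names if n.startswith("/") or ".." in n.split("/")]
        manifest = zf.read("install.rdf").decode("utf-8", "replace") if "install.rdf" in names else None
        scripts = [n for n in names if n.endswith(SCRIPT_SUFFIXES)]
        # The archive holds the readable source, so it can be pulled out for review.
        sources = {n: zf.read(n).decode("utf-8", "replace") for n in scripts}
        total_bytes = sum(info.file_size for info in zf.infolist())
    return {
        "files": names,
        "manifest": manifest,
        "scripts": scripts,
        "sources": sources,
        "total_bytes": total_bytes,
        "unsafe_paths": unsafe,
    }


if __name__ == "__main__":
    report = audit_xpi(build_sample_xpi())
    print(f"{len(report['files'])} files, {report['total_bytes']} bytes uncompressed")
    for name in report["scripts"]:
        print(f"--- {name}\n{report['sources'][name]}")
```

To audit a real extension, replace build_sample_xpi() with the bytes read from the downloaded .XPI file.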