Chapter 5. Taking Control of Your Browser

“All right, everyone keep their hands off the browser and no-one gets hurt!” How many times did you hear a browser tell you that? Does that browser really know what is good for you?

You probably have had the feeling that somehow you were secondary to things such as control, privacy, and security. Sometimes lack of control occurs because the browser makers want to keep the large players happy. This can translate into minimal pop-up blocking and minimal protection for the user. Privacy has taken a back seat many times, as people are asked to register before being allowed to use a website. And in too many instances user information is accessible to many others besides the true owner of the information—a clear case of compromised security.

Do you want others to know which websites you visit? When you visit a mortgage site, you automatically become prospect material for mortgage promoters. Or maybe you visit sites that are more socially fringe than the big name sites. Maybe you visit sites that are politically oriented. You quickly see the need for privacy.

Many operating systems allow for file- and folder-level security. Many users are either ignorant about this or just not inclined to properly set up security. Sure, file and folder security takes some effort, but it is necessary—especially when some systems are designed to disable security by default.

With Firefox, you can protect yourself from many of these privacy and security hazards.

Understanding Web Security Issues

In Firefox, security starts in the Tools, Options menu selection. This displays the Options window, where you can click the Privacy option (see Figure 5.1).

Figure 5.1. The Options window has six main areas: General, Privacy, Content, Tabs, Downloads, and Advanced. You are working with Privacy in this chapter.

Caution

Of all the privacy items discussed, the cache is the least understood security and privacy hazard. With the cache, someone can determine which web pages you have visited, when they were visited, and what you saw on these pages.

I’m not suggesting or hinting that you (or anyone else) would do anything improper with their computer. However, some web pages you might visit could cause untold grief! Examples include job hunting (using your company’s computer), porn sites, or any site that might be deemed unacceptable. Being caught visiting the wrong sites could cost you your job, family, and freedom. You have been warned!

Under Privacy are six tabs:

  • History—Here you set the number of days to remember history. The default is nine days; most people use 7–14 days.

  • Saved Forms—Saving form information can be turned off if you want. This is useful when visiting websites where you have to type sensitive information such as account numbers, addresses, telephone numbers, and so on.

  • Passwords—Many websites require that you type usernames and/or passwords. This can be tedious. With this option, the saving of passwords can be turned off. You have the option to set a master password, so that a saved password is not used unless the user knows the master password. When Firefox is configured with a master password, the password cache is encrypted to prevent others from finding the passwords. Master passwords are discussed later in this chapter, in the section “Password-Protecting Firefox.”

  • Download History—Firefox keeps a history of downloads, allowing you to see which files have been recently retrieved from the Internet. The download history can be cleared when Firefox exits, when a download is successful, or manually. One of these three options must be set.

  • Cookies—Cookies can be allowed, or not. You might choose to restrict them to the originating website only. A keep-until date can be set, such as until the cookie expires, until Firefox closes, or by prompt. Additionally, you can allow or disallow sites to use cookies. Finally, cookies can be viewed, although in many cases the contents of cookies are nonsensical.

    Cookies, if kept, are retained until the expiration (which can be many years) or until Firefox is closed, or you can have Firefox query you each time on whether to keep the cookie.

    In the Stored Cookies dialog box, cookies can be removed and you can tell Firefox not to store cookies for any site whose cookie you have removed (the site will be black-listed with regard to cookie storage).

    Keep in mind, however, that some sites use cookies for logon information, and you might not be able to log on to these sites if cookies are disabled.

  • Cache—The browser’s cache is a collection of web pages and other objects (such as images) that are saved to your drive. When the browser retrieves a web page, it can determine whether the content of the page has changed since the last visit. For example, if you use your Forward or Back button and the content has not changed, the browser might be able to load the page or objects from the cache to improve performance.

For each of these Privacy dialog box areas, there is a button to clear existing information. Additionally, at the bottom is a Clear All button that clears all the privacy information, which is the same as if you had clicked Clear in each category.

Note

Many computer users have fallen victim when they left sensitive information on a computer they didn’t have control of. Whether a work computer or a home computer that other people have access to, it is important to control what is written to the computer’s disk. One Massachusetts community had a computer recycling program. Companies and individuals who had old, unwanted computers could drop them in a pile at a drop-off site, and anyone who wanted a computer or accessory could take it. When several computer security experts checked, virtually every hard disk had easily recoverable, sensitive information on it!

Remember: Files deleted from a disk can be recovered in almost all cases. Deleting deletes nothing!

Websites Written for Internet Explorer

Most Firefox users are converts from Internet Explorer. Most users naturally start with the Windows-based default browser and then find they want something else. Differences do exist between Internet Explorer and Firefox that are sometimes significant and sometimes just terminology.

We discussed terminology differences in the Introduction. Now we’ll discuss what happens when you visit sites that have been written either expressly for Internet Explorer or that are different when viewed using Firefox.

Virtually all sites can be viewed using Firefox, even if they were originally written or optimized for Internet Explorer. Even Microsoft recognizes that Firefox exists, as shown in Figure 5.2.

Figure 5.2. Firefox works well with Microsoft Exchange Server’s web interface.

Hard as it is to believe, some sites are organized for, are designed for, or attempt to utilize features that are specific to a certain browser. (I won’t single out Internet Explorer, but as the most commonly used browser, all web developers are aware of its capabilities.)

Note

This chapter assumes Internet Explorer version 6.x. This is the version of Internet Explorer that is supplied with Windows XP. There are rumors at the time of this writing that Microsoft will be offering a new version of Internet Explorer (Version 7.x) in mid or late 2005.

And some sites work better with Firefox than with other browsers. For example, Google now supports a feature called prefetching, which enables Firefox to prefetch the first item in the search results before you attempt to use it. (More information on Google’s prefetching can be found at http://www.google.com/webmasters/faq.html#prefetching.)

Some features Internet Explorer supports are supported differently in Firefox. This is not to say that Mozilla got it wrong or that Microsoft did—rather, it just means they’re different.

Most sites that are browser dependent work in any browser. The differences occur in the appearance, look and feel, and so forth. For a classic example, look at a typical Microsoft Knowledge Base article, at http://support.microsoft.com/?kbid=177078. In Internet Explorer the frame on the right side of the page, which contains translations, related support, support options, and other features, remains fixed at the side of the browser window. If the browser window is made smaller, the main frame is narrowed leaving space for the right frame. In Firefox, though, the frame on the right can (and often will) be located off the browser window. You then must scroll to see the entire page because Firefox cannot (or does not) adjust the width of the center frame that contains the actual article.

Some websites ask readers to vote on an issue. Firefox users have noted that their vote transactions do not complete sometimes. A few sites allow nothing but Internet Explorer to be used. An example of this is the HP Instant Support Professional Edition Tool site. This tool supports Internet Explorer but specifically does not support Firefox.

Because Firefox does not support ActiveX, any site that relies on this Microsoft technology will not work correctly, if at all. An ActiveX plug-in exists for some versions of Firefox. Search the web for “Mozilla ActiveX project”.

What do you do if the page won’t work in Firefox? Well, one good thing about Firefox is that you can switch between Firefox and Internet Explorer. Although a dedicated Firefox user would abhor the thought that another browser (especially that one!) might be used, sometimes it is inevitable.

Blocking Pop-ups

Pop-ups are ads that are displayed in their own browser windows. There are two classes of pop-up ads: a pop-up, which displays on top of everything and has focus, and a pop-under, which is placed behind the browser, lurking and waiting for you to find it later. The logic behind pop-under ads is that you might not know from which site they originated. In this chapter we’ll refer to both as pop-up ads, even though some are pop-unders.

Another related technique is called a pop-over. These ads are displayed using JavaScript and are part of the web page (no separate browser window). Pop-overs are usually animated, covering the content you want to see.

For the longest time, pop-up ads were not blocked by Internet Explorer. Only after third parties started offering pop-up blockers did Microsoft realize that it had to do something. (And, yes, Firefox did figure into that as well!)

Probably the best known pop-up blocker is the Google toolbar for Internet Explorer. This add-on to Internet Explorer has proven immensely popular. My Google toolbar pop-up blocker has blocked about 1,400 ads since it started counting! That is a lot of ads that I don’t have to be bothered with.

Caution

Adware, spyware, and other malicious software are often used to pop up spurious browser windows, even when the user is not actively on the Web! Usually nothing in the browser is able to block these types of programs, although you might be able to block the sites from which the ads come. This can be done with an extension such as Adblock (covered later in this chapter). The best way to avoid adware and spyware is to not allow these programs on your machine. Be very cautious of websites that offer games, tools, and so on for free. On computers that are not well configured, just visiting a website can cause undesirable software to be installed. However, the most common way to install adware or spyware is to ask and hope the user doesn’t realize that adware or spyware is being installed. Firefox allows software to be installed only from sites that have been preapproved, either by Mozilla prior to installing Firefox or by the user. Only install software from companies you know and trust.

Two technologies are used to create pop-up ads. The first, and most easily blocked, is to use HTML to create a new browser window. The other technology is to create a pop-up using something such as JavaScript or Flash. These pop-ups are more difficult to stop because, once started, they do their dirty work without any further interaction with the browser!

Some websites attempt to use pop-ups to interact with the user, such as to get a username and password. This is certainly not the best way to interact with users. I still remember one site where I sat for almost a minute wondering why nothing was happening, only to realize the site had tried to pop up a new window. Microsoft’s Exchange Server web interface uses pop-ups, and that requires the user to enable pop-ups for that site.

Blocking Banner Ads

What is a banner ad? A banner ad runs along the top of a web page and is a hyperlink—as are most other embedded ads. Typically, a banner ad is 468 pixels wide by 60 pixels high (this allows them to fit on smaller browser windows, for example).

You can limit banner ads in several ways. If you control your own proxy server, you can configure it to block certain sites. When an attempt to access these sites is made, the proxy server simply discards the request. Another technique, for those not using a proxy server, is to configure your firewall to block certain sites. Most firewalls allow this type of configuration.

A write-up, or script to configure your proxy server, can be found at http://www.schooner.com/~loverso/no-ads/.

An example of a banner ad is shown in Figure 5.3. This example is only a demonstration, but it does reflect what a banner ad looks like.

Figure 5.3. A sample banner ad, along with the image’s properties. Placement is typically at the top or bottom of a page.

Are banner ads more annoying than other inline ads? I don’t think so—they are all annoying. But, there is hope because you can block ads like these with Adblock! Read on....

Blocking Ads with Adblock

Many advertisements can be blocked in Firefox by using an extension named Adblock. Adblock lets you create, import, and export filter lists to block content.

Installing Adblock is relatively easy: Start at http://adblock.mozdev.org/ and read about the Adblock project. On the navigation bar at the top of the page click Install (see Figure 5.4). This option takes you to the Adblock installation page.

Figure 5.4. The Mozilla Adblock home page (http://adblock.mozdev.org) is the Adblock home page. Note the navigation bar at the top.

When you’re at the installation page, install the latest build. (Most likely the latest build is the only build available.)

Adblock is an easy extension to use. You configure Adblock by selecting Tools, Adblock in Firefox. This displays a second level of menu selections:

  • List All Blockable Elements—This option scans the currently displayed page and lists all the elements that can be blocked. You can also reach this list by clicking Adblock at the right end of the status bar.

  • Overlay Flash (for left-click)—This allows context clicking Flash objects.

  • Preferences—As with all extensions, Adblock has a Preferences window. This window is covered next.

Tip

By default, Firefox is configured to block installation of software or extensions except those on the approved list. If this blocks your installation of Adblock, an error status bar appears below the Firefox toolbar (or the tab bar if you have a tab bar displayed). By default, the various Mozilla sites are preapproved.

Figure 5.5 shows the Adblock Preferences window. This window enables you to create new filters by typing them in the New Filter box and clicking Add.

Figure 5.5. In Adblock’s Preferences window, you can set options and create new filters.

In addition to allowing you to create new filters, the Adblock Preferences window also lets you set Adblock options and display help (this actually comprises two links—one to the Adblock home page and a second link to a page that describes regular expressions).

The Adblock options you can configure include

  • Obj-Tabs—Obj-Tabs are small tabs displayed on content that Adblock is capable of blocking. If you click this tab, the content is automatically added to your filter list.

  • Collapse Blocked Elements—When content is blocked, you can collapse (remove) the space that was used by that content. Some pages look better with this option utilized.

  • Check Parent Links—This option causes Adblock to block not only the ad server, but also the site to which the ad is pointing. It’s a bit radical, but for some users the target is as bad as the advertising pusher.

  • Site Blocking—If this option is set, Adblock blocks the site; otherwise, it displays the site but not the blocked content.

  • Keep List Sorted—The Adblock filters list can be sorted to allow easier management. In addition, you can sort the list by exporting it and sorting with a sort utility. Once sorted, the filter list must have [Adblock] as its first line.

  • Import Filters—Even though users can create their own filters, they also can import filters from other sources (such as from the Internet) into Adblock.

  • Export Filters—A wise user will export and save his customized filters to a safe location. This allows recovery if the installation of Firefox is lost, and it also lets you share your filters.

  • Remove All Filters—Sometimes things just get too messed up to continue. We’ve all done it—made some rules and later found that one (we don’t know which) was causing a problem. With this option, you can remove all the filters.

  • Deinstall—It is always a good idea to remove all the installed extensions before upgrading your version of Firefox. As well, if you find that Firefox becomes unstable, try removing extensions. The Deinstall option is available in case you need to remove Adblock.

Note

There is nothing to prevent you, or anyone else, from creating all the necessary filters. But, an old rule of computing says, “Don’t reinvent the wheel!” This means that, if filters already exist that work well, then use these instead of writing your own. One site that has Adblock filters that are updated every few days is at http://www.geocities.com/pierceive/adblock/.

Importing, Exporting, and Removing Filters

Adblock allows you to import, export, and remove filters. This capability is the heart and soul of Adblock’s functionality. Sites that serve advertisements change frequently, old sites disappear, and new sites pop up with startling regularity.

As well, sometimes it is best to just start with a clean slate. You can remove all existing filters if necessary.

Importing Filters

Importing filters lets you load filters you have created and exported (see the next section, “Exporting Filters,” for details on exporting filters). A Google search shows many sites that list available filters.

Don’t ignore filter lists that originate from outside your country. A filter list from Germany can work just as well as one from the United States—usually. The best advice here is to try it and see if you like it.

Importing is done from Adblock’s Preferences window. Click Adblock Options, and select Import Filters from the menu displayed. This opens the Select a File window, which is the Windows Open File window, renamed. Select your text-based filter file. This file must have an extension of .txt; if it doesn’t, enter a filename of *.* to see all files available in the target folder. After a file has been selected, a Confirm window asks you whether you want to overwrite the current list of filters or append to the end of the list.

The filter file format is a simple text file. However, Notepad will not effectively edit this file because the lack of carriage returns in the file causes Notepad difficulty. Instead of Notepad, edit this file with WordPad, and you should be set!

The first line (and only mandatory line) contains

[Adblock]

Each subsequent line contains one filter. The filters can be URLs, with * allowed as a wildcard character. Also allowed are regular expressions, such as those used by GREP. In Adblock, regular expressions begin and end with a forward slash (/).

Note

Regular expressions are strings that contain a complex wildcard syntax to allow matching multiple strings. If you want to learn all about regular expressions, many sites on the Internet can help you. One that I can recommend is http://www.regular-expressions.info/reference.html. Anyone familiar with GREP utilities should understand regular expressions.
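A filter list downloaded from someone else's site is worth checking before you import it. The following is an added example, not part of the original chapter and not Adblock's own code: it parses the file format described above, rejects malformed regular expressions, and rejects filters so broad they would block everything. The sample list, the probe URLs, and the rule that a simple filter matches anywhere in a URL are assumptions made for the illustration.

```javascript
"use strict";
// Added example, not Adblock's own code.

// Constructed sample list; hosts and paths are placeholders.
const SAMPLE_LIST = [
  "[Adblock]",
  "ads.example.com",
  "*/banners/*",
  "/\\/ad[sv]?\\d*\\./", // regular expression filter (begins and ends with /)
  "/(unclosed/",         // malformed regular expression
  "*",                   // wildcard that matches every URL
  "",
].join("\n");

// Constructed URLs that a sane filter list should never block.
const PROBE_URLS = [
  "http://www.example.org/index.html",
  "https://news.example.net/story?id=1",
];

// Escape characters that have a special meaning in a regular expression.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Compile one filter line. Throws if a /regex/ filter is malformed.
function compileFilter(line) {
  if (line.length > 2 && line.startsWith("/") && line.endsWith("/")) {
    return { source: line, kind: "regex", regex: new RegExp(line.slice(1, -1)) };
  }
  // Assumption: a simple filter matches anywhere in the URL and
  // each * stands for any run of characters.
  const body = line.split("*").map(escapeRegExp).join(".*");
  return { source: line, kind: "simple", regex: new RegExp(body) };
}

// Parse a whole filter file. Accepts LF or CRLF line endings.
function parseFilterList(text) {
  const lines = text.split(/\r?\n/);
  if (lines[0].trim() !== "[Adblock]") {
    throw new Error("not an Adblock filter file: first line must be [Adblock]");
  }
  const filters = [];
  const rejected = [];
  for (const raw of lines.slice(1)) {
    const line = raw.trim();
    if (line === "") continue;
    let filter;
    try {
      filter = compileFilter(line);
    } catch (err) {
      rejected.push({ source: line, reason: "invalid regular expression" });
      continue;
    }
    // A filter that hits every known-good URL would block the whole web.
    if (PROBE_URLS.every((url) => filter.regex.test(url))) {
      rejected.push({ source: line, reason: "matches every probe URL" });
      continue;
    }
    filters.push(filter);
  }
  return { filters, rejected };
}

// Return the text of the first filter that blocks the URL, or null.
function blockedBy(url, filters) {
  const hit = filters.find((f) => f.regex.test(url));
  return hit ? hit.source : null;
}

const parsed = parseFilterList(SAMPLE_LIST);
console.log("accepted:", parsed.filters.map((f) => f.source));
console.log("rejected:", parsed.rejected);
```
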

Exporting Filters

Adblock lets you export your filters. When exporting, Adblock prompts for a filename to save to. I recommend supplying both a filename and an extension of .txt—which is not supplied by default. An exported filter set can be directly imported into Adblock as desired.

Exporting filters provides a great way to both back up and share your filters.

Removing Filters

Adblock’s Remove All Filters option enables you to clear all filter definitions, which is useful if you want to start from scratch. If you will be loading new filters, you don’t need to remove the existing filters. Rather, simply click OK in the Confirm dialog box.

Adblock Preferences

Adblock stores filters and Adblock option settings in prefs.js. There are a number of lines in this file for Adblock, as the following code shows:

user_pref("adblock.enabled", true);
user_pref("adblock.fastcollapse", false);
user_pref("adblock.frameobjects", true);
user_pref("adblock.hide", false);
user_pref("adblock.linkcheck", false);
user_pref("adblock.pageblock", false);
user_pref("adblock.patterns", "ads.com adserv.com advertise.com");

Settings are saved for a number of Adblock options, including the following. (Please note that not all versions of Adblock support all the options listed here.)

  • enabled—This Boolean setting turns Adblock on and off. Its allowed values are true and false.

  • fastcollapse—This Boolean setting turns on fast collapsing of frames and content to areas where advertising was removed.

  • frameobjects—This Boolean object is used to control whether objects are framed.

  • hide—This Boolean object controls whether objects are hidden (which does not alter the page layout) or removed (which collapses or changes the layout of the page).

  • linkcheck—This Boolean object controls whether Adblock will check the links in JavaScript for spaces.

  • pageblock—This Boolean object controls whether Adblock will block pages.

  • patterns—This string object contains the patterns (filters) the user has defined.

Caution

You could put Adblock settings in user.js. However, doing so has no effect. Adblock checks for settings only in prefs.js, and not in user.js.
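To check what Adblock is actually using, read the adblock.* lines out of prefs.js and compare them with anything placed in user.js. The following is an added example, not part of the original chapter and not code from Firefox or Adblock: it reports the effective settings, warns when blocking is switched off, and flags user.js entries that Adblock will ignore. The sample file contents are constructed, and splitting adblock.patterns on whitespace is an assumption based on the sample line shown above.

```javascript
"use strict";
// Added example, not code from Firefox or Adblock.

// Constructed sample files. The adblock.patterns value is the one shown above.
const PREFS_JS = [
  "# Mozilla User Preferences",
  'user_pref("adblock.enabled", false);',
  'user_pref("adblock.hide", false);',
  'user_pref("adblock.patterns", "ads.com adserv.com advertise.com");',
  'user_pref("browser.startup.homepage", "about:blank");',
].join("\n");
const USER_JS = 'user_pref("adblock.enabled", true);\n';

// Types the chapter gives for each Adblock preference.
const EXPECTED_TYPES = {
  enabled: "boolean", fastcollapse: "boolean", frameobjects: "boolean",
  hide: "boolean", linkcheck: "boolean", pageblock: "boolean",
  patterns: "string",
};

// Collect user_pref() entries whose name starts with the given prefix.
// Assumption: values are plain true/false, numbers, or double-quoted
// strings, so JSON.parse can read them.
function readPrefs(text, prefix) {
  const prefs = {};
  const re = /^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m || !m[1].startsWith(prefix)) continue;
    try {
      prefs[m[1].slice(prefix.length)] = JSON.parse(m[2]);
    } catch (err) {
      // Value is not a simple literal; leave it out of the report.
    }
  }
  return prefs;
}

// Report the Adblock settings in effect and anything that looks wrong.
function auditAdblock(prefsText, userText) {
  const effective = readPrefs(prefsText, "adblock.");
  const warnings = [];
  if (effective.enabled !== true) {
    warnings.push("adblock.enabled is not true in prefs.js: nothing is being blocked");
  }
  for (const [name, value] of Object.entries(effective)) {
    const want = EXPECTED_TYPES[name];
    if (want && typeof value !== want) {
      warnings.push(`adblock.${name} should be a ${want}`);
    }
  }
  // Adblock reads prefs.js only, so these entries have no effect.
  for (const name of Object.keys(readPrefs(userText, "adblock."))) {
    warnings.push(`adblock.${name} in user.js is ignored by Adblock`);
  }
  const patterns = typeof effective.patterns === "string"
    ? effective.patterns.split(/\s+/).filter(Boolean)
    : [];
  return { effective, patterns, warnings };
}

console.log(auditAdblock(PREFS_JS, USER_JS));
```
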

Software Installations from Non-Mozilla Sites

The best source of Firefox extensions is Mozilla. Its website, at https://addons.update.mozilla.org/extensions/, lists popular extensions and optionally all available extensions.

Sometimes, however, you might want to install an extension that is not available on the Mozilla website. Before Firefox allows these to be installed, you need to approve, or allow, Firefox to do the installation. Allowing Firefox is done on a site-by-site basis (see Figure 5.6), as well as globally. Conservative users should simply uncheck Allow Web Sites to Install Software, whereas more advanced or trusting users should check the Allowed Sites list to control which sites may (or may not, if they are not in the list!) install software.

Figure 5.6. Under Options, Content, you specify who is allowed to install software.

In my allowed sites, I have three that are Mozilla.org sites.

In addition to extensions, Firefox also supports plug-ins. The most popular plug-ins include Adobe Reader, Java Plug-in, Macromedia Flash Player, QuickTime, RealPlayer, and Windows Media Player. In addition to these, there are more than 50 additional plug-ins that work with Firefox.

Controlling JavaScript

Is JavaScript bad or good? And what’s the difference between Java and JavaScript?

Java is a programming language that is platform independent and usually interpreted. It is primarily used to build HTML pages, allowing the developer to create platform-independent pages. Java programs are often called applets. To run Java applets, Java must be installed.

JavaScript is a scripting language that is also primarily used to build HTML pages. It is used to make the pages more dynamic, or interactive. Despite the similar names, JavaScript is separate from Java and does not require Java to be run.

So, are they the same or not? The true answer is a vague yes and no. Yes, they have the same basic concepts, but no they are separate entities. One can exist without the other.

In Firefox you can control whether to allow Java and whether to allow JavaScript. Either can be allowed or disallowed. The Java option does not have any options other than to enable or disable Java. Both Java and JavaScript can create a security risk (although it may be slight) if enabled.

JavaScript in Firefox does have options, as shown in Figure 5.7. These options ensure that JavaScript does not do anything that is not acceptable to you.

Figure 5.7. With JavaScript, you can set options to control how much freedom you will allow it to have.

These options include

  • Move or Resize Existing Windows—Allowed by default, JavaScript will be able to move and resize screens it is using.

  • Raise or Lower Windows—This refers to giving a window JavaScript focus, making it the topmost, current window. I find this behavior most annoying because I don’t like software controlling what I am doing and when I do it. When I need the window, I have a mouse, and I know how to use it.

  • Disable or Replace Context Menus—Context menus are displayed when you right-click an object or content. This is a useful feature. Context menus are unobtrusive and provide a great shortcut to the main menu. (That’s why they are often called shortcut menus.)

  • Hide the Status Bar—The Firefox status bar is normally at the bottom of the screen. It is used to display information about the current page, such as the destination of hyperlinks. This permission is not set by default.

  • Change Status Bar Text—Generally, Firefox manages what is displayed in the status bar. However, JavaScript can change that display if you allow it. Sometimes this feature is used to trick a user into believing that a hyperlink points to a location other than what it really points to. This permission is not set by default.

Using BugMeNot for Anonymous Registration

Many websites, especially newspaper sites, require registration to read an article. Often they ask for your name, age, gender, and other personal information. They then send a confirmation email that is used to log on to the site. This means you must give them an email address that at least works for a short time.

To avoid this registration hassle, Firefox has an extension called BugMeNot, which consists of a large database saved at bugmenot.com. (BugMeNot has moved from bugmenot.mozdev.org to http://www.bugmenot.com.)

After installing BugMeNot, go to a website that requires registration. In the box where you enter your username, right-click and select BugMeNot from the context menu. The BugMeNot extension queries the database at BugMeNot.com and enters a username and password. All that is left for you to do is press Enter or click Logon—or whatever the site expects you to do.

A typical website registration is shown in Figure 5.8. In this example, the website asks for the user’s age, gender, address, phone number, and income. I don’t know about you, but to me that is outrageous!

Figure 5.8. Just look what this website is asking for. Isn’t this a bit personal? After all, we haven’t even had our first date yet.

All in all, BugMeNot is an effective and useful tool. It is often faster than doing an “official” registration.

Understanding Cookies and Firefox Cookie Controls

There are many preconceived notions about what a website cookie is and how it can be used. Some of these ideas are not terribly factual. Let’s set down a few truths first.

First, cookies are not evil.

Second, cookies can be read only by the domain that saved them.

Third, cookies contain only information that you provide (either directly or indirectly).

Fourth, all cookies contain information that the server already has.

Fifth, the server could store this information on its local storage and you’d never know.

Cookies are capable of tracking usage over multiple sessions and sessions to computers that are behind a NAT firewall. In the latter case, many computers might visit a site and cookies can help that site keep track of the visits.

Now ask yourself this question about cookies: Would you rather this information be stored on the server’s computer or yours? I’ll go with mine, thank you—at least then I can delete the cookies when I want.

First, any information stored in a cookie could just as easily be stored on the web server’s end. That’s right, any website could store exactly the same information about you at its end instead of your end. So, then, why use cookies? Why not just put the information on the server? Cookies allow two things that a server-side solution doesn’t: speed (big websites have thousands of visitors every day and millions of unique visitors over time) and storage space. If the server were to save information about millions of users, the storage requirements might begin to add up. We aren’t talking just hard disk space, but backup, integrity, management, and other storage issues. Finally, cookies enable a website to store information that allows the site to determine that it is probably you it’s seeing and not someone else.

Why do people object to cookies? The issue is usually that they don’t like sites to store information about them on their drive. More generally, they don’t want the site saving information about them at all! But remember that the site already has the information it puts in the cookie.

Also, people object to cookies because they don’t want that information on their computer to be available to others. From outside (the Internet, for example), cookies are safe because only the creating website can open its cookies. As well, most sites encrypt cookie information to prevent issues of remote and local users obtaining the information and being able to utilize it.

Cookies are here to stay, and they serve a useful purpose. I’ve been at this Internet game for a long time and have yet to see one documented case in which cookies were improperly used.

Firefox lets you control cookies. For example, the Options Manager has settings for cookies in its Privacy section. The Firefox cookie settings include

  • Allowing or disallowing sites to store cookies. If you disallow cookies, no site can store a cookie on your computer.

  • If you choose to allow sites to store cookies, you can choose to allow only the originating website.

  • You can choose to have cookies deleted upon expiration or upon closing Firefox, or you can choose to be prompted for deletion.

  • You can choose to either allow or block specific sites from using cookies, either permanently or just for the session.

  • Cookies stored on your computer can be viewed. While viewing cookies, you can delete either just the currently viewed cookie or all cookies.

Password-Protecting Firefox

Firefox supports caching of passwords, just as most other browsers do. By doing this, you usually only have to enter your username and password one time because Firefox saves this information to the password cache. The next time the site asks for identification, Firefox supplies the cached username and password information.

My password list, which I maintain in an encrypted file on my desktop, contains more than 100 usernames and passwords and almost 500 lines of identification information! It is huge.

Generally, Internet Explorer manages my passwords for those machines on which I use Internet Explorer. The same is true for my Firefox systems: I let Firefox manage my username and password information.

Still, though, I must keep a record of these vital passwords and other bits and pieces of information. You should never rely on your browser’s password cache. However, Firefox does give you the ability to back up your cache of passwords. They are in the signons.txt and key3.db files. Save both to a safe location.

signons.txt is a text file, viewable in Notepad, although the sign-on names and passwords are encrypted to keep them safe.

When used with the master password option, signons.txt has encrypted usernames and passwords, and this information should not be indiscriminately distributed!

Windows XP users should consider applying security policies to all files in their profiles. If someone guesses your master password, all your passwords will be available to him!

To set security, right-click the profile folder, display its properties, and click the Security tab. Make sure that only you (and the administrator and system groups) have access to these files. In the Advanced settings, make sure that Replace Permissions Entries is checked so that all subfolders and files have these security settings applied.

With Firefox, you can set a master password. This password means you have to remember only one password, rather than hundreds (see Figure 5.9). (Hundreds? Well, it is recommended that you use unique passwords for each site that requires a password....) With the master password, Firefox prompts you for this master password as necessary and then uses this master password to encrypt your password cache files.

Figure 5.9. Firefox’s password saving is rather advanced and manageable. You can clear, view, and set a master password.

After you click View Saved Passwords, Firefox displays the Password Manager (see Figure 5.10). To see the saved passwords, you need to respond with the correct master password, if you set one.

Figure 5.10. The password manager shows the URL, username, and (optionally) the password used.

Each time you enter a site that requires a password, Firefox first checks the Password Manager. If a username and password are stored for the URL, Firefox uses them. If no username or password is stored for the URL, Firefox prompts you for both. If you have selected Remember Passwords (refer to Figure 5.9), an active check box appears, instructing Firefox to save this username and password.

Sometimes you might wonder where all this magical information is stored. Firefox stores security- and privacy-related information specific to a user’s profile in the following locations:

  • bookmarks.html—Your bookmarks (favorite sites) are stored in this file. The file is a basic HTML file.

  • formhistory.dat—Information regarding any web forms you filled out is stored in this file.

  • history.dat—A record of each URL you visit is saved in this file.

  • cert8.db—This file is the client certificate database.

  • signons.txt—This is a text file containing username and password information. The actual usernames and passwords are encrypted in this file.

  • key3.db—This is an additional file that is used with signons.txt to manage usernames and passwords.

  • secmod.db—The file used by the security module. Information in this file includes certificates.

  • cookies.txt—Your cookies are stored in this file. Even though it’s a text file, you can use the Cookie Manager to delete entries.

Determining the Real Location of Sites

Two options in JavaScript—Hide the Status Bar and Change Status Bar Text—are important in keeping the bad guys from sending you to where the sun don’t shine.

These options deal with the status bar. The status bar contains a text display area that usually displays the URL of the hyperlink over which the mouse is currently hovering. This is useful because you often find that you would like to know where you are going first, before you click. (Yes, even viewing the “wrong” website can cause problems!)

An example of such malicious behavior is shown in the following segment of HTML and JavaScript:

<HTML>

<!-- Example of JavaScript writing to the status text output area. -->
<HEAD><TITLE>Where do you go with these two links?</TITLE></HEAD>

<body>
<br>
<center><h2> Example of JavaScript writing to the status text output
area. </H2></center>

<UL> <br><br>

<font face="Verdana" size="2">
<LI>
  Here is a real URL: <a href="http://www.hipson.net">www.quepublishing.com</a>
  that will take you to www.hipson.net. Even if Javascript's Change status bar text
  is turned off, you still have the correct display in the status bar.<br>&nbsp;</li>
<br>

  <a href="http://www.hipson.net"
    onMouseOver="window.status='http://www.quepublishing.com';return true;"
    onMouseOut="window.status=' '; return true;">
    www.quepublishing.com</a>

<BR><BR><br>
<LI>
  But, this url won't give us what you expect. With Change status bar text turned
  off, you see nothing in the status bar. (Try this one with Internet Explorer, too)
<br><br>
  Next turn on Change status bar text in Firefox, and again hover over the URL
  and see what the status bar says. With Change status bar text on, you think you see
  a hyperlink to our publisher's page. Regardless, what really happens is that this
  link will take you <b>to my home page www.hipson.net</b>
</LI>
</font>
</UL>

</body>
</HTML>

If you type this short piece of code into a text file, naming it JavaScript.html, and then load it into your browser, you will see nothing for the URL in the status bar. That is, the status bar will not change as it would over a hyperlink. Too lazy to type? Go to http://www.hipson.net/javascript.html. After the page loads, select View, Page Source in Firefox’s menu.

Many attempts to hide the true URL are phishing attacks. Phishing is the improper gathering of information—including account numbers, passwords, usernames, credit card numbers, and so on. These attacks are becoming more and more sophisticated as time goes on. The bad guys try something, and the good guys find a way to stop or reveal them. It then becomes a vicious circle of good versus evil. Thunderbird’s anti-phishing feature is described in the Thunderbird sections dealing with privacy.
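A defender-side check for the trick in the listing above, as an added example in JavaScript for Node.js that is not part of the original chapter: it flags links whose visible text or window.status handler names a different host than the href really points to. The function names and the PAGE sample are constructed for illustration, and the regular-expression parsing assumes double-quoted attributes as in the listing.

```javascript
// Added example: flag anchors whose displayed destination differs from href.
// PAGE is constructed sample markup modelled on the chapter's listing.
const PAGE = `
<a href="http://www.hipson.net">www.quepublishing.com</a>
<a href="http://www.hipson.net"
   onMouseOver="window.status='http://www.quepublishing.com';return true;"
   onMouseOut="window.status=' '; return true;">www.quepublishing.com</a>
<a href="http://www.quepublishing.com/">www.quepublishing.com</a>
<a href="http://www.hipson.net">my home page</a>
`;

function hostOf(text) {
  // Return the lower-cased host if text looks like a URL or bare host name.
  const t = text.trim();
  if (!/^(https?:\/\/)?[a-z0-9-]+(\.[a-z0-9-]+)+(\/\S*)?$/i.test(t)) return null;
  try {
    return new URL(/^https?:\/\//i.test(t) ? t : 'http://' + t).hostname.toLowerCase();
  } catch { return null; }
}

function attr(tag, name) {
  // Value of a double-quoted attribute, matched case-insensitively.
  const m = new RegExp('\\b' + name + '\\s*=\\s*"([^"]*)"', 'i').exec(tag);
  return m ? m[1] : null;
}

function findMisleadingLinks(html) {
  const findings = [];
  const anchorRe = /<a\b([^>]*)>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const [, tag, inner] = m;
    const target = hostOf(attr(tag, 'href') || '');
    if (!target) continue;                       // no usable destination
    const reasons = [];
    // Check 1: link text that looks like a host but is not the real one.
    const shown = hostOf(inner.replace(/<[^>]*>/g, ''));
    if (shown && shown !== target) reasons.push('text shows ' + shown);
    // Check 2: hover handler that writes another host to the status bar.
    const hover = /window\.status\s*=\s*'([^']*)'/i.exec(attr(tag, 'onmouseover') || '');
    const faked = hover && hostOf(hover[1]);
    if (faked && faked !== target) reasons.push('status bar shows ' + faked);
    if (reasons.length) findings.push({ target, reasons });
  }
  return findings;
}
```

On the sample, the first two links are reported (the second for both its text and its hover handler), while the honest link and the link with plain descriptive text are not.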

Using Firefox’s Clear Private Data Feature

New in Firefox 1.5 is a useful feature named Clear Private Data. This function is controlled from the Firefox Options dialog box’s Privacy tab. Clicking the Settings button at the bottom of the Privacy tab displays the Clear Private Data dialog box.

Contained in this dialog box are check boxes to define what data you want cleared:

  • Browsing History—The history cache is a record of which websites you visited.

  • Saved Form Information—Forms you have filled in while browsing are cached to allow Firefox to reenter information when revisiting the site. This data can contain sensitive data such as IDs, passwords, or financial information.

  • Saved Passwords—Firefox saves passwords by default (you can turn it off either on a site-by-site basis or globally).

  • Download History—Files you have explicitly downloaded are retained by the Download Manager until you clear them by clicking the Clear button.

  • Cookies—Cookies are created by websites to store information about you and your usage of the site.

  • Cache—Firefox caches (saves a local copy of) content you have viewed.

  • Authenticated Sessions—Sessions you have had to authenticate are stored by Firefox for later reuse.

Each of these collections of private data can be set so it is cleared when Firefox exits. Another option is to have Firefox, when it closes, prompt you as to whether this data should be cleared.

Most users who are on private computers (usually at home) do not clear this data; after all, it is saved for a reason—improved performance. However, users of public computers (or semipublic ones, such as a work computer) normally do not want this data to be saved between sessions because this might allow someone else to have access to their private data.

In an emergency, you can force a clearing of your private data by selecting Tools, Clear Private Data from Firefox’s menu. Do remember, though, that once cleared, this data cannot be recovered by ordinary means—there is no undo!

Taking Control Secrets for Power Users

Here are a few ideas from the experts:

  • Profiles are used by Firefox to store data that is specific to an individual user.

  • If you think you might want to share a profile between a Windows computer and a Linux computer, you can go to http://sillydog.org/netscape/kb/linuxwindows.html, which will give you the details. If you are running both platforms, I recommend you visit this site.

  • Web security is important. You must protect yourself, your family members, and your property from attacks. Firefox has some innovative security features, such as allowing you to configure various security settings.

  • Some sites are written for Internet Explorer exclusively, but virtually all sites display acceptably in Firefox.

  • Pop-ups, pop-unders, and pop-overs are all annoying ways to try to sneak advertising onto your computer.

  • Adblock enables you to import, export, and remove filters for advertising content suppliers.

  • Try to get your extensions from the official Mozilla website (Mozilla.org), but some interesting extensions are located at other sites, too.

  • You can choose to allow or prohibit software installations based on URLs using the Web Features section of Firefox’s Options dialog box.

  • Both Java and JavaScript can be used to make web pages more effective and usable. However, they both can cause risks.

  • If registering and providing personal information bugs you, use BugMeNot—an extension for Firefox that allows you to register anonymously.

  • Cookies are often misunderstood and maligned. Actually, cookies are not the Darth Vader of the Web!

  • Firefox’s master password lets it encrypt stored passwords and allows users to have to remember only one (master) password.

  • “Determining the Real Location of Sites” is an excellent discussion of how websites and HTML email mask the true destination of a hyperlink. You can find it at http://www.michaelhorowitz.com/linksthatlie.html, a very interesting site.
