By Adam Marcus
As noted in the first installment of our "Privacy Solution Series,"
we are outlining various user-empowerment or user "self-help" tools
that allow Internet users to better protect their privacy online-and
especially to defeat tracking for online behavioral advertising
purposes. These tools and methods form an important part of a layered approach that we believe offers an effective alternative to government-mandated regulation of online privacy.
In the last installment, we covered the privacy features embedded in
Microsoft's Internet Explorer (IE) 8. This installment explores the
privacy features in the Mozilla Foundation's Firefox 3, both the
current 3.0.7 version and the second beta for the next release, 3.5
(NOTE - The name for the next version of Firefox was just changed from
3.1 to 3.5 to reflect the large number of changes, but the beta is
still named 3.1 Beta 2). We'll make it clear which features are new to
3.1/3.5 and those which are shared with 3.0.7. Future installments will
cover Google's Chrome 1.0, Apple's Safari 4, and some of the more
useful privacy plug-ins for browsers . The availability and popularity
of privacy plug-ins for Firefox such as AdBlock (which we discussed
here), NoScript and Tor significantly augments the privacy management
capabilities of Firefox beyond the capability currently baked into the
browser. In evaluating the Web browsers, we examine:
(1) cookie management;
(2) private browsing; and
(3) other privacy features
History of Firefox
Firefox descends from the very first graphical web browser, NCSA
Mosaic. Mosaic was developed at the National Center for Supercomputing
Applications in 1992. The co-author of Mosaic, Marc Andreessen,
co-founded Netscape Communications and was the lead developer of
Netscape Navigator, which was first released in 1994 and based in part
on NCSA Mosaic code. In 1998, Netscape publicly released the source
code for the latest version of its browser and created the Mozilla
Organization to coordinate its development. AOL acquired Netscape
Communications later that year, and when AOL scaled back its
involvement with the Mozilla Organization in 2003, the Mozilla
Foundation was launched to ensure the browser could survive without
Netscape or AOL. The Mozilla Foundation released Firefox 1.0 on
November 9, 2004. According to Net Applications, Firefox is currently the second-most popular Web browser after Internet Explorer, with 21.72% of the market in Q1 2009.
Cookie Management
To access Firefox's basic cookie management and privacy settings,
open the "Tools" menu, click "Options," and then click on the "Privacy"
tab to display the following options:
Instead of using a slider, as Internet Explorer does, Firefox gives
more direct control over cookies. Users can choose to refuse all
cookies, refuse all third-party cookies (see the previous post in this
series for an explanation of the difference between first-party cookies
and third-party cookies), and/or control when cookies expire. The "keep
until" box gives three options:
(1) "they expire" - Cookies determine their own expiration date.
(2) "I close Firefox" - Cookies are deleted when you close the browser.
(3) "ask me every time" - Every time a cookie is sent to the
user's computer, the user is asked if they want to "Allow" the cookie
(accept it and let the cookie determine its own expiration date),
"Allow for Session" (equivalent to the "I close Firefox" setting), or
"Deny." Firefox can also optionally save the user's preference for all
future cookies received from that website. The "Show Details" button
allows true power users to view the contents of each cookie before
making a decision, as seen here:
By clicking the "Show Cookies" button in the Privacy tab of the
Options dialog box, users can view all of the cookies already saved on
their computer and delete individual cookies or all cookies at once.
Finally, by clicking the "Exceptions" button in the Privacy tab of
the Options dialog box, users can specify which websites are always or
never allowed to set cookies.
In addition to having the option of deleting all cookies whenever
the browser is closed, users can clear other types of private data when
the browser is closed. The following dialog box is displayed when a
user clicks on the "Settings" button in the Privacy tab of the Options
dialog box.
Private Browsing
Similar to Internet Explorer 8's "InPrivate Browsing" feature (see the previous post
in this series for more information) and Chrome's Incognito, Firefox
3.5 will include a new "Private Browsing Mode" that protects so-called
"over the shoulder" privacy. To enable Private Browsing Mode, select
"Private Browsing" from the Tools menu. To disable Private Browsing
Mode and reload all tabs that appeared when you enabled Private
Browsing Mode, just uncheck the same "Private Browsing" menu item in
the Tools menu. There is a hidden way to make Firefox 3.1 Beta 2 always
start in Private Browsing Mode and a plan
to possibly provide an easier way to do this in the final 3.5 release,
but the only obvious use for this would be on public computers (e.g., at a library or coffee shop) where it can't be guaranteed that each user will close the browser before leaving.
Other Privacy Features
- Master Password - As more and more can be done online and more and
more sites require user accounts (and passwords), having all those
passwords stored in your web browser can be a security problem unto
itself. Firefox allows you to view saved passwords, but it also allows
you to protect all of your site-specific saved passwords with a single
master password. Your saved passwords cannot be used to automatically
log into websites and other individuals with access to your computer
cannot view your saved passwords unless the master password is entered.
Firefox also has a password quality meter to show you how secure your
master password is from cracking attempts.
- Instant Web Site ID - For all websites with an Extended Validation SSL Certificate,
this feature displays the website owner's name to the left of the URL
in the address bar. Clicking on the "favicon" on the left side of the
address bar displays additional information about the certificate
(whether an Extended Validation Certificate or regular SSL certificate)
and whether the connection is SSL-encrypted. A second click displays
the Page Info dialog box which reports whether you've previously
visited the website and how many times, whether the website is storing
cookies on your computer (which you can view with another click), and
if there are saved passwords for the website on your computer (which
you can also view with another click). From the Page Info dialog box
you can also view all of the media embedded in the webpage, all of the
meta tags in the HTML source code for the page, any RSS feeds on the
page, and the permissions in effect for the page.
- Optional automatic phishing and malware protection - Two options
in the "Security" tab of the Options dialog box, "Tell me if the site
I'm visiting is a suspected attack site" and "Tell me if the site I'm
visiting is a suspected forgery," allow Firefox to automatically
protect users from malware (attack sites) and phishing scams (forgery
sites). When either of these options is enabled, Firefox automatically
checks the URL of the page you're visiting against a list of reported
phishing and/or malware sites that it downloads in the background every
30 minutes. If you navigate to a page on one of these lists, Firefox
will double-check that the URL is on the list by sending a cookie to
google.com, who maintains the lists
of identified malware and phishing sites used by Firefox. The
anti-phishing site aspect of this feature is equivalent to Internet
Explorer's SmartScreen Filter.
Conclusion
In terms of privacy, what makes Firefox
unique compared to the other popular browsers is the extensive number
of add-ons (also called "plug-ins" or "extensions") designed to protect
users' privacy. Google's Chrome browser does not currently support
third-party add-ons but plans to do so in an upcoming release. Microsoft's Internet Explorer does support extensions, and Microsoft has a website devoted to cataloging those extensions, but offers nothing like the variety and complexity of the add-ons available for Firefox.
The two most popular Firefox add-ons (in terms of total downloads;
currently second and fourth most popular in terms of weekly downloads)
are specifically related to privacy. Adblock Plus
(ABP) uses dynamically-updated "subscriptions" to maintain a list of
unwanted third-party content and automatically block that content from
being displayed or run by Firefox. ABP can block Flash code, images,
external scripts, stylesheets, frames, tracking cookies, webbugs, html
elements, text ads, backgrounds, and any class, id, and any other HTML
or CSS tag. By default, ABP allows all such elements unless they are
blocked by a filter. NoScript,
by contrast, blocks all Java, JavaScript, Flash, and other plugins
unless you explicitly allow them on a particular website either (i)
temporarily for your current session (until you close the browser);
(ii) or permanently for all future sessions. Thus, with these two
add-ons, Firefox offers security-conscious users a much more secure
(and thus private) browsing environment than currently available in
other browsers. We already covered Adblock Plus in a previous installment of our Privacy Solutions Series. We plan to cover NoScript and other popular Firefox add-ons such as TorButton and FoxyProxy in future installments.
_____________
Additional Reading / Links: