RHEL 6 for the Clueless: Securing Firefox

How secure is “secure”? Nobody can decide for you. What I offer here is the measures I take before browsing the Net. From what I can tell, these measures are effective in that the data-mining and marketing industry has a very poor idea of who and where I am. Try looking yourself up on sites like Spokeo or Zabasearch to get an estimate of your online data trail. While your webbrowser is not the only source, nor even a major source, of such information, it is a part of the bigger effort. The whole idea is to make those data mining sites as inaccurate as possible. And maybe you don't care, but for those who do, I'd like to suggest a few configuration changes to improve things.

In the Firefox menu, select Edit > Preferences, then go to the Privacy tab. It's almost blank, but if you hit the first drop-down button, you'll see the option “Use custom settings for history.” This gives you access to detailed settings otherwise hidden. I set my browsing history at 9, and consider that loose, but convenient. It also speeds up the response of the URL bar when typing directly into it, since it's not keeping a mile-long list. On the cookies settings, I accept third party cookies because too many sites I use require it for login. Then I select the “keep” policy at “Ask me every time.” That way I can train Firefox to block cookies I don't want.

The policy of cookie blocking is three levels: (1)accept always, (2) session cookies only (temporary until you close the browser) and (3) blocked. Every time you go to a site, you get to set the policy for each individual source of all the cookies that site tries to give you. It's work, but eventually your browser learns enough you won't see the popup control dialog so often. It helps if you are familiar with the major advertising and tracking companies out there, as I am. Also, if it matters to you, come back to this tab from time to time and click the button marked “Show Cookies…” to see what is in your browser's cookie cache at that time. To see what the policies are regarding each server domain name you've encountered — maybe you clicked the wrong button one one when the dialog popped up — try the button marked “Exceptions…” You can reset them by removing the server name, and even re-enter it manually right then if you like.

Now let's add some extensions which will make your security stronger. In the menu line, click Tools > Add-ons. At the top of the dialog window select “Get Add-ons”. This will take you directly to the repository for Firefox addons. First, type in the search box “flashblock” — the first item it lists should be the Flashblock add-on. This is more than just an annoyance issue of uncontrolled Flash advertising. Flashplayer keeps cookies, too, in a separate place. If you only play the ones you want, there are fewer Flash cookies to deal with. Install it and restart Firefox. You don't have Flashplayer, yet, but we'll fix that soon enough.

Next, in similar fashion search down Adblock. Again, it's not just the annoyance, but the images have cookies buried in them. They sit in your browser's image cache and can be read by other servers trying to assemble a profile by tracking your habits. Each image will contain an identifying tag which is invisible when the image is displayed. Configure this to connect to the default listing server.

Do this for the Ghostery add-on, too. This actively blocks the most egregious tracking companies. Once installed, it has a wizard to set it up. Among the options, you should enable the active blocking and click “All” for the listing it shows. For fun, I enable the “bubble” option which opens a tiny square listing the servers blocked on each page. The wizard doesn't show it, but if go back later and click on Ghostery in your Tools > Add-ons dialog, you'll see a button for setting preferences, which offers more detail. I set the bubble to appear in the lower right-hand corner.

Thus far, these are things you can do on Windows, Mac, and every other operating system for which you can get Firefox. I find the other security add-ons a nuisance to use, because it requires too much specialized knowledge or are simply annoying to use. I really do not like No-Script. Though I actively hate JavaScript in the first place, too many sites are simply inaccessible unless you happen to select the correct combination of scripts to allow. It's more control than I want or need.

Then there is the threat from “evercookies” — the cookies buried in some seven places in your system and can be regenerated each time you go online. In Windows land, you can install an add-on called “Click & Clean” and configure it to run CCleaner (from Piriform) every time the browser closes. CCleaner is quite intelligent about your cookies and keeps the ones you really have to have, and offers you a chance to change the default settings on them. The closest thing to that for Linux is BleachBit, which is Open Source and even has a Windows version. It's not fully developed yet, so it may eventually offer features competitive with CCleaner. For now, it's pretty darn good at eating evercookies.

Chase the link on that page for Linux, then notice they make a package for quite a few Linux distributions. There is currently no RHEL 6, but if there were, it would work fine with CentOS and Scientific Linux 6. Instead, we have to keep in mind: RHEL is basically built from the base of Fedora 13 (FC13). Remember that, and for now, download the Bleachbit package for Fedora 13.

Keep that download tool window open. You can install it from there. Just double click on the name once it has finished downloading. RHEL will pop up a dialog about installing it with the package manager. Once you say “yes” and give your root password, it should find the dependencies automatically, in this case, something called “python-simplejson”. If not, we'll have to work on that later. Right now, the point is this process is automated enough you shouldn't have to struggle with knowing too much detail.

Once it's installed, you can find Bleachbit in the menu: Applications > System Tools. Open the application and take a look at the check boxes for different applications it knows how to clean. For Firefox, I recommend you check only Cache, DOM Storage, Session restore, and Vacuum. Then you'll need to find where Flash is listed and click both items, Cache and Cookies. These are the places evercookies hide. I run it at the end of every day, to finish the process of what we accomplished in the other steps taken above.

That's about as much as we can do without some extended training on paranoid surfing habits. Your Firefox is now pretty secure from the worst of the online tracking measures.

By the way, I've not found any spyware or viruses online which affect Linux, particularly Red Hat. There are several reasons, the main one being no one writes malware for Linux. It isn't practical, though we could debate why. There is also this thing called SELinux, a set of measures developed by NSA so they could secure government Linux servers. In RHEL 5, it caused some trouble, and I always recommended folks disable it. But it's come quite a long way since then, and we will be keeping it for RHEL 6. Part of what it does is prevent harmful changes to the system. Also, RHEL has a default firewall which is pretty tight. Given there are currently precious few real online security threats to Linux computers compared to Windows, what you have right now is about as secure as it gets and is still reasonably usable on the Internet.

Ed Hurst is Associate Editor of Open for Business.