Updated as of April 2018

Browsing the Web these days is not as secure as it used to be. User fingerprinting is rampant but that’s just one facet of it. Online advertisements undermine the users and their experience in more ways than one:

Ads are commonly known to considerably fatten up a website’s payload and decrease its performance, promote clickbait titles, fingerprint and stalk users, (ab)use their computer to mine cryptocoins, or lead them to scam websites phishing for their login credentials, among many more. And that’s just from advertisements. Sadly that’s not the only way users can get screwed on the Web today.

Luckily there are a few simple steps users of any level could take to be much safer when surfing the web. In this article we will focus specifically on some browser add-ons we can easily and quickly install in our browser to enhance our security.

This collection is put together primarily with the already privacy respecting Firefox browser in mind. However many of the add-ons can be found in Google’s Chrome Web Store with the same name or as very similar alternatives.

Let’s begin by reconsidering our chosen browser

While there’s a lot that can be done with browser add-ons, the actual browser we choose to use, being our window to the internet itself, is of highest importance. So let’s start off on the right foot, shall we?

Google’s Chrome browser became very popular, very fast, mainly due to it having been ahead of the competition performance-wise until now. One must always keep in mind, though, that Google is a corporation making 96% of its revenue from advertising, so while Chrome is an otherwise very secure browser, it cannot be expected to value our privacy to any degree.

Switching to an open source alternative browser like Firefox (from respected privacy advocate Mozilla Foundation) is highly suggested. Even more so, now that Firefox boasts the new Quantum rendering engine offering competitive, if not better, performance.

Brave browser (from former Mozilla CTO’s new company) is another suggested option. What’s setting it apart is that it takes a revolutionary approach to online monetization, by blocking all ads and trackers, yet letting users support websites directly via an automated credit distribution procedure.

This list wouldn’t be complete without mentioning the Tor browser. Based on Firefox, it comes preconfigured and with all the add-ons needed to browse the Web with unprecedented anonymity over the Tor network. It may not be the best for everyday use, but it’s the go-to option for maximum anonymity. When coupled with a password manager’s auto-login functionality, though, it is much less cumbersome even for everyday use.

Now let’s get into the Add-ons, shall we?

“Finally, an efficient blocker. Easy on CPU and memory.”

We’ve kind of already gone over how harmful the current state of online advertising is for the users (and arguably not ideal for content creators either). So the best way to handle ads is to allow none of it to reach us. Period.

uBlock Origin does exactly that. It knows most common advertiser URLs and blocks them elegantly. It also does so in a way more performant fashion than older alternatives like AdBlock Plus. It can handle blocking of popups and even YouTube overlays or in-video ads seamlessly.

Whitelisting a website is done with a single click or with Ctrl + click for only a specific page. It also lets us manually hide any page’s element that isn’t already blocked (anything we don’t like, even if it’s not an ad!) with a handy eyedropper-like selection tool.

“Automatically changes HTTP addresses to using the secure HTTPS, and if loading encounters error, reverts it back to HTTP.”

Connecting to a website over HTTPS (commonly denoted with a green padlock in the address bar) goes a long way to protect the user from many attacks. HTTPS ensures that any data we receive from or send to such a website cannot be read or tampered with along the way by attackers.

But even when many websites support HTTPS today, not enough of them update the connection automatically to it if it begins over plain HTTP. And even if a website is served over HTTPS, it is very common that some of the resources getting subsequently requested, are fetched over HTTP.

The Smart HTTPS add-on makes sure that if any connection for websites or subsequent resources can be upgraded to HTTPS, then it will. In fact it is itself an upgrade from the very popular add-on developed by the EFF known as HTTPS Everywhere. The latter has been using a pre-configured list of known URLs upgradeable to HTTPS, whereas the former does it dynamically for each connection using no list, since such lists are bound to be finite and outdated.

“DuckDuckGo is the search engine that doesn’t track you. We also have smarter answers and less clutter. This extension adds DuckDuckGo (HTTPS / SSL version) to the search bar. For more features, see the DuckDuckGo Plus add-on. Enjoy!”

We’ve already established how Google is not to be trusted with our data, even more so those that characterize us most, like our browsing and search history. And while dropping their Chrome browser may help with the former, using Google Search still allows them to build a distressingly specific profile of us.

Thankfully we can avoid that and search the Web with the privacy-respecting alternative DuckDuckGo. Their add-on will automatically replace our browser’s default search engine with the one that doesn’t track us.

Rich in features, like a multitude of community-backed instant results that promptly inspired Google Search to copy them, I would say it’s already good enough or better for everyday use, especially given that competitors that fingerprint the users have an inherent advantage in yielding relatively better search results (in return for paying with our privacy, no refunds offered by the way).

If that wasn’t enough to convince you to switch, you could read up on 15 Reasons Why You Should Ditch Google Search for DuckDuckGo.

“Open current page or link in tor browser for better privacy.”

Well what if we do want to search using Google, when we need to try again for possibly better results (not often, but sometimes still)?

Remember how we previously mentioned that Tor browser offers maximum anonymity? Well if you have it installed on your computer and the Open in Tor Browser add-on in your everyday browser, then you can type in the search keywords in Google Search and open the results link in Tor. Very handy for this and many other use cases so that we don’t have to copy paste links around or compromise our data either.

“Firefox Multi-Account Containers lets you keep parts of your online life separated into color-coded tabs that preserve your privacy. Cookies are separated by container, allowing you to use the Web with multiple identities or accounts simultaneously.”

Does pretty much what it says on the tin. It allows us, for example, to be logged in to our Google account when browsing for work, but simultaneously be logged out of the service for the whole Web while using the same browser in tabs assigned to the “Personal” tab container. It also helps to have our tabs organised in groups, color-coded by the way, which can be a big productivity boost. Did I mention it’s also built by Mozilla itself?

“Protect your Passwords, Payments, and Privacy.”

Have you ever been hacked in the past? If you have, chances are your email and password were not hacked directly but were instead leaked when a service you have used in the past was compromised, with attackers getting access to all email and password combinations. This unfortunately happens scarily often, enough that you just have to always expect it unless proven otherwise. You can check if your email has been in a known such list at haveibeenpwned.com.

As I said, we should always expect our email, password and even credit card data to be leaked so one way to protect against that is to use unique ones for each website. And here’s where the Blur add-on comes in.

It lets us create unique strong passwords for each website so even if one is hacked, the damage is mitigated greatly. (For maximum protection, though, I would recommend using a much more secure dedicated password manager, preferably 1Password.)

Additionally it lets us use a unique email for each website, protecting us from (and letting us know of, which is neat) services that leak our email to spammers. Any email sent to any of the alias email addresses can be forwarded to our normal personal email address for us to read (or not, since we can block it in Blur).

Moreover, Blur lets us create credit card aliases, virtual prepaid cards essentially, so that we never expose our real credit card details to merchants. Yes this is a replacement for Paypal, which, by the way, you should not be using in the first place.

Lastly Blur has a tracker-protection feature, but we can disable that if we’re going to be using more sophisticated approaches for that (like uMatrix presented further below).

Honestly, Blur has too many features for my personal needs and most of them are for the premium version. But I still think the free e-mail masking it offers is vital, so this is how I have it configured:

Once the extension is installed, click the Blur icon on the top-right. Then on the pop-up click “Settings” and subsequently “Settings for all websites”. Here’s a screenshot of my settings (note I already use another password manager):

My personal Blur configuration

“Send referers only when staying on the same domain.”

Yeah, I know the name’s spelled wrong but hey, it was built by a user named “meh”, so… :P

Did you know that whenever you click a link on the web, whoever owns the webpage where you land can know the specific page you came from? Yup! That’s called a referrer and it’s a header field of the initial request that opens the new page when you click that link.

The SmartReferer add-on ensures that this data is not leaked when we click on external links, but still allows it when a link takes us to another webpage of the same website (internal links), so that its owners can at least get some usage analytics to make our experience better in the future.

“Clean URLs that are about to be visited:

- removes utm_* parameters

- on item pages of aliexpress and amazon, removes tracking parameters

- skip redirect pages of facebook, steam and reddit”

There’s more to links leaking where we came from than the referrer HTTP field. Specifically, websites like Facebook, Amazon and anyone else really, can structure their link URLs in such a way that when we visit them they can get data like where we came from and more. Moreover, websites like Facebook use this trick to “rat out” to other websites that we came from them.

The Link Cleaner add-on will trim most link URLs, cleaning them from passing on that data to the landing website. This also makes sharing links to friends much more responsible privacy-wise.
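The two kinds of cleaning the description lists (dropping utm_* parameters and skipping redirect pages) can be sketched as follows. This is an added example, not code from Link Cleaner or from this article, and the redirect hosts and parameter names in REDIRECTORS are assumptions made for illustration.

```javascript
// Added example, not Link Cleaner's source. The redirect hosts and their
// parameter names below are assumptions made for illustration.
const REDIRECTORS = new Map([
  ["l.facebook.com", "u"],   // assumed wrapper form: /l.php?u=<target>
  ["out.reddit.com", "url"], // assumed wrapper form: /?url=<target>
]);

function cleanUrl(raw, depth = 0) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return raw; // not an absolute URL: leave it untouched
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return raw;

  // 1. Skip redirect pages: go straight to the embedded target. Only
  //    http(s) targets are accepted, and nesting is bounded.
  const param = REDIRECTORS.get(url.hostname);
  if (param && depth < 3) {
    const target = url.searchParams.get(param);
    if (target && /^https?:\/\//i.test(target)) {
      return cleanUrl(target, depth + 1);
    }
  }

  // 2. Remove utm_* parameters. Collect the names first, because deleting
  //    while iterating searchParams would skip entries.
  const tracked = [...url.searchParams.keys()].filter((name) =>
    name.toLowerCase().startsWith("utm_")
  );
  for (const name of tracked) url.searchParams.delete(name);
  return url.toString();
}

// Constructed sample links (not taken from any real page).
const SAMPLE_LINKS = [
  "https://example.com/article?id=7&utm_source=newsletter&utm_medium=email#top",
  "https://l.facebook.com/l.php?u=https%3A%2F%2Fexample.org%2Fpost%3Futm_campaign%3Dfb%26x%3D1&h=abc",
];
for (const link of SAMPLE_LINKS) console.log(cleanUrl(link));
```

Parameters that are not utm_* (such as id and x in the samples) survive, so the cleaned link still opens the same page.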

“Prevent tabs opened by a hyperlink from hijacking the previous tab by adding the rel=noopener attribute to all hyperlinks (excluding same-domain hyperlinks).”

Remember how I said that clicking an external link can leak where you came from? Well that’s bad but what’s even worse is that it lets the new tab we just opened via the link have access to the source tab. That’s… very bad. And it could have actually been avoided if the source website’s programmer had put the rel=noopener attribute in the HTML code. For the more technical readers in the audience, here’s a link for more info.

The Don’t touch my tabs! add-on will always inject that little code snippet in the HTML code of pages we visit so that even when programmers are sloppy, we are safe.
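What the add-on’s description amounts to, as an added example that is not code from the add-on or from this article: every external http(s) link gets rel=noopener, which leaves the opened page without a window.opener handle back to the tab it came from. The function name and the sample links are assumptions for illustration.

```javascript
// Added example, not the add-on's source. Works on anything shaped like an
// <a> element ({ href, rel }), so it runs in Node as well as in a page.
function addNoopener(links, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  let changed = 0;
  for (const a of links) {
    let target;
    try {
      target = new URL(a.href, pageUrl); // resolves relative hrefs too
    } catch {
      continue; // unparsable href: nothing to harden
    }
    if (!/^https?:$/.test(target.protocol)) continue;
    if (target.hostname === pageHost) continue; // same-domain links are excluded

    // rel is a space-separated, case-insensitive token list: keep what is
    // already there (nofollow, noreferrer, ...) and append noopener once.
    const tokens = (a.rel || "").split(/\s+/).filter(Boolean);
    if (tokens.some((t) => t.toLowerCase() === "noopener")) continue;
    tokens.push("noopener");
    a.rel = tokens.join(" ");
    changed += 1;
  }
  return changed;
}

// Constructed sample standing in for document.querySelectorAll("a[href]").
const PAGE = "https://blog.example/posts/1";
const LINKS = [
  { href: "/about", rel: "" },                          // same domain
  { href: "https://other.example/", rel: "" },          // external
  { href: "https://cdn.example/x", rel: "nofollow" },   // external, keeps nofollow
  { href: "https://other.example/y", rel: "NoOpener" }, // already protected
];
console.log(addNoopener(LINKS, PAGE), LINKS.map((l) => l.rel));
```

Current browsers treat links with target="_blank" as rel=noopener by default, so the explicit attribute matters most for older browsers.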

“Easily stop coin miners from using your computer resources.”

With the surge of crypto-coins, there’s been a recent trend for new coins like Monero that are designed to be very CPU-friendly to mine. Some attackers have recently injected software in their ads or websites that takes over your computer’s CPU to mine these crypto-coins and generate money for the attacker.

The NoMiner add-on will detect such software and stop it in its tracks.

“Point & click to forbid/allow any class of requests made by your browser. Use it to block scripts, iframes, ads, facebook, etc.”

This add-on here, folks, is the nuclear microscope of all security plugins on the web, but keep in mind that such fine-tuned tools may not be as user-friendly to less advanced users. This is however an ultra-powerful security tool for the power-users reading this.

The uMatrix add-on lets us inspect and allow or block any request a website makes, grouped as cookies, css, images, media, scripts, xhr requests, iframes and others. By default it will only allow loading assets from the same domain as the page visited, which is bound to break most websites until manually configured otherwise. Configuration is, as said in the description, point and click, but the user experience may still be overwhelming for the average user.

Users already familiar with the hugely popular NoScript add-on will feel right at home and can upgrade to uMatrix which offers the same functionality with global rules supporting wildcards, but it also does so for more request groups than just scripts. If you need help to get you started, here and here are some ready to copy-paste uMatrix rulesets.

“Protects you against tracking through “free”, centralized, content delivery. It prevents a lot of requests from reaching networks like Google Hosted Libraries, and serves local files to keep sites from breaking. Complements regular content blockers.”

Unfortunately, when using script-blocking software like uMatrix, we sometimes can’t avoid whitelisting external requests to common libraries used around websites like jQuery because if we do block them, such websites become unusable (shame on you, developers). And even when that software is usually safe in itself, it often ends up being the same library used by many websites. This means that those companies serving the library over the internet can know of all the websites we visited which are programmed to consume that same library.

The Decentraleyes add-on fixes that. It locally caches commonly requested libraries like jQuery and, instead of making the network request, it fetches them from the local cache. This also saves network bytes for us and helps websites load faster.

Parting words

While the Web is not thoroughly a safe place, switching to a safe browser with a couple of set-and-forget add-ons can go a long way in fixing that. Getting protected is not hard and even if it were, it’s totally worth the effort.

Reworking a bit what Benjamin Franklin once said and bringing it to the information age:

Those eager to compromise their security for convenience, deserve neither and will ultimately lose both.

Don’t go browsing the Web naked, folks.