Best Free Security Add-ons for Firefox

NoScript is the ultimate bodyguard for your Firefox! It selectively blocks active content like JavaScript, Flash, Java, etc on webpages, based on each element's domain of origin. It's the most effective way of keeping yourself safe from attacks and making sure spying eyes of 3rd parties are blindfolded.

On the downside, because it blocks everything that isn't whitelisted, it will also disrupt legitimate website features. Getting NoScript to work optimally takes some tinkering and trying for each individual website. It has a few helpful settings for that though, and whitelisting safe/required content is done very quickly and easily.

Domains and subdomains can be permanently or temporarily whitelisted or blacklisted. Furthermore, it also blocks certain forms of attack such as Cross-Site Scripting and what it calls "Clickjacking" (mouse clicks being intercepted by an invisible page element).

I've written a detailed and easy how-to that explains everything you need to know to get the most out of NoScript. I strongly suggest reading it if you're not overly familiar with the technical details of webpages.

RequestPolicy blocks unwanted 3rd party content. It lets you set up whitelist/blacklist rules to prevent pages from loading 3rd party content, along with one or two "default policy" rules. Such content includes scripts, images, video/audio, Flash gadgets, etc. The 0.5 interface is very similar to NoScript's (a dropdown with sub-dropdowns for each domain), while 1.0 beta has a new interface more like Self-Destructing Cookies'. The latter is slightly less appealing, but more adapted to the modernization of Firefox.

Both RP and NoScript block content by domain name, but NoScript focuses on blocking only scripts and preventing a few particular kinds of scripting attacks. RP simply removes any non-whitelisted 3rd (and 3rd only!) party content. The unwanted effect on legitimate page content that happens to be external is far greater, but it also blocks a great deal of ads and generally slowing/obnoxious content and scripts.

Secure Login is an extension to FIrefox's own password manager for safer and easier logins. It prevents the regular auto-filling of login forms for security purposes, and can even protect the form from JavaScript snooping (which I have personally experienced). If you want to log in, you have to click the new toolbar icon. It will fill in the form and submit it right away, automating that part of the process. It seamlessly supports multiple accounts on the same website, can highlight detected forms and can play sounds upon detecting and submitting said forms.

HTTPS Everywhere automatically switches to HTTPS/SSL when available. It allows you to automatically redirect HTTP connections to an HTTPS connection if the requested website supports it. This much improves your browsing safety and privacy in return for a small impact on speed.

In order to perform this redirection, HTTPSE contains 2 sets of redirect rules: one maintained by the developer/community, and a personal one you can make yourself, given that you can write Regular Expressions. Rules in either list can be disabled when needed.

The add-on also cooperates with the SSL Observatory, an organization dedicated to overseeing SSL certificates and ensuring your browser doesn't get handed a fake one. You will see an infomercial image after the initial installation, but nothing else will ever pop up after that.

Note that this add-on is not hosted on the Mozilla Add-ons website, but on the developer's own site. This may affect automatic updating.

HTTP Nowhere disables non-HTTPS traffic. Like it says on the tin, this add-on blocks all non-HTTPS traffic. Only secure HTTPS traffic is allowed to enter and leave Firefox, nearly waterproofing your security. Unfortunately, many websites simply do not support HTTPS, so be prepared to lose a lot of your daily browsing habits if you are intent on using this!

BetterPrivacy controls Flash's cookies or LSOs. Most Flash objects on webpages store data in a folder on your computer, not unlike how cookies are used. This data can be anything from benevolent configuration settings and game saves to malicious things such as tracking details.

The BP interface will show you a list of all stored LSOs and the domain they're associated with. For each one, you can choose if it should be protected from deletion within Firefox, deleted on the spot or simply ignored/handled as default. You'll also want to take a look at the settings on the 2nd tab, as they allow you to do things like deleting non-protected LSOs on exit/start.

While BP certainly achieves its practical goal of protecting and deleting Flash cookies, its clunky interface leaves much to be desired and development seems to have ceased.

Beef TACO blocks tracking cookies by overriding them. It's popular but not recommended.

Beef TACO sets read-only cookies on various malicious domains. This prevents those websites from storing their own data in your browser and achieving their sinister/annoying goals, such as tracking you across the web. Target websites include trackers and social networks such as Facebook.

The problem with this approach is that TACO creates hundreds of cookies for malicious domains in advance. These cookies clutter up your cookie management interfaces and cannot be deleted in any way. In addition, because it uses a blacklist, it only works on domains the developer includes in the list.

Beef TACO is a fork of the original TACO by Abine, but the original is so bad that I will not even link to it here. It's 1.5MB in size (Beef TACO is only 17KB and achieves the exact same thing) and is bloated with unnecessary graphics, almost as if wanting to give you trophies for ticking options.