Web browsers have become the de facto client interface to Internet based applications. As we travel around the Internet, whether for pleasure or business, we find ourselves creating personal profiles for various Web sites. These profiles usually include access credentials (usernames and passwords). Good password management practice calls for many distinct passwords. But this proliferation of passwords results in the need for strong password storage. In addition to password management we need to give some thought to encrypted communications. We typically just install a browser and start surfing without any thought for the decisions other people have made for us about who we should trust or how we should communicate. The default settings for SSL/TLS are a good example of this.

Password Management Settings

Firefox provides a convenient method of storing passwords using the built in password manager. However, recent articles [ref1, ref2] have highlighted the fact that some configuration is required to raise the level of security before using this feature. The following are some configuration settings that can improve the security of information stored in the password manager.

1. Use a master password. Enable the master password feature by navigating to the Security tab of the applications preferences. Check "Use a master password" and enter a strong password, a pass phrase is even better.
2. Enable FIPS. Enable the FIPS-104-1 internal cryptographic device to ensure proper handling of stored information. Navigate to the Advanced tab of the application preferences. Click "Security Devices" then click "Enable FIPS".
3. Remember passwords. If you haven't already, configure Firefox to remember passwords for Web sites by navigating back to the Security tab of the application preferences. Check "Remember passwords for sites."

NOTE: If you ever need to see a stored password for a particular site you can do this by navigating to the Security tab of the application preferences, click "Show passwords", click "Show passwords", enter your master password, and they will be presented along with the corresponding site and username.

ALTERNATIVE: If you really want to be paranoid, that's allowed here, you could choose not to allow Firefox to store any information and use a separate password manager like Password Safe [ref3] or pwsafe [ref4]. I do both since I use multiple machines.

SSL Settings

First a couple of recommendations, then a warning.

We've all seen the SSL warning messages stating that there is a problem with a certificate from a Web site. Most people simply accept the certificate temporarily and click through to the Web site without really understanding what they are doing. This is because most users have no idea what the messages mean. The most common warnings are 1) expired certificate or 2) unrecognized signer. My recommendation for an expired certificate is to contact the Web site owner and ask them if they are aware that their certificate is expired and when they plan to renew their certificate. Then make your decision about whether to proceed or wait. My recommendation for unrecognized signers is to view the signing certificate authority (CA) information and evaluate whether you want to trust the CA that signed the certificate. If you decide to trust the CA then you will want to locate the CA's public key(s) and install them, this is usually as simple as clicking on a link to the CA's public key. This will bring up a dialog box asking you to make some selections about what kinds of certificates you want to recognize the CA for (identify Web sites, e-mail users, and/or software makers). NOTE: It is not recommended to accept self-signed certificates unless you know the consequences.

WARNING: The following section is not for the faint of heart. If you don't want to do some research or are not willing to deal with the potential hassle that may result you should skip to the section on certificate revocation lists.

If you're still with me I'm serious, don't do this unless you know what you're getting yourself into. I'll try to explain it as best I can but don't blame me if you find yourself tracking down CA certificates so you can reinstall them later on.

Certificate Authorities

When we install Firefox, or other client software that supports SSL, it comes with a set of trusted certificate authorities. Most people never give this a second thought. However, decisions have been made by the other people about what CA's we will an won't trust. The process of getting a CA certificate into the distribution of a software package like Firefox can be a political and drawn out process, just ask CACert.org [ref5]. I would encourage you to review the list of CAs that are installed in your browser, do some research and make any changes you feel are necessary. I would also encourage you to consider installing CA certificates for CAs that you trust but are not already installed, such as CACert.org or company's CA.

To view the installed CAs navigate to the Advanced tab of the application preferences, select the Encryption tab, and click "View Certificates", then select the Authorities tab.

Certificate Revocation Lists

A certificate revocation list (CRL) is a list of all the certificates that a CA would like to revoke. I say it this way because unless you have configured your software to use the CRLs from the CAs that you trust then you will have no idea that certain certificates have been revoked. This is a very important and often overlooked aspect of SSL/TLS. Installing a CRL [ref6] is as simple as installing a CA's public key, simply click on the URL for the CRL and you will be presented with some choices about configuring automated updates of the CRL. It is recommended that you enable automatic updates.

Now that you've read this, you might want to configure Firefox for increased privacy.

References:

1. Password Management Concerns with IE and Firefox, part one
2. Password Management Concerns with IE and Firefox, part two
3. Password Safe
4. pwsafe
5. CACert.org
6. Certificate Authority CRL Links:
   • VeriSign and Thawte
   • GeoTrust
   • Starfield Technologies
   • CACert.org