Making surfing a bit more secure

The internet is a dangerous place: people try to get hold of your private data to sell it, track you across many sites, serve insecure connections so that third parties can read your data too, or embed strange ads that slow your browser down until it is unusable. Last week, during a talk, I was asked which tools I use, so I thought I would publish the list here:

NoScript is a Firefox addon for blocking any kind of script, mostly JavaScript and Flash apps. It also has very good anti-XSS and anti-clickjacking protection. Allowing HTML is mostly okay because it is only a markup language with no power over your machine (HTML5 has a few exceptions). JavaScript, on the other hand, can do evil things like scanning your local network, trying to brute-force your router or sending (private) data out to the internet.

AdBlock (and all the alternatives like uBlock) parses the HTML layout of a page before displaying it. It removes ads and replaces them with whitespace. Some ads are just annoying; others are Flash based and not trustworthy. In the past, advertising providers failed to validate the submitted ads and they contained malware. AdBlock can be extended with multiple filter lists, for example a list that removes social widgets like Facebook/Twitter buttons (they also track you!).

Ghostery is a smart little addon which blocks advertisement and tracking servers, so the content isn't even downloaded to your computer (as it would be with AdBlock). Ghostery is developed by a company and not by a free organization; you never know why they do it for free. A cool alternative is Privacy Badger, developed by the EFF. Sadly I was unable to change the default policy from allow-all to drop-all (which Ghostery can, which is why I prefer it).

HTTPS Everywhere
Encrypting your traffic is important. Two points matter: the encryption needs to be strong, and you need to encrypt as much as possible. Think about somebody intercepting and capturing your traffic. If you only encrypt the important stuff (like online banking), then the hacker notices that most of the traffic is unencrypted and boring, concludes that every encrypted connection must be important, and will try to brute-force it (or manipulate SSL certificates). If all or most of your traffic is encrypted, the hacker won't know which parts are important and has to decrypt everything to find useful information. This is where HTTPS Everywhere (another addon from the EFF) comes in: the addon detects whether a website supports HTTPS and, if so, redirects you from the insecure HTTP version to HTTPS.

Certificate Patrol
Certificate Patrol detects when a website changes its SSL certificate and notifies you. This is useful because in the past a few CAs were hacked or signed certificates for domains that the requesting party did not operate.

This entry was posted in 30in30, General, IT-Security.
