Mozilla FireFox Security Technical Implementation Guide
The Mozilla FireFox Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]
FireFox is configured to ask which certificate to present to a web site when a certificate is required.
When a web site asks for a certificate for user authentication, Firefox must be configured to have the user choose which certificate to present. Websites within DOD require user authentication for access which increases security for DoD information. Access will be denied to the user if certificate management is not configured.System Administrator
Network shell protocol is enabled in FireFox.
Although current versions of Firefox have this set to disabled by default, use of this option can be harmful. This would allow the browser to access the Windows shell. This could allow access to the
underlying system. This check verifies that the default setting has not been changed.
Firefox is not configured to prompt a user before downloading and opening required file types.
New file types cannot be added directly to the helper applications or plugins listing. Files with these extensions will not be allowed to use Firefox publicly available plugins and extensions to open. The application will be configured to open these files using external applications only. After a helper application or save to disk download action has been set, that action will be taken automatically for those types of files. When the user receives a dialog box asking if you want to save the file or open it with a specified application, this indicates that a plugin does not exist. The user has not previously selected a download action or helper application to automatically use for that type of file. When prompted, if the user checks the option to Do this automatically for files like this from now on, then an entry will appear for that type of file in the plugins listing and this file type is automatically opened in the future. This can be a security issue. New file types cannot be added directly to the Application plugin listing. System Administrator
Firefox formfill assistance option is disabled.
In order to protect privacy and sensitive data, Firefox provides the ability to configure Firefox such that data entered into forms is not saved. This mitigates the risk of a website gleaning private information from prefilled information.System Administrator
Firefox is configured to autofill passwords.
While on the internet, it may be possible for an attacker to view the saved password files and gain access to the user's accounts on various hosts. System Administrator
FireFox is configured to use a password store with or without a master password.
Firefox can be set to store passwords for sites visited by the user. These individual passwords are stored in a file and can be protected by a master password. Autofill of the password can then be enabled when the site is visited. This feature could also be used to autofill the certificate pin which could lead to compromise of DoD information.System Administrator
FireFox is not configured to block pop-up windows.
Popup windows may be used to launch an attack within a new browser window with altered settings. This setting blocks popup windows created while the page is loading.System Administrator
Firefox must be configured to allow only TLS.
Use of versions prior to TLS 1.1 are not permitted. SSL 2.0 and SSL 3.0 contain a number of security flaws. These versions must be disabled in compliance with the Network Infrastructure and Secure Remote Computing STIGs.System Administrator
Installed version of Firefox unsupported.
Use of versions of an application which are not supported by the vendor are not permitted. Vendors respond to security flaws with updates and patches. These updates are not available for unsupported version which can leave the application vulnerable to attack.System Administrator
Firefox automatically updates installed add-ons and plugins.
Set this to false to disable checking for updated versions of the Extensions/Themes. Automatic updates from untrusted sites puts the enclave at risk of attack and may override security settings.System Administrator
Firefox required security preferences cannot be changed by user.
Firefox automatically checks for updated version of installed Search plugins.
Updates need to be controlled and installed from authorized and trusted servers. This setting overrides a number of other settings which may direct the application to access external URLs.System AdministratorECSC-1
Extensions install must be disabled.
A browser extension is a program that has been installed into the browser which adds functionality to it. Where a plug-in interacts only with a web page and usually a third party external application (Flash, Adobe Reader) an extension interacts with the browser program itself. Extensions are not embedded in web pages and must be downloaded and installed in order to work. Extensions allow browsers to avoid restrictions which apply to web pages. For example, a Chrome extension can be written to combine data from multiple domains and present it when a certain page is accessed which can be considered Cross Site Scripting. If a browser is configured to allow unrestricted use of extension then plug-ins can be loaded and installed from malicious sources and used on the browser. System Administrator
Background submission of information to Mozilla must be disabled.
There should be no background submission of technical and other information from DoD computers to Mozilla with portions posted publically.