In a recent Tor security advisory, Roger Dingledine writes:
I am less concerned with linkability/fingerprinting than I am with security, i.e. maintaining the anonymity of my IP address by not getting owned.
The security advisory quoted above also touches on stuff Tor users can do at the OS level to increase security. This could involve using Tails or possibly a VM-based approach (examples are Qubes or Whonix). There are plenty of other OS options, like OpenBSD, Hardened Gentoo, and so on, each with its pros and cons.
Let's just focus on Firefox, though - regardless of OS.
Even then, this is a pretty broad question. Maybe it should be split into more than one question?
And when asking/answering it's easy to mess up security and anonymity. When it's just about security, you could disable features such as loading pictures. That would be more secure (less processing program code), but less anonymous.
adrelanos: Point taken about not mixing up security and anonymity. In response to your question, a steep learning curve is fine. I don't claim to be very sophisticated, but feel free to give advice even if you think it might be too advanced.
Another idea is to prevent the computer you run Tor on from knowing your external IP address by connecting it to the Internet via a NAT router. This helps mainly in combination with something like Tails which prevents Internet access except via Tor.
Even if your Firefox gets compromised it won't be able to send out requests directly to the Internet (due to the Tails firewall) and it will only be able to discover your internal IP address if it tries to send that back to the command and control server via Tor.
It would be better to connect to the NAT router via a wired connection and disable wireless on your computer, because if an attacker can see the MAC addresses of nearby wireless APs, they would be able to look this up on a geolocation database.
This won't stop all attacks, and in particular it won't stop an attack targeted against you, but it will make it harder to exploit a Firefox flaw.
Using Firefox and Tor Browser Bundle at the same time is not a great idea because the two interfaces are almost identical, and it is easy to get the two browsers mixed up, even if you know what you are doing.
If you still feel it is convenient to have both browsers open at once, a simple "low-tech" solution to that is to install a different theme in one of the browsers.
Since TBB 3.x they open up as different programs (and thus different icons), at least in Ubuntu. This makes telling the two apart quite easy.
I don't recommend installing a different theme in one of the browsers. Install a theme only on your Firefox if you want. If you do it on your TBB it makes you stand out among other users and makes it easier to track you.
(This answer is just about the Tor software without using any special OS or any other software.)
Keep your Tor Browser Bundle up to date
First of all, always keep your Tor Browser Bundle up to date. If there is a newer version available, don't use the old Bundle anymore. Download the new bundle and install it to a separate folder. Don't install over the old files. This ensures that no trace from the old installation which may compromise your security is left. Completely remove the old folder.
Forbid scripts globally
Second, click on the icon at the upper left area of Tor and click "Forbid Scripts Globally (advised)".
Click on the icon again and click on Options. Choose the tab Appearance. Make sure that "Allow Scripts Globally (dangerous)" is unchecked.
Now switch to the tab Embeddings. Disable all embeddings like Flash, Java etc.:
- Forbid Java
- Forbid Adobe Flash
- Forbid Microsoft Silverlight
- Forbid other plugins
- Forbid <IFRAME>
Check your config
about:config in the address bar. Search for
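An offline check for the NoScript settings listed in the answer above, added here as an example and not part of the original answer: it reads the text of a profile's prefs.js and reports whether each setting matches. The preference names are assumptions (classic NoScript names matched to the checkboxes; confirm them in about:config), and the sample prefs.js content is constructed.

```python
import re

# Assumed mapping from the options named in the answer to classic NoScript
# preference names; verify each one in about:config on your own install.
EXPECTED = {
    "noscript.global": False,  # "Allow Scripts Globally (dangerous)" unchecked
    "noscript.forbidJava": True,
    "noscript.forbidFlash": True,
    "noscript.forbidSilverlight": True,
    "noscript.forbidPlugins": True,
    "noscript.forbidIFrames": True,
}

# prefs.js lines look like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Return {name: value}; booleans are converted, other values stay raw."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            name, raw = m.groups()
            prefs[name] = {"true": True, "false": False}.get(raw, raw)
    return prefs


def audit(text):
    """Map each expected pref to 'ok', 'wrong' or 'unset'.

    prefs.js only stores values that differ from the built-in default, so
    'unset' means the default applies and must be checked in about:config.
    """
    prefs = parse_prefs(text)
    return {name: "unset" if name not in prefs
            else "ok" if prefs[name] is want else "wrong"
            for name, want in EXPECTED.items()}


# Constructed sample, not taken from a real profile.
SAMPLE = '''user_pref("noscript.global", false);
user_pref("noscript.forbidJava", true);
user_pref("noscript.forbidFlash", false);
user_pref("noscript.forbidPlugins", true);
user_pref("browser.startup.homepage", "about:tor");
'''

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{status:6} {name}")
```

Run it against a copy of prefs.js taken while the browser is closed, since the file is rewritten on exit.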
As a side note, upon looking further into the FF extension "Request Policy," additional Firefox extensions are no longer recommended on the current General FAQ page at torproject.org. The Tor Security Advisory referenced in the question above is dated 5 August 2013.
Can I install other Firefox extensions?
The Tor Browser is free software, so there is nothing preventing you from modifying it any way you like. However, we do not recommend installing any additional Firefox add-ons with the Tor Browser Bundle. Add-ons can break your anonymity in a number of ways, including browser fingerprinting and bypassing proxy settings.
Some people have suggested we include ad-blocking software or anti-tracking software with the Tor Browser Bundle. Right now, we do not think that's such a good idea. The Tor Browser Bundle aims to provide sufficient privacy that additional add-ons to stop ads and trackers are not necessary. Using add-ons like these may cause some sites to break, which we don't want to do. Additionally, maintaining a list of "bad" sites that should be black-listed provides another opportunity to uniquely fingerprint users
An undated past version (maybe August 2013?) of the same page:
Can I install other Firefox extensions?
Yes. Just install them like normal. But be sure to avoid extensions like Foxyproxy that screw up your proxy settings. Also, avoid privacy-invasive extensions (for example, pretty much anything with the word Toolbar in its name).
Generally, extensions that require registration, and/or provide additional information about websites you are visiting, should be suspect.
Extensions you might like include RefControl (referer spoofing), SafeCache, Better Privacy, AdBlock Plus (EasyPrivacy+EasyList), Cookie Culler, Request Policy and Certificate Patrol.