By default, Firefox 3 (and 2, and older) runs JavaScript from every domain, uses potentially insecure plugins (which are not add-ons), and allows websites to store cookies until 2038. Firefox also provides websites with unnecessary information about how you arrived at a webpage (the Referer header). With the right add-ons and preferences, these behaviors can be fixed.
This guide isn't just for the paranoid — the web is a minefield with pages setting 30-year tracking cookies, hosting malicious JavaScript trying to hijack your webmail, black-hat advertisers unloading malware, and exploits targeting unpatched browsers and plugins.
Caveat: this is just my setup. I'm not a Firefox developer. If I'm wrong, email me and I'll update: ivan at ludios.org
Install NoScript; have it forbid everything, but disable the blocked script notifications. Install Adblock Plus and use EasyList or whichever filterset matches your region.
Install Nightly Tester Tools and “Disable add-on compatibility checking” to install some older Firefox 2 add-ons. Disable all plugins (not add-ons) except Flash with Tools->Add-ons->Plugins and use MediaPlayerConnectivity to send videos to VLC. Use Foxit Reader instead of Acrobat Reader for PDFs.
Create a list of trusted websites allowed to permanently set cookies, and have Firefox delete the rest on exit (Tools->Options->Privacy->Cookies->Keep until->I close). Install RefControl and set the default behavior to <Block>.
Use CustomizeGoogle if you fear Google's cookies, or want Gmail over HTTPS.
And now, the fine details...
The NoScript add-on blocks the exploitation of many security vulnerabilities (including undiscovered ones), protects your browser history from snooping, and stops various cross-site scripting attacks. NoScript blocks JavaScript and embedded objects on a page until you whitelist the domain (permanently or temporarily). Embedded objects (Flash/Java) can be activated by clicking on them.
NoScript would have completely prevented Google's GMail security failure and did stop the Quicktime 0day exploit for those who had it installed. The JavaScript-related attacks listed at The Hacker Webzine are also rendered harmless with NoScript. It's a true killer extension and turns Firefox into a secure browsing environment.
The only real disadvantage is having to whitelist your favorite (hopefully trustworthy) websites and temporarily whitelisting domains which exhibit broken behavior without JavaScript.
Script blocking notifications aren't needed; if a webpage feels broken but looks trustworthy, temporarily whitelist it.
Adblock Plus is not especially useful for security if you have NoScript, but it has the handy effect of blocking all ads. It might stop an ad-based attack if one somehow makes it past NoScript.
In a better world, plugins would be listed as “attack vectors” in Firefox. Disable them all (especially video plugins). If you trust Adobe, keep Flash. To make up for the lack of Windows Media and Quicktime, install the MediaPlayerConnectivity add-on and configure it to use VLC (a standalone player; don't install the ActiveX control). You may need Nightly Tester Tools and “Disable add-on compatibility checking” for MediaPlayerConnectivity.
A side benefit of removing Windows Media/Quicktime is that Firefox will no longer crash repeatedly when playing a video. For Flash security, Adobe lists the latest Flash Player versions and provides a Flash updater. If you must use Java, make sure it's up to date.
Instead of Adobe Reader, use the free Foxit Reader (Windows only) and configure Firefox to open PDFs with Foxit. It's faster and likely more secure: when Adobe Reader had a serious vulnerability, Foxit was less exposed: “Foxit is vulnerable as well, although the user is required to interact with the document in order to launch the exploit.”
By default, Firefox allows all websites to set non-expiring cookies. Cookies are a nuisance to manage manually, and disabling them breaks just about every website. But they remain a privacy problem, since they allow websites to track your browser forever. A good compromise is to let trusted domains set cookies forever and clear all other cookies when Firefox exits. Firefox supports this natively.
In Tools->Options->Privacy, add trusted websites to "Exceptions..." and select "Keep until: I close Firefox". Firefox will clear all untrusted cookies on exit. Note that this does not apply to cookies created before selecting "Keep until I close", so delete all cookies with the "Show Cookies..." dialog.
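To make the cookie policy above concrete, here is an added example (not code from the original post or from Firefox) that models "Keep until: I close Firefox" with an exceptions list: it parses constructed Set-Cookie headers, reports how far into the future each site asked its cookie to live, and demotes every persistent cookie from a non-trusted host to a session cookie. The trusted-domain list, the sample headers and the reference date are constructed for illustration; the parser only handles the Expires and Max-Age attributes.

```javascript
// Added example: model of Firefox's "Keep until I close" cookie policy
// with per-domain exceptions. Not part of the original post or of Firefox.

// Constructed exceptions list: these hosts may set persistent cookies.
const TRUSTED_DOMAINS = new Set(["mail.example.net", "bank.example.org"]);

// Parse one Set-Cookie header into {name, value, persistent, expires}.
// Only Expires and Max-Age are interpreted; other attributes are ignored.
function parseSetCookie(header, now) {
  const parts = header.split(";").map((p) => p.trim());
  const eqPos = parts[0].indexOf("=");
  if (eqPos === -1) return null; // malformed name=value pair
  const cookie = {
    name: parts[0].slice(0, eqPos).trim(),
    value: parts[0].slice(eqPos + 1),
    persistent: false,
    expires: null,
  };
  let maxAge = null;
  let expires = null;
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1).trim();
    if (key === "max-age" && /^-?\d+$/.test(val)) maxAge = Number(val);
    else if (key === "expires") {
      const d = new Date(val);
      if (!Number.isNaN(d.getTime())) expires = d;
    }
  }
  // Max-Age wins over Expires (RFC 6265 section 5.3); neither means a
  // session cookie, which the browser drops when it exits anyway.
  if (maxAge !== null) {
    cookie.persistent = true;
    cookie.expires = new Date(now.getTime() + maxAge * 1000);
  } else if (expires !== null) {
    cookie.persistent = true;
    cookie.expires = expires;
  }
  return cookie;
}

// "Keep until I close Firefox" with exceptions: a persistent cookie from a
// trusted host keeps its expiry; every other cookie becomes session-only.
function applyLifetimePolicy(host, cookie) {
  if (!cookie.persistent || TRUSTED_DOMAINS.has(host)) return { ...cookie };
  return { ...cookie, persistent: false, expires: null, demoted: true };
}

// Requested lifetime in years, so a "track me until 2038" cookie stands out.
function yearsUntil(date, now) {
  return (date.getTime() - now.getTime()) / (365.25 * 24 * 3600 * 1000);
}

// Constructed reference time and sample responses: [host, Set-Cookie value].
const NOW = new Date("2008-06-01T00:00:00Z");
const SAMPLE_RESPONSES = [
  ["ads.example.com", "uid=abc123; Expires=Tue, 19 Jan 2038 03:14:07 GMT; Path=/"],
  ["ads.example.com", "visit=1; Max-Age=946080000; Path=/"], // 30 years in seconds
  ["mail.example.net", "session=xyz; Expires=Fri, 01 Jan 2010 00:00:00 GMT; Secure"],
  ["news.example.com", "prefs=dark; Path=/"], // already a session cookie
];

// For each response: what the site asked for vs. what the policy stores.
function auditCookies(responses, now) {
  const report = [];
  for (const [host, header] of responses) {
    const parsed = parseSetCookie(header, now);
    if (parsed === null) continue;
    const stored = applyLifetimePolicy(host, parsed);
    report.push({
      host,
      name: parsed.name,
      requestedYears: parsed.persistent ? yearsUntil(parsed.expires, now) : 0,
      keptPersistent: stored.persistent,
    });
  }
  return report;
}

for (const row of auditCookies(SAMPLE_RESPONSES, NOW)) {
  console.log(
    `${row.host} ${row.name}: asked for ${row.requestedYears.toFixed(1)} years,` +
      ` stored as ${row.keptPersistent ? "persistent" : "session-only"}`
  );
}
```

Note the last line of the Firefox instructions above: the policy only affects cookies as they are set, which is why cookies stored before the setting was changed have to be deleted by hand.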
Any time you follow a link, or your browser downloads an image, the browser sends the URL of the source page to the destination server as the HTTP Referer header. Usually, this isn't a problem, except when:
RefControl easily fixes this with per-domain blocking or forging of referrers. Set "Default for sites not listed" to <Block>. This breaks very few sites; but, if you're unable to download a file, whitelist that site to "Normal" behavior in RefControl.
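As an added example (not code from the original post or from RefControl), the following models the per-destination policy described above: Block by default, with per-site overrides of Normal (send the real referrer) or Forge (send the destination's own root URL). It also shows what a destination would learn from an unblocked referrer. The site names, URLs and policy table are constructed; treating same-host requests as Normal and suppressing the referrer on https-to-http downgrades are my assumptions about sensible defaults, not settings taken from the add-on.

```javascript
// Added example: RefControl-style Referer policy. Not part of the original
// post or of RefControl itself; names and rules below are constructed.

const REFERER_POLICY = {
  default: "block",
  sites: {
    "downloads.example.org": "normal", // hotlink-protected downloads need it
    "forum.example.com": "forge",      // send a bland referrer instead of none
  },
};

// Find the rule for a destination host, letting subdomains inherit the rule
// of a listed parent domain ("cdn.forum.example.com" -> "forum.example.com").
function policyFor(host, policy) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join(".");
    if (policy.sites[candidate]) return policy.sites[candidate];
  }
  return policy.default;
}

// Decide the Referer value for a request from sourceUrl to destUrl.
// Returns null when no header should be sent.
function refererFor(sourceUrl, destUrl, policy) {
  const src = new URL(sourceUrl);
  const dst = new URL(destUrl);
  // Assumption: navigation within the same host keeps the real referrer.
  const rule = src.host === dst.host ? "normal" : policyFor(dst.host, policy);
  if (rule === "block") return null;
  if (rule === "forge") return `${dst.protocol}//${dst.host}/`;
  // Normal: browsers do not send an https: page URL to a plain-http target.
  if (src.protocol === "https:" && dst.protocol === "http:") return null;
  // Browsers also strip the fragment and any credentials before sending.
  return `${src.protocol}//${src.host}${src.pathname}${src.search}`;
}

// What the destination learns from a referrer: the path and query keys.
function leakedInfo(referer) {
  if (referer === null) return { path: null, queryKeys: [] };
  const u = new URL(referer);
  return { path: u.pathname, queryKeys: Array.from(u.searchParams.keys()) };
}

// Constructed scenario: a webmail page with a search in its URL loading
// resources from, or linking to, several third-party hosts.
const SOURCE = "https://mail.example.net/inbox?msgid=42&q=salary";
const DESTINATIONS = [
  "http://tracker.example.com/pixel.gif",
  "https://downloads.example.org/file.zip",
  "http://downloads.example.org/file.zip",
  "https://cdn.forum.example.com/logo.png",
];

for (const dest of DESTINATIONS) {
  const ref = refererFor(SOURCE, dest, REFERER_POLICY);
  const leak = leakedInfo(ref);
  console.log(`${dest}\n  Referer: ${ref === null ? "(none)" : ref}` +
    `\n  destination learns: ${leak.queryKeys.length ? leak.queryKeys.join(", ") : "nothing"}`);
}
```

With the default set to Block, the tracking pixel learns nothing about the page that loaded it; the one site whitelisted as Normal still receives the full source URL, query string included, which is why the whitelist should stay short.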
While not as universal as the extensions above, CustomizeGoogle can force GMail to use an encrypted connection (HTTPS), remove Google's click tracking code, and munge Google tracking cookies. However, CustomizeGoogle's default settings have “Google Suggest” enabled, which somewhat decreases privacy.
Without any extensions, Firefox downloads updates only from Mozilla. By installing any Firefox extension, you implicitly trust its authors and their web servers not to host a password-stealing or malware-infested update. There's no real solution besides completely separating unimportant browsing from important browsing (important passwords) with a virtual machine. Mozilla is starting to take add-on update security more seriously.