Protect Your Digital Privacy: Browser Security

The Revolution Will Be Facebooked

It might seem hard to believe that Ben Ali’s Tunisian dictatorship tried to nip the Arab Spring in the bud by stealing Facebook passwords. Yet as the revolution spread by message and image on the popular social networking service, that’s exactly what the security services attempted. To its credit, Facebook reacted quickly, in part by ensuring that all transmissions between Tunisian users’ computers and Facebook were encrypted by a protocol called Secure Socket Layer (SSL).

Opt for HTTPS (SSL) Whenever Possible

The standard web protocol (http) can theoretically be read and intercepted by third parties, particularly on insecure connections such as WiFi. Typically, secure sites such as banking or online shopping sites will secure their web connections with SSL, a common form of encryption. You can tell that your connection is encrypted because the URL at the top of your browser will show the connection as https rather than http. In some browsers, clicking on the icon to the left of the URL will launch a pop up window that will display additional information about the identity of the website and the security of the connection.

Many of the most popular websites, including Facebook, will allow users to set their web connection to https by default, if they have not already set the default to https, like Gmail. For users of browsers such as Firefox, installation of a plug-in such as the Electronic Frontier Foundation’s HTTPS Everywhere will force many popular sites to encrypt their connections, helping to protect both your passwords and your data while it is in transmission from your computer to theirs. (Https says nothing about the security of your data once it is on their site.)

No Scripts

Modern web sites rely heavily on far more than just the basic Hypertext Markup Language (HTML) in which the first web pages were written and which still forms the backbone of the World Wide Web. On the server side, sites are often constructed using such computer “scripting” languages as Perl, Python, PHP, and Ruby. However, websites also run “client-side” scripts in your browser on your computer, using such languages as JavaScript or java. This is not a bad thing, in fact, it is necessary if you are going to enjoy all the features of modern websites. However, it can also be an invitation to code malware or spyware into a website and run the program in your browser with undesirable consequences. One way to limit your exposure is with a plugin such as NoScript in Firefox or ScriptNo or other variants in Chrome. Be prepared for some frustration initially, because these scripts will basically shut down your browsing until you click on their icons and enable safe sites as you surf to them. (A plus for most people is that the script-blockers will also eliminate many advertisements as well, although if this is your main goal you may want to search for plugins such as AdBlock or install software such as privoxy, which is likely to be the topic of a future installment.)

Know Your Friends

Thinking about responding favorably to that unknown Facebook friend request? Common sense is once again the best defense. Think carefully, as opening up the personal information on your page may reveal more about you than you intend, and hackers have been known to use the personal information on Facebook accounts to guess passwords and security questions. Not to mention that police and gangsters routinely use Facebook to gain intelligence on each other. And if the cops are spying on the bad guys, who is to say that they (or your boss) are not also spying on you?

What Were You Doing There in the First Place?

One more way to stay out of trouble on the web is to avoid sites that your mama would not approve of. Sites with a poor reputation on the Internet – including sites hawking porn and stolen software – are considered more likely to try to infect your computer with malware. And remember that Uncle Sam’s knowledge of your visit may be only a subpoena away. So if you can’t be good, be careful. And for heavens sake don’t download software if you don’t trust the source. Both Microsoft and some plugins for third-party browsers provide some guidance on sites’ reputations. Windows users should take a look at SmartScreen Filter; any browser user may want to look into the Web of Trust. At the risk of belaboring the obvious, software is never a substitute for good judgment.

Basic Surfing Security

If digital ink could be measured by the barrel, then the amount spilled on the comparative security of various browsers could be measured by the vat. A simple Google Search was enough to quickly make my eyes glaze over (256,000,000 results). Modern web browsers are highly complex with millions of lines of code, and the result is that trying to create a definitive measure of security is quite difficult. Although the average user can attempt to learn the strengths and weaknesses of his particular browser and ameliorate the weaknesses inherent in complex software that interfaces with the Internet directly, no security measures should give a false sense of security about sharing information on the Internet. Like driving, surfing the Internet admits of reasonable precautions but also carries unavoidable risks.

Choose Your Download

Set your browser to force you to choose where to save your downloads. That way you will be alerted to any download you didn’t anticipate and do not want. As most people are aware, a classic means of spying on people’s computers is to persuade them to download a “Trojan horse.”

Keeping Up to Date

The first rule for better security and privacy is to keep your software up to date, especially your browser. You have thousands of experts trying to defend you by plugging vulnerabilities that have been discovered in old software, but their efforts go to naught if you fail to download and apply the latest fixes and patches.

In light of the current diversity in browsing and ongoing shifts in usage, no single prescription exists for keeping your browser up-to-date. Common sense dictates several simple steps:

  • Keep your system software up to date In many cases, your system software can be set to update automatically. My impression is that IT professionals will often forgo this option to exercise more control over what is installed on their systems. I compromise by making sure that my system at least alerts me when updates are necessary, but my personal opinion is that I had rather have my system update itself automatically than have it languish in the same state it was in 2009.
    • Windows Look for Windows Update in your Start Menu or Control Panel. (Location varies from one version of Windows to the next.)
    • Macintosh The MacOS has a similar Software Update function in the Apple Menu. Note that while this function updates the system software, and allows scheduling of system updates, it does not necessarily update individual apps (including possibly alternative browsers). For third-party software, check the Mac App Store.
    • Linux If you are using Linux, you are probably already familiar with the package manager particular to your system. Popular distributions such as Debian and Ubuntu will prompt you to update your software.
  • Antivirus Protection Have it, use it, update it. On my personal Windows machines, I typically use a free version of AVG. However, I almost never use Windows on my personal machine; if I used it more frequently, with more sensitive data, on a more exposed network, I would likely use a more robust and comprehensive commercial package.
  • Make Sure Your Individual Browser is Up to Date In some cases, updating your system software will also update the browser that came with your system. In other cases, you may need to update a third-party browser such as Firefox, Chrome, or Opera manually. In some cases, the browser itself will let you know that a new version is available and allow you to download and update a new version from within the current browser. If in doubt, update the browser. In other cases, you may actually have to go to the website for your browser, check the latest browser version, and download a new copy. (You can generally find the current version of your browser by looking at the “About” item on your “Help” menu.)
  • A word on Cookie Control and Private Surfing Browsers today tend to have a “Private Browsing” or “Incognito” feature that will let you surf without saving cookies (which can track your movements) or leaving entries in the browser’s web history. This feature has some value if all you want is to avoid having your on-line shopping session pop up on the family computer right before the holidays. However, they do nothing to limit the ability of your network administrator or Internet Service Provider to monitor your surfing.
  • Password Management This is a topic for a separate post, but suffice it to say that your browser’s built-in password management is generally not considered to be your best choice. (The post-it-note-on-your-desktop method is also disfavored.) I go to settings or options and turn off the “Save Passwords” feature.

More to Come

Future related topics are likely to include such topics as password management, safety on WiFi networks, and anonymous browsing.

Further Reading (Citation is not necessarily endorsement.)

Notes

  • Macintosh: I do not currently own a Apple Macintosh, so any observations are based purely on research and not personal experience.
  • Disclaimer: Except where noted, these are the observations of a computer user, not a computer expert, based on personal use and experience; you are encouraged to do your own research and, if in doubt, to seek the advice of a professional. The foregoing information is provided “as is” with NO WARRANTY of any kind, including but not limited to merchantability or fitness for a particular purpose. While this information is intended to be helpful, I disclaim any liability, express or implied; if your computer is hacked, cracked, or spontaneously combusts, it is your sole responsibility.
Advertisements
This entry was posted in Post and tagged , , , , , , . Bookmark the permalink.

3 Responses to Protect Your Digital Privacy: Browser Security

  1. Pingback: Protecting your online privacy — a series by Bill Day | Montgomery County Civil Rights Coalition

  2. Just set my Facebook browsing to “https” — thanks for the prompt to do so! Took me a bit of time to find the “Account Security” aka “Security Settings” page — it’s kind of hidden in plain view, listed in a left hand column of the “Account Settings” page the Facebook blog post points to. The link above takes you right to where to place your check mark to get “https” secure browsing when possible.

    Like

  3. Thanks also for the EFF “HTTPS Everywhere” tip — I’m a Firefox user, so I can take advantage of it. One thing that might seem scary is a Firefox message some [many/most/all?/not sure] users will get saying it’s blocking the site. But of course just clicking the “Allow” button just below that message and then the “Install Now” button in the new window overrides that.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s