Really basic web defense

Yes, your browser is under attack and dark forces want to know which sites you visit and what you click.

One thing going on is user tracking via cookies: small identifiers a site stores in your browser, which the browser then sends back with every later request to that site. There’s no keeping up with all the various schemes used by major sites like Google, Yahoo, and others, but suffice to say they, and the third-party providers (ad networks, analytics scripts, share buttons) embedded in other sites, are doing their best to follow your web activity and then “customize” your view of the web. Some of this works only when you’re logged in to sites like Facebook, My Yahoo, etc., but some works just by the basic actions of loading pages and images: an image fetched from a tracker’s domain carries that tracker’s cookie no matter which site embeds it, so the tracker sees you go from site to site. Almost all of it is hidden from casual users. It may not bother you, and you may be content to let marketers guide you to products and services they hope you’ll like. On the other hand…

To resist this to some degree, in rough order of increasing effort and increasing inconvenience:

DO NOT CLICK ON WHAT YOU DO NOT UNDERSTAND

The first, most vital rule. Delete email or classify it as “spam” unless you are positive of its provenance. What’s the worst that could happen? You might delete a bill notification or a personal note. Usually those things have a way of working themselves out; clicking on a faux “Free $1,000,000 Watch If You Click the Hamster’s Cute Nose” inducement is guaranteed to lead only to tears.

DO NOT GO TO UNKNOWN SITES

Harsh, a restatement of the most vital rule, and not much fun, but isn’t a quick Google of a site’s domain name or vetting with a friend better than leaping into a boiling cauldron of corruption?

IE, NOT

  • Don’t use Internet Explorer. Just don’t. Sorry if you like it. It’s worse on security and privacy. Yes, it is.
  • If you insist, make sure Explorer is not saving your passwords and set the security level to High; otherwise you’re insane.

FIREFOX

  • Close your browser and restart it often, especially after visiting any encrypted or secure sites (financial institutions, even shopping sites: anything with “https://” instead of “http://” in the URL). This discards session cookies and anything a page’s scripts were holding in memory. Persistent cookies survive a restart unless Firefox is set to clear them when it closes, so check that setting too
  • On the Firefox browser, use “Private Browsing”, which throws away cookies and history when the session ends
  • Set your Preferences to accept cookies but disable third-party cookies, so only the site in the address bar can set them
  • Turn off cookies altogether, or force cookie-by-cookie acceptance (“ask me every time”)

You’ll experience failures and ugly pages on many sites if you do this, and you’ll have to authorize MANY cookies if you choose to accept them manually. You can always re-enable cookies to use a bank site or other cookie-requiring site, and you can also choose to accept cookies only from particular domains, but the proliferation of third-party services used by sites means pages can still break.
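As an added example (not from the original post), here is a small JavaScript simulation of the tracking-pixel scheme described above, run under each of the cookie settings just listed. The site and tracker host names are made up, the cookie jar is a deliberate simplification of a real browser’s, and the policy numbers are the values of Firefox’s network.cookie.cookieBehavior preference.

```javascript
// Added example (not from the original post): a toy cookie jar that applies a
// browser's third-party cookie policy, and a tracking "pixel" server reached
// from two unrelated sites. Site and tracker names are made up.

// Policy values mirror Firefox's network.cookie.cookieBehavior preference:
// 0 = accept all, 1 = block third-party, 2 = block all.
const ACCEPT_ALL = 0;
const BLOCK_THIRD_PARTY = 1;
const BLOCK_ALL = 2;

class CookieJar {
  constructor(policy) {
    this.policy = policy;
    this.store = new Map(); // host -> Map(cookie name -> value)
  }

  // May a Set-Cookie from responseHost be stored while the page in the
  // address bar is on topHost? "Third-party" means the two hosts differ.
  accepts(topHost, responseHost) {
    if (this.policy === BLOCK_ALL) return false;
    if (this.policy === BLOCK_THIRD_PARTY && responseHost !== topHost) return false;
    return true;
  }

  set(topHost, responseHost, name, value) {
    if (!this.accepts(topHost, responseHost)) return false;
    if (!this.store.has(responseHost)) this.store.set(responseHost, new Map());
    this.store.get(responseHost).set(name, value);
    return true;
  }

  // Cookie the browser would attach to a request to host (undefined if none).
  get(host, name) {
    const cookies = this.store.get(host);
    return cookies ? cookies.get(name) : undefined;
  }
}

// The tracker serves pixel.gif from tracker.example. If the request carries
// its uid cookie it recognises the visitor; otherwise it mints a fresh id.
class Tracker {
  constructor() {
    this.log = [];   // one entry per pixel load: which site, which visitor id
    this.nextId = 1;
  }
  handle(embeddingSite, uidCookie) {
    const id = uidCookie || `visitor-${this.nextId++}`;
    this.log.push({ site: embeddingSite, id });
    return ['uid', id]; // i.e. Set-Cookie: uid=<id>
  }
}

// Simulate one browser, under the given policy, loading each site in turn.
// Every site's page embeds <img src="http://tracker.example/pixel.gif">;
// no JavaScript is needed on the page for this to work.
function browse(policy, sites) {
  const jar = new CookieJar(policy);
  const tracker = new Tracker();
  for (const site of sites) {
    const sent = jar.get('tracker.example', 'uid');
    const [name, value] = tracker.handle(site, sent);
    jar.set(site, 'tracker.example', name, value);
  }
  return tracker.log;
}

// How many distinct visitors does the tracker believe it saw?
function distinctIds(log) {
  return new Set(log.map((entry) => entry.id)).size;
}

const visits = ['news.example', 'shop.example', 'news.example'];
const policies = [['accept all', ACCEPT_ALL], ['block third-party', BLOCK_THIRD_PARTY], ['block all', BLOCK_ALL]];
for (const [label, policy] of policies) {
  const log = browse(policy, visits);
  console.log(`${label}: ${log.length} pixel loads, tracker saw ${distinctIds(log)} distinct visitor(s)`);
}
```

With “accept all” the three page loads come back as one visitor, so the tracker knows the same person read the news and then went shopping; with third-party cookies blocked, every load looks like a new visitor, while the first-party site (your bank, say) can still set and read its own session cookie. The simulation leaves out the ways a real tracker gets round the setting: once its cookie is stored as first-party (because you visited its own site, or were bounced through it by a redirect), a browser may send that cookie from third-party pages too, and a tracker that is also the first-party site needs no third-party cookie at all.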

ALL BROWSERS

  • Turn off Java support (the Java browser plugin, which is unrelated to JavaScript despite the name). Turn it back on only when a particular site needs it, and be very wary even then
  • Turn off JavaScript support. Painful: many pretty and useful sites use JavaScript extensively, yet it has a lot of unpleasant attack vectors. Notice it’s far down this list, as this one will annoy you and may require turning it back on for MOST places you like to visit

SECURITY IS PROPORTIONAL TO INCONVENIENCE: THE HARD PART

  • Research additional software tools/add-ons that actually do block ads, monitor annoying cookies, and so on, and that work with YOUR particular computer and software
  • Learn how to use said software, and actually use it
  • It would be great if I could offer specific suggestions that required no effort, but at the moment I can’t
  • If you don’t have time to learn a security tool and use it correctly, it will only drive you crazy and cause you more worry than the Bad Guys

Good luck!

1 Comment

  1. acilius

     August 1, 2010

    Thanks very much for this post, VThunderlad. I know I should take a more systematic approach to web security, and I think the thing I’ve most needed is a checklist to make sure I’m actually doing all the things I’m vaguely aware I’m supposed to do. I plan to use this post as such a checklist.
