Better Web Browsing

My web browser is by far the most threat-exposed application that I use on my laptop and mobile phone. Not only does it have to trust web developers and run the scripts they wrote, which probably aren’t all that great with respect to user security and privacy, it also has to deal with literally thousands of ad networks and other third party scripts that are specifically designed to invade your privacy by tracking you online.

The people behind these nasty things are not crooks or cyber criminals working from a shady basement, but are very smart people, working for the top Internet companies and making themselves and their employers more money than what you and I can imagine in our humble minds.

Given that billions of dollars are at stake, you and me as common Internet users don’t have much of a say in this. They will track you, trade your data, make money while you enjoy their ‘free’ services, and kick you out the moment you don’t comply with their policies or stop agreeing to their rules.

The only thing that we control is what data are we giving to these Internet giants. While not many people realize or even care about it, there are ways in which we can limit our data leaking to the Internet, and the first step in doing that is hardening your browser. This article is an attempt to cover a number of steps everyday Internet users can take to protect their identity online and improve their information security. I was inspired to take up this topic for writing after a detailed explanation on the same in Nathan House’s Network Security course on Udemy. Do check it out.

Know thy browser

Your browser is a very powerful piece of software. The level to which it can be fine tuned to serve you the content that you wish to see is huge. The about:config page has some very useful options for both privacy and security. While almost anybody might have a hard time configuring Firefox via the this menu, there’s a helpful website called ffprofile.com that does a great job at making sense of some of those options and exporting a pref.js file.

Make sure you read the options and select the ones that you need depending on your privacy and security needs. For example, I deselected the disable auto updates option because the privacy gain from doing it is minimal (for me), while the security trade-off is huge, potentially leaving me unarmed at times. If you, like me and most others, can’t go full Stallman-mode anytime soon, make sure you set up an alternate profile in Firefox (firefox -no-remote -ProfileManager) and set up non-secure browsing preferences there, selecting it via firefox -no-remote -P username, or using an addon. Learn more about Firefox profiling here.

Apart from that, try to use a non-tracking search engine like DuckDuckGo, StartPage etc, use incognito mode by default (in Preferences > Privacy and Security), and use history saving only when required and on trusted sites. Use HTTPS whenever possible (Check out EFF’s HTTPS Everywhere addon). There are addons available to notify you of certificate change in HTTPS enabled sites (which can hint a MITM attack), but they are of little practical value as sites update their certificates all the time. There are a bunch of useful addons that will come bundled with ffprofile, but you can also download them manually from Mozilla’s addon store.

Disable 3rd party cookies

3rd party cookies are used for tracking users on third party sites. It is usually harmless to disable them. What might not work after disabling them are your social like/share buttons and commenting platforms like Disqus, but that’s what we want in many cases. You can also consider setting up delete all cookies when you close the Firefox window.

Use a VPN

VPNs are not really part of browser hardening checklist, but they offer good privacy over any insecure network. A lot of middle men in your Internet packet’s journey can potentially know what sites you visit, especially on insecure HTTP connections. Even on HTTPS, your browser’s DNS lookup might give away some information about your browsing habits. On insecure HTTP website and a shared Wifi access point, you can assume at all times that the other users connected to that Wifi, the access point and the ISP can literally see each and every request that you make. VPN takes away this data leak by creating a virtual tunnel between your computer or mobile device and the VPN’s server. The connection is encrypted and hence sniffing cannot happen in between. All requests, even DNS can be (and should be) configured to use the VPN.

It is important to understand that sniffing can occur on the VPN’s end on an insecure connection, and hence you need to select a VPN provider with utmost care. Even after this, there’s a bit of trust involved when choosing a provider. Our best bet is to try to opt for a provider that maintains a zero knowledge service.

Use a password manager

Although it is an extremely bad practice to write passwords down, another very common mistake we as Internet users do is reuse passwords on many sites (I’m guilty as well), which in some cases is worse than writing down passwords for each individual online account. We know that at least some of the sites store your password in plaintext, while a lot more use weak hashing algorithms. Since we can never be sure, always assume that the password you submit to any site can be accessed by an adversary, and used against you. If you’ve reused your email provider’s password on any other site, the website’s admins or any attacker who has/gets access to the website’s database might be able to take over your email account and other services connected to that account. It is for this reason that using separate passwords become important.

However, as human beings, we have more important things to remember than random alphanumeric strings. This is where a password manager comes in. It takes away your responsibility of having to remember 15 different passwords by making you remember one master password. Sweet, huh? This might look like an extra point for failure, but in the broad scheme of things where an attacker might get one of your password and literally own your digital life, this is a much safer option. What’s more, the passwords are either never stored on the disk (generated on the fly based on the master password and website’s name) or stored in encrypted form on the disk (or in the cloud). On the downside, this also means that if you lose your master key, you lose all your accounts.

Use 2 factor authentication. Always.

Whenever it is an option, use a second factor of authentication. It can be anything; a phone call, SMS, email, authenticator app (like freeOTP) or whatever. The increased effort is totally worth it considering the alternative is to risk an asset, possibly an important one. Remember that defense in depth is an effective concept in security, both in the real and digital world, and we must make use of it wherever possible.

For the paranoids amongst us: Use a live operating system

A live operating system does not store any data in between sessions. Every time you log into the system, it is like logging into a freshly installed operating system. Naturally, there’s not much tracking that can be done, and as nothing is ever written to the disk, this method offers best privacy if done properly.

Using applications in virtual machines also protect users against sandbox escape vulnerabilities. Since we’re here, check out Tails Linux, a gnu+linux distribution that is designed to be used live and offers great tools to aid privacy. Another great live operating system is Whonix, which comes in form of a ‘gateway’ (connects to the tor network) and a ‘workstation’ (connects to the gateway). Then depending on your hardware, Qubes OS might be a good choice, something that I look forward to trying when I have compatible hardware.

Lastly, remember what Bruce Schneier told us

“The question to ask when you look at security is not whether this makes us safer, but whether it’s worth the trade-off.”

I’ll leave you with that TED talk here. Thank you for reading.