secure_browsing
secure_browsing [2019/08/04 17:17] – neil | secure_browsing [2021/07/06 09:26] (current) – external edit 127.0.0.1 | ||
---|---|---|---|
Line 2: | Line 2: | ||
====Key points: ==== | ====Key points: ==== | ||
+ | *[[#Use a VPN or Tor|Use a VPN or Tor]] | ||
*[[#Beware of " | *[[#Beware of " | ||
*[[#Use a trusted DNS server| Use a trusted DNS server]] (e.g. by using a VPN, or DNS-over-https, | *[[#Use a trusted DNS server| Use a trusted DNS server]] (e.g. by using a VPN, or DNS-over-https, | ||
*[[#Check for a padlock, but it doesn' | *[[#Check for a padlock, but it doesn' | ||
+ | *[[#Use two-factor authentication wherever you can|Use two-factor authentication wherever you can]] | ||
* [[#Use " | * [[#Use " | ||
+ | * [[#Block ads and trackers|Block ads and trackers]] | ||
+ | * [[#Block third-party cookies|Block third party cookies]] | ||
+ | * [[#Block unnecessary JavaScript|Block unnecessary JavaScript]] | ||
+ | |||
+ | ====Use a VPN or Tor==== | ||
+ | |||
+ | Unless you trust the network to which you are connecting (e.g. your home or office Wi-Fi) and the Internet service provider which provides that Internet connection, connect to a [[virtual_private_networks|VPN]] before you open your browser. | ||
+ | |||
+ | If you do not have a VPN, use [[tor|Tor]]. | ||
====Beware of " | ====Beware of " | ||
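Review bot: the new "Use a VPN or Tor" section moves trust from the network and ISP to the VPN provider without saying so; the provider now sees exactly what the untrusted network would have seen, and the old "Supercookies" paragraph removed further down already carried the caveat "assuming that your VPN provider is not modifying your traffic too", so keep a sentence to that effect here. Minor: the key-points entry "*[[#Block third-party cookies|Block third party cookies]]" hyphenates the link target but not the label; use "third-party" in both.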
Line 17: | Line 28: | ||
(In this case, Google controls both g00gle.com and google-email.com — probably for the very reason of trying to lessen the risk to users.) | (In this case, Google controls both g00gle.com and google-email.com — probably for the very reason of trying to lessen the risk to users.) | ||
- | But these all rely fooling you with a similar, but not correct, URL and, with some additional scrutiny and care, you should be able to keep yourself safe from these type of attacks. | + | Â |
+ | But these all rely on fooling you with a similar, but not correct, URL and, with some additional scrutiny and care, you should be able to keep yourself safe from these type of attacks. | ||
====Use a trusted DNS server==== | ====Use a trusted DNS server==== | ||
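Review bot: the right-hand side inserts a line containing only "Â" (a mis-encoded non-breaking space) ahead of the corrected sentence "But these all rely on fooling you ..."; drop that line, as it renders as a stray character in the wiki. While touching the sentence, "these type of attacks" should read "these types of attacks".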
Line 25: | Line 37: | ||
That's because: | That's because: | ||
- | * the system | + | * the Internet' |
- | * networks often try to be helpful and offer you a DNS service | + | * networks often try to be helpful and offer you a DNS service, but the outcome is that you are using the Internet equivalent of their own personal phone book, and you have no idea if they' |
The net result is that you could type the right URL into your browser, but still be directed to a fake site. | The net result is that you could type the right URL into your browser, but still be directed to a fake site. | ||
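Review bot: the rewritten bullets tell the reader they have no idea whether the network's DNS service is honest, and "The net result is that you could type the right URL into your browser, but still be directed to a fake site" follows, but nothing in the changed lines says what to do about it; the key-points entry for this section already names the remedies ("by using a VPN, or DNS-over-https"), so end the passage with a sentence pointing at those rather than leaving only the risk.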
Line 39: | Line 51: | ||
====Check for a padlock, but it doesn' | ====Check for a padlock, but it doesn' | ||
- | I’m going to talk about https and encryption in a couple of minutes,  | + | Before you send anything sensitive |
- | Now, hopefully, it would be pretty tricky for me to show a padlock | + | |
- | There are a couple of things I could do. | + | {{:: |
- | One would be to generate | + | If you see a padlock, it means that the connection between your browser and the web server is encrypted. Although people spying on your traffic can tell you are connecting |
- | Second, I could try to persuade you to accept | + | The padlock only means that the connection is encrypted. It is not a guarantee that the site is the right site, rather than one being operated by a fraudster. However, |
- | If I manage to do this, then you see the right URL in your address bar, and you see a padlock so you think “oh, good, the connection is encrypted”, | + | It is also no guarantee that the recipients of your data will not abuse it. |
- | To protect against this type of attack, you might consider something called two-factor authentication: | + | As a rule of thumb, be very wary giving personal data to a site which is not showing a padlock. But don’t rely on a padlock |
- | It would not stop the rogue site from getting your username and password but it should make it harder, if not impossible, for them to log in pretending to be you, as they would not have the ability to generate that one time token. | + | ====Think carefully before accepting untrusted certificates ==== |
+ | Sometimes, when you are browsing, you will see messages in your browser warning you of a security risk, that the site to which you are connecting is presenting an untrusted security certificate. | ||
+ | {{:: | ||
- | ====Https====Â | + | If you are connecting to a new piece of network hardware which you have just installed (such as a new router, or network-connected storage device) or new server software, and you are confident that the URL or IP address you have typed into your browser is correct, accepting the risk and proceeding should be fine. Even though there is a mismatch between |
- | I have already mentioned https — the secure version of hypertext transfer protocol, which is the series of messages for the transfer of data to and from a web server. | + | |
- | Generally told to look for the padlock. | + | If, however, you are just browsing and you stumble across an error like this, it is safest if you browse away from the site in question, without accepting the certificate. You might be fine, but it may also be an indication that someone is trying to intercept your browsing, or is trying to trick you into visiting a fraudulent copy of a site. |
- | Unfortunately, | + | ====Use two-factor authentication wherever you can ==== |
- | The padlock means just one thing: that the connection between your computer | + | In addition to a username |
- | Nothing more. Not that the operator is who you think they are, or that, even if they are, they are not doing something unwanted with your data. | + | It would not stop a rogue site from getting your username and password but it should make it harder, if not impossible, for them to log in pretending to be you, as they would not have the ability |
- | You may be sending data to a completely untrustworthy third party, | + | |
- | “secure” v “trusted”. No padlock, not encrypted. | + | |
- | As a general rule of thumb, be very wary giving personal data to a site which is not showing a padlock. But don’t rely on a padlock as a sign that everything is fine. | + | More information |
- | Check that the URL is what you are expecting. | ||
- | |||
- | Not good if you cannot see a padlock — but seeing one doesn’t mean that everything is fine. | ||
- | |||
- | Encrypts the communication between your browser and the server. Without it, anyone observing your traffic could see not only the other party to your communication, | ||
- | |||
- | Encryption does not make you invisible: DNS provider can still see your DNS lookups, and ISP can still see where you are going online. But not the pages which you are visiting, or the content of your transmissions, | ||
- | |||
- | So if you are sending your credit card details online, and don’t want them to be available to anyone observing your traffic, make sure you use an encrypted connection — but make sure you have verified that the site in question is what you are expecting. | ||
- | |||
- | Some degree of checking that the certificate has been issued to the right site? | ||
====Use " | ====Use " | ||
There’s a strong chance that your browser offers a “private browsing” mode. | There’s a strong chance that your browser offers a “private browsing” mode. | ||
+ | |||
+ | {{:: | ||
This was commonly discussed as a mode which you were supposed to use when buying a present for a loved one, so that they would not find traces of your secretive gift habits if they happened to use your computer. In reality, it’s pretty much universally known as “porn mode”, for much the same reason. | This was commonly discussed as a mode which you were supposed to use when buying a present for a loved one, so that they would not find traces of your secretive gift habits if they happened to use your computer. In reality, it’s pretty much universally known as “porn mode”, for much the same reason. | ||
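Review bot: in the new "Use two-factor authentication wherever you can" section, "it should make it harder, if not impossible, for them to log in pretending to be you" overstates the protection: the sentence's own premise is that the rogue site already holds your username and password, and the one-time token only helps if that site cannot also obtain the token from you at the same moment, so say "harder" and add that a fraudulent site which asks you for the code as well can use it while it is still valid. In the certificate section, "accepting the risk and proceeding should be fine" for newly installed hardware should state its two conditions plainly (you are on your own local network, and you typed the address yourself); the next paragraph already tells readers to browse away in every other case, so making the conditions explicit keeps the two paragraphs consistent.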
Line 91: | Line 92: | ||
If you do not want your //browser// to retain a record of what sites you have visited, private browsing mode is reasonable way of doing this — it saves you having to clear your history, cookies, cache etc manually. | If you do not want your //browser// to retain a record of what sites you have visited, private browsing mode is reasonable way of doing this — it saves you having to clear your history, cookies, cache etc manually. | ||
- | But private | + | Private |
- |  | + | * the sites you visit from logging information about you, such as your IP address. |
- | And it does not change any visibility which your network provider | + | |
So it can be a useful tool if you do not want your computer to retain information about your browsing, but be aware that it does not hide your browsing from your Internet provider. | So it can be a useful tool if you do not want your computer to retain information about your browsing, but be aware that it does not hide your browsing from your Internet provider. | ||
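Review bot: the rewritten private-browsing list has only one bullet ("the sites you visit from logging information about you, such as your IP address"), yet the closing sentence still says the mode "does not hide your browsing from your Internet provider"; the removed line "And it does not change any visibility which your network provider ..." covered that, so add a second bullet for the network or Internet provider so the list matches the summary. Also, "private browsing mode is reasonable way of doing this" is missing "a".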
Line 99: | Line 100: | ||
If you want to do that, then [[tor|Tor]], | If you want to do that, then [[tor|Tor]], | ||
+ | ====Block ads and trackers==== | ||
- | ====Cross-site | + | Many websites, |
- | Loading images from remote servers | + | Blocking adverts and trackers can cut down on this spying, and may also have the beneficial side effect of making web pages load faster. |
- | Every time you connect to a site, you are sending information to it — your IP address, and some information about your browser configuration. | + | There are various techniques for blocking these things: |
- | Where a page hosts images from multiple other sites, you are sending | + | * [[https:// |
+ | * As a bonus, if you use a VPN to connect back to your network, you can use your Pi-hole system | ||
+ | * on-device software, usually in the form of a browser plug-in, such as [[https:// | ||
- | So every time you load a page containing a Facebook element, your computer is talking to Facebook. Easy to build up a picture of your activity over time. | ||
- | Imagine every time you go into a shop, or visit a friend, or read a news story, you are ringing someone and saying “hi! I’m over here now!”. That is basically what is happening. | + | ====Block third-party |
- | Â | + | Sites may store information on your computer, in the form of small text files known as cookies. They may also use other techniques, such as running bits of code in your browser. |
- | Technically, | + | |
- | Â | + | |
- | ====Clearing your cookies | + | |
- | Sites may store information on your computer, in the form of cookies. | + | |
You can delete these (or refuse to receive them in the first place) through your browser settings. | You can delete these (or refuse to receive them in the first place) through your browser settings. | ||
- | Blocking all cookies might make some sites work poorly — if a cookie is used for keeping your login session active, for example, or maintaining the content of your shopping basket before you check out, disability | + | Blocking all cookies might make some sites work poorly — if a cookie is used for keeping your login session active, for example, or maintaining the content of your shopping basket before you check out, disabling |
- | Â | + | |
- | Removing cookies will limit the information that a site can collect on you, but will mean you need to keep logging in. | + | |
- | Â | + | |
- | ===“Supercookies”=== | + | |
- | Information injected into your browsing by your ISP. VPN may assist — assuming that your VPN provider is not modifying your traffic too… | + | |
- | ===Tracking without cookies===Â | + | Blocking third party cookies, |
- | Even without | + | |
- | Combination of IP address | + | For example, in Safari on macOS, it is in Settings / Privacy, |
- | EFF’s “panopticlick” tool: https:// | + | |
- | Looks at the variety of information available from your browser, and suggests how many other browsers will look indistinguishable from yours. When I tested my browser, it showed it would be pretty easy to identify it: 1 in 100,000 browsers. | + | {{:: |
- | ===Blocking ads=== | ||
- | A slightly controversial topic is that of blocking ads. | ||
- | This entails running software either on your phone or laptop, or else on the network itself, which attempts | + | ===Tracking without cookie is still possible===Â |
+ | Even without cookies, it may still be possible for a website | ||
- | The reason I say it is controversial is that, for all its sins, online advertising, | + | You can see how unique you are using the EFF’s [[https:// |
- | For me, that’s probably a good enough sign to leave, but others may feel differently. | + | ====Block unnecessary JavaScript==== |
- | Generally, irritating though they are, particularly when they block the flow of text on a page, it is not the advertisements themselves which are objectionable. | + | In addition to blocking ads and trackers, and blocking third party cookies, lots of websites use JavaScript. This can be for legitimate reasons such as improving the user interface, but they may also be malicious (such as using your computer' |
- | More usually, it is the fact that the advertisements are targeted. And, to achieve this, data about the sites you are visiting, and about your computer and software, and sent to third parties who run advertising networks, to enable them to try to shove you the advert which they think will get the best reaction from you. | + | Switching off JavaScript |
- | You might be surprised just how many people are tracking | + | If you find you cannot switch of JavaScript completely, |
- | Unfortunately, | + |
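Review bot: several wording slips in the new JavaScript and tracking text: "If you find you cannot switch of JavaScript completely" should read "switch off"; the sub-heading "===Tracking without cookie is still possible===" should say "cookies" and carries a stray "Â" (mis-encoded non-breaking space) after the closing "==="; and in "lots of websites use JavaScript. This can be for legitimate reasons ... but they may also be malicious", "they" has no clear antecedent, so say "the scripts may also be malicious". Also "Blocking third party cookies" should be hyphenated to match the section heading "Block third-party".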
secure_browsing.1564939053.txt.gz · Last modified: 2021/07/06 09:26 (external edit)