Differences

This shows you the differences between two versions of the page.

--- secure_browsing [2019/08/04 17:27] – neil
+++ secure_browsing [2021/07/06 09:26] (current) – external edit 127.0.0.1
@@ Line 2: / Line 2: @@
 ====Key points: ====
+  *[[#Use a VPN or Tor|Use a VPN or Tor]]
   *[[#Beware of "lookalike" domain names|Beware of "lookalike" domain names]]
   *[[#Use a trusted DNS server| Use a trusted DNS server]] (e.g. by using a VPN, or DNS-over-https, or Tor)
@@ Line 7: / Line 8: @@
   *[[#Use two-factor authentication wherever you can|Use two-factor authentication wherever you can]]
   * [[#Use "private browsing mode", but be aware of its limitations|Use "private browsing mode", but be aware of its limitations]] — use Tor Browser if you want more protection
+  * [[#Block ads and trackers|Block ads and trackers]]
+  * [[#Block third-party cookies|Block third party cookies]]
+  * [[#Block unnecessary JavaScript|Block unnecessary JavaScript]]
+====Use a VPN or Tor====
+Unless you trust the network to which you are connecting (e.g. your home or office Wi-Fi) and the Internet service provider which provides that Internet connection, connect to a [[virtual_private_networks|VPN]] before you open your browser.
+If you do not have a VPN, use [[tor|Tor]].
 ====Beware of "lookalike" domain names ====
@@ Line 18: / Line 28: @@
 (In this case, Google controls both g00gle.com and google-email.com — probably for the very reason of trying to lessen the risk to users.)
-But these all rely fooling you with a similar, but not correct, URL and, with some additional scrutiny and care, you should be able to keep yourself safe from these type of attacks.
+But these all rely on fooling you with a similar, but not correct, URL and, with some additional scrutiny and care, you should be able to keep yourself safe from these type of attacks.
 ====Use a trusted DNS server====
@@ Line 26: / Line 37: @@
 That's because:
-  * the system which handles the conversion of domain names to IP addresses — the domain name system — is fundamentally insecure. While some sites have adopted techniques to mitigate this, you are unlikely to know which sites have done this.
+  * the Internet's equivalent of a phone book, which handles the conversion of domain names to IP addresses — the domain name system — is fundamentally insecure. While some sites have adopted techniques to mitigate this, you are unlikely to know which sites have done this.
-  * networks often try to be helpful and offer you a DNS service — but the outcome is that you are using the Internet equivalent of their own personal phone book, and you have no idea if they've replaced some of the phone numbers with fake ones.
+  * networks often try to be helpful and offer you a DNS service, but the outcome is that you are using the Internet equivalent of their own personal phone book, and you have no idea if they've replaced some of the phone numbers with fake ones.
 The net result is that you could type the right URL into your browser, but still be directed to a fake site.
@@ Line 52: / Line 63: @@
 As a rule of thumb, be very wary giving personal data to a site which is not showing a padlock. But don’t rely on a padlock as a sign that everything is fine.
-====Use two-factor authentication wherever you can ====
+====Think carefully before accepting untrusted certificates ====
-In addition to a username and a password, some sites will let you also set an additional authentication factor, such as a time-limited code, which you have to enter before you can log in. This is very common for banks, and is increasingly common for other service providers.
+Sometimes, when you are browsing, you will see messages in your browser warning you of a security risk, that the site to which you are connecting is presenting an untrusted security certificate.
+{{::screenshot_2019-08-23_at_16.35.51.png?400|Security certificate error}}
+If you are connecting to a new piece of network hardware which you have just installed (such as a new router, or network-connected storage device) or new server software, and you are confident that the URL or IP address you have typed into your browser is correct, accepting the risk and proceeding should be fine. Even though there is a mismatch between the details in the certificate and the address to which you are connecting, your connection with the server will still be encrypted.
+If, however, you are just browsing and you stumble across an error like this, it is safest if you browse away from the site in question, without accepting the certificate. You might be fine, but it may also be an indication that someone is trying to intercept your browsing, or is trying to trick you into visiting a fraudulent copy of a site.
+====Use two-factor authentication wherever you can ====
-It would not stop a rogue site from getting your username and password but it should make it harder, if not impossible, for them to log in pretending to be you, as they would not have the ability to generate that unique time-sensitive code.
+In addition to a username and a password, some sites will let you also set an additional authentication factor, such as a time-limited code or a small hardware device, which you have to enter before you can log in. This is very common for banks, and is increasingly common for other service providers.
-Enable two-factor authentication wherever you can, but make sure you have a back-up mechanism.
+It would not stop a rogue site from getting your username and password but it should make it harder, if not impossible, for them to log in pretending to be you, as they would not have the ability to generate that unique time-sensitive code or possess the right hardware.
 More information on [[two-factor_authentication|two-factor authentication]].
@@ Line 66: / Line 85: @@
 There’s a strong chance that your browser offers a “private browsing” mode.
+{{::screenshot_2019-08-23_at_16.43.02.png?400|}}
 This was commonly discussed as a mode which you were supposed to use when buying a present for a loved one, so that they would not find traces of your secretive gift habits if they happened to use your computer. In reality, it’s pretty much universally known as “porn mode”, for much the same reason.
@@ Line 79: / Line 100: @@
 If you want to do that, then [[tor|Tor]], especially via [[https://www.torproject.org/download/|Tor Browser]], is a better option.
+====Block ads and trackers====
-====Cross-site and repeat-visit tracking====
+Many websites, and other third parties, will use different techniques to try and track you. This is mostly for the purpose of trying to learn more about you, in an attempt to show you what they think are relevant adverts.
-Loading images from remote servers
+Blocking adverts and trackers can cut down on this spying, and may also have the beneficial side effect of making web pages load faster.
-Every time you connect to a site, you are sending information to it — your IP address, and some information about your browser configuration.
+There are various techniques for blocking these things:
-Where a page hosts images from multiple other sites, you are sending your information to all of those sites.
+  * [[https://pi-hole.net|Pi-hole]] is a piece of software which you run on a computer on your network (it is named after the cheap, low-powered computer, the [[https://raspberrypi.org|Raspberry Pi]], which is excellent for this type of thing). You configure it so that all computers on your network (including computers, phones, and "smart" devices, such as TVs) use it as their chosen DNS server. It regularly checks online lists of known ad or tracking servers, and gives DNS look-ups for those sites a fake answer, so that you do not load them.
+    * As a bonus, if you use a VPN to connect back to your network, you can use your Pi-hole system to block adds on your computer or mobile device, wherever you are connecting from.
+  * on-device software, usually in the form of a browser plug-in, such as [[https://github.com/gorhill/uBlock#installation|uBlock Origin]] and [[https://www.ghostery.com|Ghostery]].
-So every time you load a page containing a Facebook element, your computer is talking to Facebook. Easy to build up a picture of your activity over time.
-Imagine every time you go into a shop, or visit a friend, or read a news story, you are ringing someone and saying “hi! I’m over here now!”. That is basically what is happening.
+====Block third-party cookies====
+Sites may store information on your computer, in the form of small text files known as cookies. They may also use other techniques, such as running bits of code in your browser.
-Technically, it does not matter if you are logged in or not — but staying logged in to Facebook, Twitter, LinkedIn etc can only help matters.
-====Clearing your cookies and cache====
-Sites may store information on your computer, in the form of cookies.
 You can delete these (or refuse to receive them in the first place) through your browser settings.
-Blocking all cookies might make some sites work poorly — if a cookie is used for keeping your login session active, for example, or maintaining the content of your shopping basket before you check out, disability cookies could result in a really poor user experience or failed transactions.
+Blocking all cookies might make some sites work poorly — if a cookie is used for keeping your login session active, for example, or maintaining the content of your shopping basket before you check out, disabling cookies could result in a poor user experience or failed transactions.
-Removing cookies will limit the information that a site can collect on you, but will mean you need to keep logging in.
-===“Supercookies”===
-Information injected into your browsing by your ISP. VPN may assist — assuming that your VPN provider is not modifying your traffic too…
-===Tracking without cookies===
+Blocking third party cookies, or enabling the option to prevent cross-site tracking, is unlikely to pose any usability problems, while increasing your privacy.
-Even without cookies, still possible to track you:
-Combination of IP address and browser-specific information.
+For example, in Safari on macOS, it is in Settings / Privacy, and it looks like this:
-EFF’s “panopticlick” tool: https://panopticlick.eff.org
-Looks at the variety of information available from your browser, and suggests how many other browsers will look indistinguishable from yours. When I tested my browser, it showed it would be pretty easy to identify it: 1 in 100,000 browsers.
+{{::screenshot_2019-08-04_at_19.20.14.png|}}
-===Blocking ads===
-A slightly controversial topic is that of blocking ads.
-This entails running software either on your phone or laptop, or else on the network itself, which attempts to detect requests your devices make for adverts embedded in webpages, and blocking them. The software to do this is readily and freely available.
+===Tracking without cookie is still possible===
+Even without cookies, it may still be possible for a website to single you out, using a combination of IP address and browser-specific information.
-The reason I say it is controversial is that, for all its sins, online advertising, especially targeted advertising, funds as lot of sites, and blocking ads may have an adverse impact of their viability. That’s increasingly why, if you have an ad blocker running, you see “ad walls” pop up on the page you are trying to visit, telling you to drop you ad blocker or else leave.
+You can see how unique you are using the EFF’s [[https://panopticlick.eff.org|“panopticlick” tool]].
-For me, that’s probably a good enough sign to leave, but others may feel differently.
+====Block unnecessary JavaScript====
-Generally, irritating though they are, particularly when they block the flow of text on a page, it is not the advertisements themselves which are objectionable.
+In addition to blocking ads and trackers, and blocking third party cookies, lots of websites use JavaScript. This can be for legitimate reasons such as improving the user interface, but they may also be malicious (such as using your computer's power to mine cryptocurrency) or else a vehicle for obtaining information.
-More usually, it is the fact that the advertisements are targeted. And, to achieve this, data about the sites you are visiting, and about your computer and software, and sent to third parties who run advertising networks, to enable them to try to shove you the advert which they think will get the best reaction from you.
+Switching off JavaScript is unlikely to be tenable, as it breaks core functionality of many sites, but there is no harm in trying it and seeing how you get on.
-You might be surprised just how many people are tracking you on your favourite websites — tools such as Ad Block Plus and Ghostery, which you add in to your browser, can help you see just how much is going on.
+If you find you cannot switch of JavaScript completely, tools such as [[https://noscript.net|NoScript]] are browser plug-ins which let you control what scripts get run.
-Unfortunately, there is no common way of accepting the advertising without the tracking, so your option is pretty much accept both or block both.