Differences

This shows you the differences between two versions of the page.

--- secure_browsing [2019/08/06 20:00] – neil
+++ secure_browsing [2021/07/06 09:26] (current) – external edit 127.0.0.1
@@ Line 28: / Line 28: @@
 (In this case, Google controls both g00gle.com and google-email.com — probably for the very reason of trying to lessen the risk to users.)
-But these all rely fooling you with a similar, but not correct, URL and, with some additional scrutiny and care, you should be able to keep yourself safe from these type of attacks.
+But these all rely on fooling you with a similar, but not correct, URL and, with some additional scrutiny and care, you should be able to keep yourself safe from these type of attacks.
 ====Use a trusted DNS server====
@@ Line 36: / Line 37: @@
 That's because:
-  * the system which handles the conversion of domain names to IP addresses — the domain name system — is fundamentally insecure. While some sites have adopted techniques to mitigate this, you are unlikely to know which sites have done this.
+  * the Internet's equivalent of a phone book, which handles the conversion of domain names to IP addresses — the domain name system — is fundamentally insecure. While some sites have adopted techniques to mitigate this, you are unlikely to know which sites have done this.
-  * networks often try to be helpful and offer you a DNS service — but the outcome is that you are using the Internet equivalent of their own personal phone book, and you have no idea if they've replaced some of the phone numbers with fake ones.
+  * networks often try to be helpful and offer you a DNS service, but the outcome is that you are using the Internet equivalent of their own personal phone book, and you have no idea if they've replaced some of the phone numbers with fake ones.
 The net result is that you could type the right URL into your browser, but still be directed to a fake site.
@@ Line 61: / Line 62: @@
 As a rule of thumb, be very wary giving personal data to a site which is not showing a padlock. But don’t rely on a padlock as a sign that everything is fine.
+====Think carefully before accepting untrusted certificates ====
+Sometimes, when you are browsing, you will see messages in your browser warning you of a security risk, that the site to which you are connecting is presenting an untrusted security certificate.
+{{::screenshot_2019-08-23_at_16.35.51.png?400|Security certificate error}}
+If you are connecting to a new piece of network hardware which you have just installed (such as a new router, or network-connected storage device) or new server software, and you are confident that the URL or IP address you have typed into your browser is correct, accepting the risk and proceeding should be fine. Even though there is a mismatch between the details in the certificate and the address to which you are connecting, your connection with the server will still be encrypted.
+If, however, you are just browsing and you stumble across an error like this, it is safest if you browse away from the site in question, without accepting the certificate. You might be fine, but it may also be an indication that someone is trying to intercept your browsing, or is trying to trick you into visiting a fraudulent copy of a site.
 ====Use two-factor authentication wherever you can ====
@@ Line 74: / Line 85: @@
 There’s a strong chance that your browser offers a “private browsing” mode.
+{{::screenshot_2019-08-23_at_16.43.02.png?400|}}
 This was commonly discussed as a mode which you were supposed to use when buying a present for a loved one, so that they would not find traces of your secretive gift habits if they happened to use your computer. In reality, it’s pretty much universally known as “porn mode”, for much the same reason.
@@ Line 96: / Line 109: @@
   * [[https://pi-hole.net|Pi-hole]] is a piece of software which you run on a computer on your network (it is named after the cheap, low-powered computer, the [[https://raspberrypi.org|Raspberry Pi]], which is excellent for this type of thing). You configure it so that all computers on your network (including computers, phones, and "smart" devices, such as TVs) use it as their chosen DNS server. It regularly checks online lists of known ad or tracking servers, and gives DNS look-ups for those sites a fake answer, so that you do not load them.
     * As a bonus, if you use a VPN to connect back to your network, you can use your Pi-hole system to block adds on your computer or mobile device, wherever you are connecting from.
-  * on-device software, usually in the form of a browser plug-in, such as [[https://adblockplus.org|Ad Block Plus]] and [[https://www.ghostery.com|Ghostery]].
+  * on-device software, usually in the form of a browser plug-in, such as [[https://github.com/gorhill/uBlock#installation|uBlock Origin]] and [[https://www.ghostery.com|Ghostery]].