There’s been a rash of browser exploits the last year or two, mostly centered around Java, Adobe’s PDF Reader, and Flash. “Best Practices” (Best Practices really means “You should do this because I think you should.”) suggests disabling all of them, which is fine, but doesn’t really address what most people need, which is a way to use the plugins they need when they need them, but block them the rest of the time. It is important to keep in mind that much malware gets picked up when visiting major websites. A cracker finds a hole in a web site, and then inserts a piece of malware that can take advantage of security flaws in Java, Adobe’s PDF Reader, or Flash, and your browser executes that code as you visit the website. Major sites such as NBC have hosted such malware, and for a while, Google served up malware in sponsored ads.
Here’s what I’ve come up with as a means for reducing my risk. I’m not an expert, but these measures are pretty easy to do and can help reduce your exposure to attack.
Use Two Browsers or Two Logins
The more you can separate your regular surfing from working with sensitive materials, the better off you are. Dedicating a computer to sensitive work is the best approach, but not practical for most people. A similar option would be to use a bootable optical disk, such as the Tails ISO, and reboot your machine to that before accessing sensitive data.
At a minimum, don’t use the browser you like to use for general web surfing for anything that is potentially sensitive. If you use Chrome for your daily dose of YouTube and Facebook, use Firefox or Opera for your banking and for accessing personnel data.
Another approach is to use two accounts. Create one account for general use, and a second for use with sensitive data.
Keep everything up to date
It’s hard to keep everything up to date, but you need to do it. An easy way is to use Qualys BrowserCheck. Make that your homepage, and then when you start the browser it will scan your system for updates to applications, plugins and the operating system.
Use OpenDNS with your laptop
OpenDNS provides free DNS services, and one thing they do is redirect you from known or suspected malware sites and help protect you from phishing schemes.
I particularly like OpenDNS because they also offer DNSCrypt, which gives you a secured connection to their DNS servers, which can help prevent man-in-the-middle attacks.
Block Popup Windows
Use Firefox’s preferences to block popup windows. If you need popups for a particular site, you can enable an exception. Chrome does this by default.
Plugins
There are a lot of plugins out there you can use to help tighten security. Here’s a short list of the ones that I think are the most effective.
Adblock Plus
Adblock Plus is pretty well known, but in case you haven’t heard of it, it will block banners, pop-ups and video ads.
LastPass
LastPass is a free service and plugin that stores your passwords, encrypted, in a little database, and will fill in web forms with your ID and password as well as other data. You can choose to store the passwords in their cloud, or you can store them locally, and it can sync passwords between browsers. Similar programs are KeePass and 1Password. The real advantage to this approach is that you use a long, strong password that is unique to each web site and service you visit, and you don’t have to remember any of them. When you need a password, you unlock the vault, LastPass fills it in for you, and you’re done.
One caveat: if you use a browser plugin to manipulate passwords, you really should segregate your sensitive work from your random surfing. The nature of the beast is such that the passwords are temporarily stored in RAM in clear text, so if some bit of malware can dump the RAM, it may have access to the password. Using a system like this is still much more secure than the alternative, but it is something to think about.
HTTPS Everywhere
The Electronic Frontier Foundation has made a plugin that will test for and use HTTPS if it is available for all the web sites you visit. It’s called HTTPS Everywhere (https://www.eff.org/https-everywhere), and is available for Chrome and Firefox. This will help keep your browser sessions from being sniffed or hijacked when you’re in the coffee shop.
NoScript
There are a number of plugins and settings you can use to control what runs in your browser, but for Firefox, NoScript (http://noscript.net/) provides the finest control. When you load a page, it will block all scripts and show you a list, and you choose the sites from which you will allow scripts to run. For similar control in Chrome, try NotScripts.
Both of these are painful at first if you’re using them correctly, because you need to read through the list of sites you’re allowing and limit what you allow. But once you have visited your usual sites, they are less intrusive. And they will show you which sites are trying to track you.
Additional Info
For additional settings, see the following web sites:
CERT on Securing Your Web Browser. This one does a much better job than I could to cover secure settings in Firefox.
Insanity.bit.com has a nice guide for securing Chrome.
Thanks to Alex Everett for helping with this article.