As web development has matured, so too have the applications and interfaces of websites and the browsers used to view and access them. The fact that we can do so much more on the web now than ever before comes with greater opportunities for criminals. Here, we go through some of the things people can do to ensure that they are browsing more safely.
This is an edited transcript from a video blog recording of Sarb Sembhi, CTO and the CISO for Virtually Informed, and his co-host Nick Ioannou, Director of Boolean Logic.
Today we're looking at browsing the internet more safely in small and medium-sized organisations; we're going to talk about using browsers securely and preserving privacy. We’re going to start by looking at what users get wrong with browsers and browsing.
What Users get Wrong with Browsers
Security professionals often suggest that if a user can ensure that their basic security hygiene is good, then they only need to be aware of the web sites they browse. Some of the basic things that users get wrong about browsers before they even start browsing include the following:
- Not updating the browser – for everyday secure browsing it is important to update each browser that the organisation authorises for use. This is a basic cyber hygiene activity that can easily be automated in most browsers. Attackers rely on browsers being left un-updated so that they can exploit older versions.
- Understanding the difference between security and privacy – these are two different concepts that are often intentionally confused by many service providers where they may want end users to compromise one for the other. Many of the big internet technology companies have been known to do this regularly. Users should insist on both, not one at the expense of the other. Whereas security is concerned with Confidentiality, Integrity and Availability (CIA), privacy is mainly concerned with Confidentiality (C).
- Encryption – this means encrypting not just the data between the browser and the website being visited, but all other data too, including the network connection and the Domain Name System (DNS) service. Users often forget that their internet service provider is able to track all their browsing unless they change the default DNS settings on their router, devices and/or browsers, or that when they connect to a Wi-Fi service in a public place, unless the connection is encrypted, all their data will be sent in plain text to the router and can be accessed by anyone. Attackers can use this information to plan how they may be able to attack a user.
- Saving Authentication Credentials in the browser – the functionality to save usernames and passwords within the browser has been around for many years; however, it is likely to be targeted by attackers. Because of this it is often better to save authentication information in a password manager, which can be accessed on all devices and browsers more easily. Attackers may try to exploit credentials saved in the browser to gain access to all passwords.
- Third party plugins / extensions – these have been a feature of modern browsers for many years and there have been many examples of plugins being used to track users, or even turning out to be malware. Many of the most useful functions of plugins and extensions have been incorporated into the browser over time; for example, the ability to view different file types is now built right into the browser through HTML and stylesheets. The different internet bodies responsible for standards have made things more consistent than they were in the past, thus reducing the need for those plugins and extensions, which often slowed down the browsing experience. Later we include a list of plugins and extensions which are still useful today for security and privacy.
- The lie of the “Private Browsing Mode” – users have often thought of this mode as functionality which stops websites from knowing about them or being able to track and collect their data. However, the reality is that it does nothing more than prevent someone on the user’s end from identifying which sites the user has visited. So, many users have relied on this functionality believing that they are browsing websites anonymously, when in fact they are not. This misunderstanding has wrongly given users the confidence to visit sites they would not otherwise have visited, with no added privacy at all – be they social media, dating or any other services.
- Mobile browsing is different to PC browsing – mobile operating platforms are essentially run by two competitors, so the competition is less intense now. However, both operating systems were developed to attract application developers to build more apps for their systems, and in both cases this meant allowing the developers to collect as much user information as they wanted without any user consent. Although this is changing, and we cover it later, mobile browsing on Android is far from private and has only just got better on Apple’s iOS devices.
Now let’s take a look at how some of these can be overcome with different tools or techniques to provide a more secure and private browsing experience.
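As an added illustration (not part of the original recording or article), four of the items above (updates, saved credentials, extensions and encrypted DNS) can be checked automatically where the organisation manages a Chromium-based browser through enterprise policy. The policy keys are Chromium enterprise policy names; the sample policy, the function name `audit_policy` and the wording of the findings are constructed for this example.

```python
import json

# Constructed sample: a managed-policy file as a small organisation might deploy it.
SAMPLE_POLICY = json.loads("""
{
  "PasswordManagerEnabled": true,
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": [],
  "DnsOverHttpsMode": "automatic",
  "RelaunchNotification": 2
}
""")


def audit_policy(policy):
    """Return one finding per hygiene item from the list above that is not enforced."""
    findings = []
    # Updates: 2 means a relaunch is required, so a downloaded update is applied.
    if policy.get("RelaunchNotification") != 2:
        findings.append("updates: relaunch after update is not enforced")
    # Saved credentials: if unset, users may still save passwords in the browser.
    if policy.get("PasswordManagerEnabled", True):
        findings.append("credentials: browser password saving is enabled")
    # Extensions: block everything ("*"), then allow named extensions only.
    if "*" not in policy.get("ExtensionInstallBlocklist", []):
        findings.append("extensions: no default-deny blocklist")
    # Encrypted DNS: "secure" forbids falling back to plain-text DNS.
    if policy.get("DnsOverHttpsMode") != "secure":
        findings.append("dns: DNS-over-HTTPS is not enforced")
    elif not policy.get("DnsOverHttpsTemplates"):
        findings.append("dns: no DNS-over-HTTPS resolver configured")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```
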