Secure Your Browser

As web users, we have little influence over the security of the sites we visit. However, we can ensure our browsers, and browsing experience, remain secure by following a few easy steps. Why not start off the year with the knowledge that your browser is better off than it was last year?

Update your browser

Chrome | Firefox | Internet Explorer | Opera | Safari
If your browser doesn’t support HTML5 content, you’re living in a technological past.
If your browser version is more than three months old, you’re living in an insecure past.
If your browser version is more than a year old, you’re infected with malware.

Consider verifying your environment with an online version check like Qualys BrowserCheck or Mozilla Plugin Check.

Enable HTTPS Always

Sites like Facebook, Google, and Twitter now use HTTPS by default. LinkedIn has an opt-in setting to force HTTPS. Demand this from others. The best protection comes from sites that implement HTTP Strict Transport Security (HSTS) and support DNSSEC. Sadly, these are scarce.
Update your bookmarks for each of these sites so you visit the https: version by default.
Encryption improves your privacy and defenses against sniffing or interception attacks when using Wi-Fi networks like those found in cafes, airports, or other public spaces.
Note that a public network that provides encrypted Wi-Fi using WEP or WPA/WPA2 with a pre-shared key doesn’t improve your privacy; anyone with the shared WEP or WPA key will be able to sniff your traffic. Shared secrets have less secrecy than you desire and more sharing than you expect.
HTTPS only works if your browser (and you!) pay attention to the certificate’s validity in the first place. Lots of mobile apps rely on HTTPS connections, but not all of them bother to verify certificates — missing the entire point of this protocol.
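The HSTS behaviour mentioned above, as an added example that is not from the original post: a small parser and evaluator for the Strict-Transport-Security header that follows the rules of RFC 6797 (the header is honoured only over HTTPS, max-age is required, directive names are case-insensitive, a repeated directive makes the header invalid, and max-age=0 clears the stored policy). The sample headers are constructed, not captured from real sites.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse an STS header value per RFC 6797; None means a browser ignores it."""
    seen = {}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        if name in seen:                 # repeated directive invalidates the header
            return None
        seen[name] = arg.strip().strip('"')
    if "max-age" not in seen or not seen["max-age"].isdigit():
        return None                      # max-age is the only required directive
    return HstsPolicy(
        max_age=int(seen["max-age"]),
        include_subdomains="includesubdomains" in seen,
        preload="preload" in seen,
    )

def hsts_status(scheme: str, sts_header: Optional[str]) -> str:
    """Describe what a browser does with a response's Strict-Transport-Security header."""
    if scheme.lower() != "https":
        return "ignored: HSTS is only honoured over HTTPS"
    if sts_header is None:
        return "none: site does not send HSTS"
    policy = parse_hsts(sts_header)
    if policy is None:
        return "ignored: malformed header"
    if policy.max_age == 0:
        return "cleared: max-age=0 removes the stored policy"
    scope = "host and subdomains" if policy.include_subdomains else "host only"
    return f"active: {policy.max_age}s, {scope}"

if __name__ == "__main__":
    # Constructed sample responses, not captured from real sites.
    samples = [("https", "max-age=31536000; includeSubDomains; preload"),
               ("http", "max-age=31536000"), ("https", "includeSubDomains"),
               ("https", None)]
    for scheme, header in samples:
        print(f"{scheme} {header!r} -> {hsts_status(scheme, header)}")
```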

Uninstall Flash

When was the last time you installed a non-critical update for Flash?
Removing Flash from your system removes a significant attack vector for malware and browser exploits. It also removes one vector for “evercookies”. (You’ll still be tracked by ad networks using other techniques.)
With Flash gone you might not be able to view some videos, but there are plenty of others that use HTML5’s <video> tag.

Chrome bundles its own version of Flash, which is unaffected by the stand-alone installer (and uninstaller). You must disable it within Chrome’s settings. (screenshot: Chrome disable Flash)

Disable Java

When was the last time you found a useful site that needed to run Java?
Disabling Java removes a significant attack vector for malware and browser exploits.
Don’t uninstall it completely, though. You’ll want it around to run Zed Attack Proxy.

Internet Explorer 10, 11 (screenshot: IE10 Disable Java)

Firefox (screenshot: Firefox disable Java)

Opera (screenshot: Opera disable Java)

Safari (screenshot: Safari disable Java)

Review Privacy Settings

Review the setting for third-party cookies; prefer to reject them outright.

Know how to enable the browser’s mode for “Private Browsing” (Firefox, Safari), a.k.a “Incognito Window” (Chrome), “InPrivate Browsing” (IE), “Private Window” (Opera).

Turn on Do Not Track headers. At the moment, this setting likely adds minimal improvement to your privacy. The background and controversy around this setting requires more than one article; check back for more details.

Chrome (screenshot: Chrome Privacy Settings)

Firefox (screenshot: Firefox Privacy Settings)

Internet Explorer (screenshot: IE9 Privacy Settings)

Internet Explorer 10, 11 (screenshots: IE10 Do Not Track header; IE10 Enable Enhanced Protected Mode)
(Understand benefits of Enhanced Protected Mode.)

Opera (screenshots: Opera Do Not Track; Opera Cookies)

Safari (screenshot: Safari 7 Do Not Track)

Safari iOS 6
Go to Settings > Safari > Accept Cookies. (screenshot: iOS Safari Accept Cookies)

Safari iOS 7
Go to Settings > Safari. Review the PRIVACY & SECURITY section. (screenshot: iOS Safari 7 Privacy & Security)

Mobile Device Settings

iOS 6 (iPad & iPhone)
Go to Settings > General > About > Advertising. (screenshot: iOS Limit Ad Tracking)

iOS 7 (iPad & iPhone)
Go to Settings > Privacy > Advertising. (screenshot: iOS 7 Limit Ad Tracking)

Manage Your Passwords

Your email address is often the primary password recovery method for accounts on other web sites. Choose a unique password for your email account. If the credentials for another of your accounts are compromised, then the attackers will not be able to immediately expand their reach into the “master key” that is your email.

If a web site supports it, enable account recovery and login verification with a mobile device (e.g. text messages). It’s more difficult for an attacker to gain control of a physical device in your possession than an email account on the web.

Updated January 2014 with Safari 7 and iOS 7 recommendations.
Updated January 2013 with IE10 and password recommendations.

Published by Mike Shema

Mike works with product security and DevSecOps teams to build safer applications. He also writes about information security, with an infusion of references to music (80s), sci-fi (apocalyptic), and horror (spooky) to keep the topics entertaining. He hosts the Application Security Weekly podcast.