As web users, we have little influence over the security of the sites we visit. However, we can ensure our browsers, and browsing experience, remain secure by following a few easy steps. Why not start off the year with the knowledge that your browser is better off than it was last year?
|Update your browser||Chrome | Firefox | Internet Explorer | Opera | Safari|
If your browser doesn’t support HTML5 content, you’re living in a technological past.
If your browser version is more than three months old, you’re living in an insecure past.
If your browser version is more than a year old, you’re infected with malware.
|Enable HTTPS Always||Sites like Facebook, Google, and Twitter now use HTTPS by default. LinkedIn has an opt-in setting to force HTTPS. Demand this from others. The best protection comes from sites that implement HTTP Strict Transport Security (HSTS) and support DNSSEC. Sadly, these are scarce.|
Update your bookmarks for each of these sites so you visit the
Encryption improves your privacy and defenses against sniffing or interception attacks when using Wi-Fi networks like those found in cafes, airports, or other public spaces.
Note that a public network that provides encrypted Wi-Fi using WEP or WPA/WPA2 with a pre-shared key doesn’t improve your privacy; anyone with the shared WEP or WPA key will be able to sniff your traffic. Shared secrets have less secrecy than you desire and more sharing than you expect.
HTTPS only works if your browser (and you!) pay attention to the certificate’s validity in the first place. Lots of mobile Apps rely on HTTPS connections, but not all of them bother to verify certificates — missing the entire point of this protocol.
|Uninstall Flash||When was the last time you installed a non-critical update for Flash?|
Removing Flash from your system removes a significant attack vector for malware and browser exploits. It also removes one vector for “evercookies“. (You’ll still be tracked by ad networks using other techniques.)
With Flash gone you might not be able to view some videos, but there are plenty others that use HTML5’s
|Chrome bundles its own version of Flash, which is unaffected by the stand-alone installer (and uninstaller). You must disable it within Chrome’s settings.|
|Disable Java||When was the last time you found a useful site that needed to run Java?|
Disabling Java removes a significant attack vector for malware and browser exploits.
Don’t uninstall it completely, though. You’ll want it around to run Zed Attack Proxy.
|Internet Explorer 10, 11|
|Review Privacy Settings||Review settings for Third-Party Cookies, prefer to reject them outright.
Know how to enable the browser’s mode for “Private Browsing” (Firefox, Safari), a.k.a “Incognito Window” (Chrome), “InPrivate Browsing” (IE), “Private Window” (Opera).
Turn on Do Not Track headers. At the moment, this setting likely adds minimal improvement to your privacy. The background and controversy around this setting requires more than one article; check back for more details.
|Internet Explorer 10, 11|
(Understand benefits of Enhanced Protected Mode.)
|Safari iOS 6|
|Safari iOS 7|
|Mobile Device Settings||iOS 6 (iPad & iPhone)|
|iOS 7 (iPad & iPhone)|
|Manage Your Passwords||Your email address is often the primary password recovery method for accounts on other web sites. Choose a unique password for your email account. If the credentials for another of your accounts are compromised, then the attackers will not be able to immediately expand their reach into the “master key” that is your email.
If a web site supports it, enable account recovery and login verification with a mobile device (e.g. text messages). It’s more difficult for an attacker to gain control of a physical device in your possession than an email account on the web.
Updated January 2014 with Safari 7 and iOS 7 recommendations.
Updated January 2013 with IE10 and password recommendations.