Keep your software and operating system up to date. For Windows, Secunia PSI (heavyweight, slow) or Filehippo's Update Checker (lighter weight) will help keep your apps current.
Browser Market Share stats
There are currently 2 good browsers and several marginal browsers:
- Google Chrome (good) - The web is google's business, so they have a lot of incentive to make their browser more usable and more secure for the average person.
- Firefox (good) - Firefox is rapidly improving today because it is competing with Chrome. Before Chrome was popular, Firefox was bloated, slow, and not advancing very fast. Mozilla Foundation has more of a freedom-oriented ideology than Google does, and the Firefox plugin/extension system is much more powerful.
- Internet Explorer 9.0+ - only available for Vista and Win7. IE9, the latest official release for windows 7 as of February 2013, is almost 2 years old. Microsoft has slower release cycles. Chrome and Firefox introduce major new features (including security and speed changes) every few months.
- Safari - not bad, but it's a browser mostly for OSX users, like IE is a browser for users of recent MS operating systems.
IE on Vista and Windows 7 supports TLS 1.1 and 1.2, but only if you enable it: Tools (gear) -> Internet Options -> Advanced tab, then scroll down to the bottom and tick TLS 1.1 and TLS 1.2.
Chrome starting with version 21 supports TLS 1.1, and 1.2 is hoped to land in version 31. Firefox support for TLS 1.1 is lagging.
In Chrome, go to the config menu, (top, far right), "Settings", scroll to bottom, click "show advanced settings", click "Content Settings", scroll down to the Plug-ins section, and select "Click to play". If you run into a site that doesn't work properly without flash, and you trust the site, on the right side of the URL bar there will be a puzzle piece logo (it's right next to the favorite-site Star). Click on that for options that let you allow plugins once, or every time you visit that site. This is the equivalent of plugin blocking in Firefox with flashblock.
Recommended extensions (you can find them by googling the browser name and the extension name together):
- Adblock / Adblock Plus (chrome or firefox) [subscriptions: Easylist and EasyPrivacy]
- Ghostery (chrome or firefox)
- HTTPS Everywhere (firefox)
SSL-management extensions: CertPatrol
You shouldn't use IE6 or IE7 unless they're mandatory, and in that case only use them for company-internal business (install Chrome or Firefox for general web browsing).
When a Microsoft goon says, "Friends don't let friends use IE6," there's probably something to it. More recently, an Australian Microsoft campaign compared using IE6 to drinking spoiled milk.
Your login information for most websites, including TFL, can be reset if a hacker gains access to your email account. Your email account and login information is therefore the most important web account you have (other than financial accounts which hopefully will not reset your password so easily); you should take extra steps to keep your email account(s) secure. Do not reuse your email account password(s) or banking password(s). Ever. The primary cause of account compromise, other than malware, is password reuse. One site gets compromised, typically exposing your email and password if they don't store passwords properly, and then your accounts on other sites where you use that email+password combination can be hacked with no additional effort.
If you use gmail, you automatically use SSL to access that account. If you have a smartphone or a dumb cellphone with free text messages, you should enable google's 2-factor authentication unless you can articulate a reason not to. Google even offers a "google authenticator" app which eliminates the need to receive SMS messages; you can generate the authentication codes simply by running the app.
Google Authenticator install instructions for Android, iOS, and Blackberry
Yahoo mail users: turn on SSL:
step 1: http://thefiringline.com/library/yahoo-ssl-1.png
step 2: http://thefiringline.com/library/yahoo-ssl-2.png
[SSL details for outlook.com interface to follow. SSL might be mandatory on hotmail/outlook now, like it is on Gmail. Not sure yet.]
If you use some other email provider for your main email account, make sure they support TLS/SSL. If they don't, switch email providers if possible.
***What do email scams look like? Example of an Email Scam
If you receive an email like that, the sender's email account has been hacked.
Set up recovery options in your email account, if possible. Typically that means a backup email address or a phone number or cell # for SMS. If your account gets hacked, that's bad, but it's even worse if you permanently lose access to the account, which can happen if google/yahoo/hotmail can't verify that you're the original owner. The best way to verify that is to link your account to another email address or to a phone number. Yes, there are privacy implications, but in most cases it's very minor compared to all the other information you send and receive via email. If it's such a big deal, then don't provide any backup contact info, and pray your account never gets hacked.
Password security is beyond the scope of this post, since TFL is not a very critical site. Password management applications include LastPass (some features free for desktop use, mobile client costs $12/yr), 1Password (costs $), or KeePass (KeePass1, KeePass2, KeePassX, KeePassDroid -- all free but you have to ensure compatibility between desktop and mobile clients, and set up syncing yourself).
+ Microsoft Security Essentials is free and pretty good. If you want to pay for an antivirus/security service, Eset Nod32 has a great reputation, and Comodo Internet Security is also frequently used (mostly for its sandboxing and firewall).
If you suspect an infestation, running multiple scanners gives the best chance of catching the malware. Here are some commonly recommended tools:
Other Security Measures
For Windows, Microsoft publishes a neat tool called the Microsoft Enhanced Mitigation Experience Toolkit [EMET], which uses several techniques to try to prevent malware from exploiting security problems in applications. In theory it might cause problems for some applications, so if you experience strange problems with a program, disable EMET features for that application before trying anything else.
There are some miscellaneous security-related (and some not-so-security-related) links at software tools and sites in the TFL library.
Virtual machines are a good idea if you're serious about security; the idea is to run stuff like web browsers or other untrusted programs in a VM sandbox (using software like VirtualBox, or Xen or KVM for the technically inclined), to keep any malware you may pick up isolated to that VM. Snapshots make it even better. If you're paranoid, check out http://qubes-os.org