The Firing Line Forums - View Single Post - **Web and Browser Security** (TFL supports TLS 1.2 and SPDY)

**tyme** · July 22, 2009, 10:26 PM

Keep your software and operating system up to date.

For Windows, Secunia PSI (heavyweight, slow) or Filehippo's Update Checker (lighter weight) will help keep your apps current.

Browsers
Browser Market Share stats
There are currently 2 good browsers and several marginal browsers:

Google Chrome (good) - The web is google's business, so they have a lot of incentive to make their browser more usable and more secure for the average person.
Firefox (good) - Firefox is rapidly improving today because it is competing with Chrome. Before Chrome was popular, Firefox was bloated, slow, and not advancing very fast. Mozilla Foundation has more of a freedom-oriented ideology than Google does, and the Firefox plugin/extension system is much more powerful.
Internet Explorer 9.0+ - only available for Vista and Win7. IE9, the latest official release for windows 7 as of February 2013, is almost 2 years old. Microsoft has slower release cycles. Chrome and Firefox introduce major new features (including security and speed changes) every few months.
Safari - not bad, but it's a browser mostly for OSX users, like IE is a browser for users of recent MS operating systems.

SSL/TLS Support
IE on Vista and Windows 7 supports TLS 1.1 and 1.2, but only if you enable it. Tools (gear) -> Internet Options -> Advanced tab. Scroll down to the bottom and select TLS 1.1 and TLS 1.2.

Chrome starting with version 21 supports TLS 1.1, and 1.2 is hoped to land in version 31. Firefox support for TLS 1.1 is lagging.

Browser Extensions

In Chrome, go to the config menu, (top, far right), "Settings", scroll to bottom, click "show advanced settings", click "Content Settings", scroll down to the Plug-ins section, and select "Click to play". If you run into a site that doesn't work properly without flash, and you trust the site, on the right side of the URL bar there will be a puzzle piece logo (it's right next to the favorite-site Star). Click on that for options that let you allow plugins once, or every time you visit that site. This is the equivalent of plugin blocking in Firefox with flashblock.

Recommended extensions (you can find them by googling the browser name and the extension name together):

Adblock / Adblock Plus (chrome or firefox) [subscriptions: Easylist and EasyPrivacy]
Noscript (firefox) - enable blocking globally, then whitelist individual sites that need javascript/plugins, and that are important to you, as you run across them.
Ghostery (chrome or firefox)
HTTPS Everywhere (firefox)

SSL-management extensions: CertPatrol and Convergence and Perspectives

You shouldn't use IE6 or IE7 unless they're mandatory, and in that case only use them for company-internal business (install Chrome or Firefox for general web browsing).
http://sociable.co/web/facebook-phas...pport-for-ie7/
http://googleenterprise.blogspot.com...-browsers.html
When a Microsoft goon says, "Friends don't let friends use IE6," there's probably something to it. More recently, an Australian Microsoft campaign compared using IE6 to drinking spoiled milk.

Email Security

Your login information for most websites, including TFL, can be reset if a hacker gains access to your email account. Your email account and login information is therefore the most important web account you have (other than financial accounts which hopefully will not reset your password so easily); you should take extra steps to keep your email account(s) secure. Do not reuse your email account password(s) or banking password(s). Ever. The primary cause of account compromise, other than malware, is password reuse. One site gets compromised, typically exposing your email and password if they don't store passwords properly, and then your accounts on other sites where you use that email+password combination can be hacked with no additional effort.

If you use gmail, you automatically use SSL to access that account. If you have a smartphone or a dumb cellphone with free text messages, you should enable google's 2-factor authentication unless you can articulate a reason not to. Google even offers a "google authenticator" app which eliminates the need to receive SMS messages; you can generate the authentication codes simply by running the app.
Google Authenticator install instructions for Android, iOS, and Blackberry

Yahoo mail users: turn on SSL:
step 1: http://thefiringline.com/library/yahoo-ssl-1.png
step 2: http://thefiringline.com/library/yahoo-ssl-2.png

Hotmail users:
[SSL details for outlook.com interface to follow. SSL might be mandatory on hotmail/outlook now, like it is on Gmail. Not sure yet.]

If you use some other email provider for your main email account, make sure they support TLS/SSL. If they don't, switch email providers if possible.

***What do email scams look like? Example of an Email Scam***
If you receive an email like that, the sender's email account has been hacked.

Set up recovery options in your email account, if possible. Typically that means a backup email address or a phone number or cell # for SMS. If your account gets hacked, that's bad, but it's even worse if you permanently lose access to the account, which can happen if google/yahoo/hotmail can't verify that you're the original owner. The best way to verify that is to link your account to another email address or to a phone number. Yes, there are privacy implications, but in most cases it's very minor compared to all the other information you send and receive via email. If it's such a big deal, then don't provide any backup contact info, and pray your account never gets hacked.

Password Security
Password security is beyond the scope of this post, since TFL is not a very critical site. Password management applications include LastPass (some features free for desktop use, mobile client costs $12/yr), 1Password (costs $), or KeePass (KeePass1, KeePass2, KeePassX, KeePassDroid -- all free but you have to ensure compatibility between desktop and mobile clients, and set up syncing yourself).

Anti-malware:
+ Microsoft Security Essentials is free and pretty good. If you want to pay for an antivirus/security service, Eset Nod32 has a great reputation, and Comodo Internet Security is also frequently used (mostly for its sandboxing and firewall).

If you suspect an infestation, running multiple scanners gives the best chance of catching the malware. Here are some commonly recommended tools:

TDSSKiller (by Kaspersky)
UnHackMe rootkit finder
Malwarebytes
SuperAntiSpyware
Spybot Search & Destroy
HijackThis is not recommended except as a last resort, because it is more aggressive. It is more of a boot-process and running-application auditor than a malware scanner. It helps when looking for suspicious programs. One of many forums where you can post HijackThis logs and get responses is at the HJT subforum of the MalwareBytes Forums.

Other Security Measures

For windows, Microsoft publishes a neat tool called the Microsoft Enhanced Mitigation Experience Toolkit [EMET], which uses several techniques to try to prevent malware from exploiting security problems in applications. It theoretically might cause problems for some applications, so if you experience strange problems with an program, disable EMET features for that application before trying anything else.

There are some miscellaneous security-related (and some not-so-security-related) links at software tools and sites in the TFL library.

VMs are a good idea if you're serious about security; the idea is to run stuff like web browsers or other untrusted programs in a VM sandbox (using software like VirtualBox or VMware) (or Xen or KVM for the technically inclined), to keep any malware you may pick up isolated to that VM. Snapshots make it even better. If you're paranoid, check out http://qubes-os.org

July 22, 2009, 10:26 PM	#1
tyme Staff Join Date: October 13, 2001 Location: Novalis 978-0553586251 Posts: 2,996	Web and Browser Security (TFL supports TLS 1.2 and SPDY) Keep your software and operating system up to date. For Windows, Secunia PSI (heavyweight, slow) or Filehippo's Update Checker (lighter weight) will help keep your apps current. Browsers Browser Market Share stats There are currently 2 good browsers and several marginal browsers: Google Chrome (good) - The web is google's business, so they have a lot of incentive to make their browser more usable and more secure for the average person. Firefox (good) - Firefox is rapidly improving today because it is competing with Chrome. Before Chrome was popular, Firefox was bloated, slow, and not advancing very fast. Mozilla Foundation has more of a freedom-oriented ideology than Google does, and the Firefox plugin/extension system is much more powerful. Internet Explorer 9.0+ - only available for Vista and Win7. IE9, the latest official release for windows 7 as of February 2013, is almost 2 years old. Microsoft has slower release cycles. Chrome and Firefox introduce major new features (including security and speed changes) every few months. Safari - not bad, but it's a browser mostly for OSX users, like IE is a browser for users of recent MS operating systems. SSL/TLS Support IE on Vista and Windows 7 supports TLS 1.1 and 1.2, but only if you enable it. Tools (gear) -> Internet Options -> Advanced tab. Scroll down to the bottom and select TLS 1.1 and TLS 1.2. Chrome starting with version 21 supports TLS 1.1, and 1.2 is hoped to land in version 31. Firefox support for TLS 1.1 is lagging. Browser Extensions In Chrome, go to the config menu, (top, far right), "Settings", scroll to bottom, click "show advanced settings", click "Content Settings", scroll down to the Plug-ins section, and select "Click to play". If you run into a site that doesn't work properly without flash, and you trust the site, on the right side of the URL bar there will be a puzzle piece logo (it's right next to the favorite-site Star). Click on that for options that let you allow plugins once, or every time you visit that site. This is the equivalent of plugin blocking in Firefox with flashblock. Recommended extensions (you can find them by googling the browser name and the extension name together): Adblock / Adblock Plus (chrome or firefox) [subscriptions: Easylist and EasyPrivacy] Noscript (firefox) - enable blocking globally, then whitelist individual sites that need javascript/plugins, and that are important to you, as you run across them. Ghostery (chrome or firefox) HTTPS Everywhere (firefox) SSL-management extensions: CertPatrol and Convergence and Perspectives You shouldn't use IE6 or IE7 unless they're mandatory, and in that case only use them for company-internal business (install Chrome or Firefox for general web browsing). http://sociable.co/web/facebook-phas...pport-for-ie7/ http://googleenterprise.blogspot.com...-browsers.html When a Microsoft goon says, "Friends don't let friends use IE6," there's probably something to it. More recently, an Australian Microsoft campaign compared using IE6 to drinking spoiled milk. Email Security Your login information for most websites, including TFL, can be reset if a hacker gains access to your email account. Your email account and login information is therefore the most important web account you have (other than financial accounts which hopefully will not reset your password so easily); you should take extra steps to keep your email account(s) secure. Do not reuse your email account password(s) or banking password(s). Ever. The primary cause of account compromise, other than malware, is password reuse. One site gets compromised, typically exposing your email and password if they don't store passwords properly, and then your accounts on other sites where you use that email+password combination can be hacked with no additional effort. If you use gmail, you automatically use SSL to access that account. If you have a smartphone or a dumb cellphone with free text messages, you should enable google's 2-factor authentication unless you can articulate a reason not to. Google even offers a "google authenticator" app which eliminates the need to receive SMS messages; you can generate the authentication codes simply by running the app. Google Authenticator install instructions for Android, iOS, and Blackberry Yahoo mail users: turn on SSL: step 1: http://thefiringline.com/library/yahoo-ssl-1.png step 2: http://thefiringline.com/library/yahoo-ssl-2.png Hotmail users: [SSL details for outlook.com interface to follow. SSL might be mandatory on hotmail/outlook now, like it is on Gmail. Not sure yet.] If you use some other email provider for your main email account, make sure they support TLS/SSL. If they don't, switch email providers if possible. *What do email scams look like? Example of an Email Scam* If you receive an email like that, the sender's email account has been hacked. Set up recovery options in your email account, if possible. Typically that means a backup email address or a phone number or cell # for SMS. If your account gets hacked, that's bad, but it's even worse if you permanently lose access to the account, which can happen if google/yahoo/hotmail can't verify that you're the original owner. The best way to verify that is to link your account to another email address or to a phone number. Yes, there are privacy implications, but in most cases it's very minor compared to all the other information you send and receive via email. If it's such a big deal, then don't provide any backup contact info, and pray your account never gets hacked. Password Security Password security is beyond the scope of this post, since TFL is not a very critical site. Password management applications include LastPass (some features free for desktop use, mobile client costs $12/yr), 1Password (costs $), or KeePass (KeePass1, KeePass2, KeePassX, KeePassDroid -- all free but you have to ensure compatibility between desktop and mobile clients, and set up syncing yourself). Anti-malware: + Microsoft Security Essentials is free and pretty good. If you want to pay for an antivirus/security service, Eset Nod32 has a great reputation, and Comodo Internet Security is also frequently used (mostly for its sandboxing and firewall). If you suspect an infestation, running multiple scanners gives the best chance of catching the malware. Here are some commonly recommended tools: TDSSKiller (by Kaspersky) UnHackMe rootkit finder Malwarebytes SuperAntiSpyware Spybot Search & Destroy HijackThis is not recommended except as a last resort, because it is more aggressive. It is more of a boot-process and running-application auditor than a malware scanner. It helps when looking for suspicious programs. One of many forums where you can post HijackThis logs and get responses is at the HJT subforum of the MalwareBytes Forums. Other Security Measures For windows, Microsoft publishes a neat tool called the Microsoft Enhanced Mitigation Experience Toolkit [EMET], which uses several techniques to try to prevent malware from exploiting security problems in applications. It theoretically might cause problems for some applications, so if you experience strange problems with an program, disable EMET features for that application before trying anything else. There are some miscellaneous security-related (and some not-so-security-related) links at software tools and sites in the TFL library. VMs are a good idea if you're serious about security; the idea is to run stuff like web browsers or other untrusted programs in a VM sandbox (using software like VirtualBox or VMware) (or Xen or KVM for the technically inclined), to keep any malware you may pick up isolated to that VM. Snapshots make it even better. If you're paranoid, check out http://qubes-os.org __________________ Proud reseller of little geisha dolls with big heads that wobble. Last edited by tyme; May 9, 2013 at 05:43 AM.