The Firing Line Forums

Old July 22, 2009, 10:26 PM   #1
tyme
Staff
 
Join Date: October 13, 2001
Location: Novalis 978-0553586251
Posts: 2,999
**Web and Browser Security** (TFL supports TLS 1.2 and SPDY)

Keep your software and operating system up to date.

For Windows, Secunia PSI (heavyweight, slow) or Filehippo's Update Checker (lighter weight) will help keep your apps current.

Browsers
Browser Market Share stats
There are currently 2 good browsers and several marginal browsers:
  • Google Chrome (good) - The web is Google's business, so they have a lot of incentive to make their browser more usable and more secure for the average person.
  • Firefox (good) - Firefox is rapidly improving today because it is competing with Chrome. Before Chrome was popular, Firefox was bloated, slow, and not advancing very fast. Mozilla Foundation has more of a freedom-oriented ideology than Google does, and the Firefox plugin/extension system is much more powerful.
  • Internet Explorer 9.0+ - only available for Vista and Win7. IE9, the latest official release for Windows 7 as of February 2013, is almost 2 years old. Microsoft has slower release cycles. Chrome and Firefox introduce major new features (including security and speed changes) every few months.
  • Safari - not bad, but it's a browser mostly for OSX users, like IE is a browser for users of recent MS operating systems.

SSL/TLS Support
IE on Vista and Windows 7 supports TLS 1.1 and 1.2, but only if you enable it. Tools (gear) -> Internet Options -> Advanced tab. Scroll down to the bottom and select TLS 1.1 and TLS 1.2.

Chrome starting with version 21 supports TLS 1.1, and 1.2 is hoped to land in version 31. Firefox support for TLS 1.1 is lagging.

Browser Extensions

In Chrome, go to the config menu (top, far right), "Settings", scroll to bottom, click "show advanced settings", click "Content Settings", scroll down to the Plug-ins section, and select "Click to play". If you run into a site that doesn't work properly without Flash, and you trust the site, on the right side of the URL bar there will be a puzzle piece logo (it's right next to the favorite-site Star). Click on that for options that let you allow plugins once, or every time you visit that site. This is the equivalent of plugin blocking in Firefox with Flashblock.

Recommended extensions (you can find them by googling the browser name and the extension name together):
  • Adblock / Adblock Plus (chrome or firefox) [subscriptions: Easylist and EasyPrivacy]
  • NoScript (firefox) - enable blocking globally, then whitelist individual sites that need JavaScript/plugins, and that are important to you, as you run across them.
  • Ghostery (chrome or firefox)
  • HTTPS Everywhere (firefox)

SSL-management extensions: CertPatrol and Convergence and Perspectives

You shouldn't use IE6 or IE7 unless they're mandatory, and in that case only use them for company-internal business (install Chrome or Firefox for general web browsing).
http://sociable.co/web/facebook-phas...pport-for-ie7/
http://googleenterprise.blogspot.com...-browsers.html
When a Microsoft goon says, "Friends don't let friends use IE6," there's probably something to it. More recently, an Australian Microsoft campaign compared using IE6 to drinking spoiled milk.


Email Security

Your login information for most websites, including TFL, can be reset if a hacker gains access to your email account. Your email account and login information is therefore the most important web account you have (other than financial accounts which hopefully will not reset your password so easily); you should take extra steps to keep your email account(s) secure. Do not reuse your email account password(s) or banking password(s). Ever. The primary cause of account compromise, other than malware, is password reuse. One site gets compromised, typically exposing your email and password if they don't store passwords properly, and then your accounts on other sites where you use that email+password combination can be hacked with no additional effort.

If you use Gmail, you automatically use SSL to access that account. If you have a smartphone or a dumb cellphone with free text messages, you should enable Google's 2-factor authentication unless you can articulate a reason not to. Google even offers a "Google Authenticator" app which eliminates the need to receive SMS messages; you can generate the authentication codes simply by running the app.
Google Authenticator install instructions for Android, iOS, and Blackberry

Yahoo mail users: turn on SSL:
step 1: http://thefiringline.com/library/yahoo-ssl-1.png
step 2: http://thefiringline.com/library/yahoo-ssl-2.png

Hotmail users:
[SSL details for outlook.com interface to follow. SSL might be mandatory on hotmail/outlook now, like it is on Gmail. Not sure yet.]

If you use some other email provider for your main email account, make sure they support TLS/SSL. If they don't, switch email providers if possible.

***What do email scams look like? Example of an Email Scam***
If you receive an email like that, the sender's email account has been hacked.

Set up recovery options in your email account, if possible. Typically that means a backup email address or a phone number or cell # for SMS. If your account gets hacked, that's bad, but it's even worse if you permanently lose access to the account, which can happen if google/yahoo/hotmail can't verify that you're the original owner. The best way to verify that is to link your account to another email address or to a phone number. Yes, there are privacy implications, but in most cases it's very minor compared to all the other information you send and receive via email. If it's such a big deal, then don't provide any backup contact info, and pray your account never gets hacked.

Password Security
Password security is beyond the scope of this post, since TFL is not a very critical site. Password management applications include LastPass (some features free for desktop use, mobile client costs $12/yr), 1Password (costs $), or KeePass (KeePass1, KeePass2, KeePassX, KeePassDroid -- all free but you have to ensure compatibility between desktop and mobile clients, and set up syncing yourself).

Anti-malware:
+ Microsoft Security Essentials is free and pretty good. If you want to pay for an antivirus/security service, Eset Nod32 has a great reputation, and Comodo Internet Security is also frequently used (mostly for its sandboxing and firewall).

If you suspect an infestation, running multiple scanners gives the best chance of catching the malware. Here are some commonly recommended tools:

Other Security Measures

For Windows, Microsoft publishes a neat tool called the Microsoft Enhanced Mitigation Experience Toolkit [EMET], which uses several techniques to try to prevent malware from exploiting security problems in applications. It theoretically might cause problems for some applications, so if you experience strange problems with a program, disable EMET features for that application before trying anything else.

There are some miscellaneous security-related (and some not-so-security-related) links at software tools and sites in the TFL library.

VMs are a good idea if you're serious about security; the idea is to run stuff like web browsers or other untrusted programs in a VM sandbox (using software like VirtualBox or VMware) (or Xen or KVM for the technically inclined), to keep any malware you may pick up isolated to that VM. Snapshots make it even better. If you're paranoid, check out http://qubes-os.org
__________________
Proud reseller of little geisha dolls with big heads that wobble.

"Want to keep guns out of the hands of felons? Make fewer felons in the first place." --Vanya

Last edited by tyme; May 9, 2013 at 05:43 AM.
Old September 11, 2009, 11:00 AM   #2
billyj571
Member
 
Join Date: November 5, 2008
Location: 30 Miles n of Seattle
Posts: 25
support

Thanks, that's helpful.
Old October 17, 2009, 12:23 PM   #3
Bud Helms
Staff
 
Join Date: December 31, 1999
Location: Middle Georgia
Posts: 12,907
Good post, tyme. I just noticed it.
__________________
"The irony of the Information Age is that it has given new respectability to uninformed opinion." - John Lawton, speaking to the American Association of Broadcast Journalists in 1995
Old March 12, 2010, 12:16 PM   #4
Te Anau
Senior Member
 
Join Date: June 17, 2004
Location: Somewhere south of the North pole
Posts: 3,824
A lot of the above (and in the security link) is great info but well beyond the scope of your "average" computer user. If I know someone who is having computer issues I recommend the following.

1. Open "My computer", go to your "C" drive and right click on properties. Click on tools and schedule an error check after checking both boxes to automatically fix errors and scan for and attempt recovery of bad sectors. Restart your computer and let scan commence.

2. Go to www.cnet.com and download Malwarebytes. Install program, check for updates and run full scan. Manually check for updates about once a month and manually run a full scan weekly.

3. Go to www.cnet.com and download "Super anti-spyware free edition". Install program, check for updates and run full scan. Manually check for updates about once a month and manually run a full scan weekly.

4. Go to www.free-av.com and download Avira AntiVir as your free anti virus program. Install, check for updates and run full scan. This program will monitor your computer as you surf and if set up correctly will automatically download updates. Run scan at least every week.

5. Go to www.cnet.com and download "CCleaner". Install program, leave on default settings with one exception. Go into the settings area and check one of the boxes for secure file deletion. I use and recommend 3 overwrites. This program should be run weekly and will remove a tremendous amount of garbage from your typical "abused" home computer.
__________________
"Patriotism is supporting your country all the time, and your government when it deserves it." --American author Mark Twain (1835-1910)

Last edited by Mal H; March 12, 2010 at 12:48 PM. Reason: Edited format
Old March 12, 2010, 01:29 PM   #5
Brian Pfleuger
Staff
 
Join Date: June 25, 2008
Location: Central, Southern NY, USA
Posts: 14,520
Quote:
Originally Posted by Te Anau
If I know someone who is having computer issues I recommend the following.
I used to do all that too (well, if they refused to buy a Mac, which is the best solution), but nowadays Microsoft Security Essentials handles virtually all of those tasks, does it pretty well, and is also free. You're right about the disk scan part too; most people never do that.



The correct answer is still "Buy a Mac" but some people are slow to listen.
__________________
Still happily answering to the call-sign Peetza.
---
You do not HAVE a soul. You ARE a soul. You HAVE a body.
-C.S. Lewis
He is no fool who gives what he can not keep to gain what he can not lose.
-Jim Eliott, paraphrasing Philip Henry.
Old March 12, 2010, 06:07 PM   #6
Te Anau
Senior Member
 
Join Date: June 17, 2004
Location: Somewhere south of the North pole
Posts: 3,824
Quote:
The correct answer is still "Buy a Mac" but some people are slow to listen.
They're too expensive and the amount of freebies is muuuuuucccchh smaller than that available for Windows machines. I guess new Macs may run some Windows stuff. Still too much $$$$$ however.
__________________
"Patriotism is supporting your country all the time, and your government when it deserves it." --American author Mark Twain (1835-1910)
Old October 7, 2010, 06:32 AM   #7
Jimmy10mm
Senior Member
 
Join Date: June 16, 2010
Location: Greenacres, FL
Posts: 864
Quote:
They're too expensive and the amount of freebies is muuuuuucccchh smaller than that available for Windows machines. I guess new Macs may run some Windows stuff. Still too much $$$$$ however
There is also Linux. I run Ubuntu on a PC at home and another at work. I haven't spent a dime on anything but hardware in years.
All times are GMT -4. The time now is 08:37 PM.


This site and contents, including all posts, Copyright © 1998-2013 S.W.A.T. Magazine