A couple of our recent posts have covered how to keep your login information secure and how to secure your local environment. In the latter we briefly mentioned how important it is to browse the web safely. Malicious content served from a website is by far one of the biggest and most common threats to the security of your computer. The best advice that I can offer concerning safe web browsing is simple: trust nothing.
It should come as no surprise that browsing unsavory websites, such as those containing adult or pirated content, comes with a risk of infecting your computer. Unfortunately, this same potential exists with every single website out there. Some might think that a reputable company’s website must be safe to visit, but that is not the case. Back in February, NBC’s website was compromised and ended up serving malicious content to users. Just this past August, the New York Times’ DNS was hijacked, leaving near endless possibilities for attackers to abuse. Again, my advice on handling this would be to trust nothing.
As we discussed in prior posts, keeping your operating system and all software updated is a vital part of maintaining your computer’s security. When it comes to web browsing specifically, this includes your web browser and all plugins or add-ons. Malicious content on a website is typically going to target a vulnerability in the web browser itself or in one of its plugins, which will frequently be Flash or Java. If you can manage to keep these patched at all times, you’re ahead of the game and well protected from known vulnerabilities. But what do we do about unknown or zero-day vulnerabilities? Again, the answer is simple: trust nothing. With all of the threats out there, you simply cannot go around browsing websites with JavaScript, Java, and Flash enabled.
I’ve been a Firefox user for a very long time and this is mainly because of the add-ons that I use. I cannot stress enough how good the NoScript add-on is for general web browsing. In short, it will block JavaScript, Java, Flash, and other items on any website that you visit. You can then selectively enable these temporarily or permanently as you need them. Having these items blocked by default provides a very significant amount of protection should you stumble upon a compromised website.
Below is a small example of what you might see from NoScript when browsing a website.
In this case the user has visited the secunia.com website and all scripts have been blocked on it by default. Oftentimes a website will display just fine with these blocked, but in other cases you may have to allow them. Many websites will have several entries listed, such as google-analytics.com if the site uses Google Analytics for its statistics, or youtube.com and ytimg.com if a YouTube video is embedded in the page. These can all be selectively enabled one at a time, or you can even allow everything on the page if you like. If you’re constantly allowing everything, though, you’re largely defeating the purpose of this add-on. As you continue to use NoScript you will become more familiar with it and with what may need to be allowed on a page. It really is a great tool once you get used to it.
Maintaining proper computer security is all about reasonably minimizing your risk, because you will never be completely immune from infection. You can turn your computer off and avoid all of this, but then how would you browse the web? There are always additional steps that can be taken, but you have to weigh the pros and cons of each. If you wanted to take this a step further, you could opt to not browse any websites on your computer directly and instead use virtual machines. VirtualBox, VMware, and Parallels are all great for setting up virtual machines on your personal computer. This allows you to set up an environment where you can isolate your web activity and help keep it from directly impacting your base operating system. You could even use multiple virtual machines to separate different tasks, such as banking or financial-related browsing and general browsing, reducing your risk even further.
This is by no means an all-encompassing, bulletproof guide to safe web browsing. Working in the web hosting industry allows us to see what goes on behind the scenes, how websites are frequently compromised due to unpatched scripts, and the types of malicious content attackers try to publish. I just wanted to briefly share some tips with you on safe web browsing practices. If you have any suggestions of your own, please feel free to leave them in the comments here. I would love to hear them!