Securing Your Browsing
Hello amateur and professional Cybersecurity people! Everyone is a Cybersecurity person, because although you may not make your living protecting a company’s data, you certainly must consider security in your personal life with your own data. I hope to make this post meaningful for everyone.
We have all seen the ads: “Secure your internet with <fill in the vendor> VPN.” But, does that really secure your Internet browsing? And if so, from what? I want to take a look at the types of risks that you can face on the Internet, and what options are available to mitigate those risks.
Defining the risk
When I talk to anyone about security, the first question I always ask is, “What are you trying to secure against?” The answer may seem obvious: “Bad stuff!” However, I submit that this question deserves a little more thought, because it drives your entire focus and approach to your security posture. There is no shortage of security products, all promising the silver bullet, all willing to take your money. However, they do not all approach security in the same way, and certainly do not provide equally effective protection against all types of attacks. So, let’s look at some broad categories of risks you may face on the Internet, and possible solutions which may mitigate those risks.
Nosey Roommates
If you share a computer with other people, you may be concerned about the privacy of your internet browsing. You may decide that you do not want your roommate to know that you visited Facebook, Twitter, and YouTube while you were logged in paying your bills. How can you prevent your nosey roommate from seeing such things?
Many browsers, including Firefox, have settings which enable a user to delete such details automatically, making it more difficult to recover such history. As of this writing, I am using Firefox version 108.0.2 (64-bit). The following are my personal settings.
Admittedly, my settings are far more secure and strict than is required for most people, but almost all of these settings will work for everyone. I use these settings because I sometimes must browse around the dark corners of the Internet where all the spiders and snakes live. Your usage may not require such strict controls. However, there are some things that I would recommend regardless of your usage.
If you save this information in your browser, you are asking for trouble. This information is too easy to extract. Use a password manager instead.
Coffee Shop/Hotel Spies/Hackers
Another recent focus is to find a way to protect your computer in shared WiFi areas, which may leave you vulnerable to various LAN attacks. These attacks are rather effective, even against patched systems. An attacker can perform information gathering, malware planting, or just be a nuisance. Many new operating systems have some built-in automatic techniques to hide your identity from snooping by connected systems, but snooping is certainly still possible. A VPN is the only meaningful way to protect against this, but the VPN must be a “full tunnel”, or it is ineffective. I will discuss the details of VPN options later in this writing.
Internet Service Provider Snooping
A few years ago, “Net Neutrality” was quite the buzzword/debate. When Netflix started to transition to a streaming service, there was a push by local Internet Service Providers to force their customers to pay more for accessing such content. If you used a streaming service such as Netflix or Hulu, your provider might limit your bandwidth, or charge you a premium for using such services. The streaming services obviously didn’t like the idea, because many people would probably drop their service based on the instant cost increase. Also, many privacy advocates were against the Internet Service Providers tracking and developing different delivery rules based on the content that their customers were consuming. So, the “Net Neutrality” initiative was born. Internet Service Providers grudgingly became “supporters” in word, but have never actually demonstrated the true spirit of the initiative. Many providers still track their customers’ actions. In some cases, this is useful because it helps the ISP build out capacity in needed areas. However, many ISPs also sell that information. So, many people would like to hide their browsing behavior from their local Internet Service Provider. There are a couple of options for this, including VPNs or various TOR implementations, which I will discuss later in this writing.
Anonymous Site Tracking
Even if you use a VPN or TOR, if you allow your browser to accept tracker cookies, you are still being tracked. This is why, when you search for a belt, for example, for the next couple weeks you suddenly start seeing sponsored ads on Amazon, Facebook, and others about belts. Stopping this means turning off the tracker cookies, and allowing each browser session to act independently. See my configuration for Firefox (above). This does not necessarily imply an imminent security risk. It is simply an annoyance for those (like me) that do not appreciate being watched.
Malicious Websites
Some websites have JavaScript or other client-side content which is intended to infiltrate, spy, or even create a “Command and control channel”. A command and control channel allows an attacker to take control of your computer remotely. Simply visiting the site is enough to offer an attacker access to your computer. Many of these websites are very well built and look completely legitimate, often mirroring an actual business website. Sometimes a Google search for a legitimate company may also produce these websites. Most modern browsers do not automatically run the super dangerous content, but even the best controls continue to be rendered ineffective by new tricks. The best defense for this attack is a browser isolation strategy. There are a couple of ways to do this, which I will discuss later.
Malicious Software
Well, if you are going to download something bad, you can expect bad things to happen. However, it is not always easy to tell what is bad. Attackers are not only good at the technology; they are also good at making deceptively legitimate-looking methods to get access to a victim’s computer. If only they applied their skills to something useful, just think of how much good they could do.
There is no real way to ensure that you will not be infected. Virus scanners, “safe browsing” features, and all the other tools we use to help in this regard are based on signatures and lists. Those lists are developed by what has been seen, and identified as malicious because it impacted someone. Always remember that if you download something, you may be patient zero. You may not find out about it for months. There are some best-practices to help keep you safe, however.
Government Spying
This is becoming a much bigger discussion within the United States, especially since the government unilaterally gave themselves power to intercept a massive amount of communication without warrants through a number of laws passed after the attacks of September 11, 2001. The current view appears to be that the data is no longer yours once it leaves your computer and travels through your Internet Service Provider’s network. Therefore, that data is no longer protected under the 4th Amendment. The Internet Service Providers have no interest in fighting the government over the data passing through their network, so they are happy to cooperate and provide the government with taps allowing “Lawful Intercept”. Many people feel that this is at minimum an invasion of privacy, but in the future may be misused to target people with criminal charges based on completely legal behavior, or even be used for political targeting. Unfortunately, because you probably do not have a thorough log of your activity, you are largely left at the mercy of the government agency on what information is presented versus ignored.
Unfortunately, it is very difficult to know what tools are effective against government spying, because the government has a very large budget dedicated to hiring very skilled people and purchasing very powerful computers to make spying possible. They are also very skilled at hiding what they are able to do, and shooting anyone that reveals those national secrets, so we can only guess. Based on that, many people have represented TOR as the “solution” against government spying, but we should remember that the government developed the TOR project. As early as 2015 there were reports that the government was able to track a user’s path through the TOR network. I will discuss this more in the section on TOR below.
The only tool of which I know that can probably still be considered safe from government spying is PGP (Pretty Good Privacy) for email. However, this doesn’t help with browsing, and because it is rather slow, would drastically slow web pages even with very powerful computers. So, from my perspective, there is no current practical protection based on tools; just behavior.
Discussing the Tools
Ok, so how do we combat these risks? How do they work, and what can they do to help keep us safe? Well, I’m glad you asked! I will cover several of the most common tools available. If you know of others that I should have included, feel free to comment below.
SSL/TLS
When you browse to a page with “HTTPS” rather than “HTTP”, the traffic you send to, and receive from, the server is encrypted. This prevents anyone from eavesdropping on the data within your session, but does not prevent your Internet Service Provider from knowing to what webpage you connect. Additionally, all the sites to which you connect will know your source IP, which gives information about your physical location, your Internet Service Provider, etc. Companies like Google will use that information combined with your searches to build profiles around you personally, your geographic region, etc. This information can be marketed.
One word of caution. If you receive a security warning when you connect to a site, you should take it seriously. Don’t proceed unless you are certain that the condition described is not important. Here is an example.
Sometimes that alert may be warning you that the site forgot to update their certificate before it expired. However, it may also be warning you that the site you THINK you are visiting is not what you actually reached at all. It’s always good to look in the address bar before you proceed regardless of warnings, just to ensure that the site “domain name” looks correct, and that the browser is reporting the site as secure. The appearance may differ with each browser. Here are some examples from Firefox, but the same information will be available regardless of your browser.
Using HTTPS (SSL/TLS) only prevents people in the middle (Internet Service Providers) from seeing what you are actually doing on the website, but does not hide anything else about your visit.
Regardless, for most browsing, you should always expect to have HTTPS enabled. Very few legitimate sites use HTTP as the primary access these days. SSL/TLS is the most basic form of protection.
Browser Plugins
A browser plugin is a small program which can monitor the sites you try to visit, and the data the servers return. Normally, a security related plugin can use this information to alter the normal behavior of the website by preventing your computer from accessing “known bad” websites. It is also possible for the browser plugin to intercept the requests and redirect them to another site for analysis. An example of a very popular Firefox extension is “uBlock” which does a pretty good job at blocking a wide variety of ad sites that are part of almost every webpage. However, consider what information you are making available in order for this plugin to perform this magic.
The uBlock extension is considered safe. However, there are literally thousands of extensions just within the security group. Because the extensions are written by members of the community, there is no way of knowing which ones are legitimately helpful, and which may be covertly harmful. You should proceed with extreme caution if you download or enable extensions, and always check the permissions required. Often extensions may ask for more permission than is required for what you want the extension to do. Don’t use those extensions. Here is a webpage which offers some useful tips on how to check your particular browser for browser extensions, and some best-practices related to their use.
In general, browser extensions CAN be effective against things that YOU do on purpose. However, a browser extension can only stop what it sees. Malware may still connect to websites apart from your browser, or may choose a different browser, so the extensions are not effective at controlling such activity. They can provide some protection against anonymous trackers and malicious websites based on the lists. They can also offer some nice features and enhance your browsing experience, but proceed with extreme caution.
Virtual Private Network (VPN)
A VPN provides a way of sending some, or all, of your data to a remote system across a network by packaging up your traffic inside another request. It is exactly as if you packaged something up for someone, including the address, then took that box, put it inside another box, and mailed it to a friend to send on. The postman will not know the final destination of the contained box. In the same way, the Internet Service Providers will not know what your final destination is; only that you are using a VPN, and which VPN you are using. Likewise, the sites that you visit will not see your true source address, but the VPN exit node’s address. This makes it possible for a VPN to make it look like you are from another country.
Most (if not all?) consumer VPN services, such as NordVPN, ExpressVPN, Surfshark (just to name a few popular offerings) offer a FULL VPN tunnel. This means that your computer will use the VPN for all connectivity, and will not even be able to connect to the local network. This provides protection against the snoopers in hotels or in coffee shops. This will protect your computer from the majority of attacks and most dangerous access available to hackers on the same WiFi network. However, most corporations which use VPNs to connect to their network do NOT use full VPN tunnels, but instead use a split VPN. Such a VPN design does NOT provide any protection against local network snooping.
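To make the full-tunnel versus split-tunnel difference concrete, here is an added example (not from the original article) that applies the same longest-prefix-match rule a kernel uses to two constructed routing tables and reports which destinations are still sent over the shared WiFi. The interface names (wlan0, tun0), the prefixes and the addresses are assumptions; the two /1 routes are the common way VPN clients take over the default route.

```python
import ipaddress

# Constructed routing tables (assumption, not the article's own data).
# wlan0 is the shared coffee-shop WiFi, tun0 is the VPN tunnel interface.
VPN_SERVER = "203.0.113.10"  # documentation address standing in for the VPN endpoint

# Full tunnel: two /1 routes to tun0 are more specific than the WiFi default
# route, so everything except the VPN server itself goes into the tunnel.
FULL_TUNNEL = [
    ("0.0.0.0/0", "wlan0"),
    ("0.0.0.0/1", "tun0"),
    ("128.0.0.0/1", "tun0"),
    (VPN_SERVER + "/32", "wlan0"),
]

# Split tunnel, as a corporate client typically sets it up: only the company's
# private range goes through tun0; the LAN and the rest of the Internet stay on WiFi.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "wlan0"),
    ("192.168.1.0/24", "wlan0"),
    ("10.20.0.0/16", "tun0"),
    (VPN_SERVER + "/32", "wlan0"),
]


def route(table, dst):
    """Longest-prefix match: the most specific matching prefix decides the interface."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def visible_on_wifi(table, destinations):
    """Destinations whose packets leave on wlan0, i.e. exposed to anyone on the same
    network. The VPN server is always among them: that is how the ISP knows you use a VPN."""
    return [d for d in destinations if route(table, d) == "wlan0"]


# Constructed sample destinations: LAN printer, a public website,
# a corporate server, and the VPN server itself.
DESTINATIONS = ["192.168.1.50", "198.51.100.7", "10.20.0.5", VPN_SERVER]

if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(name, {d: route(table, d) for d in DESTINATIONS})
        print("  seen by the WiFi snooper:", visible_on_wifi(table, DESTINATIONS))
```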
Also, as long as you are not logging in, or providing any details about yourself, the websites that you visit have less useful information to track you. You appear to be coming from the VPN node, so they know that you are using a VPN, but have little information to determine your actual location (provided you disable the location feature in your browser).
A VPN as a technology does NOT, by itself, provide any protection against tracker websites, malicious websites, or malware. Additionally, a VPN is an authenticated technology, so it is entirely possible that your behavior is being tracked by your VPN provider. Even if the provider is not officially tracking your activity, it is entirely possible (likely?) that the government has requested, and received a feed for “lawful intercept” and therefore can track exactly what you are doing regardless of the VPN.
Secure Browser
There are a few browsers that claim to be privacy focused. TOR is certainly at the top of the list, but I will deal with all things “TOR” later in this writing. For now, let’s look at Brave as a browser.
The advantage of a secure browser is that it should, by default, not leak all the information that the more common browsers will leak. That is not to imply that Firefox cannot be secure. I would argue that with the proper settings, Firefox is a perfectly secure browser. In general, using secure browsers (or using the secure setting in your browser) will protect against your nosey roommate and against anonymous trackers. When combined with other features discussed here, it can be a powerful tool. I would go further to say that if you are using a VPN or TOR via an insecure browser, you are wasting your time, because your browser may be leaking all the information you are trying to protect.
Secure Web Gateway
The concept of what a SWG does is not new. Content filters and proxy servers have existed for decades. However, the branding as “Secure Web Gateway” is new, even though the technology is old, or perhaps I should say mature. The SWG offers a powerful way of filtering access and preventing you from accidentally wandering into dangerous locations.
Unfortunately, running a SWG takes some technical acumen and expense, and historically has been relegated to the corporations. However, Cloudflare offers their SWG service for free for those that wish to take on the challenge.
A SWG can provide protection against anonymous browsing trackers, malicious websites, and even block some malicious software. However, it is based on lists of “known bad” stuff. Therefore, it provides no guarantee of protection.
Some versions of SWG operate in the cloud, which provides a small level of protection by hiding your local IP address. However, they may open you to other attacks and exposures. Generally, SWG should be paired with other technologies for good protection.
Remote Browser Isolation
In general, this is one of the most secure ways to surf the internet. The actual browser session lives within a separate system, and the user only sees the final rendered page. This is perhaps the most effective block against all trackers and malicious websites, and also does a good job of blocking your personal data and location for anonymous browsing. An RBI takes some technical acumen to operate, or costs money, and thus is often relegated to the corporations that invest in such protection.
However, the technically adept user can accomplish this using a docker container on your local PC. I use this when I am really wandering into the dark corners of the web. The only risk is that I must choose to use it, where the commercial solutions are always on and usually paired with a secure web gateway. An ideal scenario is to use a docker container for a browser which then references a TOR or VPN proxy. That provides the best protection from just about everything. I can provide more details on setting up such a solution if interested.
TOR
“The Onion Router” is a method of hiding certain details of the source/destination from systems in the middle of the network. In many ways, it is like a VPN. Actually, TOR is something like a Russian Nesting Doll of VPNs.
TOR is usually more focused around browsers, but it certainly can tunnel other protocols. There is an official TOR browser based on Firefox. This browser has many of the security settings already done for you.
The principle of TOR is to create multiple VPN-like tunnels. The packets sent from your computer are encrypted several times, once for each hop. Each hop decrypts its own layer and forwards the remaining data to the next endpoint, which decrypts its layer and forwards to the next endpoint, and so on, until it reaches the exit node. The exit node then forwards the traffic to the final destination. This makes it very difficult for each hop along the way to know anything about the source (you) or the destination. The entry node to which you forward your traffic knows that you are using the TOR network, but does not know your destination; it just knows the next hop to which it is supposed to forward your traffic. In the same way, the exit node does not know that the traffic came from you, but does know the final destination. Connecting those pieces of information is very difficult, but is still possible. In theory, TOR is a great way to hide your online activity. However, what value would this be if one single organization ran all the TOR nodes? It would be trivial to track someone’s path through the TOR network.
TOR provides a very effective defense against Internet Service Providers and anonymous browsing trackers, much as a VPN would. It has often been praised as the way to overcome government spying, but that is not really true or practical.
The real problem with TOR is that the node ownership is distributed, with very little oversight. As such, there have been TOR nodes which have been malicious, and, contrary to the goal of TOR, tracked user access. Some exit nodes have even injected malicious content into data sent back to the user. Also, TOR nodes may be owned by the government agencies from which some people are trying to hide. For those interested in more details on some risks related to TOR, here are a couple good write-ups.
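The layer-peeling described above, and the single-owner concern that follows it, as an added simulation that is not part of the original article and is not the real Tor protocol: a toy XOR keystream stands in for the per-hop session keys, each relay strips one layer and records only who handed it the cell and where it forwards it, and a final check shows what an organization owning both the guard and the exit gets to see. Relay names, keys and the sample request are constructed.

```python
import hashlib
import hmac
import json

# Toy stand-in for each relay's session key cipher (assumption: real Tor uses
# negotiated keys and AES-CTR inside TLS; the peeling logic is what matters here).
def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def build_onion(path, keys, destination, request):
    """Wrap the request so relay path[i] can only learn path[i+1] after peeling its layer."""
    cell = {"type": "exit", "next": destination, "data": request}
    blob = keystream_xor(keys[path[-1]], json.dumps(cell).encode())
    for i in range(len(path) - 2, -1, -1):  # wrap from the hop before the exit back to the guard
        cell = {"type": "relay", "next": path[i + 1], "data": blob.hex()}
        blob = keystream_xor(keys[path[i]], json.dumps(cell).encode())
    return blob


def run_circuit(client, path, keys, destination, request):
    """Walk the circuit; return each relay's view (from, to) and what the exit delivers."""
    blob = build_onion(path, keys, destination, request)
    views, prev = [], client
    for name in path:
        cell = json.loads(keystream_xor(keys[name], blob))  # peel exactly one layer
        views.append({"relay": name, "from": prev, "to": cell["next"]})
        if cell["type"] == "exit":
            return views, (cell["next"], cell["data"])
        blob, prev = bytes.fromhex(cell["data"]), name
    raise ValueError("circuit ended without an exit layer")


def relays_linking_both_ends(views, client, destination):
    """Relays whose own view contains both the client and the destination: none, by design."""
    return [v["relay"] for v in views if v["from"] == client and v["to"] == destination]


def ends_seen_by(views, owned, client, destination):
    """True if one organization owning the relays in `owned` observes both ends of the
    circuit, which is the situation the article warns about."""
    seen = [v for v in views if v["relay"] in owned]
    return any(v["from"] == client for v in seen) and any(v["to"] == destination for v in seen)


# Constructed circuit and keys for the demonstration.
PATH = ["guard", "middle", "exit"]
KEYS = {n: hashlib.sha256(f"constructed-key-{n}".encode()).digest() for n in PATH}

if __name__ == "__main__":
    views, delivered = run_circuit("client-ip", PATH, KEYS, "example.org", "GET / HTTP/1.1")
    for v in views:
        print(v)
    print("exit delivers:", delivered)
    print("guard+exit owner sees both ends:", ends_seen_by(views, {"guard", "exit"}, "client-ip", "example.org"))
```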
Summary
Here is a chart which shows how each technology may help provide protection against the risks.
So, let’s wrap this up. For the average individual, you can do a great deal toward improving your online security by the settings in your browser. Feel free to emulate my settings above. The arrows point to the settings I believe are most important, except that most people could use “normal” or “strict” as their primary setting.
For the “power user” who finds a need to occasionally walk around the edges of the Internet, the risk associated with the sites you visit should drive your level of care. Proceed with caution.
For the “crazy user” (like me) that occasionally needs to kick over the rocks in the far edges of the Internet, consider some form of remote browser isolation via docker or a commercial solution, mixed with VPN and/or TOR. That provides the most secure solution, although it is very heavy, technically, to set up and maintain.
Final Thoughts
For everyone, however… DON’T store passwords or any other meaningful data in your browser. Be careful about auto-complete in browsers.
I hope you found this useful. Feel free to share if you wish.
If you would like to talk through any of these options, or how to better secure you or your company’s network, feel free to reach out to me at my office. If you have any other suggestions on anything I may have missed or misrepresented, feel free to drop it in the notes below.
Be safe out there!