Browser Safety: Choose Your Weapon

Your web browser is your primary portal to the wild and woolly world wide web. For many people, the web browser effectively is the Internet. As such, it’s one of the most vulnerable areas of our attack surface (i.e., the sum of all the places where we might be susceptible to attack by digital bad guys). Therefore, it behooves us to choose the most formidable browser we can find, bolting on whatever extra ‘armor’ and ‘stealth’ technologies we can find.

How Do We Define a “Safe” Browser?

There are at least two primary aspects to ‘safety’ when it comes to web browsing: security and privacy. A secure browser will do whatever it can to prevent you from visiting bad web sites, warn you against entering sensitive information on insecure pages, identify sites that aren’t encrypted, and strictly enforce policies that prevent malvertising and other malicious web exploits.

However, while security is something that all browsers claim to seek, privacy is another matter entirely. Because much of the web is “free”, most web sites have turned to advertising for revenue. And unlike traditional newspaper and billboard ads from days of yore, web advertising is built on hordes and gobs of personal data. Companies like Google and Facebook collect intimate details on you in order to serve you highly targeted (and much more lucrative) ads. Data, as they say, is the new oil. In their lust for data, online advertisers have gone seriously overboard with their tracking technology, prompting many to use ad blockers. So a good web browser will help protect your privacy by severely limiting the ability of web sites and marketers to track you.

The Big Four

The four most popular browsers today are Chrome (60%), Internet Explorer/Edge (20%), Firefox (13%), and Safari (4%). It wasn’t long ago that Microsoft had a near monopoly on web browser use, but Google’s Chrome browser has come on strong and clearly holds the lead today. Internet Explorer and Edge are the default browsers on Windows PCs, and Safari is the default browser on Apple Macintosh computers. Firefox (which rose from the ashes of Netscape Navigator) is the only browser in the top four that is open source (meaning the source code is freely available for review). Firefox is made by the non-profit Mozilla Foundation, which is funded primarily by search royalties. Despite very different aesthetics, at the end of the day, all four of these browsers do basically the exact same things: they show you web pages. So how do you know which is safest?

Choose Your Weapon: Security

Let’s just get this out of the way now: it’s almost impossible to know which browser is the most secure. This is largely because all of these browsers are constantly rolling out new security-related features, fixing security-related bugs, and generally trying to claim the title of ‘most secure’. That’s a good thing – they’re competing to be the best, and so we all win. There are dedicated hacking contests to reveal bugs in browsers, but it’s hard to say whether the number of bugs found in these contests really reflects the security of the browser. How likely were bad guys to find these bugs? How severe are the bugs? What about the bugs they didn’t find? These hack-a-thons also don’t address factors like how quickly the browser maker fixes their bugs and whether the browser is smart enough to self-update (because if you don’t have the latest version, you don’t have the bug fixes). It’s really hard to compare the relative security of web browsers (see this article to understand what I mean).

However, if I had to pick a winner here, I’d probably have to choose Chrome. Google is doing some fantastic work in the realm of computer and web security. Furthermore, they’re using Chrome’s dominance to prod web sites to be more secure, as well. That said, I think Firefox and Safari are also fairly secure browsers. And you could argue that because Firefox is open-source, it can actually be audited by cybersecurity experts – unlike the other three major browsers. Ideally, this vetting leads to fewer bugs.

Choose Your Weapon: Privacy

Unlike security, there are significant and important differences between the four major browsers when it comes to privacy. And this (to me) is the real differentiating factor.

While Google has been a true leader in terms of security, they’re pretty much the worst in terms of privacy. Their whole business model revolves around advertising (Google makes about 90% of its money from ads). And that leads to an enormous conflict of interest when it comes to protecting your personal data and web surfing habits. Apple has gone out of their way to basically be the anti-Google, making it a point of pride to collect as little data on their users as possible (and causing a collective freak-out by advertisers). But Firefox is also doing some great work in this area. In the coming months, Firefox will enable some wonderful anti-tracking technologies of their own.

So who’s the winner in terms of privacy? Today, I’d say it’s a toss-up between Firefox and Safari, with Chrome being dead last. Internet Explorer and Edge are somewhere in between, but with Microsoft’s recent penchant for collecting user data, I would put it closer to Chrome.

And the Winner Is…

Based on everything I’ve read, I personally choose Firefox as my main browser. No browser is 100% secure and it’s very hard for even the most earnest browser to completely protect your privacy. But I think Firefox, on balance, is the best of the bunch. Browsers are constantly adding new features, so I will have to revisit this periodically (and I will update this article accordingly).

That said, there is at least one reason to also have Chrome installed on your system. And we’ll talk about that below.

Beyond the Big Four

There are actually several other web browsers you might want to consider. This article covers some of them, but I’ll just mention three.

The fifth most popular browser is Opera, and many people enjoy using it. If you’re not satisfied with any on my list, you might give it a try. Opera is fast and works on both Mac and PC.

The Brave browser is an open-source browser built for privacy, with built-in ad blocking and tracking protection. However, in a move to try to acknowledge the need for ad-based revenue, it also has a mechanism to insert its own ads, which opens up a lot of issues. I would wait and see on this one.

Lastly, the Tor browser is all about privacy – in fact, it tries to achieve true anonymity (though that is extremely difficult in practice). It’s based on Firefox and builds in several kick-butt privacy tools that are too technical to sum up here. But if you really need to surf privately, you should give Tor a serious look.

Less Is More

Modern browsers all have the ability to add more functionality through plugins or add-ons. These extensions can both significantly raise and lower your level of security and privacy. So no discussion of browser security would be complete without discussing them. Let’s start with the plugins you should remove.

First and foremost, delete Adobe Flash. Flash was created years ago to enable all sorts of fun things – animations, video or audio, and online games. But Flash is horrendously buggy and mostly obsolete. So just remove it. (Note that the Chrome browser actually has Flash built-in and Google ensures that it’s up to date – so if you find a web site that requires Flash, you can use Chrome for that site… and then go back to Firefox!)

In the same vein, I would delete both Java and Silverlight plugins, if you have them. They’re buggy and mostly unnecessary.

Finally, go through all your browser plugins and just remove (or disable) any that you don’t need. Every one of those add-ons is a potential security or privacy risk.

If you later find that you do need any of these plugins, you can always just reinstall them… with the following major caveat…

DANGER! Beware Plugin Requests!

If you ever get a pop-up from a web site saying that you need some plugin in order to do something, never ever follow their link to install it!! This is an extremely common and effective way to install malware. When you see a pop-up like this, close it and then go directly to the site for this plugin and install from the source. A Google search should take you to the right place, if you don’t know where to go.

Plugins for Better Privacy and Security

The one plugin you should add to your browser to increase your security is a password manager like LastPass. Not only will a password manager help you to create strong and unique passwords for every web site, it will also not be fooled by fake (“phishing”) web sites.
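Why a password manager is hard to phish, as an added example (not from the original article, and not LastPass’s actual code): before offering a saved login, the manager compares the page’s origin with the origin the login was saved on, so a look-alike address simply gets no autofill. The exact-match rule, the function names and the `.test` URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed vault entry: the origin on which the login was saved.
SAVED_ORIGIN = "https://accounts.example-bank.test"

# Constructed page URLs a user might land on (reserved .test names only).
SAMPLE_PAGES = [
    "https://accounts.example-bank.test/login",         # the real site
    "https://ACCOUNTS.Example-Bank.test/login",         # same host, other case
    "http://accounts.example-bank.test/login",          # not encrypted
    "https://accounts.examp1e-bank.test/login",         # look-alike spelling
    "https://accounts.example-bank.test.signin.test/",  # real name as a prefix
    "https://accounts.example-bank.test@signin.test/",  # real name before '@'
    "https://accounts.example-bank.test:8443/login",    # different port
]

_DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url):
    """Return (scheme, host, port) for a URL, or None if it cannot be parsed."""
    try:
        parts = urlsplit(url)
        port = parts.port      # raises ValueError on a malformed port
    except ValueError:
        return None
    host = parts.hostname      # lower-cased; anything before '@' is dropped
    if not host:
        return None
    if port is None:
        port = _DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, host.rstrip("."), port)


def should_offer_autofill(saved_origin, page_url):
    """Offer the saved login only on an HTTPS page with the identical origin."""
    saved, page = origin_of(saved_origin), origin_of(page_url)
    if saved is None or page is None:
        return False
    if page[0] != "https":
        return False
    return saved == page


def review_pages(saved_origin, page_urls):
    """Return {page_url: decision} for each URL in page_urls."""
    return {url: should_offer_autofill(saved_origin, url) for url in page_urls}


if __name__ == "__main__":
    for url, ok in review_pages(SAVED_ORIGIN, SAMPLE_PAGES).items():
        print(("fill   " if ok else "refuse ") + url)
```

A person skimming the address bar can miss every one of the refused cases; the comparison cannot, which is why a missing autofill prompt on a familiar-looking login page is worth treating as a warning sign.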

In terms of enhancing your privacy, Firefox and Safari already have a lot of built-in features to prevent tracking. However, there are a handful of add-ons I strongly recommend you install. It’s safe to add them all; they play nicely with each other.

  • uBlock Origin. This is a very good ad blocker, which protects you from tracking and malvertising. (Don’t get “uBlock” – you want “uBlock Origin”.)
  • Privacy Badger. From the wonderful folks at the EFF, this plugin watches for suspicious tracking behavior and blocks it – it even learns over time to get better.
  • HTTPS Everywhere. Also from EFF, this plugin ensures that any site you visit that can support encrypted communication will do it by default.
  • Decentraleyes. Kinda hard to explain briefly, but this plugin helps to limit your downloading of several common web page resources that could be used to track you when you request them.

To install a plugin, find your browser’s menu option for plugins, add-ons or extensions. You can search for the above plugins and install them directly into your browser.

Smartphone Privacy: Reining in Nosy Apps

Every application you install on your smartphone comes with a set of permissions – a list of things it would like to access. This includes things like your camera, microphone, location, contact list, photos, calendar and more. While these functions allow your apps to do amazing things, they can also compromise your privacy. These permissions are usually established when you install the app or first use it. Many of us don’t even give this a thought and just click “yeah, sure, whatever” (I’m pretty sure that’s what the button says). But have you ever stopped to question these requests? For example, should you really grant a Sudoku app access to your contact list? Or a dating app access to all your photos? It’s not uncommon for apps to request way more access than they truly need – maybe to enable some social features you don’t care about or perhaps even to gather intel on you that they might sell to third parties (like marketing companies).

Software developer Felix Krause recently published an article on how permissions in iOS apps (iPhone, iPad) can be easily abused, allowing them to take pictures or video with the front or rear camera, record audio, and even use facial recognition. Of course, you had to have given this app permission to do these things at some point. Maybe it even made sense for that application to have those permissions. But the point he’s making is that these apps can use those permissions for more than the obvious purpose. Furthermore, there may be no obvious way to know when the app is accessing these things.

Need to Know Basis Only

The bottom line is that you should only grant permissions that make sense for the given app’s real purpose, and that you should restrict those permissions as much as possible. For many iOS apps, you can grant permission to these sensitive functions and data only when the application is in use (it’s the foremost app, the one you can see). When the application is not in use (in the background), its access is cut off (or at least severely restricted). For example: why would you want to grant Google Maps access to your location when you’re not actually using it? What else might Google use that location data for? (You know that Google is an advertising company, right?)

Privacy Over Permission

Obviously, for Google Maps to work, it needs your location. And many other apps have a valid need for access to your camera, microphone, photos and so on. But you should question every one of those permissions and dial them back to the bare minimum.

This is fairly straightforward on Apple devices. You simply go to Settings, and then Privacy. There you will find the various privacy-related functions and features, and by clicking on each one you can see which applications can access them. You can then select “always”, “never” or (in some cases) “while using”. Dial them back as far as you can – you can always change it later if you find it’s necessary. This article has some more info, if you need more help. On the whole, Apple does a good job giving users power over their privacy.

Android apps were notorious for being all-or-nothing with requested permissions. However, in Android Marshmallow, Google allowed for finer-grain control. Android 6 gave users the ability to revoke permissions after initial install. The Android interface is often customized by the phone manufacturers and cell phone providers, so it’s harder to give blanket instructions on how to change app permissions on any Android phone. Generally, you go to Settings, then Apps. When you open any individual app and look at App Info, you should find the app’s permission settings. For more info, you can see this article or this one straight from Google.

Locking Down the Internet of Things (IoT)

With all the news of the Reaper malware that’s infecting Russia and Ukraine, and reminders of the disaster of last year’s Mirai botnet, it’s a good time to review basic home network hygiene and best practices for securing the Internet of Things (IoT).

What is the Internet of Things (IoT)?

The Internet of Things, or IoT, is a hot marketing buzzword these days, but what does it really mean? Internet of Things refers to the recent phenomenon of connecting regular, everyday “dumb” devices to the Internet in order to enable cool new features. One of the most popular examples is the Nest Thermostat. Nest (which was bought by Google for $3.2B) created a ‘smart’ replacement for the dreary household HVAC thermostat. Not only was it beautiful and easy to use, it had built-in WiFi and could communicate with Nest’s Internet service. With the help of a smartphone app, Nest owners could monitor and even control the temperature of their homes from anywhere on the planet. Over the last few years, billions of devices have joined the Internet of Things: TVs, garage door openers, baby monitors, watches, appliances, and even light bulbs.

An Army of Robots

What might not be immediately obvious is that every one of these products is also a computer. While computer chips have found their way into all sorts of modern products, putting those computers on a network takes things to an entirely new level. Computers are hackable because they run software, and all software has bugs. But if that computer is not on a network, you have to have physical access to hack it. Not so with IoT. Cybersecurity professionals love to say that the “S” in “IoT” stands for security – meaning it has none – and it’s not far from the truth. Cost is a huge issue for most of these devices, and adding proper security adds a lot of cost – both in development and testing, but also hardware cost (faster CPUs, more memory, etc).

So what do you get with a massive influx of insecure computers on the Internet? A hacker’s dream come true. The security flaws in these products are widely known by the hacking community. Also, most of these devices have a special web page where you can configure them. And while most are protected with a user ID and password, these credentials are almost always set to default values, which are also well known. It’s trivial to write malware to exploit these weaknesses and gain control of these IoT devices. And when you have an army of devices you can control from anywhere on the Internet, you have what we call a botnet (shorthand for a ‘network of robots’). Hackers use these innocent-looking devices to do their bidding. One of the more common uses is to direct an unsurmountable wave of requests at some target web site to bring it to its knees – called a Distributed Denial of Service (DDoS) attack. That’s how the Mirai botnet took down a large portion of the Internet last Fall, and the Reaper botnet is poised to wreak similar havoc in the near future.

How Not to be Bot

So what are we to do? How do we keep our wonderful Internet of Things devices from being subverted and conscripted into a botnet? The primary thing we need to all do as consumers is to demand security for all our Internet-connected products. Do your homework, read the labels, compare products based on security and privacy features. Support regulatory or even voluntary initiatives to improve security and provide more transparency. We could really use some sort of Underwriters Laboratory for cyber security and privacy, providing independent analysis and standardized product ratings. But until then, we need to do what we can on our own.

  • Change default passwords. If your device has any sort of administrative interface (probably a web page), change the default login password. Write it down or use a password manager.
  • Update the firmware. Not all IoT devices can be updated, which is a massive problem. But if your device has a way to update its firmware (which is what we call software that runs on these appliance-type devices), you must keep it up to date. The admin web page should have a help/info link that will tell you how to check for updates and install them.
  • Register your devices. You should go ahead and register these devices online and get on the email lists. This is probably the most reliable way to get notified of bugs that need to be fixed. Yes, this will expose you to marketing crap. You can try to limit the spam by updating your ‘marketing preferences’ to only include security updates.
  • Dumb down your devices. If you don’t use the Internet features on your device, then don’t put it on the network at all. For example, most TVs today have an Internet connection because they come with built-in Netflix apps and such. But if you don’t use those features (for example, you use a FireTV, Apple TV or Roku), then you have no reason to plug it into your network or enable WiFi.
  • Unplug unused devices. If you have a device you no longer use (or trust), just get rid of it. Or if you use it only rarely, unplug it until you need it. For example, I have a web cam I use to watch my house when we travel. I only plug it in when we actually travel.
  • Quarantine your devices. Compromised devices on your network are basically beachheads for hackers within your home network. You can mitigate these risks by putting your IoT devices on your guest network. Don’t have a guest network? Most modern WiFi routers have this capability and it’s easy to set up. It’s a separate network for untrusted devices (including your guests’ devices, hence the name).
  • Restart your devices. Some of the malware that infects IoT devices can be cleansed just by powering the device off and back on. Unfortunately, unless you can update the software, it will still be vulnerable to re-attack.

As always, you can find these and over 100 more tips in my book. I also covered the topic of Internet of Things in a wonderful interview with John Graham-Cumming (CTO of Cloudflare) – check it out!

How to Send Files Securely (like Tax Info)

Editor’s Note: Yeah, this is a long article. But if you ever need to transfer a file that contains financial, medical, or otherwise personal/private stuff, you need to know the techniques and concepts in this article. So read it carefully.

Tax time is upon us once again here in the US of A… ah, that magical time of year when you take hours and hours to collect the info that the IRS already has and calculate what they already know.

According to this article, 56% of American filers pay someone else to do their taxes for them. If you’re one of those people, then you will inevitably have to send some sensitive financial statements and info to your tax preparer. But it’s also highly likely that there are other situations where you will want to be able to send private data to someone else over the internet – medical, financial, or just personal. You should never, EVER send this sort of info in an email – as an attachment or in the email body itself. Email is just not secure (unless you go to great pains to make it so).

Encryption Overview

Encryption is a proven, rock-solid mathematical technique for transforming normal, readable digital files (documents, pictures, emails, whatever) into complete gibberish, and then (crucially) converting them back. Encryption uses a key (sometimes called a passphrase or password) and some well-known algorithm to do the conversion and reversal (that is, encryption and decryption, respectively). Whoever has the right key can decrypt the files. If you don’t know the key, even if you know the algorithm, you cannot recover the original file. Okay, you can – but if done properly, it would take all the computers on the planet working together for centuries to finally guess the key (despite what you see in spy movies). That’s cool stuff. (If you find this stuff the least bit interesting, check out The Code Book by Simon Singh.)

Let me just say right now that dealing with any sort of encryption today is just not convenient, to be polite. Encryption should just be the default for all communications today and you shouldn’t even notice that it’s happening. While we’re slowly getting there, we have a long way to go. (Don’t believe all the hype from law enforcement agencies about “going dark” – this is the golden age of surveillance.) The techniques I’m going to cover here are going to feel like a pain in the butt. But these are skills most of us will need at some point.

NOTE: I’m not talking Snowden-level security here. The techniques in this article are very good, but if your life depends on this, you need to be looking at sites like privacytools.io and securedrop.org.

We’re going to be talking about two distinct flavors of encryption here: encrypting the files themselves (we call this ‘data at rest’) and encrypting the files as they are traversing the interwebs (‘data in motion’). Ideally, you will want to do both – that is, encrypt the files you’re sending and then send those files using an encrypted transfer mechanism. But at a bare minimum, you need to encrypt the files themselves.

STEP 1: Encrypting Your File(s)

Whether you have one or many files to send, you should compress and zip them up into a single bundle. Fortunately, the same tools we’re going to use to encrypt the files will also take care of compressing and bundling them all into a single output file called a ‘zip file’. When your recipient decrypts this zip file, they will get all the original files back.

The trick here is finding a zip tool and format that your recipient can handle. There are many, many ‘zip’ file formats – but for pure simplicity, we’re going to use the 7zip format. (While you can make the arguably more-standard .zip file format work, getting the current free tools to actually use the better encryption formats is needlessly difficult.)

For some unknown reason, there is no single tool that works both on Windows and Mac to create an AES-256 7z file. There are many for-pay tools out there, but I’ll stick to two free tools that work quite well: 7-Zip on Windows and Keka on Mac. (Shout-out to this How-To-Geek article for inspiration.)

a) Choosing Your Zip File Password

Before we can encrypt the file, we need to choose a password. This is a crucial step in the process – don’t wimp out here and go with your name, “password”, or “12345678”. Just make it easy: go to this online password generator and have it create a killer password for you. You can tweak the settings on this page if you want to make it a little easier for the recipient to enter, but make sure it’s at least 12 characters long.

b-Win) Creating Your Zip File on Windows (7-Zip)

Start by putting all of your files into a single folder, say “My Private Files”. Then right-click this folder and select “7-zip -> Add to archive”. Don’t let all the options scare you. In the window that pops up, you only have to change three things:

  1. set the “Archive format” to “7z” (upper left)
  2. set the “Encryption method” to “AES-256” (lower right)
  3. enter your chosen password.

Note carefully where the file will be created (top of the window). Click “OK” and you’re done!

b-Mac) Creating Your Zip File on Mac (Keka)

Keka is handy, but a little odd to work with. Launch Keka. If not already selected by default, choose the tab for “7z”. Fill in your chosen password. I usually also select “exclude Mac resource forks” (harmless and invisible to Mac users, but confusing for Windows users).

Put all of your files into a single folder, say “private files”. Drag that folder on top of the Keka window and the window will change. Just let go and your encrypted 7z file will be created (by default, it will be in the same location as the original folder). That’s it!

c) Decrypting the 7z File

The process at the receiving end is much simpler – the receiver usually just has to double-click the .7z file. They will need some sort of application installed to handle this, of course. 7-Zip and Keka are obvious choices, but there are others that will decrypt these files (even if they can’t create them in the first place) like Unarchiver for Mac or PeaZip for Windows. Obviously, the recipient will also need the password (Step 2).

STEP 2: Sharing Your Zip File Password

As always, the devil is in the details… you have your strong password and you’ve used it to encrypt your zip file. Now… how do you get this crazy password to the other guy? Believe it or not, this one step is where so many people fail miserably. Don’t send the password along with the file! (Don’t laugh… people do this.) In general, you need to share the password using a different mechanism than whatever you used to share the file.

Here are some options. Note that in all cases, I wouldn’t say anything like “here’s the password”. Just send it with no other information, if possible.

  • The simplest and most secure way to share a password is to just call the recipient and read it to them.
  • If time is not an issue, you could mail it to them (like, a real letter).
  • If both you and the recipient use iMessage (i.e., you both have Apple devices), you can feel fairly secure sending the password this way.
  • A regular text message isn’t great, but it’s not horrible, especially if you don’t say what it is.
  • Gold star: Send half the password one way and the other half some other way!
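To make the password advice in Step 1a and the “gold star” option above concrete, here is an added example (not part of the original article): it generates a random password that is easy to read aloud, estimates how hard it is to guess, and splits it for two delivery channels. The alphabet, the 16-character default and the function names are assumptions chosen for illustration.

```python
import math
import secrets

# Letters and digits with the look-alikes (0/O/o, 1/l/I) left out, so the
# password survives being read over the phone. Constructed for this example.
ALPHABET = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
MIN_LENGTH = 12  # the article's minimum


def generate_password(length=16):
    """Draw each character independently from the OS random source."""
    if length < MIN_LENGTH:
        raise ValueError(f"use at least {MIN_LENGTH} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of guessing work for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def split_in_two(password):
    """Cut the password into two parts, one per delivery channel."""
    middle = (len(password) + 1) // 2
    return password[:middle], password[middle:]


def bits_left_after_one_part_leaks(length):
    """Worst case: the longer part is intercepted, the shorter must be guessed."""
    return entropy_bits(length // 2)


def report(length=16):
    """Generate one password and summarise how it would be shared."""
    password = generate_password(length)
    by_phone, by_text = split_in_two(password)
    return {
        "password": password,
        "by_phone": by_phone,   # e.g. read aloud on a call
        "by_text": by_text,     # e.g. sent as a message with no explanation
        "total_bits": round(entropy_bits(length), 1),
        "bits_if_one_part_leaks": round(bits_left_after_one_part_leaks(length), 1),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

With 16 characters, someone who intercepts one part still has about 46 bits left to guess, so when splitting it is worth generating a password longer than the 12-character minimum.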

STEP 3: Sending Your Encrypted Files

Now that you’ve encrypted and zipped up your files into a single .7z file, and you’ve securely communicated the password to the recipient, you need to actually send the zip file. While you could just email the zip file (because, after all, it is encrypted), I would still recommend that you choose an encrypted transfer mechanism. Why? Well, whenever you send something via email, copies of that message and the attachments can be made along the path between you and the receiver. Those copies may survive for a very long time and are subject to being stolen or copied. If you didn’t choose a good password or if in the future someone finds a glitch in the encryption algorithm (less likely), then those copies could be compromised. But you’ve done the most important part: you’ve encrypted the files and, as long as you have a good password, they’re very safe. If you want to email them and be done with it, that’s your call.

There are various ways to transfer a file to someone securely over the internet. Here are a few you could use:

  1. Use a share link with a cloud storage service
  2. Use an encrypted email service
  3. Use a real-time, encrypted file transfer tool

Using a share link with a cloud storage service is the least secure method, but it may be the easiest. There are three main problems with this technique. First, while most popular cloud storage services have some level of built-in encryption, they really aren’t super secure – in particular, the provider usually holds the master key. If compelled (or perhaps hacked), your files could be copied. Second, as a convenience to you, most of these services retain copies of files even after you delete them (see if they offer ‘undelete’ or ‘file recovery’). Finally, if you create a share link, anyone with that link can get to the linked file – at least until you cancel the link or delete the file. Again, you’ve already encrypted the file once, so this is less of an issue, but it’s still not ideal. However, if you want quick and easy, check how your cloud service creates share links and send it to the intended party. (You can often right-click the file to get this.) When your recipient has the file, cancel the share link and/or delete the file.

If you and your recipient happen to both have an account on an encrypted email service, then you can use that to send your file. Unfortunately, these services are not terribly common and they aren’t cross-compatible. However, most offer a free service option, so you could set up an account just for this purpose. This web site has good info and comparisons.

This last technique is dead simple. All you need is a web browser – no special tools to download or services to sign up for. The only trick is that you both have to be online at the same exact time – that is, they have to be there to ‘catch’ the file when you ‘throw’ it. There are several of these services and new ones keep popping up. I’ve personally used reep.io, but you might also check out sharefest.me and file.pizza. In all cases, you drag the file you want to transfer (your zip file in this case) onto the web page. The web page then gives you a special, unique link, which you need to send to your recipient (email, text, etc). When they click it, the file downloads to their computer. Ta da! This technique has one of the same problems as cloud storage share links: anyone with the link can download the file. However, they would have to somehow intercept that link and click it before your intended recipient. Once you close the web page, the link won’t work anymore. Also, some of these transfer services have the added option of setting a password on the transfer, which I highly recommend. (Use a different password from the one you used to encrypt the zip file!)

UPDATE (9-13-2017): There’s an even easier tool out there now called Firefox Send. The nice thing about this tool is that it will save the file in the cloud for your recipient: unlike reep.io and file.pizza, they don’t need to be online at the same time. You drag the file onto the page and it will upload. It then gives you a download link which you send to your recipient. They have 24 hours to download it. The file will be deleted as soon as it’s downloaded (one time only) or after 24 hours.

Conclusion

See what I mean? Sending a file securely today is not simple – and it really should be. Once you get used to using these tools, it’s not so bad, but it should still be simpler.

That said, I would be remiss if I didn’t at least mention a cool new tool called miniLock. If you’ve ever heard of PGP, miniLock is a hipper, modern version that is much, much easier to use. PGP and miniLock use what’s called ‘public key’ encryption (as opposed to the techniques we describe above, which use ‘private key’ encryption, where one shared key both encrypts and decrypts). With public key crypto, you have two keys that are paired: a public key and a private key. You give the public key away freely to anyone that might want to send you an encrypted file – it’s not secret. The magic is that any file encrypted with the public key can only be decrypted with the private key (which only you have, hence the ‘private’). No need to try to figure out how to securely share a single, shared key! This is truly the best way to share stuff securely, but using PGP really sucks. miniLock has the potential to be a usable public-key crypto tool for the masses because it’s so much easier to use. This tool is currently only supported (well) in the Chrome browser, but hopefully will expand to Firefox and other browsers soon. If you want to give it a try, check out this how-to article.