Secure Web Browser Settings

If you use Facebook, MySpace, Monster, or any online media with affiliate ad networks (that means everyone), then you should read further. If you don’t use a web browser, then you can stop reading. ;)

Web Browser Safety Settings

Using a web browser is dangerous. There are lots and lots of websites and people out there that want access to your computer, even if only to use it in a bot-net to attack the FBI or military computers. By default, no web browser is secure. Heck, even secure browser setups aren’t 100% secure. Every platform and browser has zero-day exploits – which is just a way of saying bugs that we didn’t know about previously. We don’t know how long those exploits have been there, but 1 day is unlikely. It could be years and years – like a recently found Microsoft IE bug that had been part of the OS since WinNT in 1996. That’s a long time. It was only discovered because it became used enough to be noticed. If the crooks were smarter, they’d have used that exploit for very specific, targeted, high-dollar attacks and not released it for world-wide use, so it would have remained hidden longer. I must assume they have many other unknown exploits, or they wouldn’t have released that last one.

Ok, so what settings and plugins can you use to mostly secure your PC from web-based attacks? Here’s my list:

  1. Use Firefox, not IE. The jury is still out on Chrome/Chromium security. The main issue with Chrome is that Google, the company making Chrome, is an advertising company. How much should you trust them? Apple’s Safari browser … no comment. I don’t use Apple-anything. I do know that Apple has historically delayed patching very well-known security holes in the operating system – sometimes for years.
  2. Use an ad-blocking extension, like AdBlock Plus – also, subscribe to an ad-block filter list (free). Verify the settings make sense for you.
  3. Use the BetterPrivacy extension. Verify the settings make sense for you.
  4. Use NoScript. Only allow JavaScript for very specific websites that you visit, not all websites. Famous security writer Brian Krebs says you should use NoScript too.
  5. Don’t install the Java plugin into the browser. If you must have Java for 1 specific website, you can use NoScript to allow just that domain to run Java. Java and JavaScript are two different technologies.
  6. Don’t allow Flash by default. Flash will slow your system down and enables the most annoying ads – which you probably don’t want anyway. NoScript lets you control when Flash can run.
  7. Don’t install any toolbars. Why would you use a Google/Yahoo/Other toolbar?
  8. Disable 3rd party cookies. Only allow cookies from the website you are actually visiting.
  9. Use session cookies that expire when you close the browser. Don’t use permanent cookies.
  10. Delete Flash objects daily – for me, that means `rm -rf ${HOME}/.macromedia/*` just before the daily backup. On Windows, there must be some equivalent location under your user directory. I dunno, since I don’t have Flash installed on MS-Windows machines. Too dangerous for me.
  11. Don’t use Silverlight – it has cookies like Flash does, and there simply aren’t enough reasons to use it. Ok, that’s harsh – I like UniversalSports.com, which requires Silverlight. Most of the time, I only enable it when specifically going to watch a sporting event, then disable it.
  12. Set IE security settings to Highest for all network zones. Then go back and specifically allow the 3-5 websites that you use/need. For example, microsoft.com, intel.com, and nvidia.com are in my list so I can get device drivers and patches. These websites don’t work so well with non-Windows machines and assume IE as the browser. By making the IE default settings highly restrictive, you’ve blocked lots of applications that might attempt things you don’t want. Applications like Win7 Media Center, Hulu, and Quicken may need some specific websites added to the “Trusted” list so the media or application can work. Regardless of your default web browser settings, these programs use only IE for accessing content.
  13. Don’t install RealMedia/RealPlayer. Use VLC instead.
  14. Don’t install QuickTime. Use VLC instead.
  15. Automatically clear your browser cache files, weekly, if not daily.
  16. Don’t ever store any passwords inside the browser itself. Use an external password manager like KeePass or KeePassX.
  17. Use Private Browsing mode by default when you are casually browsing the internet. This will limit any data that gets written to the local disk.
  18. Don’t play online Flash-based games. Why do websites create games and let you play them for free? I can think of only 2 reasons and you probably don’t want either.
    1. to show you ads so they make money.
    2. to get your private information.
  19. Don’t ever place any data in Facebook (or other online communities) that you want private.
  20. Don’t ever share private information or details over the internet. As soon as you let your real birth date be known and your real name known, all sorts of other data will be connected to you that you may not like known when grouped together.
  21. Don’t allow the web browser to open PDF documents inside the browser window – you really want the PDF saved to disk, scanned by antivirus, and then opened in a non-Adobe PDF viewer.
  22. Don’t allow MS-Office documents to be opened inside a web browser window. Just like with PDF files, you really want to save the file to disk and open it there.
  23. Check your google.com privacy settings.
  24. Some other suggestions that appear to be very good.
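Items 8, 9, 16 and 17 all map to Firefox preferences you can check in a profile’s prefs.js (or pin in user.js). The following is an added Python example, not code from the original article; the four about:config names and hardened values are my assumptions from Firefox documentation and should be checked against the version you run. It parses the file, reports which of those preferences are still at the weak value (a name missing from the file means the built-in default), and prints the user.js lines that fix them.

```python
# Added example (not from the article): audit Firefox prefs.js/user.js against items 8, 9, 16, 17.
import json
import re
# Hardened value and reason per preference (about:config names assumed; verify for your version).
HARDENED = {
    "network.cookie.cookieBehavior": (1, "block third-party cookies"),
    "network.cookie.lifetimePolicy": (2, "cookies expire when the browser closes"),
    "signon.rememberSignons": (False, "never store passwords in the browser"),
    "browser.privatebrowsing.autostart": (True, "private browsing by default"),
}
# Matches  user_pref("name", value);  with an optional trailing // comment.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*(?://.*)?$')

def parse_value(raw: str):
    """JS literal from a user_pref() call -> Python: true/false, "string", or int."""
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    return raw[1:-1] if raw.startswith('"') else int(raw)

def parse_prefs(text: str) -> dict:
    """Read every user_pref() line; a later line overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def audit(prefs: dict) -> list:
    """(name, current, wanted, why) for each preference still weak. A name absent
    from the file is at Firefox's built-in default, which for these four is weak."""
    return [(n, prefs.get(n), w, why) for n, (w, why) in HARDENED.items()
            if prefs.get(n) != w]

def render_user_js(findings: list) -> str:
    """user.js lines that set each finding to its hardened value (JS literals)."""
    return "\n".join(f'user_pref("{n}", {json.dumps(w)}); // {why}'
                     for n, _, w, why in findings)

# Constructed sample prefs.js: third-party cookies and saved passwords allowed.
SAMPLE_PREFS = """\
user_pref("network.cookie.cookieBehavior", 0);
user_pref("network.cookie.lifetimePolicy", 2);
user_pref("signon.rememberSignons", true);
user_pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    print(render_user_js(audit(parse_prefs(SAMPLE_PREFS))))
```

Point it at your real profile by reading prefs.js into `parse_prefs`; Firefox rewrites prefs.js itself, so put the output lines in user.js, which it only reads.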

Email Programs – Outlook, Thunderbird

For your email client program, check for these privacy settings and enable them.

  1. Don’t display weblinks or web objects, ever. This can block those email harvester “bug” images, which are 1×1 pixel dots used to track your reading of the email.
  2. Don’t display images inline. Just like with PDF or MS-Office documents, you want to save them to disk, run AV on them, then use a non-OS image browser to view them. All sorts of bad things can happen with inline data that isn’t just text.
  3. Don’t return receipts, ever. This isn’t part of the email standard anyway.
  4. Don’t display full HTML email, ever. Plain text or simplified HTML are fine.
  5. Don’t open attachments that don’t make sense, even from people you know. Always save them to disk and run the antivirus on them before you open them. It is common for a friend’s PC to get a virus and then send email to everyone in their address book with a virus-infected attachment. Hi Kacie.
  6. Don’t ever open a PPS file from anyone. PERIOD.

Other Things for Security

Check out my Security for Desktops and WiFi Router Security Checklist articles for more. Don’t forget to manage your privacy settings with Google.

Avoid installing many programs just to try them out. Every time you install a new program, you are taking a risk for your system, your privacy, and your data. Expect any new program that you install to crash your system and take precautions. Use application recommendations from people that you trust to help select the 20 programs you will install on your system. Having more applications isn’t always better for computer stability. The more things you have running, the more likely your system will crash.

The USA Computer Security Response Team has some specific examples of security settings for all browsers, not just Firefox. They also recommend NoScript.

Remember, You Are Never 100% Safe

Ok, so after you make all these settings, you still aren’t 100% safe, but you have become a harder target for the crooks. Hopefully, they will not bother you, since 90% of the other people on the internet are easier to hack than you, you know. You still have to practice safe browsing techniques. Even 1 slip on the wrong website can get you infested. Once there’s Don’t visit the bad parts of the internet – even just once. Don’t get lazy and enable Flash everywhere.

All these settings don’t prevent websites from tracking you and since you will allow session cookies, you’ll be able to login to websites and use them. This is a trade-off between security and usability.

These settings probably won’t work for a company owned computer since many companies have custom plugins for web sites and require non-secure settings for those to work. Also, your company probably has a security team which sets and controls security on your PC.

Not For Everyone

If you only use your PC to game on the internet, then many of these settings will make that tough. OTOH, if you are a normal information user on the internet, then these settings will let you keep doing most of the things you want with tremendously greater security.

Be careful out there.

If you do get into trouble and your PC gets hacked, you really can’t trust it again without wiping the disk and reloading the operating system. That’s why the corporate IT guys generally wipe a PC and start over whenever there is any issue. They don’t trust it on the company network. If you find yourself hacked/cracked with an unstable PC, just boot from a Linux LiveCD and you should be able to get on the internet and do those things without touching the hard disk inside the PC. Pick a LiveCD here or just go and grab the Mint LiveCD.
