the_simple_computer

Baselines Part III: Web Browsers

Updated March 24, 2016.

This site is no longer being maintained so anything below could still be accurate, or very outdated.


From drive-by downloads and 0-day attacks to malicious ads and emails, a web browser will be your computer's biggest vulnerability. This will only get worse as browsers gain features and capabilities, adding attack surface and complexity until they become what are basically micro operating systems.

Know that all the big browsers phone home, and in the case of forks, you're often calling home to two companies instead of one. Rarely is there anything you can do about this short of tediously logging outbound connections and attempting to block them with a HOSTS file or firewall, and if you do, you may end up with incomplete browser updates, or none at all.

Since the browser is the biggest entry point for malware from the internet, you should take care to harden it as best you can. You'll be amazed though, at how much of the internet's pollution you can cut out of your life simply by restricting what's displayed in your web browser.



Objectives

  1. Know the Two-Browser Rule: A personal computer should have at least 2 web browsers. Whichever they are is up to you.
  2. Minimize the amount of installed plugins, add-ons and extensions.
  3. Force HTTPS connections whenever possible, but especially for sites you log in to like email, social sites, etc.
  4. Minimize the amount of bandwidth-eating crap being served in the browser like ads, third-party scripts, cookies and frame content, beacons and other such conduits of malware and means of personal tracking.
  5. If password management is desired, offload that responsibility to a standalone application which can do the job better than a browser.

General points

Website cookies

Cookies are NOT needed for the majority of websites. Applying the two-browser rule, you'll be well served to block all cookies in your main browser, then either allow cookies only for sites you log in to, or use the second browser as a fallback for when you do need cookies. There are also plenty of cookie management extensions/add-ons available.

Third-party cookies are generally harmful to privacy. If you choose to leave 3rd party cookies enabled, a content blocker will filter out 99% of the chaff while leaving the legitimate but rare 3rd party cookies a site would need. Completely blocking 3rd party cookies in the browser is not an undesirable or inconvenient alternative, and Safari does it by default.

Content blocking (ads, trackers, general site bloat, etc.)

For this I prefer to start with uBlock*, a browser extension available for Chromium and Firefox based browsers (including Opera) and Safari. It's an alternative to (not a fork of) Adblock Plus and Ghostery but uBlock can block more content, has an optional advanced mode to give you finer control over what you're blocking and is streamlined to use less system resources than other ad blockers. uBlock is effective by default but you should also go into the 3rd-party filters tab and enable Fanboy's Enhanced Tracking List.

[*] There are two different branches of uBlock: uBlock Origin by the original creator, and uBlock. uBlock Origin is considered feature complete and will be maintained primarily for stability and bug fixes. uBlock (non-Origin) takes feature requests and plans to evolve the extension further. For more contrasting info, see: [1] [2].

Alternatively, NoScript and uMatrix give you much more fine-grained control than even uBlock's advanced mode, plus some extra features. With these extensions, you can allow JavaScript, frames and other page elements for individual domains or sites only, or create global allow and/or deny rules. They're for advanced users though, so you must be willing to tinker with the extension to un-break certain site elements. Both can be used alongside uBlock for a middle road of usability vs. security & privacy. NoScript is only available for Firefox-based browsers but uMatrix (by the original creator of uBlock) is for Chromium and Firefox based browsers.

Ad Muncher, a blocking HOSTS file like MVPS (there are others) and Privoxy are some non-browser-based solutions but of course these can be combined with browser extensions in a more strategic manner.

Do Not Track

It may have noble intentions but in its current state, DNT is hopelessly impotent, mainly because it's entirely opt-in for the advertisers to adhere to. Content blocking will always be superior and keeping DNT disabled will save you some bandwidth. In the case of Internet Explorer which enables DNT by default, keeping it on will help your HTTP traffic blend in with other default IE users. Other browsers ship with DNT off by default, and enabling it will actually add to the uniqueness of your HTTP request headers and overall browser fingerprint.

Java browser plugins

If you need Java on the system but not the browser plugins, disable them. Thankfully, Java browser plugins are going away, but that doesn't mean the training course site your job needs you to access which was made to work with JRE 4 in IE7 will suddenly update itself overnight. If you do need Java plugins, make sure your browsers are set to ask before allowing Java to run or, if possible, consider switching to a service which does not require running Java in a web browser.

HTTPS bookmarks

Take a look through your bookmarks lists. For sites you log in to like financial, insurance, etc., make sure the bookmark URL begins with https://, not plain http://.

Password storage

A good password manager will generate strong passwords for you. Then you only need to remember the one needed to access the password manager itself, and you're not using weak dictionary words everywhere. With a good manager, passwords are stored in an encrypted database and you can still have them autofill for sites you trust. Some services are cloud based like Encryptr, LastPass or Mitro and will sync across all your devices. Others like 1Password, KeePass and KeePassX will not without extra effort. When using an external password manager, disable the browser's password storage.

Web login for network devices

Another use for the two-browser rule: when logging in to the configuration page of your router or modem, always do it in a separate browser if the other one is already filled with tabs of loaded pages. Do the same for sensitive online activities like banking and trading if you're not using a virtual machine or Linux live session.

Safe Browsing and SmartScreen

Google Safe Browsing is enabled by default in Chromium-based browsers, Firefox and Safari. A basic description is that Safe Browsing downloads a list of URLs for websites known to be malicious. When you visit a URL, it's checked against the locally stored blocklist and if a match is found, it sends a portion of a SHA2 fingerprint of the site's URL to Google. For file download checks, a local whitelist is used instead.
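The local-prefix flow described above, as an added example in Python (not code from the page or from Google): a simplified model of the Safe Browsing check, assuming a 4-byte hash prefix, a simplified host+path canonicalisation, and a constructed blocklist. It shows which bytes actually leave the machine and when.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of the SHA-256 digest kept locally; assumed for this model

def url_fingerprint(url):
    """SHA-256 of a simplified 'host/path' form of the URL. Real Safe Browsing
    canonicalises host suffixes and path prefixes too; this hashes one form only."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return hashlib.sha256((host + path).encode()).digest()

def build_local_list(bad_urls):
    """What the browser stores: only short hash prefixes, never the URLs."""
    return {url_fingerprint(u)[:PREFIX_LEN] for u in bad_urls}

def make_full_hash_server(bad_urls):
    """Stand-in for Google's side: given a prefix, return every full hash it holds
    that starts with it. It is only ever contacted after a local prefix hit."""
    full = {url_fingerprint(u) for u in bad_urls}
    def lookup(prefix):
        return {h for h in full if h.startswith(prefix)}
    return lookup

def check_url(url, local_prefixes, full_hash_lookup):
    """Return (is_unsafe, bytes_sent). Nothing leaves the machine unless the
    local prefix list matches; then only the prefix is sent and the full-hash
    comparison decides, so a mere prefix collision is not treated as a hit."""
    fp = url_fingerprint(url)
    prefix = fp[:PREFIX_LEN]
    if prefix not in local_prefixes:
        return False, b""
    return fp in full_hash_lookup(prefix), prefix

# Constructed sample blocklist for the demo (not real indicators).
SAMPLE_BAD_URLS = [
    "http://malware.example/dl/update.exe",
    "http://phish.example/login/",
]
LOCAL_PREFIXES = build_local_list(SAMPLE_BAD_URLS)
SERVER_LOOKUP = make_full_hash_server(SAMPLE_BAD_URLS)

if __name__ == "__main__":
    for u in ["https://www.example.com/", "http://malware.example/dl/update.exe"]:
        unsafe, sent = check_url(u, LOCAL_PREFIXES, SERVER_LOOKUP)
        print(f"{u}: unsafe={unsafe}, bytes sent to server={sent.hex() or 'none'}")
```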

You can read more about Safe Browsing in Google's Chrome Privacy Whitepaper and under the section Information Google receives when you use the Safe Browsing feature on Chrome or other browsers from the Chrome Privacy Notice.

Worth noting is that Google services, including Safe Browsing, set a Google Preferences (PREF) cookie, and this cookie has been revealed as one method the United States NSA uses to identify targeted computers. If the browser is set to delete cookies on exit, the PREF cookie will be removed, and if you block all cookies, PREF won't be set at all.

Microsoft's answer to Safe Browsing is SmartScreen, enabled in Internet Explorer from version 8 and both in IE and system-wide from Windows 8. Instead of blacklists like Safe Browsing, SmartScreen checks site addresses you visit against whitelists.

Sites not on the allowed list and addresses from which you've downloaded files are sent to Microsoft, and potentially search or form data too. URL info sent is TLS encrypted but is otherwise plaintext, not hashed, and SmartScreen also has metrics reporting. For more info, see SmartScreen Filter in the IE 11 privacy policy.

Device and browser fingerprinting

I've written on fingerprinting in the past. To put it simply, there are 2 main sides to mitigating fingerprinting: On one side is the totally default browser which, to hosting servers and curious scripts & plugins, looks just like every other default browser. On the other side are the hardened browsers with no plugins, JavaScript disabled and other security precautions taken.

A hardened browser, even if it is not an uncommon browser like Midori or Pale Moon, is still an uncommon configuration of a common browser, and that uniqueness makes it stand out. Unfortunately the best alternative as far as fingerprinting is concerned is a totally default browser. This is no solution though, because it's so hostile to security and privacy that the tradeoff isn't worthwhile for everyday use.

There are so many strange and esoteric ways of fingerprinting browsers and systems that you'll never be certain of fully stopping it. If even a minimal amount of browser and/or system fingerprinting is of great concern to you, use virtual machine snapshots or Linux live sessions to isolate different personas, as described on the previous page and in the fingerprinting link above. Make absolutely no changes to the browser in those sessions, so it appears as common as possible to the sites you access. When the snapshot is restored or the session is shut down, all data from that session is destroyed.


Chrom{e,ium}, Opera, etc.

Google's Chromium Projects gave us the open source Chromium browser and Chromium OS. It's Chromium (the browser) which all other Chromium-based browsers are built from, including Google Chrome and Opera (post-Presto).

General

chrome://settings

chrome://settings/content

chrome://flags

Considerations

General

About Google Chrome

If you use Chrome, know that there are actually two versions: the regular personal Chrome from google.com/chrome, and Chrome for Work. The main differences are that Chrome for Work can use administrative policies to restrict Chrome user profiles and is packaged as an offline .msi installer for Windows.

Disable TLS cipher suites still using RC4 and MD5.

You'll get a stronger cipher suite instead, but there will always be the chance of finding a site which forces you into RC4, though this should be rare even with half-reputable services. To disable them, you must use this command line switch and include the hex codes for the cipher suites you want to blacklist (see here for that). For Chromium on Linux, add the switch to CHROMIUM_FLAGS in /etc/chromium-browser/default instead of editing desktop files.
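An added example, not from the page: a Python helper that builds Chromium's --cipher-suite-blacklist= switch from IANA cipher suite codes and merges it into the CHROMIUM_FLAGS line of a Debian-style defaults file without clobbering switches already there. The four codes are the RC4 suites from the IANA TLS Cipher Suite registry; the defaults-file layout it handles is an assumption.

```python
import re

# Cipher suites Chromium should refuse, as codes from the IANA TLS Cipher Suite
# registry (the page says to use the hex codes). These four are the RC4 suites;
# 0x0004 is the one that also uses MD5. Assumed starting list, extend as needed.
RC4_MD5_SUITES = {
    "0x0004": "TLS_RSA_WITH_RC4_128_MD5",
    "0x0005": "TLS_RSA_WITH_RC4_128_SHA",
    "0xc007": "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    "0xc011": "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}
SWITCH = "--cipher-suite-blacklist="
CODE_RE = re.compile(r"^0x[0-9a-f]{4}$")

def build_switch(codes):
    """Return the switch with a validated, de-duplicated, sorted code list."""
    cleaned = set()
    for c in codes:
        c = c.lower()
        if not CODE_RE.match(c):
            raise ValueError(f"not a 4-digit hex cipher suite code: {c!r}")
        cleaned.add(c)
    return SWITCH + ",".join(sorted(cleaned))

def merge_into_flags_line(line, codes):
    """Merge codes into a CHROMIUM_FLAGS="..." line (assumed Debian layout),
    keeping other switches and any codes already blacklisted; append the
    switch inside the quotes if it is absent."""
    m = re.search(re.escape(SWITCH) + r"([0-9a-fA-Fx,]+)", line)
    existing = m.group(1).split(",") if m else []
    new_switch = build_switch(existing + list(codes))
    if m:
        return line[:m.start()] + new_switch + line[m.end():]
    body = line.rstrip("\n")
    if not body.endswith('"'):
        return body + " " + new_switch + "\n"
    body = body[:-1]
    sep = "" if body.endswith('"') else " "   # empty CHROMIUM_FLAGS="" case
    return body + sep + new_switch + '"\n'

if __name__ == "__main__":
    print(merge_into_flags_line('CHROMIUM_FLAGS="${CHROMIUM_FLAGS} --password-store=basic"\n',
                                RC4_MD5_SUITES), end="")
```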

Be wary of Chromium forks.

Some like Vivaldi and Yandex Browser focus on creating something new from the Chromium platform. Others, however, try to seduce you with claims of increased security and privacy when in actuality, they do nothing that Chromium and a few reliable extensions couldn't do. Less is more. In my experience, Chromium proper with several wisely selected extensions has always proven more stable, secure, private and less bloated than any of the privacy-focused Chromium forks.

I'm not saying your experience will be the same as mine or that all Chromium forks are cheap spinoffs. I'm just saying that if you choose to use a fork of Chromium, go beyond its homepage to investigate both the browser and its creator(s) before committing to the install. Otherwise, the best source for Chromium and a lot of general info about the browser is http://chromium.woolyss.com/.


Firefox & Friends

Of the big browsers, Firefox and its forks offer the highest potential for privacy through the many about:config settings. By default, Firefox also sets all plugins to "Ask to Activate" except for Adobe Flash and the Cisco OpenH264 codec; this is Firefox's Click to Play equivalent. Restart the browser for config changes to take effect.

General

Preferences > Privacy > History

about:config

Considerations


Internet Explorer 10+

With IE it's especially important to use the most recent version available to you. When you start IE for the first time, choosing the Recommended Settings will enable SmartScreen Filter.

Tools > Internet Options > General

Tools > Internet Options > Security

Tools > Internet Options > Privacy

Tools > Internet Options > Content > Autocomplete > Settings

Tools > Internet Options > Advanced > Security

Tools > Manage Add-ons > Toolbars and Extensions

Tools > Manage Add-ons > Search Providers

Tools > Manage Add-ons > Accelerators

Tools > Manage Add-ons > Tracking Protection

Considerations

In Tools > Internet Options > Safety


Safari 8+

General

Safari > Preferences > General

Safari > Preferences > AutoFill

Safari > Preferences > Search

Safari > Preferences > Security

Safari > Preferences > Privacy > Cookies and website data

Safari > Preferences > Advanced > SmartSearch Field

Considerations
