Top tips for safe browsing and online security
Web browsers are our gateway to the digital world. We spend hours in them every day, which makes them not only a vital tool for legitimate users, but also a valuable target for threat actors. Over the years, they have become a repository of credentials, cookies, web searches, and other juicy information that could be targeted by cybercriminals. Attackers can even use attacks on the browser to control your computer remotely and gain access to the network it is connected to. The threats go beyond malicious third parties. Many users may also feel slightly uncomfortable about third-party advertisers and others accessing and tracking their personal information through the browser. Fortunately, there is a lot you can do to manage these risks.
Top Browser Threats
There are many threats, some targeting browsers more directly than others. Here are some of the main ones:
- Exploitation of vulnerabilities in browsers or any plug-ins/extensions you may have installed. This tactic could be used to steal sensitive data or download additional malware. Attacks often start with a phishing email/message, or visiting a site that has been compromised or is controlled by the attacker (drive-by-download).
- Malicious plugins: There are thousands of plugins in the market, which users can download to enhance the browsing experience. However, many have privileged access to the browser. This means that malicious plugins spoofed to appear legitimate could be used to steal data, download additional malware and more.
- DNS poisoning: DNS is the Internet’s address book, converting the domain names we type into IP addresses, so that our browsers display the sites we want to visit. However, attacks on DNS entries stored by your computer, or on the DNS servers themselves, could allow attackers to redirect browsers to malicious domains like phishing sites.
- Session hijacking: Session IDs are issued by websites and application servers when users log on. But if attackers manage to brute force these IDs or intercept them (if they are not encrypted), then they could connect to the same sites/apps impersonating the user. From there, it is only a short step to stealing sensitive data and potentially financial details.
- Man-in-the-middle/browser attack: If attackers manage to insert themselves between your browser and the websites you visit, they might be able to alter traffic, such as redirecting you to a phishing page, delivering ransomware, or stealing credentials. This is especially true when using public Wi-Fi networks.
- Exploitation of web applications: Attacks such as cross-site scripting may target applications on your machine rather than the browser itself, but the browser is used to deliver or execute the malicious payload.
The privacy angle
These scenarios all involve malicious third parties. But let’s not forget the vast amounts of data that ISPs, websites, and advertisers collect about visitors every day as they browse the web.
Cookies are small pieces of code generated by web servers and stored by your browser for a period of time. On the one hand, they record information that can help make the browsing experience more personalized, for example by displaying relevant advertisements or ensuring that you do not have to log in to the same site several times. But on the other hand, they represent a privacy issue and a potential security risk, if hackers get hold of them to gain access to user sessions.
In the EU and some US states their use is regulated. However, when presented with a pop-up of options, many users simply click to accept the default cookie settings.
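As an added illustration (not part of the original article), the Python sketch below audits the `Set-Cookie` headers a site sends for the attributes that limit the session-theft and third-party tracking risks described above. The sample headers, the cookie-name hints and the function names are constructed for this example.

```python
# Constructed sample Set-Cookie header values (not captured from any real site).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/",
    "sid=9f8e7d; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Max-Age=31536000; Path=/",
    "auth_token=eyJ0; Path=/; Secure; SameSite=None",
    "track=u42; Domain=ads.example; Secure; SameSite=None",
]

# Assumption for this example: cookie names containing these hints carry a session.
SESSION_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs); attribute names lower-cased."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    return name, attrs


def audit_cookie(header):
    """Return (name, findings) for one Set-Cookie header value."""
    name, attrs = parse_set_cookie(header)
    is_session = any(hint in name.lower() for hint in SESSION_HINTS)
    findings = []
    if is_session and "secure" not in attrs:
        findings.append("missing Secure: may be sent over unencrypted HTTP")
    if is_session and "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by scripts in the page")
    if is_session and "samesite" not in attrs:
        findings.append("missing SameSite: cross-site behaviour left to browser default")
    if attrs.get("samesite") == "none":
        findings.append("SameSite=None: sent on cross-site requests (third-party use)")
    return name, findings


def audit_all(headers):
    return dict(audit_cookie(h) for h in headers)


if __name__ == "__main__":
    for cookie, issues in audit_all(SAMPLE_HEADERS).items():
        print(cookie, "->", issues or "ok")
```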
How to browse the web more securely
Users can do a lot to mitigate security and privacy risks when browsing the web. Some involve the browser directly; others are best practices that can have a positive ripple effect. Here are some key best practices:
- Keep your browser and plugins up to date to reduce the risk of vulnerabilities being exploited. Uninstall any outdated plugins to further reduce the attack surface.
- Only visit HTTPS sites (those with a padlock in the browser’s address bar), which means hackers can’t spy on the traffic between your browser and the web server.
- Be “phishing aware” to reduce the risk of browser threats delivered through email and online messages. Never reply to or click on an unsolicited email without verifying the sender’s contact information and do not transmit any sensitive information.
- Think before downloading apps or files. Always go through official sites.
- Use a multi-factor authentication app to reduce the impact of credential theft.
- Use a VPN from a reputable provider, not a free version. This will create an encrypted tunnel for your internet traffic to protect and hide it from third party trackers.
- Invest in multi-layered security software from a reputable vendor.
- Enable automatic updates on your operating system and device/machine software.
- Update browser settings to prevent tracking and block third-party cookies and pop-ups.
- Disable automatic password saving in the browser, although this will impact the user experience when logging in.
Most of the browsing tips above are optional and will depend on how strong your privacy concerns are. Some users are willing to accept a certain amount of tracking in exchange for a smoother browsing experience. However, the security tips (such as HTTPS, automatic updates and security software) are essential to reduce your exposure to cyber threats.
Phil Muncaster is Eset’s guest writer