In an earlier blog entry I kind of promised to come back to explaining how I try to be more secure about how I browse using Firefox. So here it is. First of all, there are two different setups: one is my PowerBook (laptop), which I bring with me and which therefore has a higher risk of being used by others (unauthorized) or, worst case, getting stolen. The other is my Mac Pro in my computer room, which doesn’t get used much by others, and when it does, only by those I trust. Regardless, in both situations unknown people might try to hack into the system from the outside or steal traffic via sniffing and such. Preventing abuse is impossible; making it harder is possible.
There are a few things I’d like to discuss. One is how I browse, trying to use an encrypted connection. The other is how I use (strong) passwords so that whatever information someone does gain can’t be used for much.
Regarding the latter, I have a strong and hard-to-guess password for logging into my computer systems. And I have a policy that each login has a unique password. So the login for my PowerBook won’t work on my web site, or my email, or online banking, or my other systems. Hopefully that limits the damage if there’s ever a breach.
More importantly, on the PowerBook I have Firefox set to use a Master Password. This is a built-in feature you can find through Preferences. It sets a single password that prevents others from accessing the passwords and certificates stored on your system in plain text (it also encrypts them). Without it, someone might somehow get access to that store and, using a Firefox extension, even export it to a single .xml file and walk away with it without your knowledge. Now they will be prompted to enter the password before even coming close to that. Also, when you open a login form on a web site for which you have saved details, it will now prompt for this master password first, before auto-populating the form. This means that if you leave the laptop, or it gets stolen, and someone else sits behind it, they can’t log in as you anymore.
If you travel a lot, are in school or at work, and take privacy and security seriously: turn this on. At the workstation at home I also have this turned on, but because nobody else is really using it I have set a weak password that’s easy to guess, to make it easier for me to use it constantly. I just don’t want to be stupid and risk someone exploiting me through some Firefox bug and remotely stealing all these details.
Also a note about security and browsing the web. My Mac Pro is set to store entered data for login forms, so I don’t have to freakin’ enter it every time I go to the sites I frequently visit. And there are sites where you can still set it to ‘never store it for this site’, which I use too as a precaution. But on the PowerBook I have it set to never store any of this data, again as a precaution against others sitting behind it and abusing it. For sites where security and privacy are not really an issue, like a random forum, blog or social site (read: not online banking or gmail), I have it set to store it.
Ok, a final note: once in a while I just clear my browsing history (the Mac Pro stores it, the PowerBook doesn’t), and every once in a while I clear my temporary files and my cookies. Oh, and also every once in a while I check whether there are Firefox extensions I no longer use, or that perhaps need an update. But usually the browser informs you if there’s an update.
Moving on to encryption. My router security is worth a separate blog post, so I won’t bore you with that right now, but it is set to use WPA for the wireless devices in my house. On the road the PowerBook uses a private, secure VPN connection from a well-known company, so I know my traffic is encrypted. Simply because there are still enough open wifi spots that don’t use encryption, and I don’t mind using them, but I do mind being on their network where they can capture traffic and such. I’d rather not fall for the trick of someone storing every bit and byte that I browse, enter, etc. when I use an open wifi spot from some hacker who opened his network for malicious reasons. It’s a VPN, and the Mac has a simple way of switching between the VPN connection and the normal connection.
Additionally, I browse sites over https:// where possible; I do this for example with Google Email (gmail.com). Not only the login but also the session that you open can be over SSL: just go to https://mail.google.com/ and you secure both the login and the session. Many sites with member areas offer this now, and if they don’t, just ask them in an email. This also motivates them to consider it for the future. Remember: plain text == others can read that, even if you think they can’t. And garbled text due to encryption == can’t be read by others, even if they have access to it.
So there you go, that’s how I browse online: trying to be smart about the data I enter in forms, using secured pages where possible, using a VPN when I am on the road, and WPA everywhere else for wifi if possible. And whether or not I store what I enter in forms, I use a Master Password in the browser to try to prevent others from abusing the auto-fill, or from reading it out in plain text.