In an earlier blog entry I more or less promised to come back and explain how I try to browse more securely with FireFox. So here it is. First of all, there are two different situations. One is my Powerbook (laptop), which I bring with me and which is therefore at a higher risk of being used by others (unauthorized) or, worst case scenario, being stolen. The other is my Mac Pro in my computer room, which doesn’t get used much by others, and when it is, only by people I trust. Regardless, in both situations unknown people might try to hack into the system from the outside, or steal traffic by sniffing and such. Preventing abuse entirely is impossible; making it harder is possible.
Over the last few years I have taken ‘being online’ a lot more seriously, especially the security side of it. Trojans, rootkits, viruses, naughty cookies, XSS exploits in sites and advertisements, and all that nasty stuff are now a day-to-day matter. Not to mention fraud, scams, spam and identity theft.
Particularly now that high-speed broadband keeps us ‘on’ 24/7/365. Participating in online communities, social networks, online loans, online banking, online dating, e-commerce, etc. brings risks with it.
Sure, you can run a bunch of software and add-ons to try and prevent all this, but that is a second line of defense. I think it is more important to start at the beginning: your first line of defense is your own browsing behavior.
Instead of just clicking through dialog windows, links on sites, and forms, as a user you should learn to take a second to read the screen and realize what is going on. And learn to say no. Don’t read emails you are not expecting, don’t follow links from emails, don’t click on dialog windows that should not pop up; things like that.
Aside from trying to improve my online behavior, I try to improve my own security, to lower the damage if something does go wrong. I make sure I use long, random, hard-to-guess passwords, one for each login. I try to pick a unique, less obvious login name if a web site supports this (and use a public, obvious screen name so people still recognize me easily).
I do not follow links from unofficial sites that point to (or claim to be) official sites. I open a new tab and type out the URL, or use my bookmarks. I do the same with emails: I never click on email links; I load a browser and type in the URL. This ensures I won’t accidentally click on a phishing link or an XSS exploit link for online banking, PayPal, eBay, and such. As for email, I try to limit myself to plain-text email only, avoiding HTML email as much as possible so that no naughty script can get through a filter. And as for attachments, I don’t even open them unless I am expecting someone to send me something.
For web sites I try not to store the passwords (‘remember me’ off) on the laptop, but for convenience I do use this on the workstation. As an extra layer of security I turned on the master password feature in FireFox, so no stored data is entered in any form unless I manually confirm it.
When I browse to sites where I have to log in and know the information is privacy sensitive, I try to use encrypted connections only. Before I explain that, I want to add that I hardly ever (almost never) use a public proxy, some other proxy, or a free VPN site to browse sites where I need to log in. I simply can’t be assured that my data is not mirrored to some naughty admin who will abuse it. So, where possible, I log in using https. This has an ‘s’ in the URL, instead of just http. The ‘s’ means the session is encrypted with the Secure Sockets Layer protocol, making the data unreadable to anybody snooping on the line (the man-in-the-middle idea).
For example, you could just type gmail.com in your browser and end up on your web mail. But I have a bookmark that brings me to https://mail.google.com and ensures that my login is encrypted, and that my mail browsing, composing and reading session is encrypted too.
Where possible, use https: Gmail uses it, online banking uses it and most payment sites use it.
Talking about sites where you can buy stuff: make sure the line is indeed secured and your session is over https. Your browser will display a small lock icon at the bottom of the window. Also, if you do enter your credit card details, make sure you’re doing this on the site of an official and well-known third-party card processor, and not in a normal web page on the company’s own web site. Why give them your name, number, security code and expiry date? Do you really trust them?
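The habit described above (type the URL or use a bookmark, insist on https, and make sure the host is really the one you mean) can be written down as a small check. The following is an added example, not the author's code or any add-on's: it takes a link and the service it claims to be for, and only accepts it when the scheme is https and the hostname matches an expected host exactly. The EXPECTED_HOSTS table is constructed for the example, and the bank hostname is a made-up placeholder, not a real site.

```python
# Added example for this post (not the author's code): decide whether a link
# really leads to the service you expect, over https, before following it.
# The EXPECTED_HOSTS table is constructed for the example; the bank hostname
# is a made-up placeholder, not a real site.
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

EXPECTED_HOSTS: Dict[str, Set[str]] = {
    # Gmail login and mail hosts, as the post's https bookmark uses.
    "gmail": {"mail.google.com", "accounts.google.com"},
    # Placeholder bank; replace with the hostname printed on your own statements.
    "examplebank": {"online.examplebank.test"},
}


def check_link(url: str, service: str) -> Tuple[bool, str]:
    """Return (ok, reason).

    ok is True only when the scheme is https and the hostname matches one of
    the expected hosts for the service exactly. An exact match, not a
    substring test, is what catches lookalike names such as
    'mail.google.com.something.test', where the real domain is at the end.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()   # .hostname drops userinfo and port
    if parts.scheme.lower() != "https":
        return False, "scheme is %r, not https" % parts.scheme
    if service not in EXPECTED_HOSTS:
        return False, "unknown service %r" % service
    if host not in EXPECTED_HOSTS[service]:
        return False, "host %r is not an expected host for %s" % (host, service)
    return True, "ok"


def safe_links(links: List[str], service: str) -> List[str]:
    """Filter candidate links down to the ones that pass check_link."""
    return [u for u in links if check_link(u, service)[0]]


if __name__ == "__main__":
    # Constructed sample links of the kinds the post warns about.
    samples = [
        "https://mail.google.com/mail/u/0/",
        "http://mail.google.com/mail/",               # not encrypted
        "https://mail.google.com.login-check.test/",   # lookalike domain
        "https://accounts.google.com/signin",
    ]
    for u in samples:
        print(check_link(u, "gmail"), u)
```

The table is the same thing as the author's bookmark list: you fill it once from URLs you typed yourself, and afterwards a link from a mail or an unofficial site is measured against it instead of against your memory.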
At this point you probably think ‘wow, this guy is paranoid’, and I might agree with you. But I’ve slowly learned how to adjust my online behavior, and it has helped me feel more secure and be more secure. Once you have changed the simple things, like unique passwords for accounts, not clicking links in mails and from unofficial sites, using https where possible, etc., you will quickly find it is second nature. I don’t even think about it anymore, really. And it leaves me more time to just open my mail client and read the emails I was expecting, instead of browsing through 75% garbage and risking getting infected. I just delete the garbage on the fly.
So, have fun improving your online security. Well, it’s not really fun, but it makes things easier for you. You will quickly find that you can tell the garbage from the real emails (sites, logins, etc.).
Feel free to register on the blog and leave a comment, suggestion or other feedback. And please come back to find another blog about how I secured my network / internet connection.
Update: Since 2010 I have moved to 1Password, because of its continued development, browser integration, and iOS support. Strongly recommended!
Since I moved away from Windows I’ve found myself wanting to be more organized in the way I store important information such as logins to web sites, private web addresses, shell accounts and whatnot.
In the past I’ve either written it down (with the risk of finding out the o might be an O or a 0, or simply being unable to find the paper, or … finding out that the password is now outdated), or I’ve just placed the details in plaintext documents. Those got spread over the directories on the computer or, even worse, spread over my local area network. A solution had to be found, if only to get the information organized, but also to improve security.
After trying a few programs that promised a) security, b) auto-filling of forms, and c) some unique features, I was simply not satisfied with the way they did things (or they were too expensive). Simple requirements are a single-file encrypted backup, the ability to create categories for personal, business, shells and web sites, and unique custom fields so I can have an entry for a URL or SSH port, aside from just title, login and password. One of my friends, Chris (chroder.com), also switched to the Mac and started to use info.xhead. I gave it a try, despite a lack of motivation at this point, and was pleasantly surprised: it basically has everything I want (without going into detail: what I would like on top is the ability to optionally store a file with an entry).
I’ve been using it for the last few months and have gotten used to it. It is at the point where, when I am on a system where it’s not installed, I really miss it and find myself troubled not having my details with me.
I’ve learned to simply take a few seconds and note down the information for a new blog login, a new shell account, a privacy detail from an email, and such, and then find I have direct access to it from one central point. I also find I keep the information up to date and that finding it is no hassle (in other words, it doesn’t disrupt my workflow).
The program is made by xheadsoftware.com and has a Mac feel to it. It’s easy to use, looks very clean and flexible, and properly integrates with Spotlight. It’s just $15, so certainly affordable for everybody. Once you open the program you can set it up the way you want: categories, entries and items are easy to manage. I believe it uses a 448-bit encryption method to secure the data. You secure the program with a single password, so if someone gets hold of this very important (central point of information) file with your private details, they will also need the password to get at it. Of course, if you forget that one password, you’re basically screwed.
A few additional cool features are .Mac support (so you can easily back up to .Mac and restore on another computer, which I did for my Powerbook) and data import. Other features that won me over are the one-click copy of data fields and the easy instant search. About the import, by the way: I exported the form data stored in FireFox with an add-on, converted this XML data to a CSV file with a spreadsheet program, and then imported it into info.xhead. Very cool, since I did not have to type over or re-add all those details. However, it would have been nice if .xml import were supported.
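The XML-to-CSV step above can also be done without a spreadsheet. The script below is an added example, not the author's procedure and not the real export format of any FireFox add-on: it parses a small, constructed XML export of saved logins and writes CSV with the title, url, login and password columns a password manager can import. The element names (entry, host, user, password) and the sample data are assumptions made for the example.

```python
# Added example for this post (not the author's script, and not the real
# export format of any Firefox add-on): parse a small XML export of saved
# logins and write it out as CSV with the columns a password manager can
# import. The XML layout and the sample data below are constructed.
import csv
import io
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMPLE_XML = """<entries>
  <entry>
    <host>https://mail.google.com</host>
    <user>someone@example.test</user>
    <password>sample-secret-1</password>
  </entry>
  <entry>
    <host>https://online.examplebank.test</host>
    <user>acct-1234</user>
    <password>sample, with comma and "quotes"</password>
  </entry>
</entries>
"""

# Target columns: title, login and password, plus a custom url field.
COLUMNS = ("title", "url", "login", "password")


def xml_to_rows(xml_text):
    """Turn each <entry> into a dict keyed by COLUMNS; entries without a host are skipped."""
    root = ET.fromstring(xml_text)
    rows = []
    for entry in root.iter("entry"):
        url = (entry.findtext("host") or "").strip()
        if not url:
            continue
        rows.append({
            "title": urlsplit(url).hostname or url,   # hostname makes a readable title
            "url": url,
            "login": (entry.findtext("user") or "").strip(),
            "password": entry.findtext("password") or "",   # passwords kept verbatim
        })
    return rows


def rows_to_csv(rows):
    """Serialize rows as CSV; the csv module quotes commas and doubles quotes for us."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(rows_to_csv(xml_to_rows(SAMPLE_XML)))
```

Letting the csv module do the quoting matters because a password containing a comma or a double quote would otherwise split into the wrong columns, which is exactly the kind of silent corruption that leaves you locked out later. The XML export and the intermediate CSV are plaintext copies of every login, so they should be deleted as soon as the import has been verified.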
Anyway, no more little files, little post-its, little entries on the whiteboard, outdated details on other systems, and whatnot. Just a quick little program that helps me get to my private data (which is now also secure) many times per day. Using the built-in password generator I have also improved my security, since I now use a lot more unique passwords per login that are very hard to guess and pretty damn long.
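What a generator like the one mentioned above has to get right is the source of randomness and the length. As an added example, not info.xhead's generator and not the author's code, the block below draws passwords from the operating system's cryptographic random source via Python's secrets module (the random module's Mersenne Twister is predictable and not meant for secrets), makes one distinct password per login name, and reports how many bits of entropy a given length buys. The login names in the demo are constructed.

```python
# Added example for this post (not info.xhead's generator): build long, unique,
# random passwords from the OS CSPRNG and report how much entropy a length buys.
# secrets, not random, because random's output is predictable and unfit for secrets.
import math
import secrets
import string

# 26 + 26 + 10 + 32 = 94 printable ASCII characters, excluding space.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length, alphabet=ALPHABET):
    """Bits of entropy for a password of this length chosen uniformly from alphabet."""
    return length * math.log2(len(alphabet))


def generate_password(length=24, alphabet=ALPHABET):
    """Return a password of `length` characters drawn uniformly from alphabet."""
    if length < 12:
        raise ValueError("length must be at least 12")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet needs at least two distinct characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def unique_passwords(login_names, length=24):
    """One fresh password per login name; a repeat would defeat the one-per-login rule."""
    out = {}
    for name in login_names:
        pw = generate_password(length)
        while pw in out.values():      # astronomically unlikely, but cheap to rule out
            pw = generate_password(length)
        out[name] = pw
    return out


if __name__ == "__main__":
    for n in (12, 16, 24, 32):
        print(n, "chars ->", round(entropy_bits(n), 1), "bits:", generate_password(n))
    # Constructed login names for the demo.
    for name, pw in unique_passwords(["blog-admin", "shell-box1", "webmail"]).items():
        print(name, pw)
```

At 94 characters each position contributes about 6.55 bits, so 12 characters give roughly 79 bits and 24 give about 157; the "pretty damn long" passwords the post ends up with are what makes offline guessing against a stolen database hopeless, and storing them in the manager is what makes that length practical.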
I don’t know why having a Mac makes you want to be more organized with even the littlest of things, like managing private details, but in the end it helped me speed up and smooth out my workflow. And that can’t be a bad thing, right?
In a few future blog entries I will tell more about how I secure my system, network, and internet things such as email, ssl and FireFox.