In a few of my other blog posts I have already used the example of Gmail and https to improve security. But I feel with the recent improvements Google introduced that it is time to emphasize security and email again.
In an earlier blog entry I more or less promised to come back and explain how I try to browse more securely with Firefox. So here it is. First of all, I do this in two different ways: one on my PowerBook (laptop), which I carry with me and therefore runs a higher risk of being used by others (unauthorized) or, worst case, of being stolen; and one on my Mac Pro in my computer room, which hardly gets used by others, and when it does, only by people I trust. Regardless, in both situations unknown people might try to hack into the system from the outside or steal traffic by sniffing and such. Preventing abuse is impossible; making it harder is possible.
Over the last few years I have taken ‘being online’ a lot more seriously, especially the security aspect. Trojans, rootkits, viruses, naughty cookies, XSS exploits in sites and advertisements, and all that nasty stuff are now a day-to-day matter. Not to mention fraud, scams, spam and ID theft.
Particularly now that we are ‘on’ 24/7/365 thanks to high-speed broadband internet. Participating in online communities, social networks, online loans, online banking, online dating, e-commerce, etc. brings risks with it.
Sure, you can run a bunch of software and add-ons to try to prevent all this, but that is a second level of defense. I think it is more important to start at the beginning: your first line of defense is your own browsing behavior.
Instead of just clicking through dialog windows, following links on sites and entering details in forms, you should learn to take a second to read the screen and realize what is going on. And learn to say no. Don’t read emails you are not expecting, don’t follow links from emails, don’t click on dialog windows that should not pop up; things like that.
Aside from trying to improve my online behavior, I try to improve my own security to limit the damage if something does go wrong. I make sure I use hard-to-guess, long, random passwords, one for each login. Where a web site supports it, I try to pick a unique, less obvious login name (and use a public, obvious screen name so people still recognize me easily).
I do not follow links from unofficial sites that point to (or claim to be) official sites. I open a new tab and type out the URL or use my bookmarks. I do the same with emails: I never click on email links; I load a browser and type in the URL. This ensures I won’t accidentally click on a phishing link or an XSS exploit link for online banking, PayPal, eBay and such. As for email, I try to limit myself to plain-text email only, avoiding HTML emails as much as possible so that no naughty script can get through a filter. And as for attachments, I don’t even open them unless I am expecting someone to send me something.
For web sites I try not to store the passwords (‘remember me’ off) on the laptop, but for convenience I do use this on the workstation. As an extra layer of security, though, I turned on the master password feature in Firefox, so no data is entered in any form unless I manually confirm it.
When I browse to sites where I have to log in and know that the information is privacy sensitive, I try to use encrypted connections only. Before I explain that, I want to add that I hardly ever (almost never) use a public proxy, some other proxy, or a free VPN site or the like to browse sites where I need to log in. I simply can’t be assured that my data is not mirrored to some naughty admin who will abuse it. So, where possible I try to log in using https. This has an ‘s’ in the URL instead of just http. The ‘s’ means the session is encrypted with the Secure Sockets Layer protocol, making the data unreadable to anybody snooping on the line (the man-in-the-middle idea).
For example, you could just type gmail.com in your browser and end up in your web mail. But I have a bookmark that brings me to https://mail.google.com and ensures my login is encrypted and my mail browsing, composing and reading session is encrypted.
Where possible, take and use https: Gmail uses it, online banking uses it and most payment sites use it.
Talking about sites where you can buy stuff: make sure the line is indeed secured and your session is over https. Your browser will display a small lock icon at the bottom of the window. Also, if you do enter your credit card details, make sure that you are doing so on a well-known, official third-party CC processor site, and not in a normal web page on the company’s own web site. Why give them your name, number, security code and expiry date? Do you really trust them?
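The habit described above (type the URL or use a bookmark, insist on https, and look at the address before logging in) can be written down as a check. The script below is an added example, not code from the original post; it assumes a small constructed allow-list of login hosts (mail.google.com, www.paypal.com, www.ebay.com) standing in for the reader's own bookmarks, and it rejects the usual disguises a phishing link uses: plain http, a trusted name placed before an `@` so the real host comes after it, a trusted name buried inside a longer domain, non-ASCII lookalike letters, and unusual ports.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example: the login hosts the post mentions,
# as a user would keep them in bookmarks or type them by hand (assumption).
TRUSTED_LOGIN_HOSTS = frozenset({
    "mail.google.com",
    "www.paypal.com",
    "www.ebay.com",
})


def check_login_url(url, trusted_hosts=TRUSTED_LOGIN_HOSTS):
    """Decide whether a URL is safe to use for a login.

    Returns (ok, reason). ok is True only when the scheme is https, the host
    is exactly one of the trusted hosts, and none of the usual disguises are
    present (credentials before the host, non-ASCII lookalike letters,
    unusual ports, or a trusted name buried inside a longer domain).
    """
    parts = urlsplit(url.strip())

    # 1. Plain http means the session is readable by anyone on the line.
    if parts.scheme != "https":
        return False, "not https"

    # 2. "https://mail.google.com@evil.example/" parses mail.google.com as a
    #    username; the real host is whatever follows the '@'.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before host (phishing trick)"

    host = parts.hostname  # lower-cased, with userinfo and port stripped
    if not host:
        return False, "no host"

    # 3. Non-ASCII letters (e.g. Cyrillic 'а') can imitate a familiar name.
    if not host.isascii():
        return False, "non-ASCII host (possible homograph)"

    # 4. A port other than 443 is not what a bookmark to the real site uses.
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 443):
        return False, "non-standard port"

    # 5. Exact match only: "mail.google.com.evil.example" is a different site.
    if host not in trusted_hosts:
        return False, f"host {host!r} is not a bookmarked login host"

    return True, "ok"


def triage(urls, trusted_hosts=TRUSTED_LOGIN_HOSTS):
    """Run the check over a batch of links (e.g. pulled out of an email) and
    return {url: reason} for every link that should not be clicked."""
    rejected = {}
    for url in urls:
        ok, reason = check_login_url(url, trusted_hosts)
        if not ok:
            rejected[url] = reason
    return rejected


if __name__ == "__main__":
    # Constructed sample links, the kind a phishing mail might carry.
    sample = [
        "https://mail.google.com/mail/",
        "http://mail.google.com/",
        "https://mail.google.com@evil.example/",
        "https://mail.google.com.evil.example/login",
        "https://www.p\u0430ypal.com/",          # Cyrillic 'а' in place of 'a'
        "https://www.ebay.com:8443/signin",
    ]
    for url, reason in triage(sample).items():
        print(f"REJECT {url}  ({reason})")
```

The exact-match rule in step 5 is deliberate: allowing any subdomain of a trusted name would also accept `mail.google.com.evil.example`, because the trusted string is a prefix there, not a suffix. Comparing the whole host against the bookmark list is the programmatic version of typing the address yourself.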
At this point you probably think ‘wow, this guy is paranoid’, and I might agree with you. But I’ve slowly learned how to adjust my online behavior, and it has helped me feel more secure and be more secure. Once you have changed the simple things, such as unique passwords for accounts, not clicking links in mails and from unofficial sites, using https where possible, etc., you will quickly find it is second nature. I don’t even think about it anymore, really. And it gives me more time to just open my mail client and read the emails I was expecting, instead of browsing through 75% garbage and risking getting infected. I just delete the garbage on the fly.
So, have fun improving your online security. Well, it’s not really fun, but it does make things easier for you. You will quickly find that you can tell the garbage from the real emails (sites, logins, etc.).
Feel free to register on the blog and leave a comment, suggestion or other feedback. And please come back to find another blog about how I secured my network / internet connection.