Chapter 7
Protecting Your Web Browsing
For most of us, browsing the internet, or “surfing the world wide web,” is one of the top uses for our personal computer, tablet, or smartphone. Whereas in the physical world, it is relatively easy to distinguish good neighborhoods from bad, in the virtual world different neighborhoods, businesses, and even countries are all just a click away from each other. It is easy to confuse www.organization.gov (a government organization site), www.organization.com (a private company site), and www.organization.org (a potential nonprofit site). And those sites are just a few examples. There are also websites ending in “.info,” “.biz,” and country code websites like “.us” for the United States and “.ru” for Russia, to name just two of more than two hundred.
When we surf the web, we do not know when we are going to end up in a bad neighborhood, or when our favorite website may turn against us through a malicious ad, a malicious link in a friend’s posting, or a malicious e-mail. Search engines are amazing tools, but even innocuous searches can easily turn up content we would not want to share with our families. Safe web browsing involves avoiding the disreputable corners of the web, recognizing them when we stumble into them, and protecting ourselves when we find ourselves being attacked.
This chapter describes how you can use your computer to browse the web safely, and reduce risk to your computer, your data, and your privacy.
How the Web Works
To establish a presence on the internet, a person or business can do one of two things:
–Establish an identity online, like an e-mail address or a personal web page, using an established internet service like Facebook or Yahoo.
–Obtain a domain name and deploy a web server to display web pages that appear when people type that domain name into their web browser.
The first approach is free or inexpensive, while the second approach may require an investment ranging from a couple of dollars for a basic site to millions of dollars for a large, complex website able to support large numbers of users. In general, anyone can obtain any internet name they want, so long as it is available.
The end of the domain name is significant. It is called a top-level domain (TLD). The most common TLDs used in the United States are “.com,”.org,” and “.gov,” but there are over a thousand TLDs supporting infrastructure, business, nonprofits, and individual countries. Because of the large number of TLDs, it is difficult for legitimate organizations to control all possible versions of their names online. At the same time, it is relatively easy for attackers to register names similar to legitimate organization names. Attackers frequently use this similarity in names to trick internet users and take advantage of them.
When you type in the name of a website—like www.google.com—several things happen. First, your computer asks your network provider for an internet protocol address corresponding to www.google.com. This address is like a telephone number, and allows the computers to talk to one another. Once your computer has the address, it sends a request over the internet to the computers at Google, asking to see their website. Computers at Google then reply to your computer by sending the contents of the page. Similarly, when you click on links in an internet search result, your computer connects to other computers at other organizations to obtain the desired web pages.
Just as criminal elements in the physical world tend to set up shop in the shadows of the underworld, criminal elements set up shop on the internet as well. In practice, what has emerged over time are three distinct internets, all sharing the same global network and able to communicate with each other:
–The reputable internet, representing legitimate organizations and businesses intending to perform legitimate business, service, and commerce online.
–The disreputable internet, using the legitimate internet to conduct criminal and unethical activity, including fraud, theft, and extortion.
–The dark web, using internet technologies but operating hidden, private communities built to avoid infiltration by competing interests and the authorities.
The dark web is hidden from view and we are unlikely to stumble on it by accident, but a simple typo in the name of an e-commerce site can land you in the disreputable internet quite easily. In the next few sections we describe how the disreputable internet may target you and your computer.
Using Web Communication Protocols: HTTP versus HTTPS
Another important concept in how the web works is the concept of web security. In general, when you type the name of a site, or fill out a form on the web, the text you type is sent in the clear to the computer at the other end of the connection, and that computer’s response is sent in the clear back to you. If you are typing in your username and password for your checking account, or the bank’s website is sending you your checking account data, that information would be visible to everyone on the internet between your computer and the bank’s computer. The protocol used for the “clear” connection, called hypertext transmission protocol (HTTP) does not inherently protect the information that is being transmitted.
Obviously, having your personal information transmitted over the internet in the clear so everyone can read it is not preferred. So, the internet designers extended the HTTP protocol to include security and called it the hypertext transmission protocol secure (HTTPS). When you type or see https:// at the beginning of a website name, you know the web browser is establishing a secure connection to the computer at the other end, and then using that secure connection to transmit and receive your information in a secure fashion.
To use web protocols for safe web browsing, you should consider the following:
–Watch your browser bar. At the top of your web browser window, there is an address bar that shows exactly where on the internet you are, and contains the web protocol, the DNS name for the site, and the specific page within the site. When you are using a secure connection, the address starts with https:// and you may also see the bar show a “physical lock” icon to the left or the right of the address. Under some circumstances, the bar may turn green to indicate a secure connection, or red to indicate an insecure connection (this indication depends on the browser and website).
–Make sure your connection is secure. If you are doing anything secure or private—including entering credentials, accessing personal information, or doing e-commerce—make sure your connection is secure. Today, most sites doing anything personal or sensitive use security, and you should expect it.
–Do not enter passwords into insecure sites. You should never, never, never be asked to enter a password into a site that is not using https:// protection! The only exception to this rule is small websites for your neighborhood or friends (although even they should be able to secure their login pages). If you think the site is okay based on conversations with your neighbors or friends, use a unique password that you do not mind getting compromised, and do not share that password with other websites.
–Beware of certificate problems. Occasionally, you may encounter a secure website that has a problem with its certificate. Your browser may give an error message saying that the website’s security has a problem. This error can indicate a technical problem with a legitimate website, or it can indicate malfunctions associated with various types of cyberattacks. Avoid using sites when this problem occurs.
Avoiding Malicious Sites, Malvertising, and Pop-Ups
At the heart of web attacks are malicious websites and malvertising. Malicious websites are built and operated by attackers intending to attack computers that come to them. These sites may contain useful information, offer free software downloads, or be included in an e-mail campaign as a “recommended” destination for you to access. The key here is the sites are built and operated by the attackers. Some attackers operate campaigns that stand up and tear down dozens of websites a day, all fully automated. This automation allows attackers to stay ahead of authorities trying to shut their sites down.
Malvertising is somewhat more insidious than malicious websites because it involves creating malicious web advertisements and using the advertisements to attack viewers of legitimate sites. The problem here is when a web page includes advertisements, those advertisements are “mini web pages” embedded into a larger web page. They use the same technologies and capabilities to display the advertisement as a full web page, and so they can use the same techniques to attack the viewer as a malicious website. The most reputable advertisers–– like Google and Microsoft––go to great lengths to block such malvertising, but smaller advertisers are not so diligent and clever attackers may find workarounds to their protections.
In both cases, you may see malicious pop-up or pop-under windows. Pop-ups are when a website opens another web browser window over the top of the one you are currently looking at. Pop-unders are when a website opens another web browser window underneath the one currently open. In both cases, the new window has access to your computer to display material, play sounds, and possibly to access your peripherals like hard drives, cameras, and microphones. The most malicious pages create pop-ups that reappear every time you try to close them, forcing you to kill the program or reboot your computer to make the pop-ups go away. These windows often contain messages associated with some internet scam seeking to get your private information or payment.
Finally, attackers sometimes compromise legitimate websites and turn them to their use. There have been several cases of cyberattacks that compromised internet retailer sites and used the compromised sites to collect usernames, passwords, and credit card numbers. These attacks are usually conducted stealthily, so the site operators do not know they are compromised. As a user, you most likely only find out about the compromised retailer sites when the press reports the compromise, or if you see abuse of your accounts like invalid logons or fraudulent credit card charges.
To avoid malicious sites, malvertising, and pop-ups for safe web browsing, you should consider the following:
–Use web security. Many computer security antimalware packages also include web security features (these packages may also include family web filters such as parent controls). Enable these features to help you catch malicious sites and protect your computer from malicious attack or malvertising.
–Know where you are on the internet. As you browse the web, know where you are on the internet. It is very easy to start clicking on links and realize you are on web pages you have never heard of and never been to before. Stick with legitimate websites you know and trust and be cautious of links that take you to pages on other websites.
–Watch out for typos and imposters. Attackers frequently buy up web domains that are just one typo away from legitimate domains—like “www.microsft.com” (instead of www.microsoft.com), and then use that site for malicious purposes. The imposter site may look exactly like the legitimate site, to try to trick you into entering your credentials.
–Do not search for free stuff. Searching the internet for free copies of software, movies, music, or e-books is a good way to stumble into the disreputable internet. Sites hosting this pirated and copyrighted content know they are committing a crime, which means they probably do not mind hacking their visitors, either. Just like visiting “the bad part of town,” the shadier your intentions are online, the more likely the websites you visit will be shady as well.
–Be cautious of ads for products and services you have never heard of. While lots of advertising serves useful purposes to educate potential customers, malicious ads are just “covers” for their true intentions. Malvertisers may advertise phony products they just made up to try to get you to click on their ad and go to their site.
–Do not call technical support. Malicious sites and pop-ups may tell you your computer has been infected or you have performed a crime, and you need to call immediately a technical support phone number. Do not make the technical support call! These numbers send you to call centers that specialize in compromising your computer and getting you to pay them fraudulent fees for help you do not actually need.
–Avoid pop-up purgatory. The worst pop-ups appear and then will not let you close them until you click a link within the page. Do not click! Instead, close the window from the operating system—in Windows, right-click in the taskbar and select close, or click “Ctrl, Alt, Delete” and use the Task Manager to close the window. If those approaches do not work, close out your other work and reboot your computer to make the pop-up window go away.
–Watch out for pop-unders. When a site creates a pop-under, you may see your screen flash before the window disappears. You may also see an additional window appear in your task bar or icon dock. When such activities occur, check them out and close them. Also, double-check where you are in your main window to make sure you have not stumbled onto a malicious site.
–Watch out for installers. The most dangerous sites try to install programs when you open the web page. They may masquerade this behavior, saying “we need to install a media player” or presenting other deceiving messages. Generally, no legitimate web page should need you to install additional software to view their page, unless the requirement is clearly marked and explained (such as for a special viewer or other unusual feature). If you see this behavior, stop what you are doing and double-check everything to be sure it is legitimate before you install.
–Watch out for system administration. Similarly, no website should require administrative privileges to show its content to you. If you are browsing the web and your operating system asks if you want to allow systems administration, click “no” and immediately close your browser! The site is most likely trying to hack your computer.
–Some attacks may be persistent. Some sites may succeed in installing software onto your computer or changing your home page, so their pop-ups continue even after you have closed all your browser windows and rebooted your computer. If this situation occurs, get professional help to remove the malware and clean up your system.
Using Web Browser Security and Plug-Ins
Your first line of defense when you stumble into the disreputable internet is your web browser. Web browsers may use “browser plug-ins” to enable additional functionality like the ability to click on a word and get its definition or to show a miniature version of a target web page when you hover over a link. There are a dizzying number of plug-ins available to enable all sorts of additional capabilities as you browse the web.
To use web browser security and plug-ins for safe web browsing, you should consider the following:
–Choose a good browser for you. All web browsers are not created equal and some browsers are more secure than others. For example, Internet Explorer on Windows may be needed for older websites with compatibility issues, but it has many known security vulnerabilities that do not make it suitable for general web browsing. On the other hand, Google’s Chrome browser works best with Google’s accounts and online tools. Microsoft’s “Edge” browser is built into Windows 10 and designed for speed and security, and Apple’s “Safari” browser is built into iOS and MacOS devices. There are also open source web browsers like Firefox and Chromium. Weigh the tradeoffs and pick the right browser for the application—you may find yourself using multiple browsers, each best suited for a different purpose.
–Make sure your browser is up-to-date. Browsers are updated regularly to add functionality, fix bugs, and address security issues. Make sure your browser is fully-patched before you go to a new website! Patches may be through your operating system, through the browser, or automatic in the background. For example, Windows 10 automatically checks for patches and automatically downloads and installs the patches to keep the Edge and Internet Explorer browsers up-to-date. Other browsers usually have automatic update features—make sure they are enabled. If your browser has been recently updated, you may need to restart it to start using the latest version.
–Watch your home page. Another common attack vector is your home page. Sneaky attackers may change your home page to a counterfeit page that looks just like a legitimate home page like msn.com, yahoo.com, or google.com, but the counterfeit page is malicious. Make sure the home page looks right, that it uses web security (https), and that the address is correct (look for typos). If your home page is changed without your knowledge, it may be a sign your computer has been compromised.
–Pay attention to plug-ins. Plug-ins may also be called extensions or browsing helpers. Regardless, these tools can add significant functionality to your browser but are also a potential attack vector. Only install plug-ins you know, trust, and need, preferably obtained directly from the vendor. Occasionally check your plug-ins to make sure they are what you expect them to be. Remove plug-ins that are not expected or no longer needed, following the web browser documentation.
–Make sure you are protected. If your computer security software includes web filtering or website security, make sure the browser you are using is supported by that software (not all browsers may be). Most likely, the browser security is implemented using a plug-in from the computer security manufacturer. Make sure it is installed and enabled.
Protecting Your Browsing History
Remember that your browser knows where you have been! Web browsers maintain files and databases where they remember every page you visit and when you visited them. While this browsing history can be useful when you want to go back to a page you visited days or weeks ago, it also means your computer has a record of everywhere you have been and everything you have done. This history may be concerning, from a privacy perspective.
To protect your web browsing history for safe web browsing, you should consider the following:
–Check your browsing history. Occasionally, you should go into your browser and check your browsing history. If you see signs of visits to sites you have never heard of, or sites that may be malicious, then your browser or computer may have been compromised. Of course, another possibility is that another person has been using your computer.
–Clear your browsing history and cache. When your privacy is a concern, go into your browser and clear your browsing history. You should also clear your browser’s cache. The cache is a storage area on your computer where the browser keeps temporary copies of websites and page data, so sites can download faster the next time you visit them. Instructions on how to clear the browser’s history and cache are easily found online.
–Watch out for kiosks. Kiosk computers may keep the browsing history of every person who has used the kiosk, and you may or may not be able to clear the history when you are at the computer. If you can, clear your browser history and restart the computer after you use it, or at least logout of the kiosk service.
–Remember bookmarks. In addition to your browsing history, you can bookmark websites that you like for easy return. If you are concerned about your privacy, check your bookmarks and bookmarks that are sensitive or inappropriate.
–Your history in the cloud. Finally, remember many things you do online, particularly web searches, are stored in the cloud and may be directly associated with your online identity. For maximum privacy, go online and clear your history there, as well. Instructions for doing this are available from your search provider or cloud service.
Downloading Software Safely
While setting up your computer, you may find yourself going to websites to download and install software. Such software can include office productivity, utilities, and games. Software may come from manufacturer sites like microsoft.com or apple.com, software stores like amazon.com, or “freeware” software repositories like cnet.com. When you download and install software, you open the possibility of completely compromising your computer. Software installation frequently requires bypassing many of the computer’s security mechanisms like administrator permissions and web firewalls. It involves bringing new code in from the internet and making that code able to run on your computer, pretty much at any time.
To download software safely from the web, you should consider the following:
–Get software from legitimate sources. Make sure the software you are downloading is from a legitimate source. For example, if you are downloading a software driver, make sure you are getting it from the manufacturer’s website. Avoid driver “compatibility” sites that purport to scan your computer and find “missing” drivers, as these are often malicious. If you are downloading a game, make sure you are getting it from the game maker’s website, not a copycat or imitation site. Where possible, get your software from “app stores” like the Microsoft or Apple stores, or your Linux distributor’s online repository.
–Watch out for “repackaged” software. Attackers may download or pirate software, attach malware to it, and then repost it to software repositories. The resulting software will install properly and run properly, but unbeknownst to you the attached malware compromised your computer while it was installing. This situation is especially common with pirated versions of commercial software that should have been purchased in the first place.
–Use antimalware scanning. Make sure your antimalware software is installed and running when you download and install software from the internet. Some antimalware packages will scan installation files for malware before you install them, either automatically, or by right-clicking on the install file. Use these features if you have them available.