If your computer is infected, malware can spread to your website by stealing the credentials saved in your text editor or FTP client, or by tampering with the files you upload. Weak passwords are vulnerable to brute force attacks, and using unsecured networks to access the internet exposes your traffic to anyone else on that network.
As a website owner, you have to consider the broader impacts of your overall security posture. Practicing security in every aspect of digital communication will ultimately protect you, your website and visitors.
This post is the first in a series of personal security guides that can be used to strengthen your online defenses.
The First Line of Defense – Browsers
The web browser is one of the most common infection vectors for computers and other devices. Malicious email attachments and links are still a problem, but a large share of viruses, ransomware and unwanted programs are delivered by visiting hacked or malicious websites.
Making sure your browser is properly configured and locked down matters regardless of the operating system you use.
1. Choosing a Browser
Not all browsers are created equal. Most offer built-in options that can greatly improve security, but some browsers exist mainly to satisfy a platform requirement or to collect personal information.
For example, Microsoft and Apple needed to ship browsers (IE/Edge and Safari) so that users of their devices could access the internet. Nowadays, many people use these browsers only long enough to download Google Chrome or Firefox as an alternative.
Google Chrome is the most popular browser today. Its security is strong, but privacy is a different matter: Google tracks your browsing behavior and user data to build a marketing profile of you. That profile feeds Google's advertising network, allowing advertisers to target you with ads you are likely to be interested in.
I use Mozilla Firefox because it is open source, offers more security extensions, and has fewer privacy issues than other browsers.
I have also tried various privacy-and-security-focused browsers based on Chromium. The problem is that when Chromium ships a security fix, these spinoff browsers can take weeks to incorporate it. Until they do, your browser carries publicly known vulnerabilities and you are at the mercy of the developer to release an update.
2. Browsing Settings and Preferences
For this section, I will focus on tweaking the Firefox Preferences panel for added security and privacy. Many of these steps can be replicated in other browsers, and the significance of each option is explained.
i. Updates
First, go to Firefox > About Firefox and make sure it says Firefox is up to date, so you know you are running the current version. As with your website, keeping all software updated ensures you have the latest security patches.
Under Firefox > Preferences > Advanced > Update, select Automatically install updates (recommended: improved security) and also check the box to keep search engines updated, so your search plugins receive fixes too.
ii. Certificates
Some websites ask you to identify yourself with a personal (client) certificate. To ensure this certificate isn't handed out automatically, which would let any site that asks learn who you are, go to Advanced > Certificates and change When a server requests your personal certificate to Ask me every time.
To make sure the TLS certificates of the sites you visit have not been revoked, also check Query OCSP responder servers to confirm the current validity of certificates. Note that by default Firefox treats an unreachable OCSP responder as a pass (a soft fail), so this check protects you against a revoked certificate but not against an attacker who can also block your path to the responder.
iii. Data Protection
Still within the Advanced preferences, under Data Choices I have all boxes unchecked. This stops Firefox from sending telemetry, health reports and crash reports about my usage to Mozilla.
iv. Redirect Protection
By default, a page can redirect or reload itself automatically, and a hacked site can use this to bounce you to a malicious page without any action on your part. Under Advanced > General, check Warn me when websites try to redirect or reload the page. Firefox then blocks the automatic redirect or reload and shows a notification bar, so the new content only loads if you click Allow. This covers meta-refresh style redirects and automatic reloads; it does not stop ordinary HTTP redirects sent by the server.
3. Security Settings and Preferences
Under Firefox Preferences > Security, I have the first four boxes selected: Warn me when sites try to install add-ons, Block dangerous and deceptive content, Block dangerous downloads, and Warn me about unwanted and uncommon software. Together these defend against phishing, drive-by downloads and unwanted software; the last three are backed by Google's Safe Browsing lists.
Next, click the Exceptions button next to Warn me when sites try to install add-ons and remove every site listed there (including the Mozilla sites). That way you always have to grant permission before a site can install an add-on in your browser.
Under Logins, make sure both boxes are unchecked, then click the Saved Logins button and remove anything stored there.
Keeping passwords stored in your browser is NEVER a good idea. Browsers keep them in a form that anything running under your user account can read: Firefox, for example, encrypts its saved logins with a key stored right beside them unless you set a master password, and malware that lands on the machine routinely scrapes these stores to compromise your accounts. Use a dedicated password manager instead! I will cover that in my next post about account security.
The screenshot below shows how I have the Privacy section configured. This includes enabling Tracking Protection and using custom settings for handling browser history. By keeping cookies only until Firefox closes, every active login session ends with the browser, which shrinks the window in which a stolen session cookie can be used for session hijacking.
Under Content, I have Block pop-up windows checked and, once again, cleared everything listed under the Exceptions button.
For Search, I have removed all search engines and added StartPage as the default and only search engine. Some security-minded people prefer DuckDuckGo, which also handles user privacy much better than mainstream search engines.
In the final set of General preferences, check the box to Always check if Firefox is your default browser. Personally, for When Firefox starts I have Show a blank page selected. We have seen cases where website infections modified victims' browser history, and this setting ensures you always open to a fresh page rather than restoring whatever was open before.
4. Add-Ons and Extensions
Under Firefox Tools > Add-ons > Services, I have nothing installed.
Under Add-ons > Plugins, the only entry I have is the OpenH264 video codec provided by Cisco, and it is set to Never Activate. Many users have Shockwave Flash and other plugins listed here. I recommend removing or disabling them, especially Flash, which has a long history of critical vulnerabilities abused by drive-by download kits. At the very least, set them to Ask to Activate so nothing runs until you approve it.
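The settings walked through in sections 2 to 4 can also be pinned in a profile's user.js file, which Firefox reads at startup and applies to about:config. The block below is an added example and not part of the original post: each user_pref line is the about:config equivalent of one panel option above, as the preferences were named in Firefox at the time this was written, and the comment on each line notes the default it replaces. The profile path and the Flash plugin entry are assumptions for illustration; check your own Add-ons > Plugins list before copying that line.

```js
// user.js: one user_pref(name, value) per about:config preference, applied at startup.
// Place it in the profile folder (assumed path on Linux: ~/.mozilla/firefox/<profile>/user.js).

// i. Updates
user_pref("app.update.auto", true);                     // automatically install updates
user_pref("browser.search.update", true);               // keep search engines updated

// ii. Certificates
user_pref("security.default_personal_cert", "Ask Every Time"); // default: "Select Automatically"
user_pref("security.OCSP.enabled", 1);                  // query OCSP responders for revocation
user_pref("security.OCSP.require", true);               // default: false (soft fail); true refuses the
                                                        // connection when revocation cannot be checked

// iii. Data Choices: send no telemetry or health reports to Mozilla
user_pref("datareporting.healthreport.uploadEnabled", false);
user_pref("toolkit.telemetry.enabled", false);

// iv. Redirect protection: "Warn me when websites try to redirect or reload the page"
user_pref("accessibility.blockautorefresh", true);      // default: false

// 3. Security panel: the "first four boxes"
user_pref("xpinstall.whitelist.required", true);        // warn when sites try to install add-ons
user_pref("browser.safebrowsing.phishing.enabled", true);   // block deceptive content
user_pref("browser.safebrowsing.malware.enabled", true);    // block dangerous content
user_pref("browser.safebrowsing.downloads.enabled", true);  // block dangerous downloads
user_pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", true); // warn about unwanted software
user_pref("browser.safebrowsing.downloads.remote.block_uncommon", true);             // ...and uncommon software

// Logins: never let the browser store passwords
user_pref("signon.rememberSignons", false);             // default: true

// Privacy: tracking protection, session-only cookies, clear on shutdown
user_pref("privacy.trackingprotection.enabled", true);  // default: false (only on in private windows)
user_pref("network.cookie.cookieBehavior", 1);          // 0 = accept all (default); 1 = block third-party cookies
user_pref("network.cookie.lifetimePolicy", 2);          // 0 = keep until expiry (default); 2 = keep until Firefox closes
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.cookies", true);     // ends every login session with the browser
user_pref("privacy.clearOnShutdown.sessions", true);

// Content: block pop-up windows
user_pref("dom.disable_open_during_load", true);

// General: default-browser check and a blank start page
user_pref("browser.shell.checkDefaultBrowser", true);
user_pref("browser.startup.page", 0);                   // 0 = blank page; 1 = home page; 3 = restore previous session

// 4. Plugins: never activate Flash, ask before activating anything else
user_pref("plugin.state.flash", 0);                     // 0 = never activate, 1 = ask to activate, 2 = always (assumed Flash entry)
user_pref("plugin.default.state", 1);                   // ask to activate for every other plugin
```

After restarting Firefox, open about:config and confirm each preference shows as user-set; anything a site or add-on later changes through the panel will be overwritten by user.js on the next start, which is the point of pinning them here.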
Here is the list of add-ons I am currently using for additional security:
Following is a quick breakdown of what each of them does to help me keep my browsing sessions as secure as possible.
HTTPS Everywhere is a great add-on that rewrites requests to HTTPS for every site in its ruleset. This keeps data in transit encrypted and authenticated, so anyone sharing my network connection cannot read or tamper with what I am sending or receiving.
The Self-Destructing Cookies add-on removes a site's cookies ten seconds after I close its tab.
If you are just starting out with add-ons, I recommend you tweak the options for uBlock Origin, NoScript, and Self-Destructing Cookies to suit your configuration and be as secure as possible. These add-ons in particular change the way you browse and can take some getting used to.
You can find similar add-ons for other browsers, and Firefox offers many more to choose from. Just as with plugins for your website, consider security when choosing browser extensions: an extension runs with broad access to every page you visit. Only install them from trusted sources, and limit them to the ones you need.
Your Personal Security
These are all recommendations based on my personal browsing habits. As someone on the front lines dealing with potentially hacked websites, I have to take as many precautions as possible to keep my environment clean.
Like anything in security, you have to balance your tolerance for risk against convenience. Most security enhancements require a change to your normal habits, and some involve a learning curve. Any knowledge gained in the pursuit of better security for you, your website and your visitors is a worthy cause.
What do you do to protect your browser and environment? Let us know by tweeting us @SucuriSecurity – and if you are like me and avoid social media accounts, you can email us at email@example.com.