Is my browser making an effort to keep my system safe and my online behavior private? This is usually not the first question we ask ourselves when we choose our default browser. But maybe it should be.
These days, threats to your privacy and security come at your from all angles, but browser-based attacks such as malvertising, drive-by downloads, adware, tracking, and rogue apps make going online and conducting a search a little more dangerous. Therefore, it’s important take note of what browsers are doing to shore up their defenses—and what you can do to optimize them.
When it comes to online privacy, it looks as if the silent majority of Internet users have shifted from the “I have nothing to hide” frame of mind to the “they already know everything anyway” group. And based on recent events, many social media users might right. Effectively, both groups feel as though it is not worth the trouble to jump through hoops to keep their data private. So should this even be a consideration?
While privacy is ultimately a personal choice, we believe it is still a right. So we’ll continue to offer our advise for those who are interested.
But let’s look at the security aspect first. This is something we can all agree on.
Browser security measures
There have been a few initiatives taken recently by the major browsers to enhance their safety.
- Google has decided that Chrome extensions submitted to the Web Store will not be allowed if they contained “obfuscated” code. According to Google, developers should not have to hide their code. It makes it hard to decide whether they should allow the extension, and most obfuscated extensions turned out to be malicious.
- Google is in the process of putting an end to “inline installation” of extensions. This means websites can no longer directly install Chrome extensions using the Chrome API, but have to send you to the Web Store. While this process will only be finished by the end of the year, distributors have already adapted their methods to deliver their extensions.
- Mozilla (Firefox), Google (Chrome), Apple (Safari), and Microsoft (Edge and Internet Explorer) have announced to drop support for the TLS (Transport Layer Security) 1.0 and 1.1 encryption protocols in early 2020. This will force websites to start using the newer and more secure protocols.
- WebRTC leaks and vulnerabilities were solved. Real-time communication features could expose your true IP address via STUN requests with Firefox, Chrome, Opera and Brave browsers, even when you were using a VPN.
In earlier stages of privacy and security audits, all the major browsers had already added options and features like URL filtering, download protection, “do not track” capabilities, and measures against browlocks. They are not all using the same methods, and some are more effective than others, but the efforts were made nonetheless.
Despite all the attempts to apply some pest-control on adware, malicious cryptominers, and other assorted browser hijackers, there will always be those that manage to slither through and infect users. And that doesn’t even take into account the multitude of potentially unwanted programs (PUPs) that most parties don’t even seem to care about at all. However, readers of this blog will undoubtedly know the way to our Malwarebytes products page, where they can download a cure for an infected browser.
The upside of being able to use browser extensions is that there are many good ones out there that can help you establish a more private browsing experience. Ad-blockers, anti-tracking tools, and protective extensions add further protection.
You can also tighten your privacy by using a Virtual Private Network (VPN) to anonymize your traffic. You have options here, since you can install a VPN to anonymize all your Internet traffic, or you can install a VPN extension that will do so for your browser only. Since a VPN slows down the Internet connection, the choice will be based on which other Internet connections you use and your personal preference.
You could even decide to use one browser with a VPN extension and another without one. Personally, I use different browsers for different purposes. This is called compartmentalization and it allows you to visit trusted (and preferably bookmarked) websites with a quick browser and do your regular surfing with a fully protected and anonymized browser.
Besides using a VPN, you can also look at some alternative browsers that are already optimized for privacy and security:
- The TOR software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world.
- Freenet is a peer-to-peer platform for censorship-resistant communication and publishing that is available for Windows, macOs, and Linux.
- Waterfox is a secure and private browser based on Firefox, that allows you to use Firefox extensions. It is available for Windows, macOS, Linux, and Android.
- Pale Moon is another Mozilla fork, but it doesn’t work with all Firefox extensions. It is available for Windows and Linux.
- Brave is a Chromium-based browser that blocks unwanted content by default and does not need much tinkering to keep you safe and private. Brave is available for Windows, macOs, Linux, iOS, and Android.
We have talked about (not so) private search extensions before, but I want to mention a search engine that does deliver on the promised private searches, and that was brought up in the comments to that blogpost (thanks Patrick). It is called DuckDuckGo, and you can perform searches directly from their site or you can install their app or extension.
Test to see whether your browser is safe against fingerprinting
Browser fingerprinting is a method used by commercial websites to uniquely identify visitors based on the way you have configured your browser and some other metrics that they can fetch from your browser, such as timezone.
If you feel you have already done your best to make your browser untrackable, pay this site a visit: https://panopticlick.eff.org/. It provides visitors with an option to do a test and analyze how well their browser and add-ons protect them against online tracking techniques. The site will also be able to see if your system is uniquely configured and therefor identifiable, even if you are using privacy-protective software.
Don’t get hung up on the test result alone though, because the number of results you are compared with plays a big role in the outcome. For example, coming from a small country or language area may give you away when no one else from that area has taken the test. This doesn’t automatically mean advertisers will be able to track you as well. Do pay attention to the specified fingerprinting results. You can access those by clicking on the fingerprinting link in the Test column.
As we have explained in the blogpost Everybody and their mother is blocking ads, so why aren’t you?, blocking advertisements provides a vital security layer that not only severs a potential vector for online malvertising attacks, but also blocks privacy-invading tracking plugins from collecting and harvesting your personal information.
Cookies are another topic that we have discussed earlier. Most cookies are not worth worrying about, but it is a good idea to be aware of them. How could you not be aware with every site asking your permission, right? In the blogpost Cookies: Should I worry about them?, we have explained how you can check and control the cookies that you want to allow.
Level of concern
So, while many major browsers are doing their best to keep you secure and private, it depends on your own level of concern how far you want to take this journey. There are specialized browsers, extensions, search engines, and other tools to help you achieve any level of privacy. Most people will be satisfied by customizing their mainstream browser to fit their needs, while others wouldn’t think of going online unless they are using Tor behind a VPN. To each their own. As long as you are aware of the risks. And we hope this post will help you to achieve the level you are after.
Stay safe, everyone!