Updates levels for new browser section

This commit is contained in:
Alicia Sykes 2020-05-15 03:29:36 +01:00 committed by GitHub
parent 7ac47de5e1
commit 52090a730c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -85,24 +85,24 @@ This section outlines the steps you can take, to be better protected, minimise o
**Block Third-Party Cookies** | Recommended | [Third-party cookies](https://en.wikipedia.org/wiki/HTTP_cookie#Privacy_and_third-party_cookies) placed on your device by a website other than the one youre visiting. This poses a privacy risk, as a 3rd entity can collect data from your current session. [This guide](https://www.digitalcitizen.life/how-disable-third-party-cookies-all-major-browsers) explains how you can disable 3rd-party cookies, and you can [check here](https://www.whatismybrowser.com/detect/are-third-party-cookies-enabled) ensure this worked
**Block Ads** | Recommended | Using an ad-blocker can help improve your privacy, by blocking the trackers that ads implement. [uBlock Origin](https://github.com/gorhill/uBlock) is a very efficient and open source browser addon, developed by [Raymond Hill](https://github.com/gorhill) and available for: [Chromium-based browsers](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm), [Firefox](https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/), [Microsoft Edge](https://microsoftedge.microsoft.com/addons/detail/odfafepnkmbhccpbejgmiehpchacaeak), [Safari](https://apps.apple.com/us/app/ublock/id1385985095?ls=1) and [Opera](https://addons.opera.com/en/extensions/details/ublock/). <br>When 3rd-party ads are displayed on a webpage, they have the ability to track you, gathering personal information about you and your habits, which can then be sold, or used to show you more targeted ads. Some ads are malicious; [Malvertising](https://www.malwarebytes.com/malvertising/) is when criminals purchase ad space, and disguise harmful, dangerous or fake websites as something legitimate. Blocking ads also makes pages load faster, uses less data and provides a less cluttered experience
**Block Third-Party Trackers** | Recommended | Blocking trackers will help to stop websites, advertisers, analytics and more from tracking you in the background. [Privacy Badger](https://privacybadger.org), [DuckDuckGo Privacy Essentials](https://help.duckduckgo.com/duckduckgo-help-pages/desktop/adding-duckduckgo-to-your-browser/), [uBlock Origin](https://github.com/gorhill/uBlock) and [uMatrix](https://github.com/gorhill/uMatrix) (advanced) are all very effective, open source tracker-blockers available for all major browsers. Alternatively you can block trackers at the network level, [Pi-Hole](https://pi-hole.net) is a great, highly-customisable and effective solution that runs on a low-power system. Or [Diversion](https://diversion.ch) is a good option for Asus routers running Merlin firmware. Some VPNs offer basic tracking blocking (such as [TrackStop on PerfectPrivacy](https://www.perfect-privacy.com/en/features/trackstop?a_aid=securitychecklist))
**Beware of Redirects** | Recommended | While some redirects are harmless, others can send you to malicious sites. If you are unsure about a redirect URL, you can check where it forwards to with a tool like [RedirectDetective](https://redirectdetective.com). It is also recommended to disable redirects in your [browser settings](https://appuals.com/how-to-stop-automatic-redirects-on-google-firefox-and-edge/). [Unvalidated redirects](https://www.credera.com/blog/technology-insights/java/top-10-web-security-risks-unvalidated-redirects-forwards-10/) are still commonly used in phishing attacks, it can make a malicious link seem legitimate
**Do Not Sign Into Your Browser** | Recommended | Many browsers allow you to sign in, in order to sync history, bookmarks and other browsing data across devices. However signing in not only allows for further data collection, but also increases attack surface through providing another avenue for a malicious actor to get hold of personal information. For Chrome users, you can get around forced sign-in by navigating to [chrome://flags](chrome://flags/#account-consistency) and disabling the `account-consistency` flag. If you still need to sync bookmarks + browser data between devices, there are open source [alternatives](/5_Privacy_Respecting_Software.md#bonus-3---self-hosted-services), such as [xBrowserSync](https://www.xbrowsersync.org)
**Disallow Prediction Services** | Recommended | Some browsers allow for prediction services, where you receive real-time search results or URL auto-fill. If this is enabled then data is sent to Google (or your default search engine) with every keypress, rather than when you hit enter. You may wish to disable this to reduce the amount of data collected
**Avoid G Translate for Webpages** | Recommended | When you visit a web page written in a foreign language, you may be prompted to install the Google Translate extension. Be aware that Google [collects all data](https://www.linkedin.com/pulse/google-translate-privacy-confidentiality-concerns-alex-gheorghe/) (including input fields), along with details of the current user. Instead use a translation service that is not linked to your browser
**Disable Web Notifications** | Recommended | Browser push notifications are a common method for criminals to encourage you to click their link. Be aware of this, and for instructions on disabling browser notifications, see [this article](https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused)
**Disable Automatic Downloads** | Recommended | Security-focused browsers now have automatic downloads disabled by default. For older systems, drive-by downloads is a common method of getting harmful files onto a users device. This can be mitigated by [disabling auto file downloads](https://www.ghacks.net/2017/05/18/you-should-disable-automatic-downloads-in-chrome-right-now/), and being cautious of websites which prompt you to download files unexpectedly
**Disallow Access to Sensors** | Recommended | Mobile websites can [tap into your device sensors](https://www.wired.com/story/mobile-websites-can-tap-into-your-phones-sensors-without-asking/) without asking. If you grant these permissions to your browser once, then all websites are able to use these capabilities, without permission or notification, take a look at the [sensor-js](https://sensor-js.xyz) study for more. The best solution is to not grant any permissions to your browser, and to use a privacy browser such as FireFox Focus ([Android](https://play.google.com/store/apps/details?id=org.mozilla.focus) / [iOS](https://apps.apple.com/app/id1055677337)) or DuckDuckGo ([Android](https://play.google.com/store/apps/details?id=com.duckduckgo.mobile.android&hl=en_US) / [iOS](https://apps.apple.com/us/app/duckduckgo-privacy-browser/id663592361))
**Disallow Location** | Recommended | Location Services lets sites ask for your physical location to improve your experience. This should be disabled in settings ([see how](https://support.ipvanish.com/hc/en-us/articles/360037874554-How-to-Disable-Location-Tracking-on-Browsers)). Note that there are still other methods of determining your approximate location (IP address, time zone, device info, DNS etc)
**Disallow Camera/ Microphone access** | Recommended | Check browser settings to ensure that no websites are granted access to [webcam](https://www.howtogeek.com/210921/how-to-disable-your-webcam-and-why-you-should/) or microphone. It may also be beneficial to use [physical protection](/6_Privacy_and-Security_Gadgets.md) such as a webcam cover and microphone blocker
**Disable Browser Password Saves** | Recommended | Do not allow your browser to store usernames and passwords. These can be easily viewed or accessed. Chrome does protect this data behind your Windows credentials, but these can be simple to obtain thanks to password reset utilities such as [Offline NT Password and Registry Editor](https://www.lifewire.com/offline-nt-password-and-registry-editor-review-2626147). Instead use a password manager
**Disable Browser Autofill** | Recommended | Turn off autofill for any confidential or personal details. This feature was designed to make online shopping and general browsing more convenient, but storing this sensitive information (names, addresses, card details, search terms etc) can be extremely harmful if your browser is compromised in any way. Instead, if essential, consider using your password manager's Notes feature to store and fill your data
**Deactivate ActiveX** | Recommended | [ActiveX](https://en.wikipedia.org/wiki/ActiveX) is a browser extension API that built into Microsoft IE, and enabled by default. It's not commonly used by legitimate sites any more, but since it gives plugins intimate access rights, and can be dangerous, therefore you should disable it ([see how](https://www.howtogeek.com/162282/what-activex-controls-are-and-why-theyre-dangerous/))
**Deactivate Flash** | Recommended | Adobe Flash is infamous for its history of security vulnerabilities (with over [1000 issues](https://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-6761/Adobe-Flash-Player.html)!). See [how to disable Flash](https://www.tomsguide.com/us/disable-flash-how-to,news-21335.html) and [Flash alternatives](https://www.comparitech.com/blog/information-security/flash-vulnerabilities-security). Adobe will end support for Flash Player in December 2020
**Disable WebRTC** | Recommended | [WebRTC](https://webrtc.org/) allows high-quality audio/video communication and peer-to-peer file-sharing straight from the browser. However it can pose as a privacy leak, especially if you are not using a proxy or VPN. In FireFox WebRTC can be disabled, by searching for, and disabling `media.peerconnection.enabled` in about:config. For other browsers, the [WebRTC-Leak-Prevent](ttps://github.com/aghorler/WebRTC-Leak-Prevent) extension can be installed. [uBlockOrigin](https://github.com/gorhill/uBlock) also allows WebRTC to be disabled. To learn more, [check out this guide](https://buffered.com/privacy-security/how-to-disable-webrtc-in-various-browsers/)
**Spoof HTML5 Canvas Sig** | Recommended | [Canvas Fingerprinting](https://en.wikipedia.org/wiki/Canvas_fingerprinting) allows websites to identify and track users very accurately though exploiting the rendering capabilities of the [Canvas Element](https://en.wikipedia.org/wiki/Canvas_element). You can use the [Canvas-Fingerprint-Blocker](https://add0n.com/canvas-fingerprint-blocker.html) extension to spoof your fingerprint or use [Tor](https://www.torproject.org) - Check if you are susceptible [here](https://webbrowsertools.com/canvas-fingerprint/)
**Disregard DNT** | Recommended | [Do Not Track](https://www.eff.org/issues/do-not-track) is a HTTP header, supported by all major browsers, once enabled is intended to flag to a website that you do not wish to be tracked. Enabling Do Not Track has very limited impact, since many websites do not respect or follow this. Since it is rarely used, it may also add to your signature, making you more unique, and therefore actually easier to track
**Prevent HSTS Tracking** | Recommended | HTTP Strict Transport Security (HSTS) was designed to help secure websites, by preventing HTTPS downgrading attacks. However [privacy concerns](https://arstechnica.com/information-technology/2015/01/browsing-in-privacy-mode-super-cookies-can-track-you-anyway) have been raised, as it allowed site operators to plant super-cookies, and continue to track users in incognito. It can be disabled by visiting `chrome://net-internals/#hsts` in Chromium-based browsers, or following [this guide for Firefox](https://www.ghacks.net/2015/10/16/how-to-prevent-hsts-tracking-in-firefox/), and [this guide](https://appuals.com/how-to-clear-or-disable-hsts-for-chrome-firefox-and-internet-explorer/) for other browsers
**Prevent Automatic Browser Connections** | Recommended | Even when you are not using your browser, it may call home to report on usage activity, analytics and diagnostics. You may wish to disable some of this, which can be done through the settings, see instructions for: [Firefox](https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections), [Chrome](https://www.ghacks.net/2018/01/20/how-to-block-the-chrome-software-reporter-tool-software_reporter_tool-exe/), [Brave](https://support.brave.com/hc/en-us/articles/360017905872-How-do-I-enable-or-disable-automatic-crash-reporting-)
**Beware of Redirects** | Optional | While some redirects are harmless, others can send you to malicious sites. If you are unsure about a redirect URL, you can check where it forwards to with a tool like [RedirectDetective](https://redirectdetective.com). It is also recommended to disable redirects in your [browser settings](https://appuals.com/how-to-stop-automatic-redirects-on-google-firefox-and-edge/). [Unvalidated redirects](https://www.credera.com/blog/technology-insights/java/top-10-web-security-risks-unvalidated-redirects-forwards-10/) are still commonly used in phishing attacks, it can make a malicious link seem legitimate
**Do Not Sign Into Your Browser** | Optional | Many browsers allow you to sign in, in order to sync history, bookmarks and other browsing data across devices. However signing in not only allows for further data collection, but also increases attack surface through providing another avenue for a malicious actor to get hold of personal information. For Chrome users, you can get around forced sign-in by navigating to [chrome://flags](chrome://flags/#account-consistency) and disabling the `account-consistency` flag. If you still need to sync bookmarks + browser data between devices, there are open source [alternatives](/5_Privacy_Respecting_Software.md#bonus-3---self-hosted-services), such as [xBrowserSync](https://www.xbrowsersync.org)
**Disallow Prediction Services** | Optional | Some browsers allow for prediction services, where you receive real-time search results or URL auto-fill. If this is enabled then data is sent to Google (or your default search engine) with every keypress, rather than when you hit enter. You may wish to disable this to reduce the amount of data collected
**Avoid G Translate for Webpages** | Optional | When you visit a web page written in a foreign language, you may be prompted to install the Google Translate extension. Be aware that Google [collects all data](https://www.linkedin.com/pulse/google-translate-privacy-confidentiality-concerns-alex-gheorghe/) (including input fields), along with details of the current user. Instead use a translation service that is not linked to your browser
**Disable Web Notifications** | Optional | Browser push notifications are a common method for criminals to encourage you to click their link. Be aware of this, and for instructions on disabling browser notifications, see [this article](https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused)
**Disable Automatic Downloads** | Optional | Security-focused browsers now have automatic downloads disabled by default. For older systems, drive-by downloads is a common method of getting harmful files onto a users device. This can be mitigated by [disabling auto file downloads](https://www.ghacks.net/2017/05/18/you-should-disable-automatic-downloads-in-chrome-right-now/), and being cautious of websites which prompt you to download files unexpectedly
**Disallow Access to Sensors** | Optional | Mobile websites can [tap into your device sensors](https://www.wired.com/story/mobile-websites-can-tap-into-your-phones-sensors-without-asking/) without asking. If you grant these permissions to your browser once, then all websites are able to use these capabilities, without permission or notification, take a look at the [sensor-js](https://sensor-js.xyz) study for more. The best solution is to not grant any permissions to your browser, and to use a privacy browser such as FireFox Focus ([Android](https://play.google.com/store/apps/details?id=org.mozilla.focus) / [iOS](https://apps.apple.com/app/id1055677337)) or DuckDuckGo ([Android](https://play.google.com/store/apps/details?id=com.duckduckgo.mobile.android&hl=en_US) / [iOS](https://apps.apple.com/us/app/duckduckgo-privacy-browser/id663592361))
**Disallow Location** | Optional | Location Services lets sites ask for your physical location to improve your experience. This should be disabled in settings ([see how](https://support.ipvanish.com/hc/en-us/articles/360037874554-How-to-Disable-Location-Tracking-on-Browsers)). Note that there are still other methods of determining your approximate location (IP address, time zone, device info, DNS etc)
**Disallow Camera/ Microphone access** | Optional | Check browser settings to ensure that no websites are granted access to [webcam](https://www.howtogeek.com/210921/how-to-disable-your-webcam-and-why-you-should/) or microphone. It may also be beneficial to use [physical protection](/6_Privacy_and-Security_Gadgets.md) such as a webcam cover and microphone blocker
**Disable Browser Password Saves** | Optional | Do not allow your browser to store usernames and passwords. These can be easily viewed or accessed. Chrome does protect this data behind your Windows credentials, but these can be simple to obtain thanks to password reset utilities such as [Offline NT Password and Registry Editor](https://www.lifewire.com/offline-nt-password-and-registry-editor-review-2626147). Instead use a password manager
**Disable Browser Autofill** | Optional | Turn off autofill for any confidential or personal details. This feature was designed to make online shopping and general browsing more convenient, but storing this sensitive information (names, addresses, card details, search terms etc) can be extremely harmful if your browser is compromised in any way. Instead, if essential, consider using your password manager's Notes feature to store and fill your data
**Deactivate ActiveX** | Optional | [ActiveX](https://en.wikipedia.org/wiki/ActiveX) is a browser extension API that built into Microsoft IE, and enabled by default. It's not commonly used by legitimate sites any more, but since it gives plugins intimate access rights, and can be dangerous, therefore you should disable it ([see how](https://www.howtogeek.com/162282/what-activex-controls-are-and-why-theyre-dangerous/))
**Deactivate Flash** | Optional | Adobe Flash is infamous for its history of security vulnerabilities (with over [1000 issues](https://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-6761/Adobe-Flash-Player.html)!). See [how to disable Flash](https://www.tomsguide.com/us/disable-flash-how-to,news-21335.html) and [Flash alternatives](https://www.comparitech.com/blog/information-security/flash-vulnerabilities-security). Adobe will end support for Flash Player in December 2020
**Disable WebRTC** | Optional | [WebRTC](https://webrtc.org/) allows high-quality audio/video communication and peer-to-peer file-sharing straight from the browser. However it can pose as a privacy leak, especially if you are not using a proxy or VPN. In FireFox WebRTC can be disabled, by searching for, and disabling `media.peerconnection.enabled` in about:config. For other browsers, the [WebRTC-Leak-Prevent](ttps://github.com/aghorler/WebRTC-Leak-Prevent) extension can be installed. [uBlockOrigin](https://github.com/gorhill/uBlock) also allows WebRTC to be disabled. To learn more, [check out this guide](https://buffered.com/privacy-security/how-to-disable-webrtc-in-various-browsers/)
**Spoof HTML5 Canvas Sig** | Optional | [Canvas Fingerprinting](https://en.wikipedia.org/wiki/Canvas_fingerprinting) allows websites to identify and track users very accurately though exploiting the rendering capabilities of the [Canvas Element](https://en.wikipedia.org/wiki/Canvas_element). You can use the [Canvas-Fingerprint-Blocker](https://add0n.com/canvas-fingerprint-blocker.html) extension to spoof your fingerprint or use [Tor](https://www.torproject.org) - Check if you are susceptible [here](https://webbrowsertools.com/canvas-fingerprint/)
**Disregard DNT** | Optional | [Do Not Track](https://www.eff.org/issues/do-not-track) is a HTTP header, supported by all major browsers, once enabled is intended to flag to a website that you do not wish to be tracked. Enabling Do Not Track has very limited impact, since many websites do not respect or follow this. Since it is rarely used, it may also add to your signature, making you more unique, and therefore actually easier to track
**Prevent HSTS Tracking** | Optional | HTTP Strict Transport Security (HSTS) was designed to help secure websites, by preventing HTTPS downgrading attacks. However [privacy concerns](https://arstechnica.com/information-technology/2015/01/browsing-in-privacy-mode-super-cookies-can-track-you-anyway) have been raised, as it allowed site operators to plant super-cookies, and continue to track users in incognito. It can be disabled by visiting `chrome://net-internals/#hsts` in Chromium-based browsers, or following [this guide for Firefox](https://www.ghacks.net/2015/10/16/how-to-prevent-hsts-tracking-in-firefox/), and [this guide](https://appuals.com/how-to-clear-or-disable-hsts-for-chrome-firefox-and-internet-explorer/) for other browsers
**Prevent Automatic Browser Connections** | Optional | Even when you are not using your browser, it may call home to report on usage activity, analytics and diagnostics. You may wish to disable some of this, which can be done through the settings, see instructions for: [Firefox](https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections), [Chrome](https://www.ghacks.net/2018/01/20/how-to-block-the-chrome-software-reporter-tool-software_reporter_tool-exe/), [Brave](https://support.brave.com/hc/en-us/articles/360017905872-How-do-I-enable-or-disable-automatic-crash-reporting-)
**Strip Tracking Params from URLs** | Advanced | Websites often append additional GET paramaters to URLs that you click, to identify information like source/ referrer. You can [sanitize manually](https://12bytes.org/articles/tech/firefox/firefox-search-engine-cautions-and-recommendations#Sanitizing_manually), or use an extensions like [ClearUrls](https://github.com/KevinRoebert/ClearUrls) (for [Chrome](https://chrome.google.com/webstore/detail/clearurls/lckanjgmijmafbedllaakclkaicjfmnk) / [Firefox](https://addons.mozilla.org/en-US/firefox/addon/clearurls/)) or [SearchLinkFix](https://github.com/palant/searchlinkfix) (for [Chrome](https://chrome.google.com/webstore/detail/google-search-link-fix/cekfddagaicikmgoheekchngpadahmlf) / [Firefox](https://addons.mozilla.org/el/firefox/addon/google-search-link-fix/)) to strip tracking data from URLs automatically in the background
**First Launch Security** | Advanced | After installing a web browser, the first time you launch it (prior to configuring it's privacy settings), most browsers will call home (send a request to Microsoft, Apple, Google or other developer) and send over your device details (as outlined in [this journal article](https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf)). Therefore, after installing a browser, you should first disable your internet connection, then launch it and go into settings and configure privacy options, before reenabling your internet connectivity. This does not apply to all browsers, in [this article](https://brave.com/brave-tops-browser-first-run-network-traffic-results) Brave claims to be the on of the only browser to call out to a single, controlled TLD exclusively
**Use The Tor Browser** | Advanced | [The Tor Project](https://www.torproject.org) provides a browser that encrypts and routes your traffic through multiple nodes, keeping users safe from interception and tracking. The main drawbacks are speed and user experience, as well as the possibility of DNS leaks from other programs (see [potential drawbacks](https://github.com/Lissy93/personal-security-checklist/issues/19)) but generally Tor is one of the more secure browser options for anonymity on the web