Updated HTTPS-Everywhere Notes

As mentioned in issue #191 the extensions/addons are now deprecated. Included link to the announcement article and explained that it also contains guides on how to enable it for Firefox, Chrome, Edge and Safari.
This commit is contained in:
Zachary Raber 2022-06-19 22:25:05 -04:00 committed by GitHub
parent 545e9cd619
commit 6a67b28999
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -83,7 +83,7 @@ This section outlines the steps you can take, to be better protected from threat
**Use a Private Search Engine** | Recommended | Using a privacy-preserving, non-tracking search engine, will reduce risk that your search terms are not logged, or used against you. Consider [DuckDuckGo](https://duckduckgo.com), [Qwant](https://www.qwant.com), or [SearX](https://searx.me) (self-hosted). Google implements some [incredibly invasive](https://hackernoon.com/data-privacy-concerns-with-google-b946f2b7afea) tracking policies, and have a history of displaying [biased search results](https://www.businessinsider.com/evidence-that-google-search-results-are-biased-2014-10). Therefore Google, along with Bing, Baidu, Yahoo and Yandex are incompatible with anyone looking to protect their privacy. It is recommended to update your [browsers default search](https://duckduckgo.com/install) to a privacy-respecting search engine
**Remove Unnecessary Browser Addons** | Recommended | Extensions are able to see, log or modify anything you do in the browser, and some innocent looking browser apps, have malicious intentions. Websites can see which extensions you have installed, and may use this to enhance your fingerprint, to more accurately identify/ track you. Both Firefox and Chrome web stores allow you to check what permissions/access rights an extension requires before you install it. Check the reviews. Only install extensions you really need, and removed those which you haven't used in a while
**Keep Browser Up-to-date** | Recommended | Browser vulnerabilities are constantly being [discovered](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=browser) and patched, so its important to keep it up to date, to avoid a zero-day exploit. You can [see which browser version your using here](https://www.whatismybrowser.com/), or follow [this guide](https://www.whatismybrowser.com/guides/how-to-update-your-browser/) for instructions on how to update. Some browsers will auto-update to the latest stable version
**Check for HTTPS** | Recommended | If you enter information on a non-HTTPS website, this data is transported unencrypted and can therefore be read by anyone who intercepts it. Do not enter any data on a non-HTTPS website, but also do not let the green padlock give you a false sense of security, just because a website has SSL certificate, does not mean that it is legitimate or trustworthy. <br>[HTTPS-Everywhere](https://www.eff.org/https-everywhere) (developed by the EFF) is a lightweight, open source (on [GitHub](https://github.com/EFForg/https-everywhere)) browser addon, that by enables HTTPS encryption automatically on sites that are known to support it. Is included in Brave, Tor and mobile Onion-Browser, and is available for [Chromium](https://chrome.google.com/webstore/detail/https-everywhere/gcbommkclmclpchllfjekcdonpmejbdp), [Firefox](https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/) and [Opera](https://addons.opera.com/en/extensions/details/https-everywhere/). This is similar to [Smart HTTPS](https://mybrowseraddon.com/smart-https.html). Note that this functionality is now built-in to most modern browsers (re: [#126](https://github.com/Lissy93/personal-security-checklist/issues/126))
**Check for HTTPS** | Recommended | If you enter information on a non-HTTPS website, this data is transported unencrypted and can therefore be read by anyone who intercepts it. Do not enter any data on a non-HTTPS website, but also do not let the green padlock give you a false sense of security, just because a website has SSL certificate, does not mean that it is legitimate or trustworthy. <br>[HTTPS-Everywhere](https://www.eff.org/https-everywhere) (developed by the [EFF](https://www.eff.org/)) used to be a brower extension/addon that automatically enabled HTTPS on websites, but as of 2022 is now deprecated. In their [accouncement article](https://www.eff.org/) the EFF explain that most browsers now integrate such protections. Additionally, it provides instructions for Firefox, Chrome, Edge and Safari browsers on how to enable their HTTPS secure protections.
**Use DNS-over-HTTPS** | Recommended | Traditional DNS makes requests in plain text for everyone to see. It allows for eavesdropping and manipulation of DNS data through man-in-the-middle attacks. Whereas [DNS-over-HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS) performs DNS resolution via the HTTPS protocol, meaning data between you and your DNS resolver is encrypted. A popular option is [Cloudflare's 1.1.1.1](https://1.1.1.1/help), or [compare providers](https://www.privacytools.io/providers/dns)- it is simple to [enable](https://www.maketecheasier.com/enable-dns-over-https-various-browsers) in-browser. Note that DoH comes with it's [own issues](https://blog.mozilla.org/netpolicy/2020/02/25/the-facts-mozillas-dns-over-https-doh/), mostly preventing web filtering
**Multi-Session Containers** | Recommended | Compartmentalisation is really important to keep different aspects of your browsing separate. For example, using different profiles for work, general browsing, social media, online shopping etc will reduce the number associations that data brokers can link back to you. One option is to make use of [Firefox Containers](https://support.mozilla.org/en-US/kb/containers) which is designed exactly for this purpose. As mentioned in [#127](https://github.com/Lissy93/personal-security-checklist/issues/127), it's possible to use compartmentalize websites without containers, as done in [@arkenfox's user.js](https://github.com/arkenfox/user.js). Alternatively, you could use [different browsers for different tasks](https://medium.com/fast-company/incognito-mode-wont-keep-your-browsing-private-do-this-instead-dd64bc812010) (Brave, Firefox, Tor etc). For Chromium-based browsers, you can create and use [Profiles](https://www.chromium.org/developers/creating-and-using-profiles), or an extension such as [SessionBox](https://sessionbox.io), however this addon is not open source
**Use Incognito** | Recommended | When using someone else's machine, ensure that you're in a private/ incognito session (Use `Ctrl+Shift+N`/ `Cmd+Shift+N`). This will prevent browser history, cookies and some data being saved, but is not [fool-proof](https://www.howtogeek.com/117776/htg-explains-how-private-browsing-works-and-why-it-doesnt-offer-complete-privacy/)- you can still be tracked