Rewrote the 'Browser' section

This commit is contained in:
Alicia Sykes 2020-05-15 03:27:41 +01:00 committed by GitHub
parent 465548b2b1
commit 7ac47de5e1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -19,7 +19,7 @@
[![-](https://i.ibb.co/0ZV22MT/1-passwords.png) Authentication](#authentication)<br> [![-](https://i.ibb.co/0ZV22MT/1-passwords.png) Authentication](#authentication)<br>
[![-](https://i.ibb.co/thf142G/2-2fa.png) 2 Factor Authentication](#2-factor-authentication)<br> [![-](https://i.ibb.co/thf142G/2-2fa.png) 2 Factor Authentication](#2-factor-authentication)<br>
[![-](https://i.ibb.co/N7D7g6D/3-web.png) Browsing the Web](#browser-and-search)<br> [![-](https://i.ibb.co/N7D7g6D/3-web.png) Browsing the Web](#web-browsing)<br>
[![-](https://i.ibb.co/7yQq5Sx/5-email.png) Email](#emails)<br> [![-](https://i.ibb.co/7yQq5Sx/5-email.png) Email](#emails)<br>
[![-](https://i.ibb.co/HT2DTcC/6-social.png) Social Media](#social-media)<br> [![-](https://i.ibb.co/HT2DTcC/6-social.png) Social Media](#social-media)<br>
[![-](https://i.ibb.co/NjHcZJc/4-vpn.png) Networking](#networking)<br> [![-](https://i.ibb.co/NjHcZJc/4-vpn.png) Networking](#networking)<br>
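Review bot: The "Browsing the Web" TOC entry now targets `#web-browsing` instead of `#browser-and-search`, which matches the renamed heading in the next hunk, but any existing inbound links to the old `#browser-and-search` fragment will stop resolving. Consider keeping an anchor alias for the old fragment beside the new `## Web Browsing` heading, or noting the rename in the commit message.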
@ -60,31 +60,54 @@ Use long, strong and unique passwords, manage them in a secure password manager,
**Recommended Software**: [Password Managers](/5_Privacy_Respecting_Software.md#password-managers) | [2FA Authenticators](/5_Privacy_Respecting_Software.md#2-factor-authentication) **Recommended Software**: [Password Managers](/5_Privacy_Respecting_Software.md#password-managers) | [2FA Authenticators](/5_Privacy_Respecting_Software.md#2-factor-authentication)
## Browser and Search ## Web Browsing
Most modern web browsers support add-ons and extensions. These can access anything that you do online so avoid installing anything that may not be legitimate and check permissions first. Be aware that every website that you interact with, including search engines, will likely be keeping records of all your activity. Last year Kaspersky reported [over a million data exploits caused by malicious sites](https://securelist.com/it-threat-evolution-q1-2017-statistics/78475/). Most websites on the internet will use some form of tracking, often to gain insight into their users, their behaviour and preferences. This data can be incredibly detailed, often recording how long you spent looking at different sections of a page, where you went afterwards and what else you did in that browsing session. This data is extremely valuable to corporations, governments and intellectual property thieves
For more browser security pointers, check out: [Heres How To Get Solid Browser Security](https://heimdalsecurity.com/blog/ultimate-guide-secure-online-browsing/). There are two primary methods of tracking; stateful (cookie-based), and stateless (fingerprint-based). Cookies are small pieces of information, stored in your browser with a unique ID that is used to identify you. Browser fingerprinting is a highly accurate way to identify and track users whenever they go online. The information collected is quite comprehensive, and often includes browser details, OS, screen resolution, supported fonts, plugins, time zone, language and font preferences, and even hardware configurations.
This section outlines the steps you can take, to be better protected, minimise online tracking and improve online pricacy
**Security** | **Priority** | **Details and Hints** **Security** | **Priority** | **Details and Hints**
--- | --- | --- --- | --- | ---
**Deactivate ActiveX** | Recommended | [ActiveX](https://en.wikipedia.org/wiki/ActiveX) is a browser extension API that is only supported by Microsoft Internet Explorer. It's enabled by default but is barely used for legitimate plugins these days. However, it gives plugins so much control that ActiveX malware is still around and as dangerous as ever. See [this article](https://www.howtogeek.com/162282/what-activex-controls-are-and-why-theyre-dangerous/) for more details. Better yet, use a modern browser instead of Internet Explorer. Note that Microsoft Edge doesn't support ActiveX. **Ensure Website is Legitimate** | Basic | It may sound obvious, but when you logging into any online accounts, double check the URL is correct. When visiting new websites, look for common signs that it could be unsafe: Browser warnings, redirects, on-site spam and pop-ups. You can also check a website using a tool, such as: [Virus Total URL Scanner](https://www.virustotal.com/gui/home/url), [IsLegitSite](https://www.islegitsite.com), [Google Safe Browsing Status](https://transparencyreport.google.com/safe-browsing/search) if you are unsure. If you want to be really sure, a simple [WhoIs Lookup](https://whois.domaintools.com), should reveal their phone number which can be called for additional verification
**Disable Flash** | Recommended | Adobe Flash is infamous for its history of security vulnerabilities (a few of which you can [read about here](https://www.comparitech.com/blog/information-security/flash-vulnerabilities-security/)). See [this guide](https://www.howtogeek.com/222275/how-to-uninstall-and-disable-flash-in-every-web-browser/), on how to disable Flash player, or [this guide for more details on how dangerous it can be](https://www.tomsguide.com/us/disable-flash-how-to,news-21335.html). Adobe will end support for Flash Player in December 2020. **Watch out for Browser Malware** | Basic | Your system or browser can be compromised by spyware, miners, browser hijackers, malicious redirects etc. You can usually stay protected, just by: ignoring pop-ups, be wary of what your clicking, don't proceed to a website if your browser warns you it may be malicious. Common sighs of browser malware include: default search engine or homepage has been modified, toolbars, unfamiliar extensions or icons, significantly more ads, errors and pages loading much slower than usual. These articles from Heimdal explain [signs of browser malware](https://heimdalsecurity.com/blog/warning-signs-operating-system-infected-malware), [how browsers get infected](https://heimdalsecurity.com/blog/practical-online-protection-where-malware-hides) and [how to remove browser malware](https://heimdalsecurity.com/blog/malware-removal)
**Block Trackers** | Recommended | Consider installing a browser extension, such as [Privacy Badger](https://www.eff.org/privacybadger), to stop advertisers from tracking you in the background. **Use a Privacy-Respecting Browser** | Recommended | [Firefox](https://www.mozilla.org/en-US/firefox/new) and [Brave](https://brave.com) are secure, private-by-default browsers. Both are fast, open source, user-friendly and available on all major operating systems. Your browser has access to everything that you do online, and if collected, this data is very valuable to corporations, governments and intellectual property thieves. So if possible, avoid Google Chrome, Microsoft IE and Apple Safari as (without correct configuration) all three of them, collect usage data, call home and allow for tracking. See more: [privacy browsers](/5_Privacy_Respecting_Software.md#browsers)
**Block scripts from bad origin** | Recommended | Use an extension such as [uBlock Origin](https://github.com/gorhill/uBlock), to block anything being loaded from an external or unverified origin. **Use a Private Search Engine** | Recommended | Using a privacy-preserving, non-tracking search engine, will ensure your search terms are not logged, or used against you. Consider [DuckDuckGo](https://duckduckgo.com), [Quant](https://www.qwant.com), or [SearX](https://searx.me) (self-hosted). Google implements some [incredibly invasive](https://hackernoon.com/data-privacy-concerns-with-google-b946f2b7afea) tracking policies, and have a history of displaying [biased search results](https://www.businessinsider.com/evidence-that-google-search-results-are-biased-2014-10). Therefore Google, along with Bing, Baidu, Yahoo and Yandex are incompatible with anyone looking to protect their privacy. It is recommended to update your [browsers default search](https://duckduckgo.com/install) to a privacy-respecting search engine
**Force HTTPS only traffic** | Recommended | Using an extension such as [HTTPS Everywhere](https://www.eff.org/https-everywhere), will force all sites to load securely. **Remove Unnecessary Browser Addons** | Recommended | Extensions are able to see, log or modify anything you do in the browser, and some innocent looking browser apps, have malicious intentions. Websites can see which extensions you have installed, and may use this to enhance your fingerprint, to more accurately identify you. Both Firefox and Chrome web stores allow you to check what permissions/access rights an extension requires before you install it. Check the reviews. Only install extensions you really need, and removed those which you haven't used in a while
**Only use trusted browser add-ons and extensions** | Recommended | Both Firefox and Chrome web stores allow you to check what permissions/access rights an extension requires before you install it. Check the reviews. Only install extensions you really need, and removed those which you haven't used in a while. Extensions are able to see, log or modify anything you do in the browser, and some innocent looking browser apps, have malicious intentions. **Keep Browser Up-to-date** | Recommended | Browser vulnerabilities are constantly being [discovered](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=browser) and patched, so its important to keep it up to date, to avoid a zero-day exploit. You can [see which browser version your using here](https://www.whatismybrowser.com/), or follow [this guide](https://www.whatismybrowser.com/guides/how-to-update-your-browser/) for instructions on how to update. Some browsers will auto-update to the latest stable version
**Always keep your browser up-to-date** | Recommended | Browser vulnerabilities are constantly being discovered and patched, so its important to keep it up to date, to avoid a zero-day exploit. You can [see which browser version your using here](https://www.whatismybrowser.com/), or follow [this guide](https://www.whatismybrowser.com/guides/how-to-update-your-browser/) for instructions on how to update. **Use HTTPS** | Recommended | If you enter information on a non-HTTPS website, this data is transported unencrypted and can therefore be read by anyone who intercepts it. Do not enter any data on a non-HTTPS website, but also do not let the green padlock give you a false sense of security, just because a website has SSL certificate, does not mean that it is legitimate or trustworthy. [HTTPS-Everywhere](https://www.eff.org/https-everywhere) (developed by the EFF) is a lightweight, open source (on [GitHub](https://github.com/EFForg/https-everywhere)) browser addon, that by enables HTTPS encryption automatically on sites that are known to support it. Is included in Brave, Tor and mobile Onion-Browser, and is available for [Chromium](https://chrome.google.com/webstore/detail/https-everywhere/gcbommkclmclpchllfjekcdonpmejbdp), [Firefox](https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/) and [Opera](https://addons.opera.com/en/extensions/details/https-everywhere/)
**Use a private search engine** | Optional | Google tracks, logs and stores everything you do, but also displays biased results. Take a look at [DuckDuckGo](https://duckduckgo.com) or [StartPage](https://www.startpage.com). Neither store cookies nor cache anything. [Read more](https://hackernoon.com/data-privacy-concerns-with-google-b946f2b7afea) about Google Search Privacy. **Use DNS-over-HTTPS** | Recommended | Traditional DNS makes requests in plain text for everyone to see. It allows for eavesdropping and manipulation of DNS data through man-in-the-middle attacks. Whereas [DNS-over-HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS) performs DNS resolution via the HTTPS protocol, meaning data between you and your DNS resolver is encrypted. A popular option is [CloudFlare's 1.1.1.1](https://1.1.1.1/help), or [compare providers](https://www.privacytools.io/providers/dns)- it is simple to [enable](https://www.maketecheasier.com/enable-dns-over-https-various-browsers) in-browser. Note that DoH comes with it's [own issues](https://blog.mozilla.org/netpolicy/2020/02/25/the-facts-mozillas-dns-over-https-doh/), mostly preventing web filtering
**Consider a privacy browser** | Optional | Google openly collects usage data on Chrome usage, as does Apple and Microsoft. Switching to a privacy-focused browser will minimize background data collection, cross-origin cookies and third-party scrips. A popular option is [Brave Browser](https://brave.com/?ref=ali721), or [Firefox](https://www.mozilla.org/en-GB/firefox/new/) with a [few tweeks](https://restoreprivacy.com/firefox-privacy). Others include [Bromite](https://www.bromite.org/), [Epic Browser](https://www.epicbrowser.com/index.html) or [Comodo](https://www.comodo.com/home/browsers-toolbars/browser.php), [see more](/5_Privacy_Respecting_Software.md#browsers). The most secure option is [Tor Browser](https://www.torproject.org/). **Multi-Session Containers** | Recommended | Compartmentalisation is really important to keep different aspects of your browsing separate. For example, using different profiles for work, general browsing, social media, online shopping etc will reduce the number associations that data brokers can link back to you. One option is to make use of [Firefox Containers](https://support.mozilla.org/en-US/kb/containers) which is designed exactly for this purpose. Alternatively, you could use [different browsers for different tasks](https://medium.com/fast-company/incognito-mode-wont-keep-your-browsing-private-do-this-instead-dd64bc812010) (Brave, Firefox, Tor etc). For Chromium-based browsers, you can create and use [Profiles](https://www.chromium.org/developers/creating-and-using-profiles), or an extension such as [SessionBox](https://sessionbox.io), however this addon is not open source
**Use DNS-over-HTTPS** | Optional | Traditional DNS makes requests in plain text for everyone to see. It allows for eavesdropping and manipulation of DNS data through man-in-the-middle attacks. Whereas [DNS-over-HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS) performs DNS resolution via the HTTPS protocol, meaning data between you and your DNS resolver is encrypted. You can follow [this guide to enable in Firefox](https://support.mozilla.org/en-US/kb/firefox-dns-over-https), for see [CoudFlares 1.1.1.1 Docs](https://1.1.1.1/help). **Use Incognito** | Recommended | When using someone else's machine, ensure that you're in a private/ incognito session (Use `Ctrl+Shift+N`/ `Cmd+Shift+N`). This will prevent browser history, cookies and some data being saved, but is not [fool-proof](https://www.howtogeek.com/117776/htg-explains-how-private-browsing-works-and-why-it-doesnt-offer-complete-privacy/)- you can still be tracked
**Disable WebRTC** | Optional | [WebRTC](https://webrtc.org/) allows high-quality audio/video communication and peer-to-peer file-sharing straight from the browser. However it can pose as a privacy leak, especially if you are not using a proxy or VPN. In FireFox WebRTC can be disabled, by searching for, and disabling `media.peerconnection.enabled` in about:config. For other browsers, the [WebRTC-Leak-Prevent](ttps://github.com/aghorler/WebRTC-Leak-Prevent) extension can be installed. [uBlockOrigin](https://github.com/gorhill/uBlock) also allows WebRTC to be disabled. To learn more, [check out this guide](https://buffered.com/privacy-security/how-to-disable-webrtc-in-various-browsers/). **Understand Your Browser Fingerprint** | Recommended | Browser [Fingerprinting](https://pixelprivacy.com/resources/browser-fingerprinting) is an incredibly accurate method of tracking, where a website identifies you based on your device information, including: browser and OS versions, headers, time zone, installed fonts, plugins and applications and sometimes device hardware among other data points. You can view your fingerprint at [amiunique.org](https://amiunique.org/fp)- The aim is to be as un-unique as possible
**Don't Connect to Open WiFi networks** | Optional | Browsing the internet while using public or open WiFi may leave you vulnerable to man-in-the-middle attacks, malware distribution and snooping. Some hotspots may also be unencrypted, or even malicious. If you do need to briefly use a public WiFi network, ensure you disable file sharing, only visit HTTPS websites and use a VPN. Also remove the network from your saved WiFi list after. See the [networking](#networking) section for more details. **Manage Cookies** | Recommended | Clearing cookies regularly is one step you can take to help reduce websites from tracking you. Cookies may also store your session token, which if captured, would allow someone to access your accounts without credentials (often called [Session Hijacking](https://en.wikipedia.org/wiki/Session_hijacking)). To mitigate this you should [clear cookies](https://kb.iu.edu/d/ahic) often. [Self Destructing Cookies](https://add0n.com/self-destructing-cookies.html) is a browser addon (available on [Chromium-based browsers](https://chrome.google.com/webstore/detail/self-destructing-cookies/igdpjhaninpfanncfifdoogibpdidddf), [Firefox](https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies-webex/) and [Opera](https://addons.opera.com/en/extensions/details/self-destructing-cookies/)), which will kill cookies when you close the browser
**Use Tor** | Advanced | [The Tor Project](https://www.torproject.org/) provides a browser that encrypts and routes your traffic through multiple nodes, keeping users safe from interception and tracking. The main drawbacks are speed and user experience, as well as the possibility of DNS leaks from other programs (see [potential drawbacks](https://github.com/Lissy93/personal-security-checklist/issues/19)) but generally Tor is one of the most secure browser options for anonymity on the web. **Block Third-Party Cookies** | Recommended | [Third-party cookies](https://en.wikipedia.org/wiki/HTTP_cookie#Privacy_and_third-party_cookies) placed on your device by a website other than the one youre visiting. This poses a privacy risk, as a 3rd entity can collect data from your current session. [This guide](https://www.digitalcitizen.life/how-disable-third-party-cookies-all-major-browsers) explains how you can disable 3rd-party cookies, and you can [check here](https://www.whatismybrowser.com/detect/are-third-party-cookies-enabled) ensure this worked
**First Launch Security** | Advanced | After installing a web browser, the first time you launch it (prior to configuring it's privacy settings), most browsers will call home (send a request to Microsoft, Apple, Google or other developer) and send over your device details (as outlined in [this journal article](https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf)). Therefore, after installing a browser, you should first disable your internet connection, then launch it and go into settings and configure privacy options, before reenabling your internet connectivity. This does not apply to all browsers, in [this article](https://brave.com/brave-tops-browser-first-run-network-traffic-results) Brave claims to be the on of the only browser to call out to a single, controlled TLD exclusively. **Block Ads** | Recommended | Using an ad-blocker can help improve your privacy, by blocking the trackers that ads implement. [uBlock Origin](https://github.com/gorhill/uBlock) is a very efficient and open source browser addon, developed by [Raymond Hill](https://github.com/gorhill) and available for: [Chromium-based browsers](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm), [Firefox](https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/), [Microsoft Edge](https://microsoftedge.microsoft.com/addons/detail/odfafepnkmbhccpbejgmiehpchacaeak), [Safari](https://apps.apple.com/us/app/ublock/id1385985095?ls=1) and [Opera](https://addons.opera.com/en/extensions/details/ublock/). <br>When 3rd-party ads are displayed on a webpage, they have the ability to track you, gathering personal information about you and your habits, which can then be sold, or used to show you more targeted ads. Some ads are malicious; [Malvertising](https://www.malwarebytes.com/malvertising/) is when criminals purchase ad space, and disguise harmful, dangerous or fake websites as something legitimate. 
Blocking ads also makes pages load faster, uses less data and provides a less cluttered experience
**Use different browsers, for different tasks** | Advanced | Compartmentalizing your activity can make it significantly harder for a malicious actor, company or government to get a clear picture of you through your browsing activity. This may include doing online shopping on 1 browser, using another browser, such as Tor for general browsing, and then a 3rd for, say social media. **Block Third-Party Trackers** | Recommended | Blocking trackers will help to stop websites, advertisers, analytics and more from tracking you in the background. [Privacy Badger](https://privacybadger.org), [DuckDuckGo Privacy Essentials](https://help.duckduckgo.com/duckduckgo-help-pages/desktop/adding-duckduckgo-to-your-browser/), [uBlock Origin](https://github.com/gorhill/uBlock) and [uMatrix](https://github.com/gorhill/uMatrix) (advanced) are all very effective, open source tracker-blockers available for all major browsers. Alternatively you can block trackers at the network level, [Pi-Hole](https://pi-hole.net) is a great, highly-customisable and effective solution that runs on a low-power system. Or [Diversion](https://diversion.ch) is a good option for Asus routers running Merlin firmware. Some VPNs offer basic tracking blocking (such as [TrackStop on PerfectPrivacy](https://www.perfect-privacy.com/en/features/trackstop?a_aid=securitychecklist))
**Disable JavaScript** | Advanced | Many modern web apps are JavaScript based, so disabling it will greatly decrease your browsing experience. But if you really want to go all out, then it will really reduce your attack surface. Read more about the growing [risk of JavaScript malware](https://heimdalsecurity.com/blog/javascript-malware-explained/). **Beware of Redirects** | Recommended | While some redirects are harmless, others can send you to malicious sites. If you are unsure about a redirect URL, you can check where it forwards to with a tool like [RedirectDetective](https://redirectdetective.com). It is also recommended to disable redirects in your [browser settings](https://appuals.com/how-to-stop-automatic-redirects-on-google-firefox-and-edge/). [Unvalidated redirects](https://www.credera.com/blog/technology-insights/java/top-10-web-security-risks-unvalidated-redirects-forwards-10/) are still commonly used in phishing attacks, it can make a malicious link seem legitimate
**Route all desktop traffic via Tor** | Advanced | [Whonix](https://www.whonix.org/) allows for fail-safe, automatic, and desktop-wide use of the Tor network. It's based on Debian, and runs in a virtual machine. Straight-forward to install on Windows, OSX or Linux. **Do Not Sign Into Your Browser** | Recommended | Many browsers allow you to sign in, in order to sync history, bookmarks and other browsing data across devices. However signing in not only allows for further data collection, but also increases attack surface through providing another avenue for a malicious actor to get hold of personal information. For Chrome users, you can get around forced sign-in by navigating to [chrome://flags](chrome://flags/#account-consistency) and disabling the `account-consistency` flag. If you still need to sync bookmarks + browser data between devices, there are open source [alternatives](/5_Privacy_Respecting_Software.md#bonus-3---self-hosted-services), such as [xBrowserSync](https://www.xbrowsersync.org)
**Disallow Prediction Services** | Recommended | Some browsers allow for prediction services, where you receive real-time search results or URL auto-fill. If this is enabled then data is sent to Google (or your default search engine) with every keypress, rather than when you hit enter. You may wish to disable this to reduce the amount of data collected
**Avoid G Translate for Webpages** | Recommended | When you visit a web page written in a foreign language, you may be prompted to install the Google Translate extension. Be aware that Google [collects all data](https://www.linkedin.com/pulse/google-translate-privacy-confidentiality-concerns-alex-gheorghe/) (including input fields), along with details of the current user. Instead use a translation service that is not linked to your browser
**Disable Web Notifications** | Recommended | Browser push notifications are a common method for criminals to encourage you to click their link. Be aware of this, and for instructions on disabling browser notifications, see [this article](https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused)
**Disable Automatic Downloads** | Recommended | Security-focused browsers now have automatic downloads disabled by default. For older systems, drive-by downloads is a common method of getting harmful files onto a users device. This can be mitigated by [disabling auto file downloads](https://www.ghacks.net/2017/05/18/you-should-disable-automatic-downloads-in-chrome-right-now/), and being cautious of websites which prompt you to download files unexpectedly
**Disallow Access to Sensors** | Recommended | Mobile websites can [tap into your device sensors](https://www.wired.com/story/mobile-websites-can-tap-into-your-phones-sensors-without-asking/) without asking. If you grant these permissions to your browser once, then all websites are able to use these capabilities, without permission or notification, take a look at the [sensor-js](https://sensor-js.xyz) study for more. The best solution is to not grant any permissions to your browser, and to use a privacy browser such as FireFox Focus ([Android](https://play.google.com/store/apps/details?id=org.mozilla.focus) / [iOS](https://apps.apple.com/app/id1055677337)) or DuckDuckGo ([Android](https://play.google.com/store/apps/details?id=com.duckduckgo.mobile.android&hl=en_US) / [iOS](https://apps.apple.com/us/app/duckduckgo-privacy-browser/id663592361))
**Disallow Location** | Recommended | Location Services lets sites ask for your physical location to improve your experience. This should be disabled in settings ([see how](https://support.ipvanish.com/hc/en-us/articles/360037874554-How-to-Disable-Location-Tracking-on-Browsers)). Note that there are still other methods of determining your approximate location (IP address, time zone, device info, DNS etc)
**Disallow Camera/ Microphone access** | Recommended | Check browser settings to ensure that no websites are granted access to [webcam](https://www.howtogeek.com/210921/how-to-disable-your-webcam-and-why-you-should/) or microphone. It may also be beneficial to use [physical protection](/6_Privacy_and-Security_Gadgets.md) such as a webcam cover and microphone blocker
**Disable Browser Password Saves** | Recommended | Do not allow your browser to store usernames and passwords. These can be easily viewed or accessed. Chrome does protect this data behind your Windows credentials, but these can be simple to obtain thanks to password reset utilities such as [Offline NT Password and Registry Editor](https://www.lifewire.com/offline-nt-password-and-registry-editor-review-2626147). Instead use a password manager
**Disable Browser Autofill** | Recommended | Turn off autofill for any confidential or personal details. This feature was designed to make online shopping and general browsing more convenient, but storing this sensitive information (names, addresses, card details, search terms etc) can be extremely harmful if your browser is compromised in any way. Instead, if essential, consider using your password manager's Notes feature to store and fill your data
**Deactivate ActiveX** | Recommended | [ActiveX](https://en.wikipedia.org/wiki/ActiveX) is a browser extension API that built into Microsoft IE, and enabled by default. It's not commonly used by legitimate sites any more, but since it gives plugins intimate access rights, and can be dangerous, therefore you should disable it ([see how](https://www.howtogeek.com/162282/what-activex-controls-are-and-why-theyre-dangerous/))
**Deactivate Flash** | Recommended | Adobe Flash is infamous for its history of security vulnerabilities (with over [1000 issues](https://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-6761/Adobe-Flash-Player.html)!). See [how to disable Flash](https://www.tomsguide.com/us/disable-flash-how-to,news-21335.html) and [Flash alternatives](https://www.comparitech.com/blog/information-security/flash-vulnerabilities-security). Adobe will end support for Flash Player in December 2020
**Disable WebRTC** | Recommended | [WebRTC](https://webrtc.org/) allows high-quality audio/video communication and peer-to-peer file-sharing straight from the browser. However it can pose as a privacy leak, especially if you are not using a proxy or VPN. In FireFox WebRTC can be disabled, by searching for, and disabling `media.peerconnection.enabled` in about:config. For other browsers, the [WebRTC-Leak-Prevent](ttps://github.com/aghorler/WebRTC-Leak-Prevent) extension can be installed. [uBlockOrigin](https://github.com/gorhill/uBlock) also allows WebRTC to be disabled. To learn more, [check out this guide](https://buffered.com/privacy-security/how-to-disable-webrtc-in-various-browsers/)
**Spoof HTML5 Canvas Sig** | Recommended | [Canvas Fingerprinting](https://en.wikipedia.org/wiki/Canvas_fingerprinting) allows websites to identify and track users very accurately though exploiting the rendering capabilities of the [Canvas Element](https://en.wikipedia.org/wiki/Canvas_element). You can use the [Canvas-Fingerprint-Blocker](https://add0n.com/canvas-fingerprint-blocker.html) extension to spoof your fingerprint or use [Tor](https://www.torproject.org) - Check if you are susceptible [here](https://webbrowsertools.com/canvas-fingerprint/)
**Disregard DNT** | Recommended | [Do Not Track](https://www.eff.org/issues/do-not-track) is a HTTP header, supported by all major browsers, once enabled is intended to flag to a website that you do not wish to be tracked. Enabling Do Not Track has very limited impact, since many websites do not respect or follow this. Since it is rarely used, it may also add to your signature, making you more unique, and therefore actually easier to track
**Prevent HSTS Tracking** | Recommended | HTTP Strict Transport Security (HSTS) was designed to help secure websites, by preventing HTTPS downgrading attacks. However [privacy concerns](https://arstechnica.com/information-technology/2015/01/browsing-in-privacy-mode-super-cookies-can-track-you-anyway) have been raised, as it allowed site operators to plant super-cookies, and continue to track users in incognito. It can be disabled by visiting `chrome://net-internals/#hsts` in Chromium-based browsers, or following [this guide for Firefox](https://www.ghacks.net/2015/10/16/how-to-prevent-hsts-tracking-in-firefox/), and [this guide](https://appuals.com/how-to-clear-or-disable-hsts-for-chrome-firefox-and-internet-explorer/) for other browsers
**Prevent Automatic Browser Connections** | Recommended | Even when you are not using your browser, it may call home to report on usage activity, analytics and diagnostics. You may wish to disable some of this, which can be done through the settings, see instructions for: [Firefox](https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections), [Chrome](https://www.ghacks.net/2018/01/20/how-to-block-the-chrome-software-reporter-tool-software_reporter_tool-exe/), [Brave](https://support.brave.com/hc/en-us/articles/360017905872-How-do-I-enable-or-disable-automatic-crash-reporting-)
**Strip Tracking Params from URLs** | Advanced | Websites often append additional GET paramaters to URLs that you click, to identify information like source/ referrer. You can [sanitize manually](https://12bytes.org/articles/tech/firefox/firefox-search-engine-cautions-and-recommendations#Sanitizing_manually), or use an extensions like [ClearUrls](https://github.com/KevinRoebert/ClearUrls) (for [Chrome](https://chrome.google.com/webstore/detail/clearurls/lckanjgmijmafbedllaakclkaicjfmnk) / [Firefox](https://addons.mozilla.org/en-US/firefox/addon/clearurls/)) or [SearchLinkFix](https://github.com/palant/searchlinkfix) (for [Chrome](https://chrome.google.com/webstore/detail/google-search-link-fix/cekfddagaicikmgoheekchngpadahmlf) / [Firefox](https://addons.mozilla.org/el/firefox/addon/google-search-link-fix/)) to strip tracking data from URLs automatically in the background
**First Launch Security** | Advanced | After installing a web browser, the first time you launch it (prior to configuring it's privacy settings), most browsers will call home (send a request to Microsoft, Apple, Google or other developer) and send over your device details (as outlined in [this journal article](https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf)). Therefore, after installing a browser, you should first disable your internet connection, then launch it and go into settings and configure privacy options, before reenabling your internet connectivity. This does not apply to all browsers, in [this article](https://brave.com/brave-tops-browser-first-run-network-traffic-results) Brave claims to be the on of the only browser to call out to a single, controlled TLD exclusively
**Use The Tor Browser** | Advanced | [The Tor Project](https://www.torproject.org) provides a browser that encrypts and routes your traffic through multiple nodes, keeping users safe from interception and tracking. The main drawbacks are speed and user experience, as well as the possibility of DNS leaks from other programs (see [potential drawbacks](https://github.com/Lissy93/personal-security-checklist/issues/19)) but generally Tor is one of the more secure browser options for anonymity on the web
**Disable JavaScript** | Advanced | Many modern web apps are JavaScript-based, so disabling it will greatly decrease your browsing experience. But if you really want to go all out, then it will really reduce your attack surface, mitigate a lot of client-side tracking and [JavaScript malware](https://heimdalsecurity.com/blog/javascript-malware-explained/)
**Recommended Software** **Recommended Software**
- [Privacy Browsers](/5_Privacy_Respecting_Software.md#browsers) - [Privacy Browsers](/5_Privacy_Respecting_Software.md#browsers)
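Review bot: The "Prevent HSTS Tracking" row says HSTS "can be disabled" immediately after describing it as the protection against HTTPS downgrading attacks, and never states what the reader gives up by following the advice. Suggest wording the action as clearing stored HSTS entries rather than disabling the feature, and adding one clause on the trade-off, so the row cannot be read as advice to switch off downgrade protection permanently. In the same hunk, the "Disregard DNT" row explains why the header is ineffective and may add to a fingerprint, but does not say what the reader should actually do; state the action in the row, for example "leave Do Not Track switched off". Spelling to fix before merge: "though exploiting" should be "through exploiting", "paramaters" should be "parameters", "an extensions like" should be "an extension like", "it's privacy settings" should be "its privacy settings", and "the on of the only browser" should be "one of the only browsers".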
@ -92,6 +115,7 @@ For more browser security pointers, check out: [Heres How To Get Solid Browse
- [Browser Extensions for Security](/5_Privacy_Respecting_Software.md#browser-extensions) - [Browser Extensions for Security](/5_Privacy_Respecting_Software.md#browser-extensions)
## Emails ## Emails
Nearly 50 years since the first email was sent, theyre still very much a big part of our day-to-day life, and will probably continue to be for the near future. So considering how much trust we put in them, its surprising how fundamentally insecure this infrastructure is. Email-related fraud [is on the up](https://www.csoonline.com/article/3247670/email/email-security-in-2018.html), and without taking basic measures you could be at risk. Nearly 50 years since the first email was sent, theyre still very much a big part of our day-to-day life, and will probably continue to be for the near future. So considering how much trust we put in them, its surprising how fundamentally insecure this infrastructure is. Email-related fraud [is on the up](https://www.csoonline.com/article/3247670/email/email-security-in-2018.html), and without taking basic measures you could be at risk.