Will this cat picture website take all your money?

Cat pictures: the real reason we invented the internet. Did you know that about 1% of the internet is cats? Well, okay, maybe not. That calculation is a really liberal estimate. Still, cats make up a disproportionate amount of web traffic, and merely looking at cute cat pictures on the internet couldn’t possibly hurt anybody, right?

No, no, I’m not asking a trick question; looking at cute cat pictures on the internet won’t hurt anybody. Having said that, using a web browser to do online shopping and to look at cute cat pictures can indeed hurt your bank account.

Web browsers are incredibly complex and versatile programs. Today, you can get away with using a computer and no software other than a web browser. You can do your banking, shopping, video watching, office work, and even gaming, all in a web browser. But, as always, complexity and versatility introduce vulnerability.

Let’s say you, like most people, use Google Chrome as your only web browser. You use Google Chrome for doing your work on Google Docs, your online banking with PayPal, buying stuff from eBay to be delivered to your home, and sharing cute cat pictures and cat videos with your friends on Facebook in your free time. All pretty harmless stuff, nothing that should hurt anybody.

One day, a friend of yours tells you about this website completely dedicated to cute cat pics called cats.com. (As of the publishing of this article, there is no actual website on cats.com.) You navigate to cats.com and see that it is indeed a real cat picture website. You browse the pics of little kitties for a while and then leave to go buy your own cat a $5 cat toy on eBay that you saw another cat playing with in one of the pictures. You find the little $5 toy on eBay, put it in the cart, and go to checkout. You’re always logged in to your PayPal account, but strangely, this time, PayPal is asking you to log back in. You do so thinking your session just timed out after so many months. You pay the $5 for the toy, and see that you’ve still got $5,000 left in your PayPal account – exactly what it should be.

The next day, you decide to order some cat food, but then you find that the $5,000 that was left in your PayPal account from yesterday is all gone.

ʕ·ᴥ·ʔ: Ouch! Did the owners of cats.com steal it?

Maybe, maybe not. It’s entirely possible that the owners of cats.com are hackers posing as a cat website, but it’s also entirely possible that cats.com is a legitimate cat website whose owners just left a vulnerability that hackers were able to exploit.

Securing a website is hard work (take it from me: securing this simple one is hard enough). Facebook, for example, employs over 20,000 security staff, with each one making over $100,000 a year, totaling over $2 billion just on security staff alone. A small website like my hypothetical cats.com doesn’t need bad owners for bad things to happen to people visiting it. Navigating the internet is risky business; that’s just a fact.

But, with a few changes to your browsing habits and setup, you can protect yourself. And that’s what we’re here to talk about today: browser security.

All your cookies in one browser

The attack I described above on cats.com was not total fiction. The attack itself was a real possibility due to a real cross-site scripting (XSS) vulnerability in PayPal that was discovered in November 2019. It required the victim to be logged in to PayPal in the same browser session that was used to access a malicious or vulnerable site. So, a few simple solutions to prevent this kind of attack would be to use private windows, delete all cookies, or use a completely different web browser. The problem with all these solutions is that they require you to remember to use them, consciously, every single time.

A better solution that I myself use on a daily basis is using Mozilla Firefox as my web browser of choice with the Firefox Multi-Account Containers extension. This extension is exclusive to Firefox and Firefox-based browsers on desktop (sorry, Chrome, Chromium-based, and mobile users). With this extension, I create a “container” for each website I log in to, and use only that website inside that container, and never log in to that website from outside that container. This keeps my browser cookies sandboxed from each other, not allowing one website to access another website’s cookies, like cats.com accessing paypal.com’s cookies. This also has the added benefit of being great for online privacy.

Containers can be set to open automatically whenever you navigate to a specific website, so you don’t have to remember to use them manually every single time you go to, for example, paypal.com.

My recommended policy is: whenever you log in to a website – any website – make sure it automatically opens in a container that is used only for that website and no other.

Much more than just an ad blocker

If you surf the web, you’ve probably been swept up in a deluge of ads several times. Ads aren’t just annoying, they’re also bad for your privacy. But, more important than that, they’re bad for your security.

Online ads are syndicated through a few big advertising networks owned by Google, Facebook, Twitter, Microsoft; you know, the big names. But unlike on Facebook and Twitter, where you decide who your friends are and whose tweets you see, or Google and Bing, where you decide what search terms you use and what links you click on, the advertising networks that belong to them decide what ads you see; you don’t get to decide. The problem with this is that criminals and hackers can use these advertising networks to put out their own ads, ads that can be pretty harmful.

This is what’s called malvertising (malicious advertising). Sometimes the ads are run-of-the-mill scams, like a gadget that doesn’t work or a good deal on an expensive item that will never be delivered to you. Other times, they’re more technical, like an ad that leads to a phishing page or an ad that downloads malware to your computer.

You might think, “Well, the big tech companies that own these advertising networks must be trying to prevent bad guys from using their ad networks, right?” But they also have a conflict of interest here: the bad guys are paying customers, paying the big tech companies to put their malicious ads out there for the public to see and click on.

And whether they’re fighting this problem or not, it isn’t getting any better over time. In 2014, it was estimated that 1% of all online ads were malicious ads. In 2019, 5 years later, it was still estimated to be around 1%. So you might have the same chance of seeing a random cat picture or video on the internet as you do of seeing a malicious ad.

ʕ·ᴥ·ʔ: Wait, what?! But I see random cat pictures and videos all the time!

Exactly. 1% might seem like a small number, but it ain’t something to scoff at if you spend any significant amount of time on the internet.

So how do you protect yourself against these? Well, a regular ad blocker is certainly a very good (and free) investment that will block most ads you’ll find online. And if you’re the lazy type, you can stop right there.

However, some ads, especially in the more obscure corners of the internet, won’t be caught by a regular ad blocker, either because the ad networks they come from are not on the ad blocker’s filter lists or because the ads themselves are dynamically generated through JavaScript. The worst thing is: these obscure ad networks and dynamically generated ads are probably much more likely to be malicious ads because they’re not syndicated by the big tech companies.

Obscure ad networks will eventually be added to the filter lists by the people who maintain them, but we have to deal with the JavaScript ads ourselves. If you wanna go further and block those JavaScript ads, I recommend installing uBlock Origin as your ad blocker, setting it to disable all JavaScript by default, and enabling JavaScript only on websites you trust. This way, you decide which websites are allowed to run JavaScript, and all other websites can’t. It’s quite a bit of work, at least in the beginning, if you use many different JavaScript-dependent websites. But this setup has the added benefits of preventing some XSS attacks, preventing some phishing attacks, and protecting your privacy by disabling data collection scripts. The work is worth it if you ask me.

An HTTPS enforcer

I’ve talked about HTTPS before, and why you should use HTTPS whenever possible, but web browsers don’t enforce HTTPS by default. Some websites, like google.com, automatically redirect you to their HTTPS sites when you visit their HTTP versions or when you don’t specify whether to use HTTP or HTTPS. Other websites, however, don’t, even when they have HTTPS versions that work just fine.

Take, for example, wafflescat.com, the official website of Waffles the Cat. (ʕっ•ᴥ•ʔっ: He’s so CUUUTE! ❤️) They have HTTPS enabled on their site, you can access it, and it all works just fine. But if you go to wafflescat.com or http://wafflescat.com, you’ll be using HTTP, opening yourself up to man-in-the-middle attacks.

(Note: I’ve informed the owners of wafflescat.com that they might want to enforce HTTPS on their site since they already have HTTPS anyway, so this might no longer be the case by the time you’re reading this.)

Sometimes you can’t use HTTPS because some websites don’t support it, but you want to be using it whenever possible, like it is with wafflescat.com. To do that, you can install the browser extension HTTPS Everywhere. It’ll automatically upgrade your HTTP connections to HTTPS whenever possible. You can also set it to block non-HTTPS connections by default unless you manually allow it.

(Screenshot: HTTPS Everywhere warning you that it can’t enforce HTTPS)

This is the third browser extension I’m recommending, but it really should be the first one you install. It’s simple, easy to use, and works right out of the box.
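To make the upgrade-or-block behaviour described above concrete, here is a small model of the decision an HTTPS-upgrading extension makes for each navigation. This is an added example, not HTTPS Everywhere’s own code; the rulesets, the wildcard matching and the host names used for the uncovered site are all constructed for this illustration.

```javascript
// Added example, not HTTPS Everywhere's own code: a small model of how an
// HTTPS-upgrading extension decides what to do with a navigation.
// Rulesets mimic the shape HTTPS Everywhere used (target hosts plus
// from/to rewrite rules). Both rulesets below are constructed for this
// example, not copied from the real ruleset library.
const RULESETS = [
  {
    name: "Waffles the Cat (constructed)",
    targets: ["wafflescat.com", "www.wafflescat.com"],
    rules: [{ from: /^http:/, to: "https:" }],
  },
  {
    name: "cats.com (constructed)",
    targets: ["cats.com", "*.cats.com"],
    // Also folds the www. host onto the bare domain while upgrading.
    rules: [{ from: /^http:\/\/(www\.)?cats\.com\//, to: "https://cats.com/" }],
  },
];

// "*.cats.com" matches any depth of subdomain in this model (an assumption,
// kept simple on purpose); a plain target must match the host exactly.
function hostMatches(target, host) {
  if (target.startsWith("*.")) {
    const suffix = target.slice(1); // ".cats.com"
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return target === host;
}

// Returns { action: "allow" | "upgrade" | "block", url }.
// blockUnencrypted models the "block all unencrypted requests" setting: an
// http:// URL that no ruleset covers is blocked unless the user allowed the
// host, which is exactly when the extension shows its "can't enforce HTTPS"
// warning instead of loading the page.
function decide(urlString, { blockUnencrypted = false, userAllowed = new Set() } = {}) {
  const url = new URL(urlString);
  if (url.protocol !== "http:") {
    return { action: "allow", url: url.href }; // https:, about:, etc. untouched
  }
  for (const ruleset of RULESETS) {
    if (!ruleset.targets.some((t) => hostMatches(t, url.hostname))) continue;
    for (const rule of ruleset.rules) {
      if (rule.from.test(url.href)) {
        return { action: "upgrade", url: url.href.replace(rule.from, rule.to) };
      }
    }
  }
  if (blockUnencrypted && !userAllowed.has(url.hostname)) {
    return { action: "block", url: url.href };
  }
  return { action: "allow", url: url.href };
}
```

Calling `decide("http://wafflescat.com")` returns an upgrade to `https://wafflescat.com/`, while an http-only host with `blockUnencrypted: true` is blocked until its hostname is added to `userAllowed`.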

Being picky to be defensive

So far, I’ve recommended three browser extensions to install on your web browser. If you, like most people, have never installed a browser extension before and now have had your eyes opened to the wonderful things browser extensions can do for you, you might start going through Firefox’s or Chrome’s browser stores looking for what other neat things you can install on your web browser. You can even install themes.

ʕ·ᴥ·ʔ: I like cool themes!

Yeah, I do too, but, uh, don’t install them.

ʕ •̀ᴥ•́ ʔ: But why not?!

Well, okay, fine, maybe install them, but avoid installing them, and be very picky about what you install.

ʕ·ᴥ·ʔ: Okay, but why?

Browser extensions can make you more secure online, but they can also make you less secure, and even infect you with malware. Sometimes it’s just an honest mistake that introduces a vulnerability into your browser. Other times, it’s more nefarious than that.

Anybody can make their own browser extension and upload it to Firefox’s and Chrome’s browser stores, so anybody can make and upload a malicious browser extension as well. And though browser stores do have security measures in place to catch and prevent these kinds of extensions from making it onto their stores, they can’t catch everything. Some malicious extensions will fall through the cracks. Others might not be malicious at first but become so later, because that was the developer’s plan all along or because the developer sold the extension to someone else who decided to do just that.

Whatever the case, when you install a piece of software (any piece of software, including an app or even an operating system), you’re trusting the people who are providing it to you to have no ill intentions, and you’re trusting the software itself to not harm you in any way. The more software you install (and the more strangers you trust), the less secure you are.

So, avoid installing browser extensions willy-nilly. Be discerning. That’s a good policy to have even beyond just browser extensions and software. Don’t live in a shell, though; be adventurous; but be discerning.

Speaking of discernment, besides the awesome Firefox Multi-Account Containers extension, here’s another reason to switch to Firefox or a Firefox-based web browser: Mozilla will do the discerning for you! The Firefox browser store has “Verified”, “Recommended”, and “Made by Firefox” badges, which indicate that an extension has been manually vetted by Mozilla themselves. This way, you don’t need to trust the extension developer to provide a good extension; you can trust Mozilla to make sure that it’s a good extension, since you’re already trusting them to provide a good web browser anyway.

ʕ·ᴥ·ʔ: Google, you dropped the ball.

Like being able to protect yourself online? Of course you do. Still not a trick question, but a rhetorical one. Consider subscribing to my mailing list or my RSS feed. For the mailing list, submit your email address down below. For the RSS feed, there’s a link to it in the menu. The only notifications you’ll get from me will be new articles.