Join Scott Simpson for an in-depth discussion in this video, Trust and browsing securely, part of Browsing the Web Securely.
- [Instructor] When you're browsing the web, there are three kinds of security issues you need to be aware of. These are the safety of your personal information, the security of your communication, and your trust of the network. The safety of your personal information includes strategies like making sure you're not sharing passwords or credentials with other people, and that you're not entering them on a fake or phishing site. It means keeping an eye on your cookies in the browser and keeping your system clear of malware and other software that tries to capture user names, passwords, credit card numbers, and so on.
Many modern browsers are quite good at warning you about some of these threats, but now and then something slips through the cracks. The second kind of security that you need to be aware of is HTTPS or a secure connection. Many large websites, and almost any site that takes payment information, use the technology called HTTPS, which encrypts or scrambles up the information sent between the site's servers and your computer. It does that so someone monitoring the network connection between you and them can't observe payment information, messages or whatever is being sent back and forth.
This is usually indicated with a lock or a green icon. Be sure to look for it. The last component of safe browsing is the network itself. Your connection to the internet doesn't just happen. Between you and the various networks that make up the internet are a series of other networks, and all of those have varying degrees of security. A corporate network, for example, is probably pretty secure and doesn't have malicious users on it trying to steal personal information, though they may keep logs or records of what websites are visited using their resources.
Your home connection likewise probably runs through an internet service provider. And while they may be trustworthy about your privacy, they control the network and could observe some aspects of your browsing if they wanted to. A less trusted network, like at an independent coffee shop, is more often a threat to your digital security. While most of them connect to an ISP similar to your connection at home, the WiFi portion may have been configured by someone who is either unskilled or actively malicious, and so unprotected communication on that network could be at risk.
There are different ways of directing your traffic out of a less secure network to another network, and we'll take a look at those later on. First, let's look at how these components interact with each other and how each method affects your security as you browse. When you visit a website, your browser sends a request out to a server running DNS, or Domain Name System, asking for the real address of a website. A DNS server is like an address book for the internet. Google.com, for example, isn't the real name of a web server. It's a human-friendly way of representing a service that you want to visit.
A DNS server takes this human-friendly name and looks up an IP address that corresponds with the site you want and sends that back to the browser. Then the browser contacts that IP address going forward for communicating with the site. Usually a DNS server is provided by your internet service provider. Or on a company or university network, there may be servers provided by the organization instead. If you're concerned about your network provider keeping track of or interfering with what addresses are looked up, you can use a third-party DNS server.
Google offers some and other organizations like OpenDNS offer servers that are available to the public. If the site that you're visiting supports HTTPS, usually during the initial communication process with your browser, one end or the other will ask about it, and the communication will switch to a secure mode if it's available. Once you have a secure connection, the contents of your communication with the website are protected from people trying to see what they contain. Regardless of whether a site supports HTTPS and can encrypt the communications between you and it, and regardless of whether you're using a third party DNS server, the initial lookup of the address sent to a DNS server is not encrypted, so someone on the network could observe your request for the address of the site.
They wouldn't see anything sensitive beyond that, but they would know where you were going, sort of like if someone in a coffee shop overheard you ask the waiter for the address of a public library. They'd know where you were going, but they'd have no idea what book you intended to read. One product you may consider to help ensure that you use HTTPS whenever it's available is a browser extension called HTTPS Everywhere. This software will try to connect using HTTPS wherever it can, and you can configure it to block non-HTTPS connections as well.
To try to combat some forms of tracking, many browsers offer a private mode, or incognito mode, in which the browser temporarily forgets that it has these cookies. So if you browse to a site that you use frequently, it won't be able to use these cookies to identify you. Incognito mode can also prevent sites from reading cookies you may have from other sites. But private browsing or incognito mode doesn't do anything about the requests coming from your computer to DNS servers or requesting traffic across the network.
There are some products that you can use to try and prevent advertisers and trackers from storing cookies or loading code that tries to identify you. For Chrome and Firefox, there's uBlock Origin and Privacy Badger. Of course, whether or not you want to block ads is a decision you need to make for yourself. Some people are uncomfortable using ad blockers for various reasons including denying revenue to sites that they support. And some people are wary of ads because they can be a vector for malware and are often used to track people without their explicit consent. And finally, there's the question of whether you trust the network that you're using.
There's almost no such thing as a direct connection to a popular website, due in part to how the internet works. And because most of us aren't lucky enough to have a direct connection to the backbone networks of the internet, we have to settle for coffee shop WiFi or home internet connections. You can secure your home network as much as you like, but in public you're mostly at the mercy of whoever set up the network you're connecting to. While at your house, you can be pretty sure that someone in the next room isn't secretly redirecting your traffic to Facebook or your bank, but it's harder to guarantee that in a coffee shop or a library.
To help maintain our privacy on a public network, we can use a technology called VPN, which we'll look at in more depth later on, to securely channel your internet browsing activity through an untrusted network to somewhere else, ideally avoiding security problems on our local and intermediate networks. We'll also take a look at a technology called Tor which aims to hide where your requests are coming from in order to help avoid tracking your identity and activity. It's easy to look at all of these tools and technologies and feel overwhelmed or to feel that someone who isn't a criminal or a political dissident or a hacker or a paranoid privacy nerd shouldn't need to bother with security.
And while some people need to take very careful steps to avoid serious consequences for their activity online, everyone should care for their online privacy and security. Whether you're a journalist making unpopular claims, a financial planner who needs to protect client information, or someone who doesn't like the idea that advertisers pay to track them across the web, your security solution should meet your needs. You need to consider what's called your threat model as you design your privacy solution. What information do you leave behind as you browse the web? How can that information be used? What are the consequences of other people getting access to that information? For most people, the biggest direct threats to their online security are credential theft, phishing, and malware.
Ensuring that you're using HTTPS covers most of the daily concerns for most people, especially on a corporate or home network. And being careful about the software you install and the sites where you give out information is a good foundation. But if you're using an untrusted network, such as public WiFi, it can be a good idea to add another layer of safety. In the next chapter, we'll take a look at using a VPN service to keep more of your activity away from observers on the network.
- Selecting a VPN provider
- Installing a VPN
- Setting up your own personal VPN
- Browsing the internet with Tor
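
The transcript's point that a DNS lookup crosses the network unencrypted can be seen in the bytes themselves. This added example (not part of the course) builds a classic UDP port 53 query in the RFC 1035 layout and then recovers the hostname from the raw payload, as any device on the path could; `library.example` is a constructed hostname and the function names are hypothetical.

```python
import struct

# RFC 1035 header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (six 16-bit fields)
HEADER = struct.Struct("!6H")
QTYPES = {1: "A", 28: "AAAA"}

def build_query(hostname, qtype=1, txid=0x1A2B):
    """Build the UDP payload a stub resolver sends for `hostname` (hypothetical helper)."""
    header = HEADER.pack(txid, 0x0100, 1, 0, 0, 0)  # 0x0100 = recursion desired
    qname = b""
    for label in hostname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        qname += bytes([len(raw)]) + raw  # each label is length-prefixed plain ASCII
    return header + qname + b"\x00" + struct.pack("!2H", qtype, 1)  # class IN

def observed_question(payload):
    """Recover (name, type) from raw query bytes; no key or secret is needed."""
    if len(payload) < HEADER.size:
        raise ValueError("truncated header")
    _id, flags, qdcount, *_rest = HEADER.unpack_from(payload)
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    pos, labels = HEADER.size, []
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        length = payload[pos]
        pos += 1
        if length == 0:  # zero-length root label ends the name
            break
        if length > 63:
            raise ValueError("compression pointer or bad label in question")
        if pos + length > len(payload):
            raise ValueError("truncated label")
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack_from("!2H", payload, pos)
    return ".".join(labels), QTYPES.get(qtype, str(qtype))

if __name__ == "__main__":
    pkt = build_query("library.example")  # constructed sample hostname
    print(pkt.hex())               # the hostname's ASCII bytes sit in the payload as-is
    print(observed_question(pkt))  # what an observer on the local network learns
```

The observer learns the name and record type being asked for and nothing about the pages later fetched over HTTPS, which matches the library analogy in the transcript.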