Simple Browser Security

[Entrustable]

^{Hi there. Long time viewer of Hak5. (Tried successfully hacking the ZipIt Z2 to run AirCrack)}

I've recently invested in a Lenovo Thinkpad W510 [intel Quad-core i7 720QM, 4GB RAM, Win7] for my small business. I'm mainly going to be doing online surfing, video conferencing, and word processing. Though my main focus for this post is the online surfing and perhaps the conferencing too.

I'm not computer literate. I've dabble lightly in networking, (aka I'm the one who fixes the 'internet' at home) so I know the surface of the malicious threats that can befall someone surfing the net. But my question is this: What sort of extensions for Chrome and perhaps simple programs on Win7 exist out there that can offer me a smidgen of an illusion of a more secure laptop and online experience, from online and wifi threats?

You know, so I don't have to reformat every few months, give up sensitive client info, or sacrifice sanity while using my browser. It doesn't need to be a free option, I don't mind paying a developer for a program or system of security worth my time and effort.

[cooper]

I personally recommend just running an ad blocker and not wantonly clicking on any link just because the page you're on says you should. Hover over a link and check if it looks sane to you. If it's tingling your spidey-sense in anyway, don't click.

There also exists plugins that make your browser first try to access websites using HTTPS and only when that fails fall back to HTTP, making wifi attacks (MITM) less viable against you - they might see what you send to a website but since it's encrypted they only get that much gibberish.

Forum user Digip by default browses with Javascript turned off which closes a rather large attack surface on your browser at the cost of usability. Some websites simply require JS to run properly. He did say something about being able to allow JS on a specific, whitelisted set of websites but this might be browser-specific.

[Guest]

Look into Sandboxie for Windows or FireJail for Linux.

[Entrustable]

I personally recommend just running an ad blocker and not wantonly clicking on any link just because the page you're on says you should. Hover over a link and check if it looks sane to you. If it's tingling your spidey-sense in anyway, don't click.

There also exists plugins that make your browser first try to access websites using HTTPS and only when that fails fall back to HTTP, making wifi attacks (MITM) less viable against you - they might see what you send to a website but since it's encrypted they only get that much gibberish.

Forum user Digip by default browses with Javascript turned off which closes a rather large attack surface on your browser at the cost of usability. Some websites simply require JS to run properly. He did say something about being able to allow JS on a specific, whitelisted set of websites but this might be browser-specific.

Thank you for your input.

Look into Sandboxie for Windows or FireJail for Linux.

I'll do Sandboxie and I'm also going to run Lastpass for added security.

Thanks, you two. ;)

[magik]

Another good site for keeping things browser related up to date and patched is the Qualys Browser check. They also have an enterprise edition which allows you to monitor multiple browsers. Completely free too.

https://browsercheck.qualys.com/?euid=&ls=1

[digip]

Question. Is your concern for wireless safety due in part to using open wifi on the road and other people's networks you don't trust? If your concern is only the browser side being safeguarded from spying eyes, use a VPN service, or SSH Tunnel to get you out to the internet when on someone else's network. As for the OS, once on a network you don't own, all bets are off in most cases since you're at the mercy of the network you are on, and whether or not local users can attack your machine, so its a two fold hardening you should be looking at, from the OS being on a hostile network, to also your connection traffic going over potentially harmful networks you're not going to have control of.

Steps I would start with, hard coding OpenDNS as yoru DNS provider, Using a VPN(probably best connection solution since will force all Apps and traffic through your tunnel if connected AFTER the VPN is started) or SSH Tunnel/Socks service for your browser(but won't help non-socks aware programs you want to proxy, such as windows/linux updates which can be redirected by malicious intent), obviously keeping your firewall up and all programs up to date.

As Cooper mentioned, I turn off all plugins and JS in my browser, and enable them on a per site basis, which honestly is a PITA, but when nothing but the browser can execute a GET request, you're chances of being attacked are much slimmer from browser based attacks since you'll only be able to execute HTML and data: based info(you cna be attacked via the "data:" protocol on a number of browsers). Does nothing to protect on the local network, but should stop 90% of anything you might get hit with. You can also use add-ons such as an ad-blocker, but they aren't 100% safe (nor is anything). Same with "noscript" but if using FireFox try https://addons.mozilla.org/en-us/firefox/addon/noscript/ as well. I use Opera, and make exceptions on a per site basis(being able to right click and change on the fly, or under settings per site that I want to open (depending on which version I'm using at any given time) - but this will fail when sites use CDN's such as akamai which will need to be enabled for all external scripts and CSS called, or third party media providers).

Sandboxie is a wonderful tool as well for browsers, since it's kind of like a small VM for browsing which brings me to my next option, just a dedicated VM used only for surfing while on hostile wireless which you can snapshot, and reset after every use. In this instance, your HOST OS is still a target, which then a LiveDISC of any distro would also suffice and in my opinion a better surfing only solution so long as it can't write to the HDD, and I know a lot of people who just carry their laptop with a few live distros and NO HDD, while using USB media for storage when needed, mount, save, unmount, and continue. This I would say is for the uber tinfoil hat person, which I consider myself borderline on the fence, only I wear rubber soul shoes and try to avoid making an antenna for lightning out of my head if at all possible.

Edited March 15, 2015 by digip