Securing Your Web Browser

Are you concerned about privacy on the Web? Recent findings surprised even some experts. It's amazing and maybe scary just how much information can be gathered from your computer while you are online. Perhaps you've seen the 60 Minutes story about DoubleClick and how they may be tracking your web browsing habits through the use of cookies. Perhaps you've heard of the CERT (the Carnegie Mellon Software Research Institute) advisory on malicious HTML and Java Scripting. You may be worried or just mildly concerned. Either way, take a look at what you can do to protect your privacy and your computer while on the Web.

In this article, we will take a look at some simple steps to follow that will help armor your OS. Then we will take a closer look at the three most popular Web browsers: Internet Explorer, Netscape, and Opera, and the steps you can take to make them more secure.

You must make a decision

You've probably heard R.A. Heinlein's expression "There's no such thing as a free lunch." Keep this idea in mind as you read this article, because one of the things you will have to determine is just how important your security and privacy are and how to balance securing your browser vs. making some Web content unavailable, making some Web sites no longer functional, and possibly requiring input of information every time you visit a site. You should balance the risks against the ease of use you may be accustomed to.

What this all boils down to is that you must decide what risks you are willing to take in order to view various Web content. Some sites such as Hotmail and sites hosted by Homesite will not function without JavaScript turned on, but there are often other sites on the Web you can visit that offer the same services. For example, there are many other free e-mail sites, and for each site that will not function correctly there are many more that will. The same can be said for almost any type of site on the Internet.
You will have to determine just how important any given site is to you, and if a site no longer functions after making the changes, we will discuss your options.

What is your browser telling people?

One of the first things you need to determine is the type and extent of information your browser is giving out. There are several sites where you can test this. We will look at two of these. The first is http://privacy.net/analyze/ where you will get a basic rundown of your browser and your Internet connection. If you have Java and JavaScript enabled, you will be amazed at what you will find. The next site is http://www.gemal.dk/browserspy/ and here you will simply be astounded at the data that your web browser is making available. You will need to have Java and JavaScript enabled in order to run these tests. Once you are done, you will see why you have good reason to worry!

Additional security tests and scans can be found here:

http://www.pcflank.com/test.htm
http://security2.norton.com/ssc/home.asp
http://browsercheck.qualys.com/
https://grc.com/x/ne.dll?bh0bkyd2
http://scan.sygatetech.com/prequickscan.html

Be afraid, be very afraid -- or am I just paranoid?

After visiting the sites mentioned above, you have just seen how much information about you is available to anyone who wants to see it. But there are other reasons why you should take steps to secure your browser. There are a lot of terms out there: ActiveX, Java, JavaScript, and Cookies. What do these things mean and why should you be wary of them?

ActiveX is used on Windows, mostly, if not exclusively, by Internet Explorer. It is Microsoft's answer to Java and JavaScript and is a scripting language that allows content to be run on a user's system. Java was created by Sun Microsystems and in simple terms it is a derivative of the C++ programming language that can run on many different operating systems.
JavaScript is a scripting language that is primarily used to allow content to run on a user's system and was created by Netscape. What are Cookies? To put it simply, cookies are text characters saved by a browser to your hard disk. They can be used to save information as you browse a web site or they can be used to track specific information on a user.

Ok, that sounds good, but why should you, the Web user, be worried? Well, to put it bluntly, ActiveX, JavaScript, and Scripting Languages have numerous security holes, which can be used in a variety of attacks. Hostile JavaScript can allow malicious persons to access files from a web user's hard drive. PC Week Magazine reported that a hacker group was able to create a hostile ActiveX script that allowed access to financial software on a Web user's system. If you visited the Browser Spy site we discussed above, you have seen how much information Java and JavaScript make available to anyone who wants to see it. Go to http://www.cert.org/advisories/CA-2000-02.html and read up on just one of the problems associated with these Scripting Languages. Many Warez sites (illegal web sites distributing pirated software or cracks for trial versions) require JavaScript and cookies to be turned on to get the software or crack to download ... now why do you suppose that is?

Now what about ActiveX? Read what CNet and Intuit had to say at http://news.cnet.com/news/0-1005-200-316652.html?related.

What about cookies? They are safe, right? What harm could they cause? They are simply text files that cannot be used to track you, aren't they? There is more to cookies than most people realize. Read what USA Today has to say regarding cookies and DoubleClick: http://www.usatoday.com/life/cyber/tech/cth211.htm. Then take a look at what they have to say about cookies in general: http://www.usatoday.com/life/cyber/tech/cth203.htm. Now after reading that you may be a little worried ...
just take a look at one more article, this one from InternetNews.com: http://www.internetnews.com/bus-news/article/0,1087,3_66711,00.html.

Now that you have read these articles you are in a better position to make knowledgeable choices in what you want your web browser to do. You are better prepared to understand why we make the following suggestions.

Windows and Linux

These issues don't just affect one OS; these are things that everyone has to worry about. Let's look at making your OS a little more secure first.

Running Windows? Well, much of the world is, and Windows out of the box needs to be secured before you start running on the Internet with it. What could be wrong with your Windows system's standard configuration? To begin with, your NetBIOS is actually open for the world to see. That means that anyone who wants to can actually view login names, network names, workgroup names, and the actual name of the computer. This can be used as a starting point for hackers to try and gain control of your system. No matter if you are running Windows 9x or NT, there are some simple steps you can take to make your system a little more secure. I wish I had come up with the following but I did not; thank goodness Steve Gibson did. Head over to http://grc.com/su-bondage.htm and follow his advice on how to make your Windows 9x or NT system shut some of the open holes it has running. The steps are well written and are easy to follow and do not affect your ability to surf the Net one bit.

Linux users face similar problems. Many distributions, including Red Hat, leave a number of security holes open, such as open FTP and Finger ports. These are easy to shut down. You will need to be running as root in order to make these changes. First check out the configuration file for your inetd daemon. You will find it here: /etc/inetd.conf. With your favorite text editor, simply hash out (with #) all the services you don't want to leave running. I recommend hashing everything out except the auth daemon.
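One way to confirm the edit before restarting inetd, as an added example that is not part of the original article: the script lists the services still active in an inetd.conf-style file and checks a hosts.deny-style file for the ALL:ALL rule this section goes on to describe. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Function names and the
# sample files are constructed for illustration.

# Print the service name (first field) of every line that is still active:
# not blank and not hashed out with '#'.
enabled_inetd_services() {
    awk '{ sub(/^[ \t]+/, "") }
         $0 == "" || substr($0, 1, 1) == "#" { next }
         { print $1 }' "$1"
}

# Print enabled services in file $1 that are not in the allow list $2...
unexpected_services() {
    conf=$1; shift
    allowed=" $* "
    for svc in $(enabled_inetd_services "$conf"); do
        case "$allowed" in
            *" $svc "*) ;;          # expected, e.g. auth
            *) echo "$svc" ;;       # still enabled: needs a '#'
        esac
    done
}

# Succeed only if the file holds an uncommented ALL:ALL rule
# (spaces around the colon are accepted).
has_default_deny() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*$' "$1"
}

# Constructed sample: ftp was missed, finger is hashed out, auth is kept.
write_sample_inetd() {
    {
        printf '# constructed sample inetd.conf\n'
        printf 'ftp\tstream\ttcp\tnowait\troot\t/usr/sbin/tcpd\tin.ftpd\n'
        printf '#finger\tstream\ttcp\tnowait\tnobody\t/usr/sbin/tcpd\tin.fingerd\n'
        printf '  # indented comment\n\n'
        printf 'auth\tstream\ttcp\twait\troot\t/usr/sbin/in.identd\tin.identd\n'
    } > "$1"
}

demo_dir=$(mktemp -d)
write_sample_inetd "$demo_dir/inetd.conf"
printf 'ALL:ALL\n' > "$demo_dir/hosts.deny"

echo "Enabled besides auth: $(unexpected_services "$demo_dir/inetd.conf" auth)"
if has_default_deny "$demo_dir/hosts.deny"; then
    echo "hosts.deny: default deny present"
else
    echo "hosts.deny: ALL:ALL missing"
fi
rm -rf "$demo_dir"
```

On a real system the same functions take /etc/inetd.conf and /etc/hosts.deny as their file arguments.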
Then you need to run this command from the command line to restart inetd: "killall -HUP inetd". This will restart inetd with the modifications you have made. Now take one more step to make Linux a bit more secure. In /etc/hosts.deny place this line at the bottom: "ALL:ALL". This modification utilizes a concept known as TCP Wrappers. It helps to prevent intrusions into your system by denying access via TCP/IP attacks. You have now made your Linux box more secure.

To check both your Windows and Linux systems, head over to Steve Gibson's Shield's Up site at http://GRC.com and make sure your NetBIOS isn't showing and that all your ports are now closed.

Note that these tips are designed for normal home use. This information may not be applicable if you are running Web servers from your machine.

One thing to remember is that by following these instructions for both Windows and Linux systems, you have made your system more secure. However, it is still not invulnerable to attacks. You will have closed some of the major holes, but to keep your system completely secure you will still need to run firewall software. Firewalls will be discussed in a future article; for the time being you will have made your system much more secure than most of the systems that are currently connected to the Internet.

Web Browsers

Now we will take a look at the big three Web browsers and what you can do with each of them to make your surfing experience a little less dangerous.

Internet Explorer

Microsoft's Internet Explorer is now the most used Web browser around. While it is a good Web browser, it has several holes that can be plugged to make it more secure. First off, make sure you have downloaded and installed all the security related updates available from the Windows Update site. Microsoft is constantly releasing updates for IE and it's in your best interest to make sure you have these installed.
There is an alternate location, which allows you to download the update files for installation locally: http://www.microsoft.com/windows98/downloads/corporate.asp. This is important if you have a couple of Windows systems and don't want to run Windows Update on each one, or if you are like me and reinstall Windows on a regular basis and want to have the updates readily available. For NT users I recommend going to the Microsoft Downloads section and doing a search for "security_patch" as the keyword.

For all users of Microsoft products, I recommend heading over to this site: http://www.microsoft.com/technet/security/notify.asp and signing up for the e-mail notification program. Microsoft will then e-mail you every time an update is available. In addition, it might be a good idea to bookmark this site: http://www.microsoft.com/technet/security/current.asp, the TechNet listing of all the Microsoft Security Bulletins.

Now let's look at Internet Explorer. We will focus on IE 5 but you can do many of the things we discuss with version 4 as well. Everything will be done using the Internet Options menu. This can be accessed via Tools/Internet Options.

Let's start with the Advanced tab. Under the Browsing section, I recommend you uncheck Enable page hit counting, and uncheck Install On Demand. However, if you decide you want to use the Windows Update site to automatically install your updates, you will need to recheck this option before you head over to the Windows Update site. One of the reasons you want to do this is that unchecking Install On Demand helps you prevent unwanted programs being installed on your system. Unchecking Enable page hit counting prevents servers from determining what pages you are viewing even if you are viewing the pages from cache or through a proxy.

Now let's head over to the Security tab.
Make sure the following items are Checked:

  Check for publishers certificate revocation
  Check for server certificate revocation
  Do not save encrypted pages to disk
  Empty Temporary Internet Files folder when browser is closed
  Use Fortezza
  Use PCT 1.0
  Use SSL 2.0
  Use SSL 3.0
  Use TLS 1.0
  Warn about invalid site certificates
  Warn if changing between secure and not secure mode
  Warn if forms submittal is being redirected

Having these checked helps to ensure that when you are viewing secured sites, you are indeed secure. In addition, you probably want to be aware if a site or server has had its security certificate revoked. Make sure all the other options are Unchecked.

Let's go back to Internet Options and go to the Security tab. A great feature of IE is the ability to place different sites into different zones. First let's head over to the Restricted Sites zone. Click on Custom Level and disable every option that is listed. This is especially important if you use Outlook or Outlook Express as your e-mail client, as we will discuss later on.

Once you are done, head over to the Internet Zone. The Internet Zone is where most, if not all, of your web browsing will be taking place. This is where you will have to begin making some decisions on just how important your safety and privacy are. Once again, click on Custom Level and look over the options you have.

We will examine ActiveX first. For good or bad, ActiveX is a big part of Internet Explorer, but thankfully IE lets you decide what you want to do with it. This is what I recommend doing with ActiveX: under Download signed ActiveX controls, choose disable or prompt; under Download unsigned ActiveX controls, choose disable; under Initialize and script ActiveX controls not marked as safe, choose disable; under Run ActiveX controls and plug-ins, choose disable or prompt; and finally under Script ActiveX controls marked safe for scripting, choose disable or prompt.

Now we will deal with cookies.
Here I recommend disabling cookies stored on your computer. As for Allow per session cookies (not stored), choose Enabled or Disabled. Disabled will make you safer, but enabling per session cookies will make it easier to use some sites, and when you exit IE these cookies are automatically removed. You may wonder why I don't recommend the prompt option. Well, I have been to many sites that keep trying to place cookies, and these countless messages get very annoying.

Next we need to consider downloads. You probably want to download stuff from the Net, so you can keep File Downloads enabled - just be careful what you download. For Font downloads I recommend the Prompt setting. Under Microsoft VM, choose Disable Java. Under Miscellaneous, I recommend disabling everything except the following: under Drag and drop or copy and paste files, I recommend setting it for Prompt; under Software channel permissions, select High; and under Submit nonencrypted form data choose Enabled or Prompt. Finally, under Scripting, disable everything.

Ok, what does all this mean? Well, now you have taken some major steps to ensure your Web browsing is safe. However, you have also disabled some major browser settings, and sites such as Windows Update and Hotmail will no longer function, as well as many e-commerce sites. What should you do now? Well, you have to weigh the value of the sites versus your safety and privacy. If you decide that there is a site you want to use but these settings won't allow it, IE offers you the ability to make it a trusted site, so let's head over to the Trusted Sites area.

Use the Trusted Sites section for sites that you have decided are safe and trustworthy and require some of the functions we have disabled. Make sure you choose wisely when adding a site to this list. Go ahead and click on Custom Level, and let's take a look at the options available.
Sites in this section are automatically under low security settings - I recommend you beef that up to medium at least, then examine the settings on an individual basis and decide if you like the default medium settings. However, make sure you set the "ActiveX settings for Downloading unsigned ActiveX controls" and "Initialize and Script ActiveX controls not marked as safe" to disabled. When you add sites to your Trusted section you may need to make sure the box next to Require server verification (https:) for all sites in this zone is unchecked, otherwise you will only be able to add secured sites to your Trusted Sites section. Ok, now you have made Internet Explorer more secure.

Earlier we talked about making sure everything was disabled under the Restricted Sites section and we said that this was especially important to users of Outlook and Outlook Express. Recently there have been issues with HTML e-mail including embedded cookies that allow you to be tracked. What you want to do now if you have Outlook is as follows: go to Tools/Options/Security and in the Secure Content section make sure you select Restricted Sites. With Outlook Express follow these steps: go to Tools/Options/Security and in the Security Zones section choose Restricted sites zone.

Finally, we will discuss getting rid of your cookies. If you have followed the recommendations made previously, you should not be getting many cookies added to your system. But if you have decided to still allow cookies, or have decided to follow the above advice and want to rid yourself of the cookies you already have, it's a fairly simple process. Windows contains a Cookies folder, but for some reason when you delete the cookies from it they stay in your Temporary Internet Files folder. However, when you delete the cookies from your Temporary Internet folder they are also deleted from the Cookie folder. So how do we rid ourselves of these cookies? It's fairly easy to do. Choose Tools/Internet Options.
Under the Temporary Internet files section, choose Delete Files and then OK. This will clear your browser cache. Now click Settings/View Files. Here you will see all the cookies on your system. You can examine them and keep those you want and delete the rest, or delete all of them.

Netscape

Netscape used to be THE browser, but has recently fallen on hard times. However, it is still one of the more popular browsers around, and for the Linux crowd it's pretty much the only viable browser available. Since Netscape is not made by Microsoft it does not have anything to do with ActiveX and that is one less worry, but it still has some issues that can be dealt with fairly easily.

Let's take a look at the options Netscape offers. Click Edit/Preferences and you will see a large number of categories. First let's take a look at the Advanced section. Under Advanced there are a few things we want to do. First we want to uncheck the boxes next to Enable Java and Enable JavaScript. You will also see a box next to Send e-mail address as anonymous FTP password. Make sure that this is unchecked! This is important to make sure your e-mail address is not being sent out to anyone who wants it.

OK, let's take a look at the cookie section. Netscape does not give you as many options as IE did. First, if you decide you want to use cookies, then choose Accept only cookies that get sent back to the originating server, or choose disable cookies. Once again, I do not recommend the Warn me before accepting a cookie option - it gets annoying very quickly; however, it's up to you. As discussed earlier, the same problems apply to Java, JavaScript and cookies in Netscape as in IE.

Under the Advanced section there are several options. Under the Cache section you can see information on your browser cache. Unfortunately, Netscape does not offer you the ability to automatically clear the cache; however, you can clear both the disk and memory cache here manually.
The next section to check out is the Smart Update section. Under this section you will want to uncheck Enable Smart Update and check Require Manual confirmation of each install. If you decide to use the Netscape Smart Update to update your version of Netscape you will need to check that box; when the update is complete, go back and uncheck it again.

Head over to the Navigator category and under the Smart Browsing section disable "What's Related." Apparently the "What's Related" feature can allow users' browsing habits to be tracked and it may be possible to tie specific users to the sites they visit. Exit out of the Preferences area.

Next, you will want to click on Communicator/Tools/Security Info. Under the Navigator section you will see several options. I recommend making sure the following are checked under "Show a Warning Before:" entering an encrypted site, leaving an encrypted site, and viewing a page with an encrypted/unencrypted mix. The final option of sending unencrypted information to a site is a personal choice. Next take a look at Certificate to identify you to a web site and make sure "Ask Every Time" is selected. Finally, make sure that both SSL 2 and 3 are checked.

Users of Netscape should bookmark the following page and visit it on a regular basis: http://home.netscape.com/security/notes/index.html. You can use this site to keep up to date on possible security risks and other issues.

Now let's take a look at how Netscape stores your cookies. You will find your cookies at C:\Program Files\Netscape\Users\your user name, in a file called cookies.txt. You can view and edit this file with your favorite text editor and remove any cookies you wish, or delete all of them. For Linux users, you will find your cookies in your home directory under ~/.netscape. A nice way to get rid of cookies in Linux is to link them to /dev/null. You can do this by simply typing the following in the shell of your choice: "ln -sf /dev/null ~/.netscape/cookies".
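For the cookies.txt file described above, this added example (not part of the original article) keeps only the cookies for the sites you name and drops the rest, instead of editing the file by hand. It assumes the usual seven-field, tab-separated cookies.txt layout; the function names and the sample cookies are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Function names and the
# sample cookies are constructed for illustration.
# cookies.txt layout: one cookie per line, seven tab-separated fields:
#   domain  subdomain-flag  path  secure  expiry(epoch)  name  value

# Number of cookie records (comment and malformed lines are not counted).
count_cookies() {
    awk -F '\t' '!/^#/ && NF == 7 { c++ } END { print c + 0 }' "$1"
}

# Unique domains that have a cookie in the file, one per line.
list_cookie_domains() {
    awk -F '\t' '!/^#/ && NF == 7 { print $1 }' "$1" | sort -u
}

# Write to stdout a copy of file $1 keeping only cookies whose domain is
# one of $2... or a subdomain of one. Comment lines are preserved.
prune_cookies() {
    file=$1; shift
    awk -F '\t' -v keep="$*" '
        BEGIN { n = split(keep, k, " ") }
        /^#/ || NF == 0 { print; next }
        NF != 7 { next }                      # drop malformed records
        {
            d = $1; sub(/^\./, "", d)         # ".example.org" -> "example.org"
            for (i = 1; i <= n; i++) {
                s = k[i]; tail = length(d) - length(s)
                # exact match, or suffix match on a label boundary so
                # "notexample.com" is not mistaken for "example.com"
                if (d == s || (tail > 0 && substr(d, tail) == ("." s))) {
                    print; next
                }
            }
        }' "$file"
}

# Constructed sample file with four cookies.
write_sample_cookies() {
    {
        printf '# Netscape HTTP Cookie File\n'
        printf '.doubleclick.net\tTRUE\t/\tFALSE\t1920499146\tid\tA1B2C3\n'
        printf 'www.example.com\tFALSE\t/\tFALSE\t1920499146\tsession\txyz\n'
        printf '.example.org\tTRUE\t/shop\tFALSE\t1920499146\tcart\t42\n'
        printf 'notexample.com\tFALSE\t/\tFALSE\t1920499146\ttrack\tq9\n'
    } > "$1"
}

demo=$(mktemp)
write_sample_cookies "$demo"
echo "before: $(count_cookies "$demo") cookies"
prune_cookies "$demo" example.com > "$demo.new" && mv "$demo.new" "$demo"
echo "after:  $(count_cookies "$demo") cookies from: $(list_cookie_domains "$demo")"
rm -f "$demo"
```

Run it against your own cookies.txt with Netscape closed, writing the pruned copy to a new file and moving it into place once you have looked it over.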
Ok, if you've followed our advice you have made your browsing with Netscape much more secure.

Opera

Opera is the least well known of the major browsers, at least here in the United States. In Europe, Opera is well known and is one of the most popular browsers available. Overall the popularity of Opera is increasing and a version is soon to be released for Linux. In some ways, Opera is not as insecure as Netscape or Internet Explorer, but it still has some openings that we will take care of. Opera does not come with Java, and that by itself takes care of some of the major issues. Like Netscape, it does not have the worries of ActiveX.

Let's take a look at what we need to do with Opera. Go to Preferences and select Advanced. Here, under the Logging section are options for cookies and referrers. We want to make sure that the box next to Enable referrer is unchecked, and I recommend unchecking the box next to Enable Cookies.

Now we want to go to the Multimedia section. Here we want to make sure the box next to Enable Scripting Languages is unchecked. Scripting Languages is what Opera calls JavaScript, and we want to make sure it's disabled. Again, the same caveat applies to Opera as it did to IE and Netscape's vulnerabilities with JavaScript.

Next, go to the Cache section and place a check next to the box that says Empty on exit, so that browser cache will be cleared when we exit Opera.

Now, let's go to the Security section. Make sure that there are check marks next to Enable SSL v2, SSL v3, and TLS 1.0. Next, in the section "Show an Alert Before:", you will need to decide if you want an alert before Submitting a Form Insecurely. That is pretty much a personal decision.

If you are still using cookies or want to get rid of cookies you had previously, you can edit the cookies.dat file in the Opera directory.
The easiest way to do this is to download a free utility called Opera File Explorer from the designer's site: http://www.westelcom.com/users/jsegur/ which will allow you to edit the cookies.dat file easily and quickly. With these few steps, you have now made Opera a more secure way to browse the Web.

Conclusion

One thing that will affect any web browser you choose is the encryption level. All three browsers are available with 128-bit encryption, and you should make sure that your browser has this option if available to you. Recently, the US Government has allowed export of the 128-bit versions of Internet Explorer and Netscape to most countries. In addition, since Opera was not made in the US, it is able to offer 128-bit encryption to the world.

Hopefully, you have followed most or at least some of the advice offered in this article, and in doing so you have made your Web browser more secure and have made your stay on the Internet more secure and private. It is unfortunate that we are forced into choosing between increasing our safety, or reducing the accessibility of some Internet content, but that is the way it is. Will this ever change? Probably not anytime soon, as it seems that the bad guys are always one step ahead, and security holes mostly seem to be discovered and patched only after somebody has exploited them. In the meantime, use common sense and caution.

http://www.PCNineOneOne.com