Secure Browser Tutorial | 3 Steps To Make Chrome and Firefox Secure
Category: addons
17 Jan 2014
These days, there are a lot of add-ons you can install to make your browsing experience private and secure. I’ve written quite a bit on these as well, and a previous iteration of this guide had an entire grab bag of add-ons with a memory footprint the size of Shaq’s feet.
While these provide a fairly, ahem, sophisticated level of privacy, I am becoming increasingly aware that the more tools you give someone, the less likely they are to use any of them. For this reason, I’ve written this updated, stripped-down guide that offers a reasonably private experience on both Chrome and Firefox, without bogging down your browser with sixty-seven add-ons.
In selecting these add-ons, I have three goals in mind:
- To secure data in transit,
- To secure data about me,
- To secure the browser itself.
In other words, I want to make sure that any data that I’m sending online can’t be read by a random joe on the public WiFi network I’m using (never mind the government). I also want to make sure that anyone who tries to generate tracking data about me, such as online advertisers, has a damn hard time doing so, while also ensuring that any data I willingly submit (i.e. passwords) is reasonably protected. Finally, I want to make sure that nobody can exploit my web browser to steal my data or otherwise harm me. Therefore, I have come up with three easy-to-use add-ons that won’t make you rip your hair out.
The first add-on is uBlock Origin, a fairly slim adblocker. I’ve written about this previously in more detail, but will summarize it here as well. First of all, why an adblocker? Simple: online advertisements not only track what sites you go to, how long you visit them, which ads you click, etc., they are also a very large source of malware. Therefore, blocking ads helps us attack two birds with one stone: we reduce the amount of data being generated about ourselves, and we secure our computers at the same time.
Logically, the next question is why uBlock Origin? Among a field crowded with a diverse range of adblockers, uBlock Origin stands out as one of the best available for a number of reasons. First, its memory footprint is not just nil, it’s negative. This is because the memory that is saved by not having to display advertisements is larger than the memory required to run the application. On Chromium, this provides a memory reduction, which is especially impressive when compared to the memory increase that AdBlock Plus induces. On Firefox, both uBlock Origin and AdBlock Plus save memory, but uBlock still saves more than double the memory that AdBlock Plus saves. Best of all, you’ll hardly ever have to touch uBlock Origin, and you might just forget that you even have it installed after a while.
The second area where uBlock Origin shines is in its extensive selection of blocklists. There are dozens of blocklists that amount to hundreds of thousands of blocking filters, at least when used together. Moreover, there are additional regional blocklists for countries like China, Korea, Russia, or Poland, among many others. When this array of included blocklists is taken together with the ability to add your own custom rules, uBlock Origin easily has the most comprehensive adblocking solution around.
One of the biggest problems today when it comes to online security is that users aren’t using secure passwords. While a website ideally should never have its users’ passwords leaked, hacks and attacks happen. It is important to understand, however, that when a website has its password database stolen, the hackers never see the passwords directly. This is because passwords are (read: should be) put through what is known as a ‘hashing’ algorithm (read more on hashing here), where the password is converted from its regular plain-text form, such as ‘examplepassword12’, into a hash, such as ‘d4aad1e2e66e6fb’.
The way websites work is that when you log in to the site, it hashes the password you just typed and compares the result with the hash of the password you signed up with. If the two don’t match, it means you (or someone else) have submitted the wrong password. The reason they do this is that if their password database is stolen, then hackers can’t directly see the passwords, only the hashes (which by themselves are useless).
Unfortunately, hackers can turn a hash back into a password by individually trying millions of different combinations of letters and numbers, until they get a hash that matches the one they stole. Obviously, randomly trying combinations of letters until it finally gets ‘examplepassword12’ would take an incredibly long time, so instead what is often done is hackers use ‘dictionaries’ (massive collections of commonly used passwords). This means that if your password is even somewhat common, then it is incredibly likely that the hacker will be able to find out what your password is, as they often try the most common passwords first.
So where does LastPass come into this equation? Well, if you have a strong and unique password, it makes it significantly more difficult for a hacker to crack it. For example, ‘password123’ is probably very early in their dictionary, but a randomly generated password, such as ‘13rne2nglqgq3i4ghlirg’, probably isn’t in their dictionary at all.
LastPass is a password manager that allows you to generate long random passwords that are nearly impossible to crack. So instead of manually trying to put in a password that you have to remember, it generates one for you and then stores it. The next time you go to log into a given site, LastPass will automatically enter your username and password, allowing you to have long, unique, random passwords for each website you visit. Of course, you will still have to remember one password (that is, the password to LastPass itself), and be sure to make this password very strong as it guards all your other passwords as well!
Another upside to LastPass, other than the security aspect, is simply that you won’t need to ever type in a username and password manually again. Just remember, never forget your LastPass password, otherwise you’ll lock yourself out of everything else.
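The hash-and-compare login and the dictionary weakness described above can be seen in a short script. This is an added example, not code from any site or from LastPass; the function names, the tiny common-password list and the accounts are constructed, and it goes slightly beyond the text by using a per-user salt with PBKDF2, which is an assumption about how a careful site would hash.

```python
import hashlib
import hmac
import secrets
import string

ITERATIONS = 100_000  # assumption: illustrative PBKDF2 work factor

def hash_password(password, salt):
    """Derive the value a site stores instead of the plain-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(password):
    """Signup: keep only a random per-user salt and the resulting hash."""
    salt = secrets.token_bytes(16)
    return salt, hash_password(password, salt)

def login(attempt, record):
    """Login: hash what was typed and compare it with the stored hash."""
    salt, stored = record
    return hmac.compare_digest(hash_password(attempt, salt), stored)

def generate_password(length=21):
    """Random password of the kind a password manager generates."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

# Constructed sample: a tiny stand-in for a list of commonly used passwords.
COMMON_PASSWORDS = ["123456", "password", "password123", "qwerty", "letmein"]

def audit(records):
    """Return users whose stored hash matches a commonly used password."""
    return sorted(
        user for user, record in records.items()
        if any(login(guess, record) for guess in COMMON_PASSWORDS)
    )

# Constructed accounts: one common password, one generated password.
ACCOUNTS = {
    "alice": register("password123"),
    "bob": register(generate_password()),
}

if __name__ == "__main__":
    print("accounts using a dictionary password:", audit(ACCOUNTS))
```

The audit never sees a plain-text password: it only repeats the login comparison with each common password, which is why the hash alone does not protect an account whose password is on the list.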
HTTPS Everywhere is a simple add-on that will always redirect you to a site that is encrypted with HTTPS whenever the add-on knows that one is available (this works based on a long list of sites). I explain it in more detail here, but essentially HTTPS is a way for your computer to talk to a website without anybody in the middle being able to listen in or forge the site, and therefore protects data in transit.
For example, if you’re in a coffee shop using public wifi over a regular HTTP (not HTTPS) connection, then anyone else on the wifi network can see everything you do. In fact, even at home your internet service provider can monitor your activity, as well as the service provider of the website that you’re visiting. But to really bring this point home, it is through unencrypted HTTP connections that the NSA has done a large portion of its spying.
What’s more is that not only does HTTPS stop people from peering in on everything you do, it also helps to prevent website forgery. For example, if you visit a banking website over regular HTTP then it is possible for a man-in-the-middle to forge that banking website and learn all of your financial information. HTTPS prevents this by ensuring that the website you visit is actually the website you want to visit. So is HTTPS Everywhere worth using? Definitely.
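How a list-based upgrade behaves, including for sites that are not on the list, is shown in the sketch below. It is an added example and not the add-on's own code: the ruleset is a simplified, constructed one written in the style of the add-on's XML rules, the hosts are made up, and `load_rulesets` and `upgrade` are hypothetical names.

```python
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed ruleset in the style of the add-on's XML rules (hosts are made up).
RULESETS_XML = """
<rulesets>
  <ruleset name="Example Bank">
    <target host="bank.example" />
    <target host="*.bank.example" />
    <exclusion pattern="^http://legacy\\.bank\\.example/" />
    <rule from="^http:" to="https:" />
  </ruleset>
</rulesets>
"""

def load_rulesets(xml_text):
    """Parse each ruleset into (targets, exclusions, rules)."""
    parsed = []
    for rs in ET.fromstring(xml_text).iter("ruleset"):
        targets = [t.get("host") for t in rs.iter("target")]
        exclusions = [re.compile(e.get("pattern")) for e in rs.iter("exclusion")]
        rules = [(re.compile(r.get("from")), r.get("to")) for r in rs.iter("rule")]
        parsed.append((targets, exclusions, rules))
    return parsed

def upgrade(url, rulesets):
    """Return the HTTPS form of url if a ruleset covers it, else url unchanged."""
    host = urlsplit(url).hostname or ""
    for targets, exclusions, rules in rulesets:
        if not any(fnmatch(host, t) for t in targets):
            continue  # host is not on the list: nothing is rewritten
        if any(x.search(url) for x in exclusions):
            continue  # the ruleset explicitly leaves this URL alone
        for pattern, replacement in rules:
            rewritten, count = pattern.subn(replacement, url, count=1)
            if count:
                return rewritten
    return url

RULESETS = load_rulesets(RULESETS_XML)

if __name__ == "__main__":
    for u in ("http://www.bank.example/login", "http://shop.example/cart"):
        print(u, "->", upgrade(u, RULESETS))
```

A site that is missing from the list is left on plain HTTP, so the protection only reaches as far as the list does.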
While using these three add-ons will really crank up your level of online privacy and security, two-factor authentication is still something I would highly recommend adding to any online service that offers it. If you’re interested, check out my primer on two-factor authentication to learn more.