Application security

Best practices for web browser security

Yassine Aboukir
November 23, 2017 by
Yassine Aboukir

Web browsers are a commonly used software application to access web resources and pages using the Internet. A browser can also be used to access information provided by web servers in private networks or files in file systems.

The most popular web browsers so far are Firefox, Google Chrome, Microsoft Edge (preceded by Internet Explorer) Safari, and Opera.

Given how sensitive the information manipulated by these various web browsers can be, they are primarily targeted by Cyber criminals to engage in a range of terror such as identity theft, malware spreading, intelligence gathering, etc.

This article will enumerate a few best practices and techniques to help computer users stay safe and securely browse the Internet.

 

Keep your browser software up-to-date

 

It is essential to be using the latest version of the web browser of your choice. In particular, Chrome and Firefox have a security feature known as the Auto Update. Check out the following link to see if your web browser is outdated or not:

https://updatemybrowser.org/

 

Manage and disable malicious plugins

 

A browser plugin is an extension that further probes into the functionality of a web browser. Some extensions are authored using web technologies such as HTML, JavaScript, and CSS. Some web browsers can install unwanted and malicious extensions in your browser such as Adware. Most infections are caused by the downloading and installation of freeware.

Each web browser has a built-in functionality to view your installed plug-ins and choose which are enabled.

You can refer to the below links for instructions on how to view and disable unwanted extensions:

 

Connect to websites through HTTPS

 

You should always check the URL of a website to make sure that it has the "https://" or a padlock icon. This is your confirmation that the website you are using is protected by a reasonable layer of encryption.

 

How to clear your browser history

 

Cookies, are merely files that keep track of all the websites you have visited recently.

In fact, cookies are a prime victim for the cyberattacker. Those cookie files which contain passwords and confidential information/data are most at risk

Follow the instructions on the below links to clear your browsing activity as well as your cookie files:

 

Never store passwords in your browser

 

Nearly all modern web browsers and many websites, in general, offer the auto-complete functionality. Enabling this feature stores your passwords in one location on your computer, making them more accessible for a Cyber attacker to discover if your system gets compromised. If you have this feature enabled, disable it and clear your stored passwords.

 

Use strong passwords

 

It is imperative to use a different password for each of your financial accounts, like your email and online banking accounts. Re-using the same password is a huge risk to take. For example. If a cyber attacker figures out your password for one account, it is possible they could get access to your personal information.

It is important to use a combination of numbers, symbols and a mixture of both upper and lower-case letters in your password makes it harder for someone to guess it.

 

Block pop-ups and scripts 

 

Pop-ups are often forms of online advertising intended to attract web traffic or capture email addresses. Pop-ups open new web browser windows to display advertisements.

While many pop-ups and emails from reputable companies are safe, the adware programs that generate illegitimate malware pop-ups and malware spam can install spyware to hijack your browser and capture your personal information.

It is highly recommended that you disable popups either through your browsers configurations or by installing an efficient browser extension called AdBlock.

You can also install NoScript which « pre-emptively blocks malicious scripts and adware.

 

Use VPN or proxy servers

 

VPN or Virtual Private Network technology allows anyone to use a public network to connect to a private network securely. VPN encrypts all your Internet traffic. As a result, all of your information and data will be made that much more secure.

Proxy servers are another way to protect your mission-critical files online. Proxy settings can be found on your Internet browser. You can also use a combination of Internet-based proxies or the proxy servers, or even a combination of both.

 

Use browser security configurations

 

It is imperative to optimize your browser's settings to have a more secure experience on the web. Failure to correctly set up your browser's security features can put you at a higher risk for malware infections and malicious attacks.

You can follow the instructions here to configure your browser's security correctly.

Web browsers are also prone to security flaws such as:

  • Same-Origin Policy Bypass: This is a procedure in which a particular script loaded from one origin can interact with another origin.This is a security mechanism for isolating documents for potential malware. However, hackers have managed to bypass this protection many times and in several web browsers.
  • Address Bar Spoofing: This happens when a user's browser address bar is altered to display Web pages as dictated by the Cyber attacker.

Attackers can also target a web browser's extensions to exploit unpatched vulnerabilities.

 

Sources

 

https://betanews.com/2014/08/22/5-tips-to-make-your-browsing-safe-and-secure/

https://en.wikipedia.org/wiki/Web_browser

https://www.webopedia.com/TERM/B/browser.html

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

https://www.owasp.org/index.php/Clickjacking

https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy

11 courses, 8+ hours of training

11 courses, 8+ hours of training

Learn cybersecurity from Ted Harrington, the #1 best-selling author of "Hackable: How to Do Application Security Right."

https://nakedsecurity.sophos.com/2016/06/15/critical-flash-vulnerability-is-being-exploited-in-the-wild/

Yassine Aboukir
Yassine Aboukir

Yassine ABOUKIR (@yassineaboukir) is a security analyst at HackerOne by day, ethical hacker by night, actively participating in bug bounty programs. Acknowledged and rewarded by numerous companies including but not limited to Google, Facebook, Microsoft and Twitter etc. for his various responsible security disclosures. He is reachable at: hello@yassineaboukir.com & https://yassineaboukir.com/