Before we go to practical recommendations on how to secure your browsing let us explain browsing process flow and define the potential risks.
Browsing process flow
When you enter website address (www.someweb.com for example) in the browser “Address” field and click “Go”, your browser performs the following steps:
- Browser will try to resolve the domain name into IP address. To do so, it will send the following request to Domain Name Server (DNS): “give me IP address for the host www.someweb.com ”. DNS will reply something like this: “IP address for the host www.someweb.com is 192.168.3.1”
- Browser will try to establish TCP connection to the www.someweb.com web server IP address 192.168.3.1.
- Server will accept connection, and store your IP address, i.e. the address from which the request was sent, in logs.
- After the connection has been established, browser will send the following query to the server: “GET /”. With this request browser will send some additional details, like his capabilities (browser software type and version, accepted file types, your preferred language, your operating system) and some additional info: referrer website address (in case you have followed this link from some website) and cookies (if any). It has to be noted that all this information will be stored in server logs as well.
- Server will reply with some header data (which can contain cookies) and page text in HTML format and close the TCP connection.
- Browser will format the HTML and show it to you in the window.
Let us sum this up. Making a click in your browser window you have advised the server owner the following details: your IP address, browser software type and version, file types your browser will accept, your preferred language, your operating system, what site or web page you have visited before. Additionally, you have passed cookies intended for this site and accepted cookies from this site. Later in this article we will explain how safe or unsafe was to pass all this data.
Some potential risks associated with browsing
1. IP address anonymity
Web browsing, as any other Internet activity, will give away your IP address to the web site owner. Giving the IP address is the same as to give your home address, and if privacy is important for you, you should avoid passing the IP to webmasters. There are various techniques to hide IP address: web redirectors, proxy, socks, VPN tunneling. Unfortunately, not all of them are safe and reliable. The most common and most dangerous way to hide your IP is using free proxy service. To learn more about IP address anonymity and about how important it is to hide IP address please read our “Internet Privacy”. In the “Data interception” article we have compared the IP anonymity and data protection technologies used.
2. Data interception.
As we explained in “Data interception” chapter, when accessing non-encrypted pages all the data your browser and web server exchange (i.e. website visited, data passed to that site) can be easily intercepted. In some cases even SSL encrypted connection can be intercepted and monitored. We can refer to the well known “man-in-the-middle” attack against some poor SSL implementations (see article http://www.pcworld.com/news/article/0,aid,103892,00.asp). You can avoid data interception only by using third party services. There are two methods to encrypt your traffic: using proxy through the SSH, or using VPN tunneling service. You may read more on pros and cons of using the above methods in our “Data interception” page.
To configure your browser security settings, start Internet Explorer, choose “Internet Options…” from “Tools” menu and select “Security” tab. Here you will be able to assign websites to zones and tweak security settings for these zones.
For example, you use yahoo.com for mailing, trade on eBay.com and shop on amazon.com. You can add yahoo.com, ebay.com and amazon.com to the “Trusted sites”, and set “High” security level for any other sites, e.g. for the “Internet” zone. Default security settings for the zones are reasonable, but if you need more control click on “Custom level” button to configure security level details for the chosen zone.
Click “OK” to exit “Internet Options” menu.
Now a few words about cookies. Cookies are the special strings sent by server to your browser and stored locally at your hard drive. Usually cookies are “addressed” to some website, e.g. cookie “www.someweb.com: HelloWorld” will instruct your browser to pass to the server the string “HelloWorld” when you visit www.someweb.com web site. Also, cookies have “time to live”, i.e. time they are stored in your system. Basically, there are two kinds of cookies:
- Session cookies. Session cookies are addressed for one site only, with limited “time to live” value. They are used to keep the web session data, in web shops for example, and it is safe to use them. In many cases, you will not be able to use a web shop or a banking site if you have cookies disabled.
- “First party” and “Third party” cookies. They are designed to keep data for the time longer then one web session. In most cases they can be disabled without loosing the web site functionality. “Third party” cookies are inserted by one web site to be passed to some another, and are the most privacy dangerous.
There is a simple method to deal with cookies. Internet Explorer and many other browsers like Mozilla or Opera can be configured to block cookies. Here we will explain how to configure Internet Explorer to block undesired cookies.
To configure cookies behavior, start Internet Explorer, choose “Internet Options…” from “Tools” menu and select “Privacy” tab. Using the slider you will be able to set cookies privacy options for websites in “Internet” zone. You may set “Block All Cookies” to block all cookies from all web sites. Please note, cookies from web sites in “Trusted sites” zone will be accepted.
To delete all the stored cookies select “General” tab and click “Delete Cookies…” button. New window will appear. Click “OK” to delete cookie files.
Click “OK” to save the changes. Click “OK” to exit “Internet Options” menu.
5. Other data passed by your browser
When passing the request for a web page, your browser will give some details on your operating system and browser capabilities to the web server. For example: “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”. Is this dangerous? We believe it is not. There are millions of Internet users who are using Windows XP operating system and almost all of them are using Internet Explorer for browsing. But this data can be used by malicious script code you have downloaded with a web page. To protect your computer, simply disable dangerous features for the not trusted web sites as described above. Among the operating system details, your language preferences are passed to the web server. If you are using German language as your operating system language, web server will be able to determine this. It is quite simple to change your language settings.
To change the language setting, start the Internet Explorer, choose “Internet Options…” from “Tools” menu, select “General” tab and click “Languages…” button. New window will appear. If you would like your browser to pass only “English” language preference, highlight all the “Language” values except “English” and press “Delete” button. Click “OK” to save the changes. Click “OK” to exit “Internet Options” menu. From now, the browser will pass only “English” as preferred language.
6. Temporary Internet Files
Browsers are storing the web pages you have viewed on computer hard drive in cache files. Anybody having physical access to your computer can examine your browser cache, browser history to find out what sites were accessed, what pages were viewed and when. Examining cookie files allow finding the data passed to the websites in many cases. Unfortunately it is not always possible to disable storing cookies and temporary Internet files. Even using special cleaning applications is not 100% safe: cleaning applications will not be able to delete the files during the system crush. The most effective method to protect temporary files is to encrypt data on your hard drive. On our “Computer Security” page in “Hard drive data protection” section we have described the most convenient methods to hide cached files from prying eyes.
If your security requirements are not too high, and you consider not to use hard drive encryption, all cached web pages and stored cookies can be easily deleted by yourself using built in Internet Explorer tools.
To delete all the stored cookies start Internet Explorer, choose “Internet Options…” from “Tools” menu, select “General” tab and click “Delete Cookies…” button. New window will appear. Click “OK” to delete cookie files.
To delete all the temporary (cached) files, click on “Delete Files…” button. New window will appear. Check the “Delete all offline content” check box and click “OK” button to delete cached files.
To delete browser history, click on “Clear History” button. New window will appear. Click “Yes” button to confirm. Click “OK” to exit “Internet Options” menu.
A few words about various services promising to “block all the dangerous content”. Most of the above services are using proxies, which allow filtering out dangerous content like Java, ActiveX, cookies. The problem is that code and cookies are filtered out for all the sites and customers cannot control this proxy behavior. If you filter out cookies and Java you will not be able to browse most of the web sites. Some web redirectors allow controlling cookies per site, but redirector service has other limitations that can make browsing process inconvenient (you may read more on web redirectors on our “Internet Security Solutions” page). In our opinion it is more convenient to control all the browsing aspects by using browser built in security options. This will allow making your browsing safe without loosing usability.