Linux Format

Harden your browser

Web browsers may be our window into the world, but windows work both ways. Discover how you can install some virtual one-way glass.


Your web browser is likely responsible for a great deal of the Internet traffic reaching your machine. It’s also among the popular routes by which malware attempts to attack your machine. In an age of cross-platform JavaScript (and new-fangled compiled web languages like NaCl, asm.js and WebAssembly), no longer can we rest on the “Linux doesn’t get malware” laurels of old.

Attackers would delight at being able to exploit whatever the majority of people are using, but unfortunately most web browsing today (unless you qualify with the word ‘desktop’) doesn’t take place on Windows – it does so on Android, a Google-ey layer of Java sitting on top of a Linux kernel. So it’s not too far-fetched to imagine a vulnerability common to both Android and GNU/Linux. Keeping an Android phone up to date is all too often at the mercy of the manufacturer and network providers, but keeping your Linux machine updated is trivially easy. Mint practically does it for you. Be that as it may, a fully patched system can still fall foul of unwitting user behaviour, and this is most commonly clicking unsavoury links or, worse, installing malicious browser extensions.

Browser add-ons can be incredibly useful. We wholeheartedly recommend installing the Free Software Foundation’s HTTPS Everywhere, some kind of password manager, and if you want to make the web a less obnoxious place an adblocker is a must. uBlock Origin is our favourite (but do turn it off for sites that use non-intrusive adverts if you regularly visit and want to support those sites). If you use Gnome you’ll probably want to install the Shell Extensions, er, extension too. We could mention many more helpful add-ons, but the crux of this section is to be wary. Modern browsers require extensions to ask the user for the permissions they require, but all too often users don’t pay attention and grant these blindly. For example, many Chrome extensions have the “Read and change all your data on the websites you visit” permission set. Extensions can do a lot of useful stuff with this – filter out occurrences of ‘reverted back’ or other crimes against English, display a notification when a new story is posted, block adverts, all sorts. But it can also be used for bad. Password fields are pretty well protected, but that doesn’t stop a rogue extension harvesting personal data from any webpage you’re viewing, or changing links to redirect you to phishing sites.

Nurse, the screens!

So let’s do a quick browser extension health check. In Firefox go to about:addons or in Chromium (or Chrome) go to chrome://extensions and see what’s installed. If anything looks suspect, remove it or disable it pending further investigation. Add-ons for downloading video and audio from streaming sites are particularly popular (and generally frowned upon by those sites), but they often come with unwanted ‘features’ so pay attention to these. Browser developers invest a lot of time and effort into policing the add-on stores, but Bad Things™ will always slip through the cracks. This even happens in the hallow’d walled garden that is the Apple store. In Chrome (et al) you can see the permissions granted to an extension from the Details button. In Firefox the permissions are only displayed when an add-on is installed, so you’ll need to remove and re-add any you’re unsure about. Even without any special permissions, browser extensions can still be annoying.
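The same health check can be done against an extension's manifest.json, where the all-sites permission shows up as a broad host pattern. The following is an added example, not code from the article; the two sample manifests are constructed and the function name is hypothetical.

```python
import json

# Host patterns that give an extension access to every site, which Chrome
# words as "Read and change all your data on the websites you visit".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def broad_access(manifest):
    """Return sorted (manifest key, pattern) pairs granting all-site access."""
    found = set()
    # Manifest V2 mixes host patterns into "permissions"; V3 moves them to
    # "host_permissions". The optional_* variants are requested at runtime.
    for key in ("permissions", "host_permissions",
                "optional_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and entry in BROAD_HOSTS:
                found.add((key, entry))
    # Content scripts are injected into every page matching their patterns.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD_HOSTS:
                found.add(("content_scripts", pattern))
    return sorted(found)


# Constructed sample manifests (not real extensions).
SAMPLE_VIDEO_GRABBER = json.loads("""{
  "manifest_version": 2, "name": "Example Video Grabber",
  "permissions": ["downloads", "<all_urls>"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]
}""")
SAMPLE_SITE_HELPER = json.loads("""{
  "manifest_version": 3, "name": "Example Site Helper",
  "permissions": ["storage"],
  "host_permissions": ["https://example.org/*"]
}""")

if __name__ == "__main__":
    for m in (SAMPLE_VIDEO_GRABBER, SAMPLE_SITE_HELPER):
        print(m["name"], broad_access(m) or "no all-site access")
```

An extension scoped to named sites, like the second sample, returns an empty list; anything that returns pairs deserves the closer look described above.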

We’ve covered the importance of HTTPS encryption and the importance of that little green padlock in the address bar countless times. Essentially, information exchanged over an HTTPS connection – between your browser and a webserver – is encrypted so that anyone in the middle snooping traffic (say, a rogue operative at your ISP or a government spy) would see only gibberish. The whole request is encrypted, so everything after the domain name is obfuscated.

Newer encryption schemes (namely Perfect Forward Secrecy) use an ephemeral key for each session, so that even if the server’s private key (which is usually generated once, when the web server is started) is compromised, traffic captures from other sessions can’t be decrypted. There isn’t any reason for a public website not to use HTTPS nowadays, but it isn’t a silver bullet. Apart from the fact that the web server knows what you’re browsing (and if that server belongs to Google or Facebook or any of that ilk then you can guarantee a record of that is being stored and cross-referenced against all the information they hold about you and people like you), it’s also possible to mess with the certificate store and DNS settings on a compromised machine to direct traffic to an apocryphal, password-collecting site. And let’s not forget the old trick of setting up a domain that abuses characters that look similar to others, such as faceb00k.com, or the newer trick of using internationalised domain names which use, for example, Cyrillic characters to achieve the same thing.
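Both lookalike tricks can be spotted mechanically by decoding the hostname and comparing it with the domains you actually trust. This is an added example, not from the article; the lookalike table is a small illustrative subset, and the trusted set and sample hostnames are constructed.

```python
import unicodedata

# Small illustrative lookalike table (an assumption, far from the full
# Unicode confusables data): Cyrillic letters and digits -> Latin letters.
LOOKALIKES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "0": "o", "1": "l",
})


def to_unicode(host):
    """Decode punycode (xn--) labels so the real characters are visible."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def scripts(host):
    """Unicode scripts of the letters in host, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in host if ch.isalpha()}


def check_host(host, trusted):
    """Return findings for host, judged against a set of trusted domains."""
    shown = to_unicode(host)
    findings = []
    if shown in trusted:
        return findings
    if len(scripts(shown)) > 1:
        findings.append("mixed scripts: " + ", ".join(sorted(scripts(shown))))
    skeleton = shown.translate(LOOKALIKES)
    if skeleton in trusted:
        findings.append("lookalike of " + skeleton)
    return findings


# Constructed samples: a digit swap and a Cyrillic 'a' (U+0430) in punycode.
TRUSTED = {"facebook.com"}
DIGIT_SWAP = "faceb00k.com"
IDN_SWAP = "xn--" + "f\u0430cebook".encode("punycode").decode("ascii") + ".com"

if __name__ == "__main__":
    for name in (DIGIT_SWAP, IDN_SWAP, "facebook.com"):
        print(name, check_host(name, TRUSTED) or "ok")
```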

For an in-depth guide to Firefox hardening (and fastering), you could do a lot worse than checking out the guide at http://bit.ly/lxf247-firefox-privacy.

How do you solve a problem like DNS?

Before we even visit a webpage (HTTPS or no) we need to do a DNS lookup to convert the domain name to an IP address. Your ISP will push its DNS settings to your OS when you connect, so they know which sites you’re visiting, and since DNS requests are generally unencrypted so too does anyone listening on the wire. This also paves the way for DNS hijacking and other unpleasant activities.

If you use a commercial VPN (which theoretically improves security, but again is no silver bullet) then these will often use their own DNS servers. This at least means DNS requests are encrypted, but still visible to your VPN provider (which incidentally can also see any of your unencrypted traffic as well as the sites that you’re visiting). Essentially, using a VPN just translates the problem of having to trust your ISP to one of having to trust your VPN provider.

But back to DNS. In the UK major ISPs block certain sites at the DNS level, making it totally impossible for customers of those ISPs to visit those sites. Ah, forgive our cutting sarcasm, it’s just that one of the things about DNS is you can tell your computer which DNS server to use. Google offer DNS services (8.8.4.4 and 8.8.8.8), which are popular because running your own DNS is hard and ISPs’ DNS servers often break. But if you’re concerned about privacy you should really use Cloudflare’s offering at 1.1.1.1. Read more about the wherefore and the why at www.cloudflare.com/learning/dns/what-is-1.1.1.1. Setting it up temporarily is easy, just run

sudo nano /etc/resolv.conf

and comment out any lines beginning with nameserver by preceding them with a #. Then add the following line:

nameserver 1.1.1.1

The changes will take place immediately, but web browsers cache DNS settings so you’ll want to close and re-open yours in order to ensure that the changes are picked up. To make the changes permanent, more work is required. In a home setting, your machine will typically request a local IP address (one of the form 192.168.* or 10.*) and at the same time get DNS settings and update the resolv.conf file accordingly. On most distributions (including Mint) this is done through NetworkManager via an appeal to the resolvconf utility.

We can inform NetworkManager which DNS server to use by clicking the network icon in the system tray and then selecting Network settings. Choose the wired network and then click the cog button. Select IPv4 from the panel on the left, then deselect the Automatic switch in the DNS section, and enter 1.1.1.1 in the box that’s displayed below.

You can also, as a belt and braces measure, add Cloudflare’s other server: 1.0.0.1. You can configure Cloudflare’s DNS for IPv6 in a similar way, except here the addresses are a little harder to remember: 2606:4700:4700::1111 and 2606:4700:4700::1001. Close the settings dialog, then disconnect and reconnect the wired network. The summary should update showing the new DNS settings. See https://dnsprivacy.org/wiki/ for a more complete overview of the problems of, and partial solutions to, DNS concerns.
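A check to run after either the temporary edit or the NetworkManager change, as an added example that is not from the article: it reads the contents of /etc/resolv.conf and reports any active nameserver that is not one of the four Cloudflare addresses above, plus any entry beyond the three that glibc's resolver actually reads. The sample file and the function name are constructed.

```python
import ipaddress

# Resolvers the article configures: Cloudflare over IPv4 and IPv6.
EXPECTED = {"1.1.1.1", "1.0.0.1",
            "2606:4700:4700::1111", "2606:4700:4700::1001"}
MAXNS = 3  # glibc's resolver reads at most three nameserver lines


def audit_resolv_conf(text, expected=EXPECTED):
    """Report which nameserver entries are used, unexpected or ignored."""
    wanted = {ipaddress.ip_address(a) for a in expected}
    active = []
    for line in text.splitlines():
        fields = line.split()
        # Commented-out lines (#nameserver ...) and other directives
        # such as "search" do not start with the bare keyword.
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        try:
            active.append(ipaddress.ip_address(fields[1]))
        except ValueError:
            continue  # not a parseable IP address
    used, ignored = active[:MAXNS], active[MAXNS:]
    return {
        "used": [str(a) for a in used],
        "unexpected": [str(a) for a in used if a not in wanted],
        "ignored": [str(a) for a in ignored],
    }


# Constructed sample: one router entry was commented out as described, a
# second pushed entry survived, and a fourth nameserver is past MAXNS.
SAMPLE = """\
# Generated by NetworkManager
#nameserver 192.168.1.1
nameserver 1.1.1.1
nameserver 192.168.1.254
nameserver 1.0.0.1
nameserver 2606:4700:4700::1111
search lan
"""

if __name__ == "__main__":
    print(audit_resolv_conf(SAMPLE))
```

On a real machine, pass it the text of /etc/resolv.conf; an empty "unexpected" list means every resolver in use is one you chose.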

Not all extensions are bad. Mozilla’s Facebook Container will segregate Facebook and your other browsing destinations.

Most connections begin with a DNS request, so using 1.1.1.1 as your nameserver seems fitting.
