
Avoiding the potholes on the electronic highway:
how to surf the web safely

By Patty Bradley-Diehl, Web Administrator
From a brown-bag talk given November 7, 2007

Which Web Browser Should I Use?

Answer: Mozilla Firefox. Because Microsoft Internet Explorer (IE) comes bundled with Microsoft Windows, most people use it. Because most people use it, IE is targeted most often by those with malicious intent. Additionally, IE has a history of being rife with security holes, although the newest version, IE 7, is more secure. Firefox is an open-source web browser, which gives it the advantage of having hundreds of security experts help in its development.

There are many other web browsers available such as Netscape and Opera. These are fine alternatives to IE. However, because Firefox is open-source, it is the best choice.

Be aware that many sites require you to use Internet Explorer.

Keeping Your Web Browsers Up To Date

No matter what web browsers you use, it is important to keep them up to date. As security flaws are discovered, the web browser companies release updates to fix them. Here at SPH our Computing Services department takes care of this for us. They push important updates out to all the SPH computers. Your home computer is a different story.

Keeping Internet Explorer up to date is fairly simple. Just enable automatic updates for Windows. These will include updates for Internet Explorer.

You have to check for updates manually with Firefox. Click the Help drop-down menu and choose Check for Updates.

[Screenshot: Checking for updates with Firefox]

If there are updates available, you will be given the opportunity to download and install them:

[Screenshot: Installing updates using Firefox]

When is it Safe to Enter Personal Information on a Web Form?

Answer: Only when you are on a secure, trusted site. A secure site is one that has the little padlock icon in the bottom of the browser window and "https" instead of "http" at the beginning of the web site address (or URL). Secure sites encrypt the information you type into web forms before sending it over the internet, preventing those with malicious intent from intercepting your sensitive information along the way. Never type sensitive information such as account numbers and social security numbers into sites that are not secure.

It is a good idea to use at least two different passwords - one or more for sites that require sensitive information, and one for sites that don't. For example, I have one password that I use to log in to sites like my online banking site, my web mail and my credit card company sites. But I have a different password that I use for sites like social networking and bulletin boards. That way, if someone happens to capture my less-sensitive password, they cannot use it to log in to my more-sensitive sites.

A trusted site is just that - a site that you trust. We all trust many UM sites: web mail, the online directory, CTools, M-Pathways, etc. I trust my online banking site, my credit card company's sites, etc.

What about eCommerce sites or online shopping sites? I trust large, well-established eCommerce sites like Amazon, Apple, Dell, Sears, eBay, Expedia, etc. I would not type my credit card number into a site that I am unfamiliar with or that does not come recommended by a site I do trust.

But even if you follow all these guidelines, you have to accept some level of risk. We hear about companies losing customers' sensitive information all the time. Often a company laptop containing customer names, addresses and even credit card numbers is stolen. No one can ever be immune to this.

Saving Passwords and Form Information

Saving Passwords

Most web browsers will offer to save login and password information so that you don't have to type them in again next time you visit a site. While this is convenient, it is a huge security risk. You should never save passwords on computers that other people have access to. This includes public computing stations such as:

  • computers in classrooms
  • computers in computing sites like those in the basement of SPH II
  • computers in shared offices
  • computers in rooms that are not locked
  • laptop computers that are not password-protected. Even if no one uses your laptop except you, if it gets stolen, the thief will be able to log in to web sites as you.

It is only safe to store passwords on computers that no one else can access.

Managing Password Settings

Most browsers allow you to decide whether or not you want them to save passwords. Firefox also allows you to set a master password that you type in once per session. If you do want Firefox to save your passwords, you should set up a master password.

To change how your browser saves passwords, do the following:

Firefox
[Screenshot: Options for saving passwords and form information in Firefox]

  • Click the Tools drop-down menu and choose Options
  • Click the Security icon at the top
  • Click Show Passwords to see what passwords have already been saved. You can delete ones that you no longer need.
  • If you don't want Firefox to remember your passwords, uncheck the box labeled Remember Passwords
  • If you do want Firefox to remember your passwords, check the Remember Passwords box and then check the Use a master password box. You will be prompted to set your master password. Once you do this, you will be prompted to enter your password each time you open your browser.

Internet Explorer does not allow you to set a master password, but it does allow you to choose to not save passwords:

Internet Explorer
[Screenshot: Managing passwords in IE]

  • Click the Tools drop-down menu and choose Internet Options
  • Click the Content tab
  • Click the Settings button under AutoComplete
  • Uncheck the box that says User names and passwords on forms

Saving form information

Most web browsers will also offer to save frequently-requested form data such as your name, address, etc. The same rules apply to this as do for saving passwords: It is only safe to store form information on computers that no one else can access. Otherwise, not only could someone who happens to use your computer shop as you, they could obtain your name, address, etc.

Managing Form Settings

To change how your browser saves form information, do the following:

Firefox
[Screenshot: Options for saving passwords and form information in Firefox]

  • Click the Tools drop-down menu and select Options.
  • Click on the Privacy tab
  • If you do not wish form information to be saved at all, uncheck the Remember what I enter in forms and the search bar box.

Internet Explorer
[Screenshot: Managing passwords in IE]

  • Click the Tools drop-down menu and choose Internet Options
  • Click the Content tab
  • Click the Settings button under AutoComplete
  • Uncheck the box that says Forms

Cookies

A cookie is a small file that websites store on your computer's hard drive. Cookies consist of name-value pairs, such as "last login=May 31, 2006 at 3:00 PM EST." Web sites create this data and send it to your computer's hard drive, where it is stored and later retrieved. When you agree to allow a web site to save your user login and password so that you can log in automatically next time you visit, your login and password information is saved on your computer's hard drive in a cookie. Most cookies are sent and stored on your computer without your knowledge or consent. Websites can only retrieve cookies that they set.

Cookies in themselves are not bad. They make web surfing more convenient for you and allow web site owners to gather information that they can use to better market their products. It is up to you to decide whether the convenience is worth the risk.
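The name-value storage and the rule that a site can only retrieve cookies it set, sketched as an added example (not code from the original talk). The host names and cookie values are constructed, and the check real browsers make against public suffixes such as "com" is left out.

```javascript
// Added example: a tiny cookie store that follows the browser's domain rule.
// Hosts and values are constructed; public-suffix checks are omitted.

// True when `host` is `domain` itself or a sub-domain of it.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Store the cookie from one Set-Cookie header sent by settingHost.
  // Returns false if the header is malformed or names a domain the
  // sending site does not belong to.
  set(settingHost, header) {
    const [pair, ...attrs] = header.split(";").map(s => s.trim());
    const eq = pair.indexOf("=");
    if (eq < 1) return false;                 // need "name=value"
    let domain = settingHost.toLowerCase();
    let hostOnly = true;                      // no Domain attribute: exact host only
    for (const a of attrs) {
      const [k, v = ""] = a.split("=");
      if (k.trim().toLowerCase() === "domain" && v.trim() !== "") {
        domain = v.trim().replace(/^\./, "").toLowerCase();
        hostOnly = false;
      }
    }
    if (!domainMatch(settingHost, domain)) return false;
    this.cookies.push({ name: pair.slice(0, eq), value: pair.slice(eq + 1), domain, hostOnly });
    return true;
  }

  // Names of the cookies the browser would send back to requestHost.
  namesFor(requestHost) {
    const h = requestHost.toLowerCase();
    return this.cookies
      .filter(c => (c.hostOnly ? c.domain === h : domainMatch(h, c.domain)))
      .map(c => c.name);
  }
}

const exampleJar = new CookieJar();
exampleJar.set("www.shop.example", "last_login=May 31 2006; Path=/");
exampleJar.set("ads.tracker.example", "id=abc123; Domain=tracker.example");
console.log(exampleJar.namesFor("www.shop.example"));    // only the shop's own cookie
console.log(exampleJar.namesFor("cdn.tracker.example")); // only the tracker's cookie
```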

Turning Off Cookies:

If you decide that you do not want cookies stored on your hard drive, you can turn them off.

Firefox
[Screenshot: Options for saving passwords and form information in Firefox]

  • Click the Tools drop-down menu and select Options.
  • Click on the Privacy tab
  • To turn off cookies completely, uncheck the box labeled Accept cookies from sites
  • To turn off some cookies but not all, click the Exceptions button and enter the URLs of the sites that you trust so that they will be able to set cookies.
  • To see all the cookies stored on your computer, click the Show Cookies button. You can delete cookies from sites you don't recognize.

Internet Explorer
[Screenshot: Cookie settings in Internet Explorer]

  • Click the Tools drop-down menu and select Internet Options
  • Click the Privacy tab and then the Advanced button.
  • Check the box labeled Override automatic cookie handling
  • Choose to accept, block or prompt when cookies are set from both first-party sites and third-party sites.

JavaScript

JavaScript is a web scripting technology used heavily on the web. While it is possible to use JavaScript maliciously, the vast majority of web sites you visit use it to make their sites more interactive. Most - but not all - cookies are set using JavaScript. While turning off JavaScript makes your web browsing more secure, it may make it less enjoyable. It is estimated that 6% of web users turn off JavaScript for security reasons. If you want to do the same, follow these steps:

Firefox

  • Click the Tools drop-down menu and select Options.
  • Click on the Content tab
  • Uncheck the box labeled Enable JavaScript

It is not possible to disable JavaScript in Internet Explorer.

Enable scripting on the fly

A better method is to pick and choose which sites you want to allow scripting from. If you use Firefox, you can install an extension called NoScript that will allow you to turn scripting on and off at will.

Once NoScript is installed, whenever you encounter a site that uses scripting, an Options button will be displayed in the bottom-right hand corner of your browser window. Click that button to bring up the following options:

  • Allow whatever web site you are on to use scripting
  • Allow whatever web site you are on to use scripting temporarily (for the current session only)
  • Allow any third-party scripting, if any exists
  • Allow scripts globally (which defeats the entire purpose of using NoScript).

I use an extension for Internet Explorer called the Web Accessibility Toolbar. Most of its functions have to do with developing accessible web sites; however, it does allow you to block scripting on the fly.

You will be amazed at how many web sites use scripting once you install this extension. I estimate that 95% of the sites I visit do.

Blocking Pop-Ups

Pop-ups are small windows that pop open with or without you requesting them. Often they are advertisements, and the majority of the time they are very annoying. Most modern web browsers come configured to block pop-ups by default, but you can change these settings.

Firefox

  • Click the Tools drop-down menu and select Options.
  • Click on the Content tab
  • Make sure the box labeled Block pop-up windows is checked.
  • If desired, you can click the Allowed Sites button and enter in the web sites that you want pop-ups enabled for.

Internet Explorer allows you to turn its pop-up blocker on and off right from the toolbar.

Occasionally, you will run into a situation where you need a pop-up window to pop up. For example, if you use web-mail you need a new window to pop up to compose a new message. Some such windows will be blocked, others won't. When Firefox prevents a window from popping up, a message is displayed at the top of the browser.

You can click the Options button to enable the window to pop up.

Your Browser's Cache

Unfortunately, the default settings on most web browsers prevent you from viewing the most recent versions of the web pages you browse, because older versions are stored in your browser's cache or memory. You can do what is referred to as a "hard refresh" to make sure you are seeing the most current version of a page. In Internet Explorer, hold down the Ctrl key while clicking the refresh button in your browser. In Firefox/Netscape, hold down the Shift key while clicking the refresh button in your browser.

You can permanently change the settings for your browser's cache:

Firefox

  • Click the Tools drop-down menu and choose Options.
  • Click on Advanced and choose the Network tab.
  • Where it says "Use up to __ KB of disk space for the cache," change that number to 0.
  • Also be sure to click the Clear Now button before clicking OK.

Internet Explorer

  • Click the Tools drop-down menu and choose Internet Options.
  • Click the General tab.
  • Click on the Settings button under Browsing History.
  • Under Check for newer versions of stored pages, select the first option, Every visit to the page.
  • Change the amount of disk space to use to 8 MB. Click OK twice.

Avoiding "Phishing" Scams

The definition of phishing, according to Wikipedia:

"In computing, phishing is an attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication."

In other words, phishing sites are created by bad people who want to capture your sensitive information like logins, passwords, credit card numbers and social security numbers.

One of the most common phishing methods is e-mail. How many here have received messages from PayPal saying that there is a problem with your PayPal account when you don't even have a PayPal account? This is phishing. The people who sent the e-mail are trying to get you to log into their fake PayPal site so that they can capture your account information and use it (or sell it).

What can you do to prevent being tricked? Never click a link to a web site from an e-mail message.

OK, that may seem a tad severe. We all get many e-mails each day containing links that we believe are safe and we happily click them. We can't stop doing that!

So how do we tell which links in e-mail are phishing scams? Your e-mail program can help you do this. I use a program called Thunderbird for my umich e-mail, and the Gmail web site for my personal e-mail. Both, as well as many other e-mail clients including UM web mail, will tell you when they think a link is a scam.

You can also use plain common sense. Compare the address of the web site being linked to in an e-mail message to a known web site address. My bank web site is at http://www.umcu.org/. If I get an e-mail from my bank with a link, but that link does not contain http://www.umcu.org/, I would suspect it was a scam.

Another way to prevent you from falling for phishing scams is to follow one simple rule: Never click on links in e-mail messages sent to you by sites that require you to log in or to type information into a web form.

Remember, the goal is not to type your personal information (including your login and password) into a fake web site. If you don't type it in, the fake site cannot capture it. So if you need to log in to a site, don't get to that site by clicking a link in an e-mail message.

Scenario: I get an e-mail message from my mortgage company telling me that my monthly payment is late. It contains a link to my mortgage company's web site. Instead of clicking that link, I open my web browser and manually type in my mortgage company's web site address, or use a bookmark I have already saved. I make sure that the site is secure, then log in and check my account status.

Non-E-mail Phishing Scams

Clicking links in e-mail messages is not the only way to get to a fake site. You can find links to fake sites all over the internet. How can you tell? Again, your first line of defense is to compare the address in the link to a known web site address. If they don't match, it could be a scam.
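The address comparison described here and in the e-mail section above, as an added example that is not part of the original talk. It compares the whole host name of each link against a list of known sites, because a link can contain a familiar address without leading to it. The trusted list and the sample message are constructed.

```javascript
// Added example: the trusted-host list and the sample message are constructed.
const TRUSTED_HOSTS = new Set(["www.umcu.org"]); // addresses you already know are real

// Decide whether one link target really is a known site.
function classifyLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return "suspicious: not a full web address";
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return "suspicious: not a web link";
  }
  // Anything before an "@" is a login name, not the site being visited.
  if (url.username !== "" || url.password !== "") {
    return "suspicious: text before @ is not the site";
  }
  // Compare the whole host name; merely containing the known name is not enough.
  if (!TRUSTED_HOSTS.has(url.hostname)) {
    return "suspicious: host is " + url.hostname;
  }
  return url.protocol === "https:" ? "known site, secure" : "known site, not secure (http)";
}

// Check every link in an HTML e-mail body (simple href extraction for the example).
function auditMessage(html) {
  const results = [];
  for (const m of html.matchAll(/href\s*=\s*"([^"]*)"/gi)) {
    results.push({ href: m[1], verdict: classifyLink(m[1]) });
  }
  return results;
}

// Constructed message: the first link shows a familiar address but goes elsewhere.
const SAMPLE_MESSAGE = `
<p>Your payment is late.
<a href="http://www.umcu.org.account-check.example.net/login">http://www.umcu.org/</a></p>
<p><a href="http://www.umcu.org@203.0.113.7/">Sign in</a> or visit
<a href="https://www.umcu.org/">our home page</a>.</p>`;

for (const r of auditMessage(SAMPLE_MESSAGE)) console.log(r.verdict, "<-", r.href);
```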

Enabling Phishing Filters

Both Firefox and Internet Explorer now come with phishing filters. Turning these on will help your browser warn you about possible phishing scams.

Firefox
[Screenshot: Enabling a phishing filter in Firefox]

  • Click the Tools drop-down menu and select Options.
  • Click on the Security tab
  • Check the box that says Tell me if the site I'm visiting is a suspected forgery
  • I check the box labeled Check using a downloaded list of suspected sites. This list is automatically downloaded and regularly updated within Firefox 2 when the Phishing Protection feature is enabled.

When you come across a site that is on the list, you will see the following:
[Screenshot: Firefox phishing warning]

Internet Explorer has a drop-down menu item for its phishing filter:
[Screenshot: Internet Explorer phishing filter]

Make sure yours is turned on.

Summary

  • Use Firefox
  • Keep your browsers up to date
  • Only type sensitive information into forms on secure, trusted sites
  • Don't save passwords or form info on computers that other people have access to
  • Control cookies
  • Control JavaScript
  • Block pop-up windows
  • Change your cache settings
  • Don't click suspicious links (especially in e-mail)
  • Use built-in phishing filters in your browser