gf4
/
personal-security-checklist
mirror of https://git.hackliberty.org/Awesome-Mirrors/personal-security-checklist
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Slightly shortens the new Browser section 

... and it's still way too long
pull/25/head
Alicia Sykes 2020-05-15 03:38:43 +01:00 committed by GitHub
parent 52090a730c
commit efa4527e4b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
README.md
View File

@ -76,20 +76,20 @@ This section outlines the steps you can take, to be better protected, minimise o
**Use a Private Search Engine** | Recommended | Using a privacy-preserving, non-tracking search engine, will ensure your search terms are not logged, or used against you. Consider [DuckDuckGo](https://duckduckgo.com), [Quant](https://www.qwant.com), or [SearX](https://searx.me) (self-hosted). Google implements some [incredibly invasive](https://hackernoon.com/data-privacy-concerns-with-google-b946f2b7afea) tracking policies, and have a history of displaying [biased search results](https://www.businessinsider.com/evidence-that-google-search-results-are-biased-2014-10). Therefore Google, along with Bing, Baidu, Yahoo and Yandex are incompatible with anyone looking to protect their privacy. It is recommended to update your [browsers default search](https://duckduckgo.com/install) to a privacy-respecting search engine
**Remove Unnecessary Browser Addons** | Recommended | Extensions are able to see, log or modify anything you do in the browser, and some innocent looking browser apps, have malicious intentions. Websites can see which extensions you have installed, and may use this to enhance your fingerprint, to more accurately identify you. Both Firefox and Chrome web stores allow you to check what permissions/access rights an extension requires before you install it. Check the reviews. Only install extensions you really need, and removed those which you haven't used in a while
**Keep Browser Up-to-date** | Recommended | Browser vulnerabilities are constantly being [discovered](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=browser) and patched, so its important to keep it up to date, to avoid a zero-day exploit. You can [see which browser version your using here](https://www.whatismybrowser.com/), or follow [this guide](https://www.whatismybrowser.com/guides/how-to-update-your-browser/) for instructions on how to update. Some browsers will auto-update to the latest stable version
**Use HTTPS** | Recommended | If you enter information on a non-HTTPS website, this data is transported unencrypted and can therefore be read by anyone who intercepts it. Do not enter any data on a non-HTTPS website, but also do not let the green padlock give you a false sense of security, just because a website has SSL certificate, does not mean that it is legitimate or trustworthy. [HTTPS-Everywhere](https://www.eff.org/https-everywhere) (developed by the EFF) is a lightweight, open source (on [GitHub](https://github.com/EFForg/https-everywhere)) browser addon, that by enables HTTPS encryption automatically on sites that are known to support it. Is included in Brave, Tor and mobile Onion-Browser, and is available for [Chromium](https://chrome.google.com/webstore/detail/https-everywhere/gcbommkclmclpchllfjekcdonpmejbdp), [Firefox](https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/) and [Opera](https://addons.opera.com/en/extensions/details/https-everywhere/)
**Check for HTTPS** | Recommended | If you enter information on a non-HTTPS website, this data is transported unencrypted and can therefore be read by anyone who intercepts it. Do not enter any data on a non-HTTPS website, but also do not let the green padlock give you a false sense of security, just because a website has SSL certificate, does not mean that it is legitimate or trustworthy. <br>[HTTPS-Everywhere](https://www.eff.org/https-everywhere) (developed by the EFF) is a lightweight, open source (on [GitHub](https://github.com/EFForg/https-everywhere)) browser addon, that by enables HTTPS encryption automatically on sites that are known to support it. Is included in Brave, Tor and mobile Onion-Browser, and is available for [Chromium](https://chrome.google.com/webstore/detail/https-everywhere/gcbommkclmclpchllfjekcdonpmejbdp), [Firefox](https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/) and [Opera](https://addons.opera.com/en/extensions/details/https-everywhere/)
**Use DNS-over-HTTPS** | Recommended | Traditional DNS makes requests in plain text for everyone to see. It allows for eavesdropping and manipulation of DNS data through man-in-the-middle attacks. Whereas [DNS-over-HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS) performs DNS resolution via the HTTPS protocol, meaning data between you and your DNS resolver is encrypted. A popular option is [CloudFlare's 1.1.1.1](https://1.1.1.1/help), or [compare providers](https://www.privacytools.io/providers/dns)- it is simple to [enable](https://www.maketecheasier.com/enable-dns-over-https-various-browsers) in-browser. Note that DoH comes with it's [own issues](https://blog.mozilla.org/netpolicy/2020/02/25/the-facts-mozillas-dns-over-https-doh/), mostly preventing web filtering
**Multi-Session Containers** | Recommended | Compartmentalisation is really important to keep different aspects of your browsing separate. For example, using different profiles for work, general browsing, social media, online shopping etc will reduce the number associations that data brokers can link back to you. One option is to make use of [Firefox Containers](https://support.mozilla.org/en-US/kb/containers) which is designed exactly for this purpose. Alternatively, you could use [different browsers for different tasks](https://medium.com/fast-company/incognito-mode-wont-keep-your-browsing-private-do-this-instead-dd64bc812010) (Brave, Firefox, Tor etc). For Chromium-based browsers, you can create and use [Profiles](https://www.chromium.org/developers/creating-and-using-profiles), or an extension such as [SessionBox](https://sessionbox.io), however this addon is not open source
**Use Incognito** | Recommended | When using someone else's machine, ensure that you're in a private/ incognito session (Use `Ctrl+Shift+N`/ `Cmd+Shift+N`). This will prevent browser history, cookies and some data being saved, but is not [fool-proof](https://www.howtogeek.com/117776/htg-explains-how-private-browsing-works-and-why-it-doesnt-offer-complete-privacy/)- you can still be tracked
**Understand Your Browser Fingerprint** | Recommended | Browser [Fingerprinting](https://pixelprivacy.com/resources/browser-fingerprinting) is an incredibly accurate method of tracking, where a website identifies you based on your device information, including: browser and OS versions, headers, time zone, installed fonts, plugins and applications and sometimes device hardware among other data points. You can view your fingerprint at [amiunique.org](https://amiunique.org/fp)- The aim is to be as un-unique as possible
**Manage Cookies** | Recommended | Clearing cookies regularly is one step you can take to help reduce websites from tracking you. Cookies may also store your session token, which if captured, would allow someone to access your accounts without credentials (often called [Session Hijacking](https://en.wikipedia.org/wiki/Session_hijacking)). To mitigate this you should [clear cookies](https://kb.iu.edu/d/ahic) often. [Self Destructing Cookies](https://add0n.com/self-destructing-cookies.html) is a browser addon (available on [Chromium-based browsers](https://chrome.google.com/webstore/detail/self-destructing-cookies/igdpjhaninpfanncfifdoogibpdidddf), [Firefox](https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies-webex/) and [Opera](https://addons.opera.com/en/extensions/details/self-destructing-cookies/)), which will kill cookies when you close the browser
**Manage Cookies** | Recommended | Clearing cookies regularly is one step you can take to help reduce websites from tracking you. Cookies may also store your session token, which if captured, would allow someone to access your accounts without credentials (often called [Session Hijacking](https://en.wikipedia.org/wiki/Session_hijacking)). <br>To mitigate this you should [clear cookies](https://kb.iu.edu/d/ahic) often. [Self Destructing Cookies](https://add0n.com/self-destructing-cookies.html) is a browser addon (available on [Chromium-based browsers](https://chrome.google.com/webstore/detail/self-destructing-cookies/igdpjhaninpfanncfifdoogibpdidddf), [Firefox](https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies-webex/) and [Opera](https://addons.opera.com/en/extensions/details/self-destructing-cookies/)), which will kill cookies when you close the browser
**Block Third-Party Cookies** | Recommended | [Third-party cookies](https://en.wikipedia.org/wiki/HTTP_cookie#Privacy_and_third-party_cookies) placed on your device by a website other than the one youre visiting. This poses a privacy risk, as a 3rd entity can collect data from your current session. [This guide](https://www.digitalcitizen.life/how-disable-third-party-cookies-all-major-browsers) explains how you can disable 3rd-party cookies, and you can [check here](https://www.whatismybrowser.com/detect/are-third-party-cookies-enabled) ensure this worked
**Block Ads** | Recommended | Using an ad-blocker can help improve your privacy, by blocking the trackers that ads implement. [uBlock Origin](https://github.com/gorhill/uBlock) is a very efficient and open source browser addon, developed by [Raymond Hill](https://github.com/gorhill) and available for: [Chromium-based browsers](https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm), [Firefox](https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/), [Microsoft Edge](https://microsoftedge.microsoft.com/addons/detail/odfafepnkmbhccpbejgmiehpchacaeak), [Safari](https://apps.apple.com/us/app/ublock/id1385985095?ls=1) and [Opera](https://addons.opera.com/en/extensions/details/ublock/). <br>When 3rd-party ads are displayed on a webpage, they have the ability to track you, gathering personal information about you and your habits, which can then be sold, or used to show you more targeted ads. Some ads are malicious; [Malvertising](https://www.malwarebytes.com/malvertising/) is when criminals purchase ad space, and disguise harmful, dangerous or fake websites as something legitimate. Blocking ads also makes pages load faster, uses less data and provides a less cluttered experience
**Block Third-Party Trackers** | Recommended | Blocking trackers will help to stop websites, advertisers, analytics and more from tracking you in the background. [Privacy Badger](https://privacybadger.org), [DuckDuckGo Privacy Essentials](https://help.duckduckgo.com/duckduckgo-help-pages/desktop/adding-duckduckgo-to-your-browser/), [uBlock Origin](https://github.com/gorhill/uBlock) and [uMatrix](https://github.com/gorhill/uMatrix) (advanced) are all very effective, open source tracker-blockers available for all major browsers. Alternatively you can block trackers at the network level, [Pi-Hole](https://pi-hole.net) is a great, highly-customisable and effective solution that runs on a low-power system. Or [Diversion](https://diversion.ch) is a good option for Asus routers running Merlin firmware. Some VPNs offer basic tracking blocking (such as [TrackStop on PerfectPrivacy](https://www.perfect-privacy.com/en/features/trackstop?a_aid=securitychecklist))
**Block Third-Party Trackers** | Recommended | Blocking trackers will help to stop websites, advertisers, analytics and more from tracking you in the background. [Privacy Badger](https://privacybadger.org), [DuckDuckGo Privacy Essentials](https://help.duckduckgo.com/duckduckgo-help-pages/desktop/adding-duckduckgo-to-your-browser/), [uBlock Origin](https://github.com/gorhill/uBlock) and [uMatrix](https://github.com/gorhill/uMatrix) (advanced) are all very effective, open source tracker-blockers available for all major browsers. Alternatively you can block trackers at the network level, with something like [Pi-Hole](https://pi-hole.net) (on your home server) or [Diversion](https://diversion.ch) (Asus routers running Merlin firmware. Some VPNs offer basic tracking blocking (such as [TrackStop on PerfectPrivacy](https://www.perfect-privacy.com/en/features/trackstop?a_aid=securitychecklist))
**Beware of Redirects** | Optional | While some redirects are harmless, others can send you to malicious sites. If you are unsure about a redirect URL, you can check where it forwards to with a tool like [RedirectDetective](https://redirectdetective.com). It is also recommended to disable redirects in your [browser settings](https://appuals.com/how-to-stop-automatic-redirects-on-google-firefox-and-edge/). [Unvalidated redirects](https://www.credera.com/blog/technology-insights/java/top-10-web-security-risks-unvalidated-redirects-forwards-10/) are still commonly used in phishing attacks, it can make a malicious link seem legitimate
**Do Not Sign Into Your Browser** | Optional | Many browsers allow you to sign in, in order to sync history, bookmarks and other browsing data across devices. However signing in not only allows for further data collection, but also increases attack surface through providing another avenue for a malicious actor to get hold of personal information. For Chrome users, you can get around forced sign-in by navigating to [chrome://flags](chrome://flags/#account-consistency) and disabling the `account-consistency` flag. If you still need to sync bookmarks + browser data between devices, there are open source [alternatives](/5_Privacy_Respecting_Software.md#bonus-3---self-hosted-services), such as [xBrowserSync](https://www.xbrowsersync.org)
**Disallow Prediction Services** | Optional | Some browsers allow for prediction services, where you receive real-time search results or URL auto-fill. If this is enabled then data is sent to Google (or your default search engine) with every keypress, rather than when you hit enter. You may wish to disable this to reduce the amount of data collected
**Avoid G Translate for Webpages** | Optional | When you visit a web page written in a foreign language, you may be prompted to install the Google Translate extension. Be aware that Google [collects all data](https://www.linkedin.com/pulse/google-translate-privacy-confidentiality-concerns-alex-gheorghe/) (including input fields), along with details of the current user. Instead use a translation service that is not linked to your browser
**Disable Web Notifications** | Optional | Browser push notifications are a common method for criminals to encourage you to click their link. Be aware of this, and for instructions on disabling browser notifications, see [this article](https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused)
**Disable Web Notifications** | Optional | Browser push notifications are a common method for criminals to encourage you to click their link, since it is easy to spoof the source. Be aware of this, and for instructions on disabling browser notifications, see [this article](https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused)
**Disable Automatic Downloads** | Optional | Security-focused browsers now have automatic downloads disabled by default. For older systems, drive-by downloads is a common method of getting harmful files onto a users device. This can be mitigated by [disabling auto file downloads](https://www.ghacks.net/2017/05/18/you-should-disable-automatic-downloads-in-chrome-right-now/), and being cautious of websites which prompt you to download files unexpectedly
**Disallow Access to Sensors** | Optional | Mobile websites can [tap into your device sensors](https://www.wired.com/story/mobile-websites-can-tap-into-your-phones-sensors-without-asking/) without asking. If you grant these permissions to your browser once, then all websites are able to use these capabilities, without permission or notification, take a look at the [sensor-js](https://sensor-js.xyz) study for more. The best solution is to not grant any permissions to your browser, and to use a privacy browser such as FireFox Focus ([Android](https://play.google.com/store/apps/details?id=org.mozilla.focus) / [iOS](https://apps.apple.com/app/id1055677337)) or DuckDuckGo ([Android](https://play.google.com/store/apps/details?id=com.duckduckgo.mobile.android&hl=en_US) / [iOS](https://apps.apple.com/us/app/duckduckgo-privacy-browser/id663592361))
**Disallow Location** | Optional | Location Services lets sites ask for your physical location to improve your experience. This should be disabled in settings ([see how](https://support.ipvanish.com/hc/en-us/articles/360037874554-How-to-Disable-Location-Tracking-on-Browsers)). Note that there are still other methods of determining your approximate location (IP address, time zone, device info, DNS etc)