Web Browsers - Defensive Computing

WEB BROWSERS

Web browsers are one area where the wisdom of the crowd does not apply. In the old days, the crowd used Internet Explorer, now it's Google's Chrome browser. Don't use either one. The bottom half of this page has many articles that make the case against the Chrome browser. I would also avoid the Edge browser for two reasons. First, it is popular and thus a high value target. Second, I don't trust Microsoft.

On a desktop Operating System (Windows, macOS, Linux) I suggest using either Firefox or the Brave browser. Brave has ad blocking and tracker blocking built in, it is based on Chrome, supports all Chrome extensions and also runs on Android and iOS. I would also consider the Vivaldi and DuckDuckGo browsers on the OSs where they are available.

Web browser extensions are a double-edged sword. If you let them, they can read and modify the contents of every displayed page. This is necessary, for example, with an ad blocking extension. However, it can be abused too. When installing extensions pay close attention to the permissions it requests. I have seen non-techies be tricked into installing malicious extensions. It is a good idea to periodically review the extensions installed in your browser and remove any you really don't need. To display the installed extensions, use these address bar URLs (perhaps bookmark them): In chrome chrome://extensions, in Brave brave://extensions, in Firefox about:addons. I blogged about potentially dangerous extensions here and here and here. A Reddit user wrote Why I removed Grammarly chrome extension and deleted my Grammarly account in March 2019. Sam Jadali spent much time researching malicious extensions and issued a detailed report called DataSpii that served as the basis for articles in the Washington Post and Ars Technica (July 2019). Neither article suggested a Chromebook in Guest mode which does not allow extensions. Best to avoid extensions from Avast and AVG. Brian Krebs covered this in Feb 2020: The Case for Limiting Your Browser Extensions.
Install an ad blocker extension in your web browser. I say this not because it makes web pages load faster (it does) but because ads have been abused too many times to install malicious software or take you to scam websites. Even Chromebook users can be scammed at websites (no malware though). One highly recommended ad-blocker is uBlock Origin by Raymond Hill. The down sides are that some sites won't display without their ads and that it prevents sites from earning needed revenue. But, the ad blocker can be disabled on sites you wish to support. No website can be trusted to only show non-malicious ads because the website itself does not choose the ads. Except Krebs on Security.
Install a tracker blocker extension such as Privacy Badger from the EFF or Disconnect.
Do not logon to a website using your Google or Facebook identity. Your privacy is increased by creating a new account just for that one site.
Turn off Notifications: Websites normally have to ask to send you Notifications. The problem is that the notifications can be abused to trick people in assorted scams. This Nov. 2020 article from Malwarebytes, Turn off website Notifications explains how turn off Notifications in Chrome, Firefox, Safari, Opera and Edge. For Brave (v1.17.73) do: Settings -> Additional settings -> Privacy and security -> Site and Shields Settings -> Notifications.
Track me not: If the websites you visit are determined to track you it is all but impossible to prevent it. Still, you can fight back. The biggest hammer in the toolbox to avoid being tracked is Guest mode on a Chromebook, which insures that all traces of your activity are erased when you exit Guest Mode. One step down, is private/incognito mode in your web browser. You are still tracked, but only until you close the browser. Another option is to manually delete cookies and other tracking data in your browser.
--In Chrome and Brave, enter chrome://settings/siteData in the address bar, then click the Remove All button.
--In Firefox, enter about:preferences#privacy and click on the Clear Data button. Firefox can also automatically delete cookies when the browser shuts down. Using the same Firefox URL, turn on the checkbox for "Delete cookies and site data when Firefox is closed".
Perhaps bookmark these URLs.
Background: What Does Private Browsing Mode Do? by Martin Shelton July 2018.
Incognito Mode (aka Private Browsing and Private Windows)
Incognito/Private browsing mode hides your activity from other people using the same device. When you shut down the browser, it deletes all traces of what you were doing. It does not prevent Google or its advertiser friends from logging and profiting off your search history. In fact, the protections from Google are so poor, that Google employees joke about how bad it is. From Even Google's Own Staff Thinks 'Incognito Mode' Isn’t All It’s Cracked Up to Be by Mack DeGeurin of Gizmodo (Oct 2022). Google is being by people who think the branding and messaging around Chrome's Incognito makes it appear much more privacy preserving than it actually is. See the Google documentation: How Chrome Incognito keeps your browsing private.
Advanced Spell Checking
--Background: This issue came to light in September 2022. Chrome and Edge both have two spell checking options. The normal type is on by default and it happens in the browser. All good. The advanced spell checking, which is OFF by default, sends the data to be checked to a Google or Microsoft server. The problem is that on many forms in websites, this can send passwords and other personal information to Google or Microsoft. As a rule, forms that accept passwords do not display the passwords as they are entered. But, some forms have a "show password" option that can also be a problem. Neither of these articles say anything about Firefox or other Chromium based browsers such as Brave. See Google, Microsoft can get your passwords via web browser's spellcheck by Ax Sharma and Chrome & Edge Enhanced Spellcheck Features Expose PII, Even Your Passwords by the otto-js Research Team.
--Chrome: The feature is called Enhanced Spellcheck. To find it in the Settings search for "Enhanced Spell Check". More here: Turn Chrome spell check on and off from Google.
--Edge: The feature is called Microsoft Editor or Microsoft Editor Spelling & Grammar Checker. It is an extension that needs to be manually installed. Maybe don't install it. You can see the installed extensions with: edge://extensions
--Brave: version 1.43.93 on Windows does not have an advanced spell check feature
--Firefox: version 104 on Windows does not have an advanced spell check feature
Global Privacy Control
Test your browser at globalprivacycontrol.org. The good result is "GPC signal detected". The bad result is: "GPC signal not detected". As of May 12, 2022 this was supported by default in the Brave and DuckDuckGo browsers. It was available, but not enabled by default in Firefox. It was not available in Chrome, Edge or Safari. Google, Microsoft and Apple want to spy on us. For a detailed verification, go to global-privacy-control.glitch.me where a blue thumbs up is a good test result. More....
The Privacy Guides website has suggestions for configuring Brave.
See the macOS topic for tips on using Safari on macOS.
See also the web browser fingerprinting topic
Test your web browser: This is only for techies. deviceinfo.me, SSL Client Test from Qualys SSL Labs and How's My SSL?

ANDROID

May 2023: I have been very impressed with the DuckDuckGo Privacy browser. As a browser it does a great job of telling what trackers it has blocked on each web page. In addition, it can do tracker blocking system-wide. Like many such apps, it does this by installing a fake VPN. The downside is that the blocking feature can not be enabled while there is an active VPN connection. The tracker blocking feature is currently in BETA but it seemed to work very well when I tried it. It even tells you the type of data that each app was trying to collect. More: Your Android apps are tracking you. Here's how to stop them by Jack Wallen for ZDNet (May 10, 2023). Some apps will not function if you block their spying. This is discussed here: How to disable DuckDuckGo App Tracking Protection for a specific app on Android by Jack Wallen for ZDNet (May 19, 2023).

DESKTOP FIREFOX

Section Last updated: September 2022 with Firefox 104 on Windows.

The first thing I do with a newly installed copy of Firefox is to make the Menu Bar visible. One way is to right click on the tab/toolbar and turn on the check for Menu Bar in the window that pops up. Or, you can press the Alt key, then View, then Toolbars and finally, turn on the Menu Bar.

Review the Enhanced Tracking Protection (about:preferences#privacy) settings which offers defense against trackers and more. As of version 104, the choices are Standard, Strict and Custom. See the documentation on this.

Mozilla also has a Facebook Container extension that blocks Facebook from tracking you around the web.

In the Forms and Autofill section (Settings -> Privacy & Security), I suggest disabling the auto-filling of addresses and credit cards.

In the Address Bar - Firefox Suggest section (Settings -> Privacy & Security), I would turn off "Suggestions from web", "Suggestions from sponsors" and "Improve the Firefox Suggest experience".

In the Firefox Data Collection and Use section (Settings -> Privacy & Security), I would turn off all four options: "Allow Firefox to send technical and interaction data to Mozilla", "Allow Firefox to make personalized extension recommendations", "Allow Firefox to install and run studies" and "Allow Firefox to send backlogged crash reports on your behalf".

In the Files and Applications section (Settings -> General) I suggest turning on "Always ask you where to save files"

Secure encrypted DNS is configured at Settings -> General -> Network Settings -> Settings button -> Enable DNS over HTTPS. The options are Cloudflare, NextDNS and Custom. My first choice would be NextDNS for its ad/tracker blocking, but Cloudflare is fine too. By default, Cloudflare does not block ads/trackers. If you have a NextDNS account, then use the Custom option. To use one of the Cloudflare blocking options also requires choosing Custom here.

The Disable HTML5 Autoplay extension by Afnan Khan can stop many self-starting videos.

You can customize the look of the toolbar by right clicking anywhere on it and then selecting "Customize toolbar".

Take a look at about:telemetry which "shows the information about performance, hardware, usage and customizations collected by Telemetry. This information is submitted to Mozilla to help improve Mozilla Firefox". It can be intimidating, but look to see that "upload is disabled".

Another useful "about:" URL is about:performance which invokes the Firefox Task Manager. Somewhat akin to the Windows Task Manager, this shows CPU and storage usage for each tab. It can also be invoked with: Hamburger menu -> More Tools -> Task Manager. Read about it here: Task Manager - see what tabs or extensions are slowing down Firefox.

Root Certificate Authorities: These are companies that vouch for the identity of websites. The browser lock icon exists because some company, called a Certificate Authority, issued a file (called a certificate) that says the website is legit. The problem with this scheme is that there are bad Certificate Authorities (CAs). This can result your browser displaying (for ex) citi.com with a lock icon and, still, you are not at the real Citibank website. There are different lists of trusted Certificate Authorities. Firefox has its own list, many other browsers rely on the list created by the operating system. When you hear about a bad Certificate Authority, Firefox users can delete the company from the trusted list. This November 2022 article in the Washington Post, Mysterious company with government ties plays key internet role, basically says the TrustCor should not be trusted. When I checked Firefox 106 on Windows, there were three entries in the trusted list for TrustCor. To remove them: Settings -> Privacy and Security -> View Certificates button -> Authorities tab -> Pick an entry -> Delete or Distrust button. See a screen shot. In my experience, the button only does Delete, there was no option to Distrust. While you are at it, consider deleting the Chinese Certificate Authorities.

From PrivacyTools.io: Firefox: Privacy Related "about:config" Tweaks.

Privacy Guides has a Recommended Configuration for Firefox.

ARTICLES SUGGESTING NOT TO USE CHROME

Opinion: it is time to switch from Chrome to another browser by Martin Brinkmann for GHacks (Sept 2022). His reasons: Chrome is a powerful data gathering tool, Chrome's dominance gives Google a lot of weight when it comes to establishing new web standards, the move to Manifest V3 makes it more difficult to run content blockers and privacy extensions in Chrome.

8 reasons to quit Chrome and switch to Firefox by Alaina Yee for PCWorld (May 2022)

It's time to dump Chrome as your default browser on Android by Jack Wallen for TechRepublic (Nov 2021).

Individual cookie controls are removed from Privacy and Security in Chrome 97 by Martin Brinkmann (Nov 2021)

Ditching Google Chrome was the best thing I did this year (and you should too) by Adrian Kingsley-Hughes for ZDNet (Nov 2021).

Why You Should Delete Google Chrome On Your Phone by Zak Doffman in Forbes (Nov 2021).

Jan 7, 2021: Today I stumbled across another reason not to use the Chrome browser. I was using Chrome version 87 on Windows 10. In Settings -> Autofill a particular website (x.com for the sake of example) was set to never save the password. It had been configured this way for a while. I opened an Incognito window and went to the x.com website. When I went to login and clicked in the UserID box, what showed up? My userid for x.com. There is no way to tell Chrome not to save the userid. And what is the use of incognito mode anyway, if it has access to the userid of what I consider a sensitive website?

A Long List of Ways Brave Goes Beyond Other Browsers to Protect Your Privacy. Written by Brave. No date.

We're suing Google for harvesting our personal info even though we opted out of Chrome sync - netizens by Thomas Claburn of The Register (July 2020). The lawsuit claims that although Google promises that Chrome users can opt out of surveillance by not providing personal information and by not synching their data, people get spied on anyway.

Google sued for at least $5 billion over claimed Incognito mode grab of potentially embarrassing browsing data by Ethan Baron (June 2020). A new incognito page does not warn that Google knows what you do. It does warn that websites you visit and your ISP know what you do, even with private browsing mode.

Incognito mode detection still works in Chrome despite promise to fix by Catalin Cimpanu for ZDNet (June 2020). Google said last year that it would fix a bug that allowed sites to detect incognito mode, but no fix ever came.

Both Firefox and Brave have defenses against browser fingerprinting that Chrome does not have.

Still another reason not to use Chrome: Google: You know we said that Chrome tracker contained no personally identifiable info? Forget we ever said that by Thomas Claburn of The Register (March 2020)

From ProtonMail: Most secure browser for your privacy in 2020 (Dec 2019). In brief: Chrome is bad. Firefox, Brave, Tor and DuckDuckGo (mobile only) are good.

Chrome fails miserably at indicating when insecure data is being sent from a secure page. See my blog (Feb 2020).

uBlock Origin works best on Firefox where it can undo CNAME Cloaking. See If you run uBlock Origin, use the Firefox version as it offers better protection by Martin Brinkmann (Feb 2020).

These hidden cache files are bloating your Google Chrome by Adrian Kingsley-Hughes (April 2020). Chrome caches JavaScript files and there is no simple way to clear the cache, you have to find the folder and delete the files on your own. After reading this, I found data in the cache that was over 4 months old.

Study finds Brave to be the most private browser by Martin Brinkmann (Feb 2020). Only default browser configurations were tested.

Germany's cyber-security agency recommends Firefox as most secure browser by Catalin Cimpanu (Oct 2019). Firefox was tested against Chrome, Internet Explorer and Edge. Not tested were Safari, Brave, Opera, or Vivaldi. The big finding, to me, was that Chrome, IE and Edge have no option to block telemetry.

It's Time to Switch to a Privacy Browser by David Nield in Wired (June 2019). Good article that covers the DuckDuckGo browser (iOS, Android and an extension), the Ghostery browser, Brave, Tor and much more.

Google Chrome has become surveillance software. It’s time to switch. by Geoffrey Fowler in the Washington Post (June 2019) has a great quote: "having the world's biggest advertising company make the most popular Web browser was about as smart as letting kids run a candy shop." Alternate link

There is a whole website (NoToChrome.org) devoted to the bad stuff about the Chrome browser.

It's time you ditched Chrome for a privacy-first web browser by Matt Burgess in Wired (July 2019). Discusses Brave, Ghostery, Tor, DuckDuckGo and two Mozilla browsers.

In June 2019, Firefox added "enhanced tracking protection" by default, but my opinion was formed beforehand. Firefox Now Available with Enhanced Tracking Protection by Default Plus Updates to Facebook Container, Firefox Monitor and Lockwise by Mozilla (June 2019)

Private and Secure Browsers to Keep Your Data Safe by Sven Taylor of Restore Privacy. Created Sept. 2018, Last updated June 2019.

I protected my privacy by ditching Chrome for Brave–and so should you by Michael Grothaus in Fast Company (March 2019)

How I'm locking down my cyber-life by Larry Sanger Jan. 2019

Why I'm done with Chrome by Matthew Green (Sept 2018). Paraphrasing: I've loved Chrome in the past, but, due to Chrome's new user-unfriendly forced login policy, I won't be using it going forward.

Bye, Chrome: Why I'm switching to Firefox and you should too by Katharine Schwab (May 2018). Quoting: "I can't even remember why I decided to use Chrome in the first place. The browser has become such a default for American internet users that I never even questioned it."

Then too, there is the issue of certificate revocation. It is a poorly designed system and does not work very well. But all browsers support it - except Chrome. Chrome does its own thing in this regard and their system only works with a very small number of websites. In contrast, Cloudflare is working to improve this with OCSP Stapling.