Web Browsers - Defensive Computing

WEB BROWSERS

Web browsers are one area where the wisdom of the crowd does not apply. In the old days, the crowd used Internet Explorer, now it's Google's Chrome browser. Don't use either one. The bottom half of this page has many articles that make the case against the Chrome browser. I would also avoid the Edge browser for two reasons. First, it is popular and thus a high value target. Second, I don't trust Microsoft.

WHICH BROWSER

On a desktop Operating System (Windows, macOS, Linux) I suggest using Firefox, the Brave browser or the Mullvad browser.

Brave has ad blocking and tracker blocking built in, it is based on Chrome, supports all Chrome extensions. It also runs on Android and iOS.

The Mullvad browser is based on Firefox and the Tor browser (which is also based on Firefox). It was first released in April 2023 and I have been using it since the initial release. It seems to be locked down, security-wise, even more than Brave. For example, it gets an excellent rating at the Cover York Tracks tester from the EFF. It is locked down so tight that some websites do not work, or some functions on a website may not work. Still, it is my first choice. Mullvad is a very trustworthy software provider and, despite being a VPN company, the browser does not require the use of any VPN. On Windows, the software is portable and it self-updates automatically. It also runs on macOS and Linux. It has been actively maintained in the 6 months that I have been using it.

I would also consider the Vivaldi and DuckDuckGo browsers on the OSs where they are available.

USING A BROWSER

Do not logon to a website using your Google or Facebook identity. Your privacy is increased by creating a new account just for that one site.
Turn off Notifications: Websites normally have to ask to send you Notifications. The problem is that the notifications can be abused to trick people in assorted scams. This Nov. 2020 article from Malwarebytes, Turn off website Notifications explains how turn off Notifications in Chrome, Firefox, Safari, Opera and Edge. For Brave (v1.17.73) do: Settings -> Additional settings -> Privacy and security -> Site and Shields Settings -> Notifications.
Track me not: If the websites you visit are determined to track you it is all but impossible to prevent it. Still, you can fight back. The biggest hammer in the toolbox to avoid being tracked is Guest mode on a Chromebook, which insures that all traces of your activity are erased when you exit Guest Mode. One step down, is private/incognito mode in your web browser. You are still tracked, but only until you close the browser. Another option is to manually delete cookies and other tracking data in your browser.
--In Chrome and Brave, enter chrome://settings/siteData in the address bar, then click the Remove All button.
--In Firefox, enter about:preferences#privacy and click on the Clear Data button. Firefox can also automatically delete cookies when the browser shuts down. Using the same Firefox URL, turn on the checkbox for "Delete cookies and site data when Firefox is closed".
Perhaps bookmark these URLs.
Background: What Does Private Browsing Mode Do? by Martin Shelton July 2018.
Incognito Mode (aka Private Browsing and Private Windows)
Incognito/Private browsing mode hides your activity from other people using the same device. When you shut down the browser, it deletes all traces of what you were doing. It does not prevent Google or its advertiser friends from logging and profiting off your search history. In fact, the protections from Google are so poor, that Google employees joke about how bad it is. From Even Google's Own Staff Thinks 'Incognito Mode' Isn’t All It’s Cracked Up to Be by Mack DeGeurin of Gizmodo (Oct 2022). Google is being by people who think the branding and messaging around Chrome's Incognito makes it appear much more privacy preserving than it actually is. See the Google documentation: How Chrome Incognito keeps your browsing private.
Advanced Spell Checking
--Background: This issue came to light in September 2022. Chrome and Edge both have two spell checking options. The normal type is on by default and it happens in the browser. All good. The advanced spell checking, which is OFF by default, sends the data to be checked to a Google or Microsoft server. The problem is that on many forms in websites, this can send passwords and other personal information to Google or Microsoft. As a rule, forms that accept passwords do not display the passwords as they are entered. But, some forms have a "show password" option that can also be a problem. Neither of these articles say anything about Firefox or other Chromium based browsers such as Brave. See Google, Microsoft can get your passwords via web browser's spellcheck by Ax Sharma and Chrome & Edge Enhanced Spellcheck Features Expose PII, Even Your Passwords by the otto-js Research Team.
--Chrome: The feature is called Enhanced Spellcheck. To find it in the Settings search for "Enhanced Spell Check". More here: Turn Chrome spell check on and off from Google.
--Edge: The feature is called Microsoft Editor or Microsoft Editor Spelling & Grammar Checker. It is an extension that needs to be manually installed. Maybe don't install it. You can see the installed extensions with: edge://extensions
--Brave: version 1.43.93 on Windows does not have an advanced spell check feature
--Firefox: version 104 on Windows does not have an advanced spell check feature
Global Privacy Control
Test your browser at globalprivacycontrol.org. The good result is "GPC signal detected". The bad result is: "GPC signal not detected". As of May 12, 2022 this was supported by default in the Brave and DuckDuckGo browsers. It was available, but not enabled by default in Firefox. It was not available in Chrome, Edge or Safari. Google, Microsoft and Apple want to spy on us. For a detailed verification, go to global-privacy-control.glitch.me where a blue thumbs up is a good test result. More....
The Privacy Guides website has suggestions for configuring Brave.
See the macOS topic for tips on using Safari on macOS.
See also the web browser fingerprinting topic
Test your web browser: This is only for techies. deviceinfo.me, SSL Client Test from Qualys SSL Labs and How's My SSL?

EXTENSIONS

Web browser extensions are a double-edged sword. If you let them, they can read and modify the contents of every displayed page. This is necessary, for example, with an ad blocking extension. However, it can be abused too. The security around browser extensions is miserable, so I suggest a default posture of installing as few as possible. A very reasonable stance is to only install uBlock Origin and nothing else.

When installing extensions pay close attention to the permissions it requests. I have seen non-techies be tricked into installing malicious extensions.
When installing extensions pay close attention to who/what created the extension. There are very few trusted sources and no system for defining a trusted source. You are on your own, it is the Wild West.
From Brian Krebs: The Case for Limiting Your Browser Extensions (February 2020). Quoting: "it's not uncommon for extension makers to sell or lease their user base to shady advertising firms, or in some cases abandon them to outright cybercriminals."
Also from Krebs (in the above article): never install an extension just because some Web site says you need it.
A Chromebook in Guest mode does not allow any extensions.
In June 2023, many malicious Chrome browser extensions were detected, and not by Google. See Google's Android and Chrome extensions are a very sad place. Here’s why by Dan Goodin for Ars Technica. Quoting: " ... researchers have reported that hundreds of Android apps and Chrome extensions with millions of installs from the company's official marketplaces have included functions for snooping on user files, manipulating the contents of clipboards, and injecting deliberately unknown code into webpages ... Google has removed many but not all of the malicious entries ... Other than issuing canned statements saying Google takes user security seriously, company representatives pretty much maintain radio silence in response to questions about malicious wares available in its marketplace ... Google generally doesn’t notify users once it discovers they have installed one of its malicious offerings." As I said above, it is the Wild West. You have been warned.
I blogged about potentially dangerous extensions here and here and here.
A Reddit user wrote Why I removed Grammarly chrome extension and deleted my Grammarly account in March 2019.
Sam Jadali spent much time researching malicious extensions and issued a detailed report called DataSpii that served as the basis for articles in the Washington Post and Ars Technica (July 2019). Neither article suggested a Chromebook in Guest mode.
Best to avoid extensions from Avast and AVG as per this story: Senator Wyden Asks Avast Antivirus Why it Sells Users' Browsing Data. by Joseph Cox for Vice (December 2019). Mozilla removed Avast's and AVG's extensions for harvesting user data.
Install an ad blocker extension in your web browser. I say this not because it makes web pages load faster (it does) but because ads have been abused too many times to install malicious software or take you to scam websites. Even Chromebook users can be scammed at websites (no malware though). One highly recommended ad-blocker is uBlock Origin by Raymond Hill. The down sides are that some sites won't display without their ads, and that it prevents sites from earning needed revenue. But, the ad blocker can be disabled on sites you wish to support. No website can be trusted to only show non-malicious ads because the website itself does not choose the ads. Except Krebs on Security.
Maybe install a tracker blocker extension such as Privacy Badger from the EFF or Disconnect.
Periodically review the installed extensions and remove any you do not recognize or no longer use. To display the installed extensions, use these address bar URLs (perhaps bookmark them):
In chrome chrome://extensions
In Brave brave://extensions
In Firefox about:addons

ANDROID

May 2023: I have been very impressed with the DuckDuckGo Privacy browser. As a browser it does a great job of telling what trackers it has blocked on each web page. In addition, it can do tracker blocking system-wide. Like many such apps, it does this by installing a fake VPN. The downside is that the blocking feature can not be enabled while there is an active VPN connection. The tracker blocking feature is currently in BETA but it seemed to work very well when I tried it. It even tells you the type of data that each app was trying to collect. More: Your Android apps are tracking you. Here's how to stop them by Jack Wallen for ZDNet (May 10, 2023). Some apps will not function if you block their spying. This is discussed here: How to disable DuckDuckGo App Tracking Protection for a specific app on Android by Jack Wallen for ZDNet (May 19, 2023).

DESKTOP FIREFOX

Section Last updated: September 2022 with Firefox 104 on Windows.

The first thing I do with a newly installed copy of Firefox is to make the Menu Bar visible. One way is to right click on the tab/toolbar and turn on the check for Menu Bar in the window that pops up. Or, you can press the Alt key, then View, then Toolbars and finally, turn on the Menu Bar.

Review the Enhanced Tracking Protection (about:preferences#privacy) settings which offers defense against trackers and more. As of version 104, the choices are Standard, Strict and Custom. See the documentation on this.

Mozilla also has a Facebook Container extension that blocks Facebook from tracking you around the web.

In the Forms and Autofill section (Settings -> Privacy & Security), I suggest disabling the auto-filling of addresses and credit cards.

In the Address Bar - Firefox Suggest section (Settings -> Privacy & Security), I would turn off "Suggestions from web", "Suggestions from sponsors" and "Improve the Firefox Suggest experience".

In the Firefox Data Collection and Use section (Settings -> Privacy & Security), I would turn off all four options: "Allow Firefox to send technical and interaction data to Mozilla", "Allow Firefox to make personalized extension recommendations", "Allow Firefox to install and run studies" and "Allow Firefox to send backlogged crash reports on your behalf".

In the Files and Applications section (Settings -> General) I suggest turning on "Always ask you where to save files"

Secure encrypted DNS is configured at Settings -> General -> Network Settings -> Settings button -> Enable DNS over HTTPS. The options are Cloudflare, NextDNS and Custom. My first choice would be NextDNS for its ad/tracker blocking, but Cloudflare is fine too. By default, Cloudflare does not block ads/trackers. If you have a NextDNS account, then use the Custom option. To use one of the Cloudflare blocking options also requires choosing Custom here.

The Disable HTML5 Autoplay extension by Afnan Khan can stop many self-starting videos.

You can customize the look of the toolbar by right clicking anywhere on it and then selecting "Customize toolbar".

Take a look at about:telemetry which "shows the information about performance, hardware, usage and customizations collected by Telemetry. This information is submitted to Mozilla to help improve Mozilla Firefox". It can be intimidating, but look to see that "upload is disabled".

Another useful "about:" URL is about:performance which invokes the Firefox Task Manager. Somewhat akin to the Windows Task Manager, this shows CPU and storage usage for each tab. It can also be invoked with: Hamburger menu -> More Tools -> Task Manager. Read about it here: Task Manager - see what tabs or extensions are slowing down Firefox.

Root Certificate Authorities: These are companies that vouch for the identity of websites. The browser lock icon exists because some company, called a Certificate Authority, issued a file (called a certificate) that says the website is legit. The problem with this scheme is that there are bad Certificate Authorities (CAs). This can result your browser displaying (for ex) citi.com with a lock icon and, still, you are not at the real Citibank website. There are different lists of trusted Certificate Authorities. Firefox has its own list, many other browsers rely on the list created by the operating system. When you hear about a bad Certificate Authority, Firefox users can delete the company from the trusted list. This November 2022 article in the Washington Post, Mysterious company with government ties plays key internet role, basically says the TrustCor should not be trusted. When I checked Firefox 106 on Windows, there were three entries in the trusted list for TrustCor. To remove them: Settings -> Privacy and Security -> View Certificates button -> Authorities tab -> Pick an entry -> Delete or Distrust button. See a screen shot. In my experience, the button only does Delete, there was no option to Distrust. While you are at it, consider deleting the Chinese Certificate Authorities.

From PrivacyTools.io: Firefox: Privacy Related "about:config" Tweaks.

Privacy Guides has a Recommended Configuration for Firefox.

ARTICLES SUGGESTING NOT TO USE CHROME

Opinion: it is time to switch from Chrome to another browser by Martin Brinkmann for GHacks (Sept 2022). His reasons: Chrome is a powerful data gathering tool, Chrome's dominance gives Google a lot of weight when it comes to establishing new web standards, the move to Manifest V3 makes it more difficult to run content blockers and privacy extensions in Chrome.

8 reasons to quit Chrome and switch to Firefox by Alaina Yee for PCWorld (May 2022)

It's time to dump Chrome as your default browser on Android by Jack Wallen for TechRepublic (Nov 2021).

Individual cookie controls are removed from Privacy and Security in Chrome 97 by Martin Brinkmann (Nov 2021)

Ditching Google Chrome was the best thing I did this year (and you should too) by Adrian Kingsley-Hughes for ZDNet (Nov 2021).

Why You Should Delete Google Chrome On Your Phone by Zak Doffman in Forbes (Nov 2021).

Jan 7, 2021: Today I stumbled across another reason not to use the Chrome browser. I was using Chrome version 87 on Windows 10. In Settings -> Autofill a particular website (x.com for the sake of example) was set to never save the password. It had been configured this way for a while. I opened an Incognito window and went to the x.com website. When I went to login and clicked in the UserID box, what showed up? My userid for x.com. There is no way to tell Chrome not to save the userid. And what is the use of incognito mode anyway, if it has access to the userid of what I consider a sensitive website?

A Long List of Ways Brave Goes Beyond Other Browsers to Protect Your Privacy. Written by Brave. No date.

We're suing Google for harvesting our personal info even though we opted out of Chrome sync - netizens by Thomas Claburn of The Register (July 2020). The lawsuit claims that although Google promises that Chrome users can opt out of surveillance by not providing personal information and by not synching their data, people get spied on anyway.

Google sued for at least $5 billion over claimed Incognito mode grab of potentially embarrassing browsing data by Ethan Baron (June 2020). A new incognito page does not warn that Google knows what you do. It does warn that websites you visit and your ISP know what you do, even with private browsing mode.

Incognito mode detection still works in Chrome despite promise to fix by Catalin Cimpanu for ZDNet (June 2020). Google said last year that it would fix a bug that allowed sites to detect incognito mode, but no fix ever came.

Both Firefox and Brave have defenses against browser fingerprinting that Chrome does not have.

Still another reason not to use Chrome: Google: You know we said that Chrome tracker contained no personally identifiable info? Forget we ever said that by Thomas Claburn of The Register (March 2020)

From ProtonMail: Most secure browser for your privacy in 2020 (Dec 2019). In brief: Chrome is bad. Firefox, Brave, Tor and DuckDuckGo (mobile only) are good.

Chrome fails miserably at indicating when insecure data is being sent from a secure page. See my blog (Feb 2020).

uBlock Origin works best on Firefox where it can undo CNAME Cloaking. See If you run uBlock Origin, use the Firefox version as it offers better protection by Martin Brinkmann (Feb 2020).

These hidden cache files are bloating your Google Chrome by Adrian Kingsley-Hughes (April 2020). Chrome caches JavaScript files and there is no simple way to clear the cache, you have to find the folder and delete the files on your own. After reading this, I found data in the cache that was over 4 months old.

Study finds Brave to be the most private browser by Martin Brinkmann (Feb 2020). Only default browser configurations were tested.

Germany's cyber-security agency recommends Firefox as most secure browser by Catalin Cimpanu (Oct 2019). Firefox was tested against Chrome, Internet Explorer and Edge. Not tested were Safari, Brave, Opera, or Vivaldi. The big finding, to me, was that Chrome, IE and Edge have no option to block telemetry.

It's Time to Switch to a Privacy Browser by David Nield in Wired (June 2019). Good article that covers the DuckDuckGo browser (iOS, Android and an extension), the Ghostery browser, Brave, Tor and much more.

Google Chrome has become surveillance software. It’s time to switch. by Geoffrey Fowler in the Washington Post (June 2019) has a great quote: "having the world's biggest advertising company make the most popular Web browser was about as smart as letting kids run a candy shop." Alternate link

There is a whole website (NoToChrome.org) devoted to the bad stuff about the Chrome browser.

It's time you ditched Chrome for a privacy-first web browser by Matt Burgess in Wired (July 2019). Discusses Brave, Ghostery, Tor, DuckDuckGo and two Mozilla browsers.

In June 2019, Firefox added "enhanced tracking protection" by default, but my opinion was formed beforehand. Firefox Now Available with Enhanced Tracking Protection by Default Plus Updates to Facebook Container, Firefox Monitor and Lockwise by Mozilla (June 2019)

Private and Secure Browsers to Keep Your Data Safe by Sven Taylor of Restore Privacy. Created Sept. 2018, Last updated June 2019.

I protected my privacy by ditching Chrome for Brave–and so should you by Michael Grothaus in Fast Company (March 2019)

How I'm locking down my cyber-life by Larry Sanger Jan. 2019

Why I'm done with Chrome by Matthew Green (Sept 2018). Paraphrasing: I've loved Chrome in the past, but, due to Chrome's new user-unfriendly forced login policy, I won't be using it going forward.

Bye, Chrome: Why I'm switching to Firefox and you should too by Katharine Schwab (May 2018). Quoting: "I can't even remember why I decided to use Chrome in the first place. The browser has become such a default for American internet users that I never even questioned it."

Then too, there is the issue of certificate revocation. It is a poorly designed system and does not work very well. But all browsers support it - except Chrome. Chrome does its own thing in this regard and their system only works with a very small number of websites. In contrast, Cloudflare is working to improve this with OCSP Stapling.

This Page Last Updated November 7, 2023	Site Page Views TOTAL 737,596	Site Page Views TODAY 190	Previous Website View 28.9 minutes ago	Website by Michael Horowitz @defensivecomput	top
Website Average Daily Page Views: November 2023: 687 See the website change log 2023: Jan 724 \| Feb 853 \| March 782 \| April 694 \| May 618 \| June 617 \| July 497 \| Aug 558 \| Sept 837 \| Oct 757 2022: Jan 368 \| Feb 315 \| March 320 \| April 328 \| May 367 \| June 379 \| July 685 \| Aug 1,568 \| Sept 671 \| Oct 664 \| Nov 901 \| Dec 1,222 2021: Jan 337 \| Feb 377 \| March 332 \| April 246 \| May 282 \| June 227 \| July 214 \| Aug 275 \| Sept 290 \| Oct 315 \| Nov 411 \| Dec 293 2020: Jan 212 \| Feb 377 \| March 303 \| April 296 \| May 317 \| June 267 \| July 258 \| Aug 282 \| Sept 279 \| Oct 333 \| Nov 318 \| Dec 332 2019: . . . . . . . . . . . . . . . . . . . . . . . . . Aug 176 \| Sept 178 \| Oct 194 \| Nov 180 \| Dec 200