Banking Online? Firefox With NoScript Is Your Best Bet

If you’re asking the question “How do I securely do my banking online?” you’re one of many. Banking is something we used to do up front and in person (or so I’m told, before my time) but now that the web has allowed access to our accounts from any location we have to ask how to do something so sensitive in a secure manner. This article will be a short guide to secure online banking.

Normally I say that Chrome is a secure browser for the average user, but it’s a different kind of secure. Its sandbox aims at containing system infection, not at stopping web-based attacks. In terms of web security – preventing CSRF, XSS, and the like, the types of attacks most directly related to online banking – I think Firefox with NoScript takes the cake. NoScript is the only program that’s proven to prevent XSS in the most situations, it’s the only program with clickjacking prevention that’s worth anything, it protects against SVG keylogging, and much more, and for banking you want to isolate and restrict the website you’re interacting with as much as possible.

There are a few other things you’ll want to do before setting up Firefox if you’re planning on banking online:

1) Make sure you are on a secure network. A secure network is one using WPA2 encryption with a strong 12 character password (or larger) that only you know (assuming wireless).

2) Make sure your system is completely up to date. Keeping intruders out starts with patching. The browser, operating system, and your plugins are key here.

3) If you’re using Ubuntu Linux enable AppArmor for Firefox (sudo aa-enforce /etc/apparmor.d/*firefox*) – other distros may use other LSMs.

4) Windows users should follow my quick guide to securing Windows.

After that it’s a matter of installing two key extensions:

1) NoScript. In its default configuration it’s secure. [NoScript.com]

2) HTTPS-Everywhere. [HTTPS-Everywhere]

Only whitelist websites that you know you can trust or (for a higher level of security) keep a separate Firefox profile just for banking with its own whitelist of just banking websites.

Never do your online banking while also using another website in another tab/ window and if you use an antivirus, update it, and run a scan before you use the bank website.

If you follow these instructions you’re making an attackers job much more difficult.

SRWare Iron Browser – A Private Alternative To Chrome?

Iron Browser claims to eliminate “critical points that the privacy concern”, in other words it’s trying to solve Chrome privacy issues.

A noble endeavor. Or at least it would be if there were any credible aspect to the program. The labels “scamware” and “scareware” are fitting here.

Iron v Chrome

The SRWare Iron Browser website has a page called “Iron Vs Chrome” that ‘matches up’ the privacy features. This is actually the easiest thing to point to in order to say “wow, this browser really is bullshit.” The Iron Vs Chrome page is riddled with misinformation and false implications – it’s incredibly blatant that the Iron developer is using scare tactics here.

1) Installation-ID

This is the only privacy ‘concern’ that isn’t optional. Some facts:

  • The installation ID only runs once and then it’s removed.
  • The installation ID contains no personal information, it’s gibberish

2) Suggest

Suggest is referring to the omnibox suggestions. In order to predict what you’re searching for Chrome sends the text in the URL bar to the default search engine (Chrome has no default search engine, you choose on installation.) You are then subject to that search engine’s privacy restrictions; I use DuckDuckGo so it’s really them logging me.

This is entirely configurable. You can disable it with absolute ease. All the Iron browser has done is disable the option by default and removed the ability to enable it. To disable it check the Chrome Privacy Settings.

3) Alternate Error Pages

The Iron browser developer is really reaching with this one. When Chrome hits a page that can’t be reached it replaces the error message.

A few facts:

  • Navigation errors are first checked locally.
  • Only a hash is sent to google.
  • All GET parameters are removed.

And, of course, it can be easily disabled. Again, all Iron has done is disable a feature and not give you the option to add it back.

4) RLZ-Tracking

The RLZ string is an encoded string that contains no identifying information. It’s used purely to gauge how well promotional campaigns did, i.e. if an ad runs on Monday they want to know how many people downloaded it Tuesday. That’s the kind of information in the RLZ string, and the source code is provided to decode the RLZ and look inside.

It couldn’t really be less malicious unless you have a problem with Google knowing that someone out in the wide world downloaded their browser on a Tuesday.

You can disable this on Linux. Not Windows. It also doesn’t even exist in typical builds downloaded from Google’s website, only for builds having to do with marketing campaigns.

The RLZ String doesn’t actually exist in Chromium, the browser Iron is based on.

5) Google Updater

Another big reach. Iron is now claiming that this is a privacy failure. I literally have absolutely no idea what the hell this guys point is for this one so it’s incredibly difficult to refute. The updater is open source. At this point it should be clear that the developer has 0 credibility and is just pulling things out of his ass.

6) URL-Tracker

Google stupidly named this feature “URL-Tracker” which sounds really awful. It’s really not, and they just picked a horrible name.

Basically the URL Tracker connects to three random sites. It does this to check your DNS configuration in order to tell whether your DNS tries to resolve error pages or if Chrome should. Nothing scary here and it’s handled in a very nice way.
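To make the URL-Tracker’s job concrete, here is an added example (mine, not Chrome’s or Iron’s code) of the same idea: resolve a few random, nonexistent hostnames and see whether the resolver hands back a real address for all of them, which is the signature of a DNS provider that rewrites “no such domain” into its own landing page. The single-label probe names, the two-of-three agreement threshold and the constructed resolvers are assumptions made for this example; Chrome’s exact probe format and threshold are not stated on this page.

```python
import secrets
import string
from collections import Counter
from typing import Callable, Dict, List, Optional

# A resolver maps a hostname to an IPv4 address string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def random_probe_name(length: int = 10) -> str:
    """Return a random lowercase label that is almost certainly not a real host.

    Single-label names are this example's assumption; Chrome's real probe
    format is not documented on the page this accompanies.
    """
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


def detect_nxdomain_hijack(resolve: Resolver, probes: int = 3,
                           agreement: int = 2) -> Dict[str, object]:
    """Look up `probes` random names and report hijacking when `agreement` or
    more of them resolve to the same address. The threshold is an assumption
    made for this example, not Chrome's documented value."""
    names: List[str] = [random_probe_name() for _ in range(probes)]
    answers: Dict[str, Optional[str]] = {name: resolve(name) for name in names}
    addresses = [ip for ip in answers.values() if ip is not None]
    hijacked = False
    landing_page: Optional[str] = None
    if addresses:
        landing_page, count = Counter(addresses).most_common(1)[0]
        hijacked = count >= agreement
        if not hijacked:
            landing_page = None
    return {"names": names, "answers": answers,
            "hijacked": hijacked, "landing_page": landing_page}


def system_resolver(name: str) -> Optional[str]:
    """Resolve through the operating system (does network I/O)."""
    import socket
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed resolvers so the check can be exercised offline.
def honest_resolver(name: str) -> Optional[str]:
    """A resolver that correctly returns NXDOMAIN for nonsense names."""
    return None


def hijacking_resolver(name: str) -> Optional[str]:
    """A resolver that rewrites every NXDOMAIN into an ad landing page."""
    return "203.0.113.10"  # constructed TEST-NET-3 address


if __name__ == "__main__":
    for label, resolver in (("honest", honest_resolver),
                            ("hijacking", hijacking_resolver)):
        print(label, detect_nxdomain_hijack(resolver))
```

Run it against `system_resolver` to test the resolver you are actually using; a result of `hijacked: True` means the browser cannot trust “this site does not exist” answers from that DNS server and has to show its own error page instead.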

So, we’ve now discredited the Iron browser in terms of its use. Obviously it offers absolutely nothing to the user in terms of privacy – the only thing it adds is a slightly modified UI, the ability to block ads from a file, and the ability to change your user agent (something you can do from the command line with Chrome already); basically it adds absolutely nothing an extension wouldn’t. I personally think it’s time to discredit the developer on a more personal level, because, honestly, the project just really annoys me.

Why Does Iron Exist?

Since the Iron browser provides nothing to the user you have to ask yourself, why does it exist? Very simple, and a bit obvious – money. The Iron developer plays off of users’ fear, creating ‘privacy issues’ where none exist in order to turn a profit. And how does he get money? Very ironically he uses Google AdSense.

In a conversation with Chromium devs the Iron developer essentially states that he has no interest in making commits to Chromium to improve privacy and is only after the ad revenue.

<mgreenblatt> Iron.. why not propose a patch based on preprocessor defines that disables the sections you dislike without forking the code?
<Iron> because a fork will bring a lot of publicity to my person and my homepage 
<Iron> that means: a lot of money too ;)
<Iron> i dont take money for my fork 
<Iron> but i have adsense on my page ;) 
<Iron> a lot of visitor -> a lot of clicka > a lot of money ;)
<Iron> we are here in germany 
<Iron> the press will love my fork 
<Iron> i talked to much journalists already 
<DrPizza> Why are you forking? 
<DrPizza> to do what? 
<Iron> to remove all things in source talking to google ;) 
<jamessan> to get fame and fortune 
<Iron> nobody here trusts google 
<Iron> the german people say: google is very evil 
<jamessan> yet you use google's adsense

Sure seems trustworthy! Yes, that’s the Iron developer outright saying that he’s playing off of fears rampant in Germany and he’s in it for the adsense money. If you’re supporting the Iron browser you are supporting a product that provides a false sense of privacy, it outright degrades what privacy is about – disclosure and integrity.

I’m a pretty crappy programmer and I could probably do what Iron’s done. It’s just deleting a few snippets of code, adding in a bit of Iron code (like automatically bookmarking his webpage with ads), and the few features added that could easily be replicated by extensions. Of course, the developer hasn’t really released the source code in forever so… yeah… that also brings me to my point of it not exactly being open source. I think the last I checked I couldn’t find source code for any recent version of Iron.

Chrome and Chromium are pretty privacy oriented. At least to a fair extent. There’s a Chromium privacy team and they are very responsible. I’ve personally bugged Mike West with my questions on multiple occasions and he’s been nothing but quick to respond and helpful, which has led to a bug fix or two. Recently I dealt with another member of the Chromium privacy team and got another feature request for privacy, which they took seriously instead of simply saying “no go away.”

The Iron browser is a scam and the developer is using you. It’s snake oil and it’s dangerous. You’re going to be slower to patch and you’re going to think you’re ‘more private’ when you aren’t.

The defense for Iron is that it has a “privacy by default” configuration, that users may not want to “research” to find out how to make Chrome meet Iron’s configuration. It should be plainly obvious that if a user has taken the time to look for Iron it’s a very short step to find guides that explain how to uncheck the boxes clearly marked in Chrome’s settings. The Iron developer is blatantly disingenuous with the claims made, quite a few of which (as you can read above) are just ridiculous.

Don’t support scamware. If you see someone recommending the Iron browser simply link them to some information.

I’ve seen a lot of referrer info from this post on websites and I’m very pleased to say that users are consistently dropping Iron when presented with the facts. PCLinuxOS has dropped the Iron browser from their repositories after reading this post.

For updates and other articles follow me on Twitter: @Insanitybit

Sources

https://static.googleusercontent.com/external_content/untrusted_dlcp/www.google.com/en/us/intl/en/landing/chrome/google-chrome-privacy-whitepaper.pdf

http://neugierig.org/software/chromium/notes/2009/12/iron.html

http://echelog.com/logs/browse/chromium/1262127600 (IRC log)

mikewest.org/2011/09/chrome-privacy

mattcutts.com/blog/google-chrome-communication/

http://blog.chromium.org/2010/06/in-open-for-rlz.html

Chrome Security Tip

I’ve written a full guide for locking down Chrome but I’d like to point this piece out in particular.

We can set Chrome to block JavaScript globally and then allow it by top level domain (i.e. .com, .org.) This means that we can block JavaScript on many sites without it bothering us. By blocking JavaScript on domains like .ru and .cn we actually block a fair amount of pages that could otherwise be used against us.


Notice that I’ve done the same thing with plugins.


Hackers will often attack a legitimate page (which might be whitelisted) and then open a separate frame to an exploit page, which could have a top level domain of .ru or .cn or whatever. This would instantly kill that exploit.
The nice thing about this little tip is that you’re unlikely to run into a TLD that’s legitimate but not whitelisted so you’ll rarely have to interact with the system, it works silently.

Fixing A Broken CA System – Perspectives And Convergence

Certificate Authorities (CAs) issue signed digital certificates that websites can use to do two things. They provide encryption and verification – the connection between you and the server is encrypted and the Certificate Authority has verified that the website is ‘legitimate.’ Encrypting the connection attempts to stop Man In The Middle attacks (MITM.)

Man In The Middle

A Man In The Middle attack is when an attacker gets between you and the server and reads or interferes with the data. This means that the attacker can read passwords sent to a website, read an email, read anything. They can also redirect you to an exploit page or change the information in other ways.

If the information is encrypted, as it is with SSL, then MITM attacks are more difficult (more on cracking and bypassing SSL in another post.)

Why The CA System Is Broken

If the entire web were encrypted and verification were a perfect process and CAs couldn’t be hacked or tricked it would all work beautifully. Obviously all of this is impossible, so the system has to change.

Comodo and VeriSign make up the vast majority of certificates used for websites. Between the two of them they hold the majority of the CA market share but neither one has a pristine record for security. Comodo was hacked by someone who is most likely a novice hacker and VeriSign has accidentally issued certificates to malware in the past. They aren’t the only ones to have been hacked; DigiNotar brought a lot of press to the situation when they were hacked, and for all we know this has happened without users finding out.

There’s also the problem of trust – we can’t really trust every single CA. Some CAs have handed out certs that allow MITM attacks for companies/ government to spy on users.

Servers can sign their own certs but then a user has no way of knowing if the cert is legitimate (hackers can provide one) and browsers will give tons of warnings about it.

The Solution

Convergence essentially works by checking the certificate against notaries. These various notaries all have information on the certificate and if the information doesn’t match you can assume that there’s something wrong. Instead of verification happening on the CA level it’s handled by many different independent notaries.

Users have full control over which notaries they use. Whereas on WordPress I’m forced to take Godaddy.com’s word on this website being legitimate with Convergence I could choose any notary I like.

CAs could act as notaries as well but the current system has the two segregated. This may not always be the case.
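The notary idea is easier to reason about with a small working model, so here is an added example (my own simulation, not Convergence’s code or protocol). The client fingerprints the certificate it was shown, asks the notaries it chose what fingerprint they saw for that host, and refuses to trust a certificate that any notary contradicts or that too few notaries have seen. The certificate bytes, notary names, their recorded observations and the two-notary agreement threshold are all constructed for the example.

```python
import hashlib
from typing import Dict, List

# hostname -> certificate fingerprint that a notary observed for it
Observations = Dict[str, str]


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER bytes, as hex."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed stand-ins for DER certificates (not real certificates).
GENUINE_CERT = b"constructed DER for example.org issued by its real CA"
FORGED_CERT = b"constructed DER for example.org issued by a compromised CA"

# Constructed notary state: each notary previously connected to example.org
# from its own network vantage point and recorded the certificate it was shown.
NOTARIES: Dict[str, Observations] = {
    "notary-a.example": {"example.org": fingerprint(GENUINE_CERT)},
    "notary-b.example": {"example.org": fingerprint(GENUINE_CERT)},
    "notary-c.example": {"example.org": fingerprint(GENUINE_CERT)},
}


def verify_with_notaries(host: str, presented_cert: bytes,
                         notaries: Dict[str, Observations],
                         min_agreeing: int = 2) -> Dict[str, object]:
    """Compare the certificate this client was shown with what the chosen
    notaries saw. Trust requires at least `min_agreeing` matching notaries and
    no contradicting one; the threshold is this example's assumption."""
    seen = fingerprint(presented_cert)
    agree: List[str] = []
    disagree: List[str] = []
    unknown: List[str] = []
    for name, observations in notaries.items():
        recorded = observations.get(host)
        if recorded is None:
            unknown.append(name)      # notary has never looked at this host
        elif recorded == seen:
            agree.append(name)        # same certificate from its vantage point
        else:
            disagree.append(name)     # a different certificate: possible MITM
    trusted = len(agree) >= min_agreeing and not disagree
    return {"host": host, "fingerprint": seen, "trusted": trusted,
            "agree": agree, "disagree": disagree, "unknown": unknown}


def choose_notaries(all_notaries: Dict[str, Observations],
                    names: List[str]) -> Dict[str, Observations]:
    """The user, not a CA, decides which notaries count."""
    return {name: all_notaries[name] for name in names}


if __name__ == "__main__":
    print(verify_with_notaries("example.org", GENUINE_CERT, NOTARIES))
    print(verify_with_notaries("example.org", FORGED_CERT, NOTARIES))
```

The forged certificate fails even though, in the CA model, a certificate from a compromised CA would chain to a trusted root just fine: the notaries saw something different from their vantage points, and that disagreement is the whole signal.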

If you’re looking to install Convergence it’s Firefox only and Google (Microsoft, Apple) has not shown interest in supporting it.

The Definitive Guide For Securing Chrome

This is Part 2 in a series where I’ll be detailing various settings for specific programs and operating systems. For Part 1 (Firefox) click here. I won’t get to do the Ubuntu/ Windows guides today as both of those will probably take days on their own – don’t expect them before Monday.

Chrome

Google Chrome is based on the open source Chromium project. It differs in that it includes Adobe Flash Player, a PDF viewer, an auto-updater, as well as support for closed source codecs. Chrome makes use of a sandbox based on OS-provided MAC. On Linux it uses a SUID, PID, and Chroot sandbox with Mode 2 Seccomp filters and on Windows it uses various levels of Integrity Access Control.

Chrome is the browser that I consider to be most secure and in this guide I’ll be showing how to lock it down further.

I am choosing Chrome and not Chromium due to including Flash and handling updates automatically.

Privacy Settings

Chrome enables certain features that users may feel pose a privacy concern. You can enable and disable these features in the Chrome -> Settings -> Advanced Settings page.


Those are my specific settings but you can enable/ disable as you please. See this link by Matt Cutts to understand communications to Google from Chrome.

To make Chrome more private click on the Content Settings.

Chrome allows for a fair level of control over what websites can and can not do. You can disable third party cookies from being set entirely and you can blacklist/ whitelist sites from setting cookies at all.


Next you can type about:flags into the URL bar.

Go enable the feature labeled:

Disable sending hyperlink auditing pings.

Enabling this disables hyperlink audit pings, which can be used to track users.

LastPass

Chrome does not include a master password feature so you’ll have to use LastPass for something similar. I’ve posted a guide to setting up LastPass here.

Adblock Plus

As Chrome does not yet implement a Do Not Track feature if you’d like to use it you need to install Adblock Plus, which will block ads and tracking.

I also suggest you use this filter to block tracking.

UPDATE: Chrome now supports Do Not Track in the Privacy settings.

Security Settings

Credit to m00nbl00d here.

We can set Chrome to block JavaScript globally and then allow it by top level domain (i.e. .com, .org.) This means that we can block JavaScript on many sites without it bothering us. By blocking JavaScript on domains like .ru and .cn we actually block a fair amount of pages that could otherwise be used against us.


Notice that I’ve done the same thing with plugins. Something I personally like to do is set Click To Play, and not whitelist any sites. This is a wonderful way to prevent attacks. My recommendation is Click To Play and no whitelist.
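The same block-by-default, allow-by-TLD setup (described both in the Chrome Security Tip post above and in this guide) can be pushed out as a managed policy instead of clicked through the UI, so here is an added example of my own, not m00nbl00d’s or Chrome’s code. `DefaultJavaScriptSetting`, `JavaScriptAllowedForUrls` and `DefaultPluginsSetting` are real Chrome enterprise policies; the numeric values (1 allow, 2 block, 3 ask/click to play), the `[*.]suffix` pattern semantics reimplemented in `pattern_matches`, and the assumption that TLD-only patterns behave like any other suffix are things to verify against the policy list for your Chrome version. The URLs in the test are constructed.

```python
import json
from typing import Dict, List
from urllib.parse import urlsplit

# Content-setting values as used by Chrome's enterprise policies
# (1 = allow, 2 = block, 3 = ask, which for plugins means click to play).
# Verify these against the policy list for your Chrome version.
ALLOW, BLOCK, ASK = 1, 2, 3


def build_policy(allowed_tlds: List[str]) -> Dict[str, object]:
    """Build a managed-policy dict: JavaScript blocked by default, allowed only
    for the given top-level domains, plugins set to click to play everywhere."""
    patterns = ["[*.]" + tld.strip().lstrip(".").lower() for tld in allowed_tlds]
    return {
        "DefaultJavaScriptSetting": BLOCK,
        "JavaScriptAllowedForUrls": patterns,
        "DefaultPluginsSetting": ASK,   # click to play, no plugin whitelist
    }


def pattern_matches(pattern: str, host: str) -> bool:
    """'[*.]suffix' matches the suffix itself and any label under it.
    This mirrors Chrome's content-settings pattern syntax as an assumption."""
    if pattern.startswith("[*.]"):
        suffix = pattern[4:]
        return host == suffix or host.endswith("." + suffix)
    return host == pattern


def script_allowed(policy: Dict[str, object], url: str) -> bool:
    """Decide whether JavaScript would run for `url` under `policy`.
    Framed exploit pages on other TLDs, and bare-IP hosts, fall through to the
    global block because no allow pattern matches them."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return False
    if any(pattern_matches(p, host) for p in policy["JavaScriptAllowedForUrls"]):
        return True
    return policy["DefaultJavaScriptSetting"] == ALLOW


def policy_json(policy: Dict[str, object]) -> str:
    """Serialize the policy; on Linux Chrome reads managed policies from
    /etc/opt/chrome/policies/managed/*.json."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = build_policy([".com", ".org", ".net"])
    print(policy_json(policy))
    for url in ("https://www.example.com/login", "https://exploit.example.ru/",
                "http://203.0.113.5/"):
        print(url, "->", "run" if script_allowed(policy, url) else "blocked")
```

Note the `example.com.ru` case in the test: an attacker-controlled host that merely contains a whitelisted TLD as an inner label does not match, because the pattern anchors on the end of the hostname.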


HTTPS-Everywhere

HTTPS-Everywhere is an extension developed by the EFF (Electronic Frontier Foundation) that aims to force HTTPS on all sites that make it available.

Many sites, like WordPress, offer HTTPS but don’t default to it. HTTPS-Everywhere will block and redirect requests so that you end up using the HTTPS version.

HTTPS means that the traffic between you and the server is encrypted. That means that no one besides you and the server gets to read or manipulate the data.

This prevents MITM attacks that can be used to sniff passwords or even compromise the machine by redirecting your request to an exploit page.

HTTPSwitchBoard

HTTPSwitchBoard is another Chrome extension aimed at providing a more private and secure browser. The extension allows you to limit requests that the browser makes for a wide variety of content – you can allow a website to load its CSS/images and nothing else, or add in scripting, plugins, video tags, etc on a per-request basis.

It’s quite easy to use, maintains a great blacklist that makes whitelisting safe and easy, and is much faster than conventional content blockers.

https://github.com/gorhill/httpswitchboard


AppArmor (Linux Only)

Chrome does not have an AppArmor profile by default on any distro that I know of. You’ll have to make one, so have a look at this guide.

Chrome already makes use of a powerful sandbox on Linux but making use of AppArmor is a good idea. There isn’t a ton of up to date documentation on the Linux sandbox so while we can gather that it’s pretty strong we shouldn’t trust it and therefore AppArmor is a very good idea. What we do know is that the Chrome sandbox makes use of chroot, a call that requires root privilege, so I’m not sure how they’re accomplishing this (I think they use a separate UID for this and then drop from root) but either way I don’t want anything that can chroot and chmod having access to more of my system than it needs.

Seccomp (Linux Only)

Chrome now uses Seccomp filters for plugins. Read about seccomp here.

PPAPI Flash Player

UPDATE: Chrome now uses the PPAPI Flash Player by default, which comes in a very powerful sandbox. Make sure you have your Flash using only PPAPI in chrome://plugins.

Remember

Chrome doesn’t update anything other than itself and Flash so make sure to keep your Java, Silverlight, or any other plugins up to date as well as the underlying operating system. And make sure to set your plugins to Click To Play.

And Of Course…

If I’ve missed anything let me know. I don’t think I’ve missed anything worth putting it. I’ve purposefully left ScriptNo (now SafeScript) out as I can’t attest to it actually working correctly 100% of the time and it doesn’t have many important features built into NoScript. I think that m00n’s Javascript trick works fine.

Browser Wars – Everyone Else Does It

Browser Wars – Security Style

Browser wars are monthly blogs (typically following the latest release of a browser) that basically pit the latest versions of today’s browsers against each other. It’s kinda lame and I feel like a tool for doing it but I’m also really bored and I think browsers in the context of security are awesome.

So, let’s start.

What Makes A Program Secure?
In an ideal world we humans would be perfect and our code would be perfect and vulnerabilities wouldn’t exist. This is not an ideal world and we are not perfect nor is our code. Vulnerabilities do exist and for the foreseeable future this will not change. So what do we do to secure programs if they’ll always be full of holes? We accept that those holes are there and we make it as hard for hackers to make use of them as we can. There are various ways to accomplish this.

So What About Browsers?
Browsers aren’t typical programs. They’re fast paced, constantly changing, plugin-filled conduits to the wide open internet. By design they take in untrusted code. They’re just dangerous and that’s why they’re so great to look at for security.

Internet Explorer 9
Internet Explorer has laughable security, right? I mean, hey, IE6 on XP was terrible and nothing’s changed. Not exactly. Microsoft has learned from their (massive, gaping) mistakes and then some. IE9 is no IE6 by any stretch of the imagination. It’s got a multiprocess architecture that allows for tabs to be separated into low-rights processes, which means that an exploit in a tab is confined to that low-rights process.
On top of that IE9 has a new version of SmartScreen, a URL and File Blacklist based on “File Reputation” and heuristics. There hasn’t been a formal study other than the one by NSS Labs on this that I know of but NSS Labs gave a remarkable score of blocking 96+% socially engineered malware (compared to trivial scores hovering around 13% for other browsers.)
As I recall Adobe Flash also runs at low integrity when used with IE9.
The low rights sandbox and smart screen make IE9 a very secure browser.
IE is Windows only and closed source.

Mozilla Firefox 4.0+
The Firefox browser, which is developed by Mozilla, is a free and open source browser that’s been very successful. In terms of customizing UI and features Firefox is top notch and it blows Chrome and IE9 out of the water in that respect. In terms of security it is… lacking.
Firefox does implement modern techniques like ASLR, DEP, and SEHOP and it even forces ASLR on toolbar binaries.
It also makes use of the Safe Browsing API 1.0, which (last I checked) blocks something like 15-20% of malware downloads.
Firefox does not implement any “extraordinary” security measures. There is no sandbox, there is no special file reputation whatever or special memory hardening technique. There’s just nothing that really stands out about Firefox.
Firefox users are able to make use of the NoScript extension, which is potentially a really great tool, but it’s not exactly accessible for the average user and I’m partial to security features that don’t bug me.
Linux users can make use of a “whole-browser” sandbox via Apparmor/LSM. A profile is provided by default on Ubuntu but it may take some tweaking, I highly recommend you check out AppArmor for your browser – check out my guide here.

All in all, I want to love Firefox, but I can’t really give it a ton of credit here.

Google Chrome X.XXX.XX.XXXX+ (or whatever)
Google Chrome is the (relatively) new player in the browser market. At only 3 and change years old it’s had a pretty impressive start, now holding market share close to Firefox. Chrome is based on Chromium, which is an entirely open source project – the difference being that Chrome packages Flash, a PDF viewer, and an update manager (on Linux it also packages support for closed codecs.)
It uses the Safe Browsing API 2.0, which includes a file reputation module. I think NSS Labs puts it up around 40% block rate. Again, there hasn’t been what I would consider a formal study on this.
Chrome’s main feature is a sophisticated sandbox based on the Windows integrity access control and job tokens. It is similar in architecture to IE9’s sandbox but the restrictions are much tighter, with the renderer having no file access and most of the browser running at the absolute lowest rights possible on Windows.
Chrome also sandboxes the GPU process and all extensions. Each has its own separate process.
Chrome sandboxes the Flash plugin (responsible for a large number of infections) and will soon include a much more powerful sandbox for Flash via PPAPI (the Pepper Plugin API, which is in beta 20.)
On Linux Chrome makes use of a namespace and chroot sandbox as well as the seccomp mode 2 filters. This allows for a strong sandbox, it’s very tight. Apparmor profiles exist for it, which are useful as they’ll even restrict the zygote process. The weakness is that the zygote process must be setUID, which is why an apparmor profile is suggested.
Chrome also limits inter process communication between it and the Java plugin, which can potentially prevent Java exploitation though it’s uncommon.

Opera 11.x
Opera is the lonely browser. On a good day it gets 4% of the market. It’s got something of a cult following and boasts pretty nice performance and a ton of features built in. As with Firefox it’s pretty lacking when it comes to security.
Opera is closed source and there isn’t a ton of documentation for security. There does not seem to be anything special about it.
No sandbox (there might be one on Linux actually but I’m not sure), not too great at filtering malware (I think NSS labs had it at 0-5%, again there needs to be more formal studies here.)
Closed source doesn’t inspire confidence either frankly.

I can’t really suggest Opera if you’re looking for security.

Conclusion:
I guess I should order them or rank them or something – answer that “Which browser is most secure?” question. I won’t try to apply anything numeric to this, that would be dumb, the system is basically an amalgamation of the above and my own personal beliefs on security.

Greatest to least: Chrome, IE9, Firefox, Opera.

I think it’s pretty close between Chrome and IE9. Firefox with NoScript and Apparmor is a pretty secure browser but for a defense in depth approach I’ve got to go with Chrome. It’s dependent on what you’re trying to secure against – when it comes to system compromise you’ll want Chrome but if it’s about preventing XSS/Clickjacking Firefox with NoScript is the way to go.

There you have it. My opinion.

I left a lot out. JIT hardening isn’t something worth measuring as the JavaScript VMs all work pretty differently and it just doesn’t apply. I didn’t bother going into ASLR or other mitigation techniques; all of the browsers have these by default at this point and the differences are subtle and in the implementation. I didn’t go into privacy, incognito/ private browsing modes, not much into extensions (this could be its own post), and some other stuff too. So consider this a very simple rundown on security. Even if I were to include everything the results would be the same, you’d just be better informed.

I’m also not going into IE10, which will include some fairly significant security improvements.

Choose the browser that is right for you. Maybe that’s the one that you think is most secure, maybe it’s the one with the UI you like best, or really any other reason. It’s your choice and it’s entirely up to you.
Sources:
http://www.accuvant.com/blog/2011/12/05/which-web-browser-is-most-secured
https://www.nsslabs.com/assets/noreg-reports/2011/nss%20labs_q3_2011_browsersem%20GLOBAL-FINAL.pdf [PDF]
http://windows.microsoft.com/en-US/windows-vista/What-does-Internet-Explorer-protected-mode-do

LastPass – Secure Password Storage And Syncing

If you’re using a modern browser you very likely have some kind of sync option so that when you log in you’ll have all of your passwords, no matter what computer you access. This is great but the security issues that go along with syncing your passwords, the keys that unlock every important piece of data, should be apparent. Thankfully Chrome and Firefox handle password syncing very securely but if you’re looking for an alternative method  and the highest level of security possible you might want to check out LastPass.

What Is LastPass?

LastPass is a browser extension that will handle all password autofill, autogeneration, and synchronization for the browser. It encrypts the data locally, then transmits it through asymmetric encryption, and then encrypts it again server side. Your master password is never transmitted and it handles it in a cryptographically secure way (PBKDF2 stretching with SHA256 and 500+ rounds along with AES.)

See this post on how to create a strong password before reading further.

How Do I Set LastPass Up?

Installation is easy.

https://lastpass.com/misc_download.php

That page will show you the extension you can download.

Once it installs you should be greeted by a page that asks for an email (provide one you actually check) and a master password. See this post on password generation.

It will also ask for a password reminder. I highly suggest you don’t bother with this. Enter in gibberish if you’d like. It’s much more important to actually create a memorable password than give a reminder that will provide valuable information to an attacker. If you feel it’s necessary make it as vague as possible.

After that’s done it’s a matter of:

1) Entering in usernames/ passwords (you can automate this on Windows with the binary extension.)

2) Deleting the passwords from your browser and disabling password sync.

Once you’ve done this I suggest you go to your LastPass ‘Vault’ where you can change a few settings.


You’ll see “Increase Iterations” and I suggest you change it to 1000. Any higher and some mobile devices/ very old systems won’t handle it. I’ve found I can go as high as 25000 before my single core CR48 slows down when I enter the MP. If you don’t use a mobile phone or anything weaker than a 1.6 GHz Atom you might want to try higher than 1,000 rounds.

What increasing the iterations does is slow down bruteforcing. It’s one of the best features of LastPass as you can even increase to as high as 100,000 rounds.
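To see what the iteration count buys you, here is an added example (mine, not LastPass’s code) that derives a key with PBKDF2-HMAC-SHA256, the stretching named above, and measures how many master-password guesses a machine can test per second at 500, 1000 and 25000 rounds. Using the lowercase account email as the salt, the 32-byte output length and the 26^12 keyspace are assumptions made for the example, not LastPass’s documented construction.

```python
import hashlib
import time


def derive_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 stretching of the master password.
    Salting with the lowercase account email is this example's assumption."""
    return hashlib.pbkdf2_hmac("sha256",
                               master_password.encode("utf-8"),
                               email.lower().encode("utf-8"),
                               iterations, dklen=32)


def guesses_per_second(iterations: int, samples: int = 20) -> float:
    """Measure how many candidate master passwords this machine can test per
    second at the given iteration count (an attacker with the vault has to pay
    the same cost per guess)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"candidate-{i}", "user@example.com", iterations)
    elapsed = time.perf_counter() - start
    return samples / elapsed if elapsed > 0 else float("inf")


def brute_force_years(iterations: int, keyspace: float) -> float:
    """Expected time to exhaust `keyspace` guesses on this machine, in years."""
    rate = guesses_per_second(iterations)
    return keyspace / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed scenario: a 12-character lowercase master password, 26**12 guesses.
    space = 26 ** 12
    for rounds in (500, 1000, 25000):
        print(f"{rounds:>6} rounds: ~{guesses_per_second(rounds):,.0f} guesses/s, "
              f"{brute_force_years(rounds, space):.2e} years to exhaust 26^12")
```

Doubling the rounds halves the attacker’s guess rate and costs you one extra key derivation when you type the master password, which is why raising the count is cheap for you and expensive for them.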

I don’t really mess with the other settings, they’re fine by default. Feel free to check them out though and tweak to your liking. If you think I’ve left out a key feature just leave a comment and I’ll edit it in.

And that’s all there is to it. LastPass will now save, autofill, and sync your passwords. It’ll even make suggestions for new passwords.

Get Free LastPass Premium (for both of us!) for one month with this link: https://lastpass.com/f?420446

Three Simple Steps To Stay Private Online

Privacy is definitely a big issue lately. People are starting to realize how much information they really put out there, and it can be scary. The thing is, most people also don’t really care enough to do anything about it and trying to attain significant levels of privacy is just a huge pain (TOR, VPN, whatever.) That’s why I’ll just list three incredibly quick and painless ways to help stay a bit more private online.

Block Third Party Cookies

Third party cookies are used to track a user across multiple sites. They really don’t serve too much of a purpose except for tracking.

Chrome:

Wrench -> Settings -> Show Advanced Settings -> Content Settings -> Block Third Party Cookie and Site Data

Firefox:

Edit -> Preferences -> Privacy -> Set “Firefox Will” to “Custom Settings” and uncheck “Accept Third Party Cookies”

Install Adblock Plus With Privacy Filter:

Adblock Plus is available for Chrome and Firefox. It includes Do Not Track and can make use of privacy specific filters.

Get Adblock Plus for: Firefox | Chrome

Then go to: http://adversity.uk.to/ and install the “Antisocial” list.

Use Private Browsing/ Incognito Mode

This may seem obvious to some but many people aren’t aware that there are “private browsing” modes provided by their browsers.

These private sessions won’t store any information on your computer about what sites you’re visiting and are useful for keeping your session private from anyone else who has access to the computer.

Chrome: Control + Shift + N

Firefox:  Control + Shift + P

These are just three very simple steps to help you maintain privacy while you browse. They aren’t “perfect” and there are still issues to be worried about but for the average user I think the above information will suffice.

So Why Aren’t Third Party Cookies and Ads Blocked By Default?

I think people need to understand that by blocking ads and tracking you are fighting the one thing that keeps the internet alive. Websites are run by ads. The world, really, is run by ads but that’s a bit out of scope.

The point is that if you’re on a website you like go ahead and whitelist it with Adblock Plus. Maybe you’ll see an ad you like and they’ll get a bit of cash so that they can continue to providing you with that site.

Sources:

https://www.cdt.org/privacy/20090804_browser_rpt_update.pdf

adblockplus.org