How to browse the web safely in 2010 and hopefully a few more years yet

Browsing is now so commonplace that it represents an 'always open' door to intruders and in many cases, simply VISITING a 'bad' SITE can CAUSE an INFECTION! That is why so many spam e-mails simply have a tempting link inside them!

To reduce these threats there are many, many opinions and options but one approach which will defeat many of the attacks can be used with any of the protective technologies and make the consequences significantly lower...

Using two browsers may sound tricky and complex but the underlying value of not sharing ANY information between your most important group of sites and any other that you might happen to visit is so worthwhile it not simply justifies the effort - it helps surfers to make conscious decisions about many other aspects of security which will also be of benefit to them.

Many technical people will be saying 'this is old news' because they switched to using Firefox (or Opera or etc...) several years ago. The difference about this approach is that you actually use Microsoft's Internet Explorer (MS IE) for YOUR MOST VALUABLE SITES which will be controversial given the bad press that MS IE has had over the past decade.

In the bottom right of an IE7 window the above shows the default Zone of 'Internet' while visiting an 'unknown', unclassified site This designation and associated privileges are importantly under YOUR control, the image below shows a site that HAS BEEN Trusted.

The 'trick' is to exploit the one crucially beneficial feature of MS IE that has never been adequately promoted - the ability to designate web sites to ZONES that have very, very different security characteristics.

Most importantly it is possible to set the default security for any NEW web site to be very restrictive and therefore ONLY your trusted sites can have the use of the rich plethora of facilities within MS IE.

Needless to say - Microsoft has never dared to change most of those defaults because it 'breaks' web sites - i.e. they don't work or display properly if they are deprived of these privileges

The image to the right is usually anchored to the right of that above

The above shows the 'https' with a green background while visiting a site which has what is called 'Extended Validation' which is better regulated than ordinary security certificates

By doing this it turns MS IE from a potential death-threat into a safe environment BUT ONLY to interact with those sites that you trust both their integrity and their competence. Obviously that means that you categorically would not add any 'social networking' site or any similar type of site to those that you trust in MS IE.

At the very, very least you would only allow sites that can demonstrate their authenticity and commitment to integrity by having a 'green certificate' (see images to right) telling you that your interactions with their site are secure.

The use of an alternative browser for all other web browsing is now mainstream - the EU recently forced MS to prompt users to make such a choice. Firefox is now a de-facto second browser that all web developers have to support on any new web development but Google's Chrome and a browser called Opera are credible alternatives, see browser share for their demographics.

How easy is it to use and maintain this dual-browser approach

As you would expect - this appraoch has been evaluated and used 'in anger' by our staff and a small number of our customers for more than a year with plenty of feedback in the early days of usage.

The most important aspects of this to implement are:

1. Set-up of the zones - this can be as simple as one change to a setting in 'Internet Options' in your Control Panel - make the Security Setting of the 'Internet Zone' to be 'High' - the same as 'Restricted Sites' if you want to check what you are doing matches MS options
2. The other is making it easy to Add a site to an IE Zone because although there is likely to be less than a dozen sites that are in any way 'trusted' adding them isn't as easy as it should be

Additional benefits of the dual-browser approach

All browsers have an option (somewhere under Tools) to check that 'they' are the facility you wish to use when browsing the web. By choosing the NON-MSIE browser to be the (default) one it then means that if you click on a link in an e-mail or almost anywhere other than within MSIE you will find that your alternative (e.g. Firefox, Chrome or Opera) is used to launch the site.

This in itself is an improvement to your security in that those links can often be 'forged' to make them appear benign whereas the actually can lead to very dangerous sites which can infect your PC as soon as you arrive at them.

Further reading and thoughts for the advanced user

What about sites that ask for credit card or other payment details

Many sites ask for these details and it would be WRONG to trust them in the context of the above proposal because 80% of them are likely to be untrustworthy from a technical perspective and even if that was 20% - all it takes is ONE bad apple. Retailers tend to have very 'Lean and Mean' I.T. departments whereas banks can't afford to take that risk.

Just in case the reader didn't notice the problem - from memory it was 10 million customer account details stolen from TK-Max that set the record a year or two ago.

The solution to the online payment issue is to limit your losses and have them 'insured' at the same time - have a separate credit card which is only used on-line and have the credit limit set to the lowest amount that makes it viable for you. Make sure that the card you choose for the purpose has a good 'promise' on refunding any debits that arise from on-line fraud.

Making use of the Status Bar in IE to show the Zone

When the status bar is enabled (under View) the images above (on the left) showing the Zone are visible. One key benefit of naming the domains that you trust is that it is a relatively exact match and if someone has tried to trick you with a mispelt word then the web site will show up as 'Internet' - i.e. Unknown! Obviously if this happens then GO NO FURTHER as it is probably a 'bad' site attempting to get you to compromise your PC.

Use of the trusted Zone and/or the LAN (Local Area Network) Zone

To keep the above simple the author has not highlighted the fact that there are TWO zones which can be used to give privilege to designated sites. This is because the case is becoming more and more compelling to use dual browsers as a barrier to all sorts of attacks, even if only crudely exploiting cross-site scripting (Google "XSS exploit") which might simply steal your login details for other sites - see below.

This means that use of the intermediate (LAN) zone for 'semi-serious' web sites should not be tolerated because they could compromise one of those that you REALLY want to remain secure such as on-line banking, investments etc..

Launching browsers with limited user privilege to avoid infections

When our company is asked to secure a Windows XP PC then there are two approaches to be taken - the ultimate is to provide the user with a 'limited user' account which they use for day to day work, obviously including browsing. This is how Microsoft intended XP to be used - but in the early days - too many hardware and software vendors did not make the changes needed for this to be viable - Wireless 'dongles' were a classic example. After almost a decade Windows XP can usually be made to work adequately for most day to day work even as a LIMITED USER - this is the most secure approach.

When the user wishes to retain greater control over the system and doesn't want want to log in and out to switch accounts to do so then we have a small extension to Windows XP which launches a variety of programs with reduced privilege - MS IE, Firefox, Outlook Express, Messenger, Thunderbird, NetMeeting and several more. This is intended to stop basic web-based intrusions from making changes to your Windows XP system. As a simple example if you accidentally launched a program from your web browser that was trying to install software or makes changes to the registry itself then it would normally be blocked. This latter approach is not as robust as the 'pure' Microsoft Windows XP approach but has certainly stopped many such cases even if most of them WERE legitimate it has stopped several that were not.

With Windows Vista - User Access Control (UAC) allowed the switch between 'Limited User' and 'Administrator' via a pop-up which should not be onerous and therefore should be adhered-to and thought given whenever the pop-up arises.

Microsoft are keen to point out that Windows 7 is even more secure and much less onerous - we may need to wait until 2011 before we can judge how that has turned into reality or not... Windows XP Remote Assistance now provides in-work training and assistance, as and when needed to more than a dozen customers

What's Hot

Site Offers: