The Internet is not automatically a secure or safe place to be.
Various governments are monitoring a significant portion of Internet-based activities under the banner of protecting their citizens from terrorists or other adversaries. There are also APT (advanced persistent threat) groups actively seeking access to your communications, personal/private data, and online accounts.
We need to re-evaluate what it means to be secure in our online activities.
It is essential to be clear and distinct when discussing security. Security is not a singular concept, solution, or state.
It is a combination of numerous aspects, implementations, and perspectives. Security is usually a relative term with graded levels rather than an end state that an individual or organization can successfully achieve.
In other words, a system is never simply secure; it is always in the process of being secured. No system is immune to compromise. However, if one system's security is more daunting to overcome than another's, attackers may focus on the easier-to-compromise system.
When securing your online activities, you need to look at several specific aspects of security and apply technologies that might provide better protection.
Online security should address at least two commonly misunderstood issues:
Privacy is the protection of information about oneself against collection without knowledge or consent. Generally, privacy is the ability to provide confidentiality protection.
Anonymity is being able to communicate without revealing one’s identity. Another way of looking at these two terms is:
- With privacy, others cannot see what you are doing or communicating, but they can know who you are.
- With anonymity, others can see what you are doing or what you are communicating, but they don't know who you are.
These two concepts are often misunderstood. Usually, we want both privacy and anonymity. But, unfortunately, we typically have neither concerning our online activities unless we take deliberate actions to protect ourselves and secure our data.
When considering online security options, always have a goal or purpose for the security. Accidents, malicious code, malicious hackers, governments, and corporations can all be seen as threats to online security.
Only with a specific goal in mind can you choose the best responses. By knowing what you want to prevent, you can test whether or not that activity can still occur after implementing a security solution.
Here are 10 ways to improve your privacy while browsing the web:
1. Use a VPN
There is no entirely safe location on the Internet. Everything can be hacked by someone. But the worst place is your local connection.
The connection you use to reach the Internet is the most sensitive link in your connectivity chain. All of the data passing through your local Internet connection is definitively related to you, as being sent out by you or being requested for retrieval by you.
This initial link is also the location where DNS spoofing attacks, attacker-in-the-middle attacks, sniffing attacks, and hijacking attacks are most effective and targeted (at you!).
Not familiar with these terms? See our Cybersecurity Glossary of Terms.
You must make it a habit to protect yourself here. All of my other recommendations are helpful, but none of the other options will benefit much if you fail to protect your local link.
To protect your local link, you need to use a VPN.
A VPN (Virtual Private Network) is an encrypted network connection from your system to another system somewhere else over the Internet. This connection is used to pipe all of your Internet communications through an encrypted tunnel. A VPN provides local protection against attacks and attackers at or near your initial Internet link, including nosy neighbors, others in the coffee shop, rogue access points, and even unscrupulous ISP employees.
Using a VPN is not a complete solution, but it is the first step. When a VPN is in use, all of your traffic will leave and enter your system in a protected encrypted form.
2. Be Anonymous
A VPN (and most other encryption solutions) provide privacy, but they do not necessarily provide anonymity.
Either it is possible to trace traffic back through the VPN to identify your system, or the VPN provider maintains logs that contain your identity. To hide your identity when online, you must use an anonymization service.
One of my favorites is TOR (torproject.com).
The US Naval Research Laboratory originally developed TOR, but it is now managed by a non-profit. TOR is used to hide the IP address of your computer. TOR is free to use.
Note: Because TOR is used by attackers and is used by some to access criminal or illegal materials in the TOR cloud, it may be labeled as a hacking tool/service or a potentially unwanted program/application (PUP/PUA). However, TOR itself is just a tool and service and is not malicious code.
TOR is not a VPN, as it does not fully protect the contents of your communications. All data leaving a TOR exit node reverts to its original form (cleartext or encrypted) for its remaining transmission across the Internet to the destination.
TOR protects your IP identity by preventing the general Internet and most of the TOR cloud itself from learning your IP address. Instead, only the initial TOR system you connect to will know your IP address. As long as you do not identify yourself as you interact with sites or services (i.e., don't log in or use a browser with stored cookies), you can remain anonymous while using TOR.
TOR is not quite as simple to use as a VPN. With a VPN, all traffic in and out of your system goes through the VPN. With TOR, only those services and applications you configure to use the TOR proxy service will be routed through TOR. For example, if you configured Chrome to use TOR, then web activity through Chrome would be anonymous, while activities through Firefox would remain identifiable.
3. Pre-Encrypt Everything
Any data you move to an online location is at risk of being seen, copied, and changed. Sometimes this is precisely what you want, such as social network postings, discussion forums, image hosting sites, and so on. However, when you use online storage to host or backup personal, sensitive, or valuable files, you don't want others to have any access at all.
To add to the problem, many cloud service providers offer gigabytes of free storage for signing up with them. Naturally, it is tempting to grab all the free space offered, but you need to resist uploading everything to these cloud providers. At least, resist until you have encrypted your data locally.
Steve Gibson from Gibson Research Corporation, via his Security Now podcast, often uses the term PIE (Pre Internet Encryption).
PIE is not just a term, it is a rule to follow:
Always pre-encrypt your data before putting it on the Internet.
Anything placed on the Internet in non-encrypted form is without protection and out of your control. Only with your own encryption can you establish protection and retain control over your data files.
One option to consider is AES Crypt (www.aescrypt.com). This tool can be used to quickly encrypt any local file with a command-line or GUI operation. First, you select a password, which is converted (via a key-stretching process) into a 256-bit AES encryption key for locking down your file.
Once encrypted, the file (with a new .aes extension) can be safely put anywhere with no risk of compromise. When you need to regain access, download the file, then provide your password to the tool to decrypt back into the original form.
Other encryption tools to consider include:
4. Limit Social Networking
If being tracked by the bad guys or by browser cookies seems creepy, you also need to realize that social networking platforms are tracking you.
Social networks offer a wide range of services, but their primary business model is collecting demographic data about users to sell to advertisers.
Generally, if you get something for free online, then the product being sold is you. However, with the rise of social engineering attacks, adversaries are now harvesting data about you, your relationships, and your interests from social networking sites and services to craft more effective strategies and campaigns to separate you from your money, steal your identity, take over your account, or worse.
To minimize this activity and protect yourself in the process, you need to limit and adjust your social network activities.
Here are some good practices to adopt:
- Don't fill out your profile with identity information. Leave it generic or non-specific.
- Don't spend significant effort to like or share content on social media. The less you “like,” the less information is out there.
- Minimize your use of applications or add-ons within the service.
- Don't fill out surveys.
- Don’t participate in question games and gimmicks, such as those claiming, “Find out what type of character you are by answering these 20 questions.”
- Assess your profile settings regularly and minimize information disclosure approvals.
- Don't link your social networking profile to other sites or services, such as through federated authentication (i.e., using your Google, Facebook, or Twitter account to access other sites and services).
5. Secure Passwords
Too many online sites and services still "protect" your account with just a simple password. However, when more secure options are not available, you must take advantage of the offered password options.
Here are some critical steps to take:
- Use a secured, encrypted password manager. I use LastPass, but Bitwarden and 1Password are other good options.
- Secure your password manager with a 20+ character password constructed from five words you can remember; misspell at least one of them, then intersperse a symbol or two. NEVER use this password for any other purpose.
- Use the longest password allowed by the site.
- Use a random password generated by your password manager.
- Always use uppercase, lowercase, and numbers in your password. Use symbols when supported.
- Never use the same password twice.
Use long, complex, and random passwords everywhere. Since you will be using a password manager, you won’t need to memorize numerous long and complex passwords. Instead, you only need to memorize your primary password for the password manager.
A password manager is an essential tool for maximizing the little protection that passwords provide your online accounts. However, whenever a site or service offers multi-factor or multi-step options for authentication, use them. They may be a hassle and inconvenience at first, but they will become second nature to you eventually.
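The password rules above, as an added example that is not code from the article or from any of the password managers it names: the generator draws from the operating system's cryptographic random source, guarantees at least one upper-case letter, lower-case letter, digit and (when the site supports them) symbol, shuffles so those guaranteed characters do not land in predictable positions, and the same policy check can be run over any candidate password. The symbol set and the sample policy values are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Character classes from the article's rules: always upper, lower and digits;
// symbols whenever the site supports them. The symbol set is a constructed choice.
const (
	lower   = "abcdefghijklmnopqrstuvwxyz"
	upper   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	digits  = "0123456789"
	symbols = "!@#$%^&*()-_=+[]{};:,.<>?"
)

// randIndex draws a uniform integer in [0, n) from the OS CSPRNG. math/rand is
// the wrong tool for secrets: its stream is predictable from a small seed.
func randIndex(n int) (int, error) {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		return 0, err
	}
	return int(v.Int64()), nil
}

// GeneratePassword returns a random password of exactly `length` characters that
// contains at least one character from each enabled class.
func GeneratePassword(length int, useSymbols bool) (string, error) {
	classes := []string{lower, upper, digits}
	if useSymbols {
		classes = append(classes, symbols)
	}
	if length < len(classes) {
		return "", fmt.Errorf("length %d cannot hold one character from each of %d classes", length, len(classes))
	}
	alphabet := strings.Join(classes, "")
	out := make([]byte, 0, length)
	for _, class := range classes { // one guaranteed character per class
		i, err := randIndex(len(class))
		if err != nil {
			return "", err
		}
		out = append(out, class[i])
	}
	for len(out) < length { // the remainder from the whole alphabet
		i, err := randIndex(len(alphabet))
		if err != nil {
			return "", err
		}
		out = append(out, alphabet[i])
	}
	// Fisher-Yates shuffle so the guaranteed characters do not sit at fixed positions.
	for i := len(out) - 1; i > 0; i-- {
		j, err := randIndex(i + 1)
		if err != nil {
			return "", err
		}
		out[i], out[j] = out[j], out[i]
	}
	return string(out), nil
}

// MeetsPolicy applies the same rules to any candidate, generated or typed.
func MeetsPolicy(pw string, minLength int, requireSymbols bool) bool {
	if len(pw) < minLength || !strings.ContainsAny(pw, lower) ||
		!strings.ContainsAny(pw, upper) || !strings.ContainsAny(pw, digits) {
		return false
	}
	return !requireSymbols || strings.ContainsAny(pw, symbols)
}

// EntropyBits is the size, in bits, of the space a brute-force attacker must search
// for `length` characters drawn uniformly from an alphabet of `alphabetSize`
// (an upper bound here, since the per-class guarantee removes a few combinations).
func EntropyBits(length, alphabetSize int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

func main() {
	pw, err := GeneratePassword(24, true)
	if err != nil {
		panic(err)
	}
	fmt.Printf("generated: %s  policy ok: %v  ~%.0f bits\n",
		pw, MeetsPolicy(pw, 20, true), EntropyBits(24, len(lower+upper+digits+symbols)))
	fmt.Println("\"password1\" meets policy:", MeetsPolicy("password1", 20, true)) // false
}
```

The entropy figure is what makes "use the longest password allowed" concrete: every extra character from this 87-symbol alphabet adds about 6.4 bits, so a 24-character random password sits near 155 bits, far beyond anything a guessing attack can cover, whereas a short memorable word with a digit appended fails the policy check outright.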
6. Security Question Roulette
Many sites now require that you define the answers to several security questions. These are questions you must re-answer when you attempt to recover your password or when you make sensitive changes to your account.
While some advocate giving false answers to these questions, that would require you to keep track of all of those false answers, and it's hard enough to keep track of the right ones!
I recommend instead that you take one of two more realistic approaches:
- You could answer the opposite of the question posed. For example, if asked what your favorite food is, rather than answering ice cream, answer the opposite question of your least favorite food, such as fried chicken feet.
- You could answer the question truthfully, then add personal padding material. Pick a phrase or statement, such as "I Like Pickled Herring," and add it to the end of each correct answer. If asked what your favorite color is, rather than just listing "teal," set your answer using your padding material, such as "teal I Like Pickled Herring."
Using either of these methods will not make these questions significantly more challenging for you to remember the "correct" answer. But it will make it nearly impossible for someone to guess or discover your answers.
7. HTTPS Everywhere, All The Time
Using a VPN is your best practice for staying encrypted locally, but whenever possible, having your connection encrypted to your destination is even better.
A growing number of websites now support secure HTTPS connections. HTTPS was initially the HTTP web protocol encrypted by SSL (Secure Sockets Layer), but SSL was replaced by TLS (Transport Layer Security) many years ago. We retained the HTTPS URL prefix, and most of us still misuse the term SSL, much like we misuse the term Kleenex.
HTTPS Everywhere, a plug-in from the EFF (Electronic Frontier Foundation) available for most browsers, ensures that your browser requests a secure connection every time you type in a URL or click on a link. Only if a site does not support HTTPS connections will you fall back to cleartext HTTP.
Note: Several browser vendors have announced that eventually this feature will be native and will not require a plug-in.
Look out for the padlock icon, which is usually in the address bar near the URL. You want to see a closed or locked padlock. This informs you that a successful TLS handshake was performed between your browser and the website you are visiting.
You should be concerned if the lock icon is shown as being open or unlocked and potentially labeled by an exclamation point or red slash. This indicates that the session is in plaintext and that TLS was not successfully negotiated.
How to Identify Encryption and Authentication within Your Browser
A locked padlock symbol is not quite the all-clear indicator that proves that you are truly secure; it is just the first step.
Next, you should click on the padlock icon and see if you can access the digital certificate information from the site you are visiting. Make sure it accurately identifies the site, company, and/or organization of the website.
Next, you want to find the details on the negotiated encryption (formally known as the cipher suite). This might be accessible through clicking the padlock, but you may have to dive into the developer options.
For many browsers, you can press F12 (or select Developer Tools from the browser’s menu). From the developer tools area, select the security tab. This is where the level of encryption and authentication is typically displayed.
You want to see TLS 1.3 or 1.2. If it lists anything else, you should be concerned that you might not have the best security protecting your current session. Some websites may be limited to supporting TLS 1.1 or 1.0 - this is unfortunate and you may need to reconsider using those sites until they improve their security support.
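As an added example, not part of the original article, of what the padlock and the developer-tools Security tab are reporting: the program below stands up a throwaway TLS server on the loopback interface with a self-signed certificate for the hypothetical host name example.test, connects to it as a client that refuses anything below TLS 1.2, and reports the negotiated protocol version, cipher suite and certificate subject, exactly the three things the text tells you to check. Capping the server at TLS 1.1 makes the handshake fail, which is the programmatic counterpart of the broken-padlock warning. The host name, organisation name and version cap are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Report mirrors what a browser's developer-tools Security tab shows for a page.
type Report struct {
	Version, CipherSuite, PeerSubject string
	Acceptable                        bool // the article's rule: TLS 1.2 or 1.3 only
}

var versionNames = map[uint16]string{
	tls.VersionTLS13: "TLS 1.3", tls.VersionTLS12: "TLS 1.2",
	tls.VersionTLS11: "TLS 1.1", tls.VersionTLS10: "TLS 1.0",
}

func versionName(v uint16) string {
	if n, ok := versionNames[v]; ok {
		return n
	}
	return fmt.Sprintf("unknown (0x%04x)", v)
}

// selfSignedCert makes a throwaway ECDSA certificate for the hypothetical host name,
// so the example has a server to talk to without leaving the machine.
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Example Test Org"}},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, err
}

// Inspect handshakes with a loopback server that offers at most serverMax and reports
// what was negotiated. The client insists on TLS 1.2 or newer, so a server stuck on
// TLS 1.0/1.1 fails the handshake instead of silently downgrading.
func Inspect(serverMax uint16) (Report, error) {
	cert, parsed, err := selfSignedCert("example.test")
	if err != nil {
		return Report{}, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return Report{}, err
	}
	defer ln.Close()
	go func() { // the "website": deliberately permissive, like a legacy site
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		srv := tls.Server(conn, &tls.Config{
			Certificates: []tls.Certificate{cert},
			MinVersion:   tls.VersionTLS10, MaxVersion: serverMax,
		})
		srv.Handshake() // a failure here also surfaces as the client's Dial error
		srv.Close()
	}()
	pool := x509.NewCertPool()
	pool.AddCert(parsed) // trust only the test certificate; never skip verification
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs: pool, ServerName: "example.test", MinVersion: tls.VersionTLS12,
	})
	if err != nil {
		return Report{}, err
	}
	defer cli.Close()
	st := cli.ConnectionState()
	return Report{
		Version:     versionName(st.Version),
		CipherSuite: tls.CipherSuiteName(st.CipherSuite),
		PeerSubject: st.PeerCertificates[0].Subject.String(),
		Acceptable:  st.Version >= tls.VersionTLS12,
	}, nil
}

func main() {
	for _, max := range []uint16{tls.VersionTLS13, tls.VersionTLS12, tls.VersionTLS11} {
		r, err := Inspect(max)
		fmt.Printf("server max %s -> report %+v, err %v\n", versionName(max), r, err)
	}
}
```

The client configuration is the part worth copying into any tool you write: a minimum version of TLS 1.2, a root pool you control, and a server name that must match the certificate. Skipping verification to make a handshake "work" would hand an on-path attacker exactly the position the padlock is supposed to rule out.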
8. Keep Clean to Avoid Malware (and Criminal Activity)
Another serious threat to your privacy, anonymity, and overall security is that of malware. Infections of malicious code are rampant, and their sources and vectors are legion. Therefore, you have to take precautions and avoid risky activities that could expose you to new malware.
Install a current-generation anti-virus/anti-malware scanning program. Set it to monitor your system in real time, set a schedule to scan your entire system at least once a week, and set it to update at least once per day.
Avoid risky activities that could lead to infection. Take extra care when downloading files. Try to find the source of a file before downloading it from a third party. If you can't find the source, then use third-party download sites known to be trustworthy. (I’m hesitant even to recommend examples of third-party download sites that can be trustworthy because such sites can quickly change their terms, reputation, or ownership.)
Avoid opening email attachments unless you verify that the sender sent them on purpose. Avoid using portable storage devices from unknown sources; you never know what kinds of systems they have been plugged into. And most of all, avoid participating in the exchange of pirated or copyright-liberated materials, as this is not only a crime, it often exposes you to malware infection.
9. Leave On Purpose
When you finish using a site or a service, use the log out button or command. Don't leave a session hanging and go elsewhere.
Instead, leave on purpose, shutting and locking the door behind you. Hackers may be able to take over your stale sessions, even after you have left the premises. And on a related note, be sure to clear out your cookies in every browser at least once a week.
Cookies are the dropped backstage pass to your online accounts. You can configure your browser to delete cookies each time you close the application. You might also consider running a security tool that cleans out cookies and other browser debris (since many browsers do a poor job of this for themselves); such tools include CCleaner and BleachBit.
10. Bring Your Own Internet
Using free Internet access at coffee shops, restaurants, and other public venues is often convenient. Or at least it is until you realize just how easy it is to be fooled by a rogue access point, an evil twin attack, sniffing/eavesdropping, DNS spoofing, attacker-in-the-middle/on-path attacks, and hijacking attacks.
Using a VPN will reduce some of these risks, but not completely. The only real way to prevent opportunistic compromises based on public WiFi is not to use it. Instead, bring your own Internet connection. Many cellular providers offer tethering plans or mobile hot-spot options. Or, you can look into independent services like FreedomPop (freedompop.com) or Karma (yourkarma.com). These two services offer relatively inexpensive portable WiFi hot-spot services.
If you can plug into a port with an Ethernet cable, that will be much more secure than using open WiFi networks. Of course, you still need to use a VPN, but at least you will be reasonably sure you plugged into a real port in the wall. If there is no option other than open WiFi, then be cautious. Ask the manager at the location what the intended WiFi network name is, connect only to the network with the correct name, and immediately launch your VPN.
These are just some of the myriad of steps that you can take to improve your security online. Some focus on privacy, some focus on anonymity, and others address security management. It is up to you to take the necessary steps and precautions to preserve and protect yourself online. No one else is doing it for you.
One of the best ways to keep you and your data protected is to continue reading articles like this one, watching videos, participating in webinars, training and more. Having the knowledge and skill to secure your activities online will help prevent attackers from gaining access to your information.
In a recent white paper, we cover 10 Things Cybersecurity Experts Wish End Users Knew. Read more about how to prevent attacks and make security best practices a daily habit.