In another Cyber Primer, we covered the importance of network security, but it is important to remember that having safe and secure access to the Internet does not mean a person can browse the web entirely worry-free. Insecure websites, outdated browsers, malicious URLs, and the data exposed by your digital exhaust are just some of the privacy and security concerns to be wary of when navigating the digital landscape. In this article, we at Mirai Security detail what to be cautious of, and how to ensure your browsing is secure.
First, it is important to understand HTTP, HTTPS, and their major differences. Hypertext Transfer Protocol (HTTP) is a communication protocol (seen at the beginning of URLs in the form of "http://") that is used for accessing Hypertext Markup Language (HTML) documents over the Internet. Because HTML documents include hyperlinks that can send users to other pages, HTTP has been an integral part of the Internet realizing its connective potential. However, evolving security standards and threat scenarios have made HTTP functionally obsolete. HTTP data is transmitted without encryption, meaning every request and response on a website that uses HTTP is left open to third-party data theft from actors monitoring the web session. Luckily, Hypertext Transfer Protocol Secure (HTTPS) is a secure alternative to this that most websites have adopted. HTTPS utilizes Transport Layer Security (TLS) to encrypt the requests and responses of website session data, making it illegible to malicious third parties. As nearly 80% of websites now use HTTPS, this has largely been a problem that has solved itself, but with 1 in 5 websites still using HTTP, users should always check the beginning of a website's URL before accessing a page.
Beyond HTTP and HTTPS, predatory URLs present a significant risk. Hackers are able to present their malicious URLs in ways that cause the average Internet user to click these links without stopping to think of the repercussions. This can be done in a variety of ways.
As we mentioned in our phishing blog, shortened URLs are a major risk to mobile Internet users. URL shortening done in text messaging heightens the threat of malicious URLs by making them appear innocuous to their recipients, increasing the likelihood one falls prey to a smishing (SMS phishing) attack. However, URL shortening can also be done manually using a URL shortener such as Bitly, allowing hackers to achieve the same effect on non-mobile devices. Other methods for crafting malicious URLs, such as URL spoofing - where URLs are created to mimic those of trusted websites - and overly long URLs designed to overwhelm a user's security vigilance, are just some of the many reasons why web users should be cognizant of every link they click. There are several tools for practicing URL safety. Websites such as VirusTotal are good tools for checking the validity of URLs (though one should use discretion before uploading anything personal or private to these websites). Inspecting a site's TLS certificate to ensure the site name matches the URL is also beneficial in catching URL spoofing before it can cause any damage. These methods are not foolproof (our partner KnowBe4 has an excellent rundown of the limitations of TLS verification and other rogue URL tricks) but represent a good knowledge base for practicing URL safety.
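The warning signs described above (a non-HTTPS scheme, a shortened link, an overly long link, and a host name that mimics a trusted site) can be checked automatically before a link is opened. The Python below is an added example, not part of the original article; the shortener list, the trusted-domain list, the 100-character threshold and the function names are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumed values for this example; tune them for your own environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
TRUSTED = {"paypal.com", "google.com"}
MAX_LEN = 100


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of trusted names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(url):
    """Return a list of warning flags for one URL; an empty list means none fired."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme != "https":
        flags.append("not-https")        # traffic would be sent unencrypted
    if host in SHORTENERS:
        flags.append("shortened")        # real destination is hidden
    if len(url) > MAX_LEN:
        flags.append("overly-long")
    # A host is genuine only if it IS a trusted domain or a sub-domain of one.
    genuine = any(host == g or host.endswith("." + g) for g in TRUSTED)
    if not genuine:
        # Naive registrable-domain guess: last two labels (ignores e.g. co.uk).
        registrable = ".".join(host.split(".")[-2:])
        for good in sorted(TRUSTED):
            # Trusted name embedded in another domain, or a near-miss spelling.
            if good in host or 0 < edit_distance(registrable, good) <= 2:
                flags.append("lookalike:" + good)
    return flags


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real campaign.
    for sample in ("https://www.paypal.com/signin", "http://bit.ly/x",
                   "https://paypa1.com/signin"):
        print(sample, triage(sample))
```

A clean result only means none of these heuristics fired; it does not show that a link is safe.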
Sometimes, security concerns while browsing lie not with what is being browsed, but with the browser itself. Though most widely used browsers include built-in encryption and security measures to make browsing a safe endeavour, hackers are constantly finding new ways to exploit their software. At this year's Pwn2Own, every single major web browser, from Google Chrome to Safari to Firefox, was found by the second day of the hacking contest to have zero-day exploits (vulnerabilities unknown to the software provider and their security teams). These results are worrisome enough without the added wrinkle that many Internet users do not regularly update their browsers or clear their browsing data. These users are surfing the web with browsers unequipped with the latest security measures, as they continuously add data to their digital footprint. Additionally, threats to safe browsing can also come from browser extensions that the users themselves have chosen to install. This February, with the help of independent security researcher Jamila Kaya, Chrome pulled 500 malicious extensions from their store for secretly stealing data from users, a fortuitous fix that nonetheless makes one question what other unsafe extensions have yet to be exposed.
Although the results of Pwn2Own and Jamila Kaya's findings are not ideal, ultimately these contests and independent audits allow the companies behind web browsers to catch vulnerabilities and update their software accordingly. Therefore, users should clear their cache, cookies, and browsing data frequently, and update their browsers when prompted so that they are outfitted with the latest security patches.
Most of us browse the Internet every day, and the threats that come with this activity can be scary, but are often avoidable. Following these tips will help any user feel just a little bit safer when browsing the web.
Do not enter any information on a non-HTTPS website (i.e. HTTP, without the s). Without HTTPS, any data passed is unencrypted.
Shortened URLs are one of the main methods that attackers use to hide and modify malicious URLs.
Do not click any unknown URLs. If you're unsure, use websites such as https://www.virustotal.com/gui/home/upload. Please note that if privacy is a concern you shouldn’t upload documents to websites like these.
Clear your cookies, session data, and cache regularly using a trusted browser extension or doing it manually. Don’t leave your data lying around!
Keep your browser updated, explore the privacy settings and remove unnecessary add-ons/extensions.
Don't sign into your browser, as it can link further data to your identity. If you need to, you can use an open-source bookmark sync app.