Safe Web browsing

By Alex Polling

    In the earliest years the Web was very safe. In fact, to be hacked while browsing the web was much less probable, than, say, to catch cold while watching someone eat ice cream. Web pages were not as interactive as they are now; they were more like movies, family albums or books. It is not an exaggeration that animated gif pictures caused greater excitement than contemporary Flash applications. Watching was all you were doing, and no one ever thought about any underground activities that might be happening during that watching time.
    As we all know, a system containing many elements is expected to be more vulnerable, since each element can contain (or be a part of) a security hole, just as a house that has many windows is potentially less secure. With time, web pages become more and more interactive. At first there was JavaScript, a language that made it possible for web pages to think, to validate information, to create cookies and pop-up windows. Then came downloadable ActiveX components that have even more control over pages and computers. So let’s see what simple steps we can take to make our online browsing safer.

    Downloads. In a nutshell, the files should be downloaded only from trusted sources and checked with your anti-virus, since even a trusted source might be infected. It’s recommended that once you see a download dialog window, you select the Save option, instead of Open in order to check the file before opening.

Passwords. Most sites require registration if you want to use all their features. If you use the same password on a few sites, there is a risk that once an account on one of the sites is hacked, the same will be true for the rest of the sites. One technique is to invent some algorithm to mix a few letters of web site or page name with your permanent password, in order to avoid password duplication, yet keeping yourself free from an excessive number of passwords, e.g., micpassword, livpassword, etc. There’s no need to mention that the password itself should be strong, which means that it should:

not be too short
contain digits
contain letters both from upper and lower case

Cookies. Cookies are small pieces of information stored on your computer as a result of your browsing activities. Cookies can contain your email, password or any other data that you usually enter when you’re on a particular web site, in order to use it later for transparent login. In theory, a site can read only its own cookies. Unfortunately, cookies can be stolen. There are many ways to do it, and one of them is through using fake URLs. This means that a malicious web site can show an allegedly harmless link that your browser may interpret as link to a known online store, because its name is present somewhere in the link, and use the cookies of that site. Examples of spoofed URLs are below:

Such links can make a site visitor think he is on one site, while actually he is on another site.

Turning cookies off would be a radical solution; usually what should be done is:

regularly update your browser
if possible, use a browser other than IE (for example FireFox or Opera)
pay attention to links containing the names of popular web sites
set the security level in your browser to medium or high level

ActiveX controls. ActiveX controls should be allowed to install only when they come from a trusted source or when you are totally sure what they’re for in a particular case. Your browser will display a dialog window asking to install the ActiveX control and you should be careful deciding whether to allow it or not.

Pop-up windows. Attackers can use popup windows that look like offers, but their purpose is to install malicious code. Pop-up window are also frequently used to display annoying or even offensive content. Disabling popup windows seems to be a reasonable step to more comfortable web browsing. SP2 for Windows XP already contains Pop-up Blocker for IE, but there are other tools that do the same thing.

We grant you permission to use our articles on your web site or your newsletters, under the condition that non of the content is changed, and non of the links are removed.