Browser selection

This article deals only with securing Mozilla Firefox. Firefox offers an wide selection of extensions that can help secure the browser. Google Chrome, Opera and Safari also offer some extensions, but I have not tested them. Microsoft Internet Explorer appears to support Add-ons, but Version 8 offers none for browsing security.

Internet Explorer is particularly vulnerable. In part, this is because IE is by far the most popular browser, and so it suffers the most attacks. Because it is the most popular browser it is especially targeted for attack by malusers. And compounding the problem, Microsoft has been slow to acknowledge vulnerabilities in its products, never mind fixing them.

Privacy settings

Privacy is not so much about keeping your personal information secret, but about keeping control over your personal information. If I choose to tell Facebook my name, age and browsing habits that’s OK, but my privacy is violated if Facebook finds out about my browsing habits if I don’t tell Facebook myself.

Malware is pretty good at correlating information when you least expect it. For example, you may keep your browsing history confidential, but allow Javascript to change the layout of your screen. To do so Javascript reads elements of the Document Object Model (DOM), including the colour of text. But if a link is coloured purple instead of blue, then Javascript can figure out that you’ve visited that link before, violating your privacy settings for browsing history.

To see your Firefox Privacy settings select Tools, Options and click the Privacy icon.

Settings for Firefox Privacy options

For maximum protection check Tell Web sites I do not want to be tracked and select Firefox will: Never remember history. But having to type in all your passwords and data every time you access the same web sites can be inconvenient, so I actually browse with the setting Firefox will: Use custom settings for history, leaving Always use private browsing mode unchecked. It is usually safe to have Accept cookies from sites turned on, with Accept third-party cookies turned off and Keep until: I close Firefox selected. Custom settings for Clear history when Firefox closes has only Cookies and Active Logins checked:

Firefox Clearing History

Security settings

To see Firefox Security settings select Tools, Options, then click on the Security icon.

Screenshot - Firefox, Tools, Options, Security

For maximum security, make sure all the checkboxes are checked.

Warn me when sites try to install add-ons will avoid drive-by infections, which is when merely browsing a Web page with Javascript enabled can launch malicious processes. This will at least give you a warning.

Block reported attack sites and Block reported web forgeries do add some additional protection from malware sites, but potentially at some expense of your privacy. Every 30 minutes Firefox downloads a list of malware sites. If you browse to such a site then Firefox will check for that particular site immediately before blocking it. It uses Google’s malware list to do so, and will send Google’s cookies when checking.

You can test for phishing protection at the phishing test site and for malware protection at the malware test site.

Use a master password will encrypt the list of passwords stored on your computer. This is mostly useful if your computer should get stolen or left on the bus, but without the Master Password it might be possible for a malware site to retrieve your list of passwords through some (as yet unknown) vulnerability.

Security Extensions

Firefox’s extensive collection of extensions (Add-ons) make it my preferred browser.

NoScript

NoScript prevents Javascript from executing on specific web sites.

Javascript determines the fourth characteristic of a web page (Content, Semantics, Presentation, Behaviour). A well-designed web site will degrade gracefully — if the browser cannot manage the page layout (Presentation), it should still be able to identify the components of a page such as paragraphs and headers (Semantics), and still show the Content. Even if the browser can’t identify a paragraph from a heading (Semantics), it should always show the content. Javascript is responsible for the behaviour of a page. This is what makes Google Maps’ slippy map work when you drag the mouse cursor across the page. That behaviour degrades gracefully, so that when you view Google Maps with Javascript disabled you can still see a static map. Sadly, many web sites today are designed so that Javascript is required to show the content. NoScript addresses this problem by selectively allowing you to enable Javascript for those sites that you trust.

NoScript has expanded its scope so that it now also checks for Cross-Site Scripting vulnerabilities, Application Boundary violations, and other esoteric security concerns.

Adblock Plus

Adblock Plus removes ads. That’s wonderful all by itself, but there’s more! When ads are blocked, you don’t waste any bandwidth downloading them. But there’s more! The hits from Web Bugs aren’t recorded and tracked. And blocked ads from third-party sites can no longer query third-party cookies, or enable cross-site scripting attacks.

When you install Adblock Plus you’ll be asked to subscribe to one of the pre-defined block lists. I usually choose EasyList or Adblock.org.

Force-TLS

Force-TLS requests an encrypted page (https) when the server supports it. The functionality is now built into Firefox directly, but Force-TLS still provides a handy dialogue box to add Web sites for servers that don’t automatically switch to https.

HTTPS Everywhere

HTTPS Everywhere forces a Web pages to use https, and can change the URL for those sites that use different URL paths for their secure content. HTTPS Everywhere only works for Web sites in its Preferences list:

HTTPS-Everywhere preferences

HTTPS Everywhere is not maintained on the Mozilla Add-ons web site, so you have to download it from the EFF directly. Firefox will ask you to verify that you want to install an add-on from an unknown site. Click on the Allow button to install the HTTPS Everywhere add-on.

Installing the HTTPS-Everywhere extension in Firefox

Keeping Updated

Security is not a single solution to a single problem. It is a constantly evolving process that tries to keep up with constantly evolving attacks. It is important to keep everything up-to-date.

Updating the Browser

To ensure that the browser and all its extensions stay up-to-date check all the boxes on the Tools, Options, Advanced, Update screen:

Updating Firefox

Updating Extensions

To update the Firefox extensions select Tools, Add-ons, click on the Tools for all add-ons button, and make sure there is a check mark beside Update Add-ons Automatically. If there is no check mark then click on Update Add-ons Automatically, and you should also perform updates manually by selecting Check for Updates. If there are any updates a View all updates link will be displayed, click on it, then click on the Update now button for each add-on in the list.

Screenshot showing the 'Update' menu

Updating the Operating System

Finally, no amount of browser security will keep you safe if your operating system is not safe. Be sure to activate Windows Updates (or Linux Updates, or AppleMac Updates), and keep your Anti-virus software, firewall, spam filters and other security software up-to-date.

–Bob.

Delete

The rest of us, Prone to Pecadillos, may occasionally write blogposts and then change our minds about the content. When that happens it’s best not to make changes or delete posts without letting your readers know.

Instead of making a wholesale change to a post it’s better to create a new post. Imagine if someone wrote about a similar issue, quoted from your post and provided links to it. Now your post has changed, and the links no longer make sense because the content has changed. Or someone makes a comment on a post, the content of the post is changed, and now the comment has nothing to do with the post.

Instead, create a new post with a new link. It’s a good idea to keep the original post; you could delete it, but then other people’s links would return an error (that’s called “link rot”).

About the only good reason for modifying an existing post is to correct an error. Even then you shouldn’t delete the incorrect material, but indicate it should be deleted by using the <del> tag, and marking the new material with an <ins> tag. For example:

The Javan Rhinoceros <del>has only one survivor </del> <ins> is now extinct</ins> in Vietnam.

This would show with crossed-out text for <del> and highlighted text for <ins>, like this:

The Javan Rhinoceros has only one survivor is now extinct in Vietnam.

(which is a sad development, and may be worthy of a post of its own).

If you really want to delete a post then replace it with text like “This post has been removed by the author”. If you do that then you should delete or hide the comments too.

These are open and transparent ways to indicate deletions. It’s merely an online publishing convention, since there really isn’t a style guide for HTML like Strunk and White’s in the online world. Or, more accurately, there are far too many Strunk and White’s in the online world!

–Bob.

Delete by delete08 is used under a CC-BY-NC license

Key by Quasimondo

Some ID would also be a good idea, for those who do not already know you.

No no no.

If people don’t know you, then they shouldn’t be signing your key. If you don’t know someone, then you shouldn’t be signing their key.

Using ID of any sort is assigning trust by proxy to an “authority”. You’re no longer vouching for a person based on your own knowledge, but relying on the “authority” to provide that trust. If you’re going to rely on third-party authorities you might as well revert to a hierarchical PKI and pay lots of money to a certificate authority to assign levels of trust for you.

The point of the keysigning is to associate a key value with a real person, with no opportunity for a Man in the Middle attack ^[1]. It is not to verify name, address and permission to drive in Ontario.

When I sign your key it is not because the government says that you’re allowed to drive under your name, but I sign your key because I believe that you’re the same guy who drinks Jagermeister and hacks on Blackberries and hangs out at the Syrup Festival. It is based on my personal knowledge of you, and my trust in your claim that you own the GPG key with fingerprint D2CCE5EA ^[2].

The Web of Trust extends this, so that since I trust your identity and judgment, I’m also likely to grant some level of trust to the people you trust. After a successful keysigning party then I’m going to trust many more people because they’re all trusted by people I trust. And I’ll be trusted by more people, because they trust the people who have signed my key.

So, how do you hold a keysigning party? Here’s an excerpt from the PGP FAQ:

The comp.security.pgp FAQ

Wouter Slegers

Copyright © 1996, 1997, 1998, 1999, 2000,
2001 by Arnoud Engelfriet

Copyright © 2002 by Wouter Slegers

This FAQ is copyright © 2001 by Wouter Slegers.

It may be distributed freely in online electronic form, provided the copyright notice is left intact. Since this FAQ is always available from USENET and the PGP network, there should be no problems getting access to it. However mirrors with outdated versions can confuse the users, so I request you not to mirror this FAQ elsewhere.

[...]

Q: What’s a key signing party?

A: A key signing party is a get-together with various other users of PGP for the purpose of meeting and signing keys. This helps to extend the web of trust to a great degree, making it easier for you to find one or more trusted paths to someone whose public key you didn’t have.

Kevin Herron has an example of a keysigning party announcement page ^[3].

Q: How do I organize a key signing party?

A: Though the idea is simple, actually doing it is a bit complex, because you don’t want to compromise other people’s private keys or spread viruses (which is a risk whenever floppies are swapped willy-nilly). Usually, these parties involve meeting everyone at the party, verifying their identity and getting key fingerprints from them, and signing their key at home.

Derek Atkins has recommended this method:

There are many ways to hold a key-signing session. Many viable suggestions have been given. And, just to add more signal to this newsgroup, I will suggest another one which seems to work very well and also solves the N-squared problem of distributing and signing keys. Here is the process:

1. You announce the keysigning session, and ask everyone who plans to come to send you (or some single person who will be there) their public key. The RSVP also allows for a count of the number of people for step 3.

2. You compile the public keys into a single keyring, run pgp -kvc on that keyring, and save the output to a file.

3. Print out N copies of the pgp -kvc file onto hardcopy, and bring this and the keyring on media to the meeting.

4. At the meeting, distribute the printouts, and provide a site to retrieve the keyring (an ftp site works, or you can make floppy copies, or whatever — it doesn’t matter).

5. When you are all in the room, each person stands up, and people vouch for this person (e.g., “Yes, this really is Derek Atkins — I went to school with him for 6 years, and lived with him for 2″).

6. Each person securely obtains their own fingerprint, and after being vouched for, they then read out their fingerprint out loud so everyone can verify it on the printout they have.

7. After everyone finishes this protocol, they can go home, obtain the keyring, run pgp -kvc on it themselves, and re-verify the bits, and sign the keys at their own leisure.

8. To save load on the keyservers, you can optionally send all signatures to the original person, who can collate them again into a single keyring and propagate that single keyring to the keyservers and to each individual.

I’m going to have to put my key signature where my mouth is. Hopefully there will be another key signing party soon, for which I will be more prepared.

–Bob.

^[1] Yes, it is still possible to have a meatspace MitM attack if you’re signing keys for people you don’t know and relying on ID. If you’ve never met me before then it is possible that someone mugs me in the parking lot, takes my ID and wears my goofy hat. If you don’t know me you would never be able to tell the difference, and you’d be signing a key for the wrong person.

^[2] Although that’s really my PGP key, so as not to divulge the identity of innocent and unsuspecting Key Signing Party Organizers.

^[3] Sadly, Kevin Herron makes the same mistake of requiring "Positive picture ID". Please ignore that part.

Key by Quasimondo is used under a Creative Commons by-nc license.

Don't Panic, They're Only Vogons by Patrick Hoesly

After dissing Google Plus I was persuaded to try it out for a while before rendering a verdict. So now it’s been over two months, and my verdict is: Mostly Harmless.

When I get home after a hard day of working with a computer, I sit down for a pleasant evening of relaxation with a computer. I read my e-mail, read the news, and read the microblogs. I subscribe to 55 people on Identi.ca, and I follow 84 people on Twitter. Those 139 people generate sufficient 140 character messages to keep me reading until bedtime and beyond.

But on my Google Plus account, I have 27 people in my circles. Those 27 people create a lot of large messages. In fact, they generate a lot more content than my 139 Identicats and Tweeple, since Google Plus puts no limit on the size of messages.

22 of the 27 people are in my Tech Circle. But instead of receiving only technical content from these people, they’re posting messages about vacations, favourite bands, philosophy, and yes, pictures of cats.  Now, this happens on the microblogs too, but on a microblog it’s limited to 140 characters, and I can ignore them.  On Google Plus the posts are much longer, have pictures attached, comments from other people, and those ubiquitous “John Q. Public originally shared this post” and “Click to +1 this post”.  Google Plus does not have the tools to filter messages by content, or even a method to collapse a conversation thread.

There’s no Atom/RSS feed, so I can’t use my preferred feed reader to analyze, sort and organize my Google Plus message stream. And I don’t know of any third-party applications to read, write and manage content on Google Plus. Google Plus does allow the export of all its content, under Account Settings, Data Liberation. Contact info is in the standard vCard format, suitable for importing into addressbooks.

Kudos to Google for giving users useful control of their data. Still, Google also has access to that data, and continues to collect ever more. In the past I’ve recommended Google Mail as a preferred no-cost e-mail host. Recently Google has taken to verifying new users by requiring them to supply a phone number. Google then sends a text message for the user to enter into the registration form. This is a level of data collection that I find creepy, and so I no longer recommend Google Mail.

Finally, to top it all off are the Google Nymwars. Much has been written about why Google’s policy of requiring real names is wrong-headed. Some people whom I might follow have stopped using Google Plus because of the nymwar controversy. I think I’ll be joining them in disdaining Google Plus.

• Google Minus: Banality of user content (not Google’s fault)
• Google Minus: Lack of management tools
• Google Plus: User control over data
• Google Minus: Google control over data
• Google Minus: Nymwars

I think that Google Plus is not the Facebook Killer the folks in Mountain View want it to be.

The image 740 – Towel Day – Pattern by Patrick Hoesly is used under a Creative Commons Attribution 2.0 Generic (CC BY 2.0) license.

Google Plus Screenshot

I won’t be using it. Google has too much of my data already.

For gushing, sycophantic reviews see Mashable and Techcrunch.

Update 8 July 2011: Someone pointed out that I should probably investigate Google Plus before dissing it, so I’m licking the Google salt block. There will another blog post with the results of this investigation… In the meantime, Circle Me!

Update: 13 October 2011: The Verdict on Google Plus: Mostly Harmless

I’m specifically looking for a free/libre operating system that will run a Graphical User Interface on a 10-year-old laptop, 700 MHz Intel CPU, 256 MiBytes RAM (but 128 MiBytes would be better), an 8 GiByte hard drive and an 800×600 screen.

If you know of any other lightweight distributions please leave a comment. Also please leave a comment if you can help fill out the chart – the distributions’ documentation is pretty inadequate when it comes to listing minimium system requirements.

I expect this post to be a continuous work-in-progress.

–Bob.

Added 14 June 2011: Thanx for the suggestions from @dwa, @headphonica, @darkestkhan, @flying_squirrel and @circuidipity, all added above.

Added 17 June 2011: @schestowitz points me to a Linux Devices article on Tiny Core Linux.

Added 28 July 2011: @chaslinux reminded me of The Working Centre’s distribution, WCLP.

Added 4 August 2011:Just saw antiX mentioned on Identi.ca.

It needs to have CalDAV connectivity, so that I can use Evolution, Sunbird or Thunderbird/Lightning as my only client. Ideally, it will also have a Web interface for both administration and calendar viewing, exports to iCal (.ics) files, supports iMIP, and offers Atom/RSS feeds of calendar items.

Here’s what I’ve found so far. If you know of others, please leave a comment.

There’s also a list at CalConnect’s CalDAV Servers

The other calendars I’ve been trying are WordPress plugins. There is much promise in their description blurbs, but so far I’ve rejected Calendar JCM (no longer supported), Event Calendar / Scheduler (missing .php modules when running), and The Events Calendar. WP Events Calendar works, but had no iCal or Atom/RSS feeds. I’ve added iCal for Events Calendar for one of my WordPress installations, since it at least provides an iCal download for “WP Events Calendar”…

11 January 2011: Originally posted
26 March 2011: Added Linuxaria’s suggestions
16 April 2011: Added WordPress plugin info; added CalDAV column; filled in some attributes

This is a “living” post, so it will float back to the top of the blog as I update it.

–Bob.

Google Juice by Johannes P. Osterhoff

There are many people who specialize in Search Engine Optimization (SEO). They claim to be able to improve your rank on search engines, but here are some common-sense tips you can apply yourself.

1

The best thing to maintain good page rank with ANY search engine is to have good content. This isn’t something an SEO company can do for you — you have to provide that content yourself. Repeating someone else’s content may bring you a few hits, but the search engines will quickly determine that the original site has hosted that content longer, and rank them higher.

Google is additionally funny in that they will count the number of sites that link to you, assuming that if you warrant many links, you must have something the Google customers want. If you switch Hosting Providers or change to a different domain name then anyone linking to the old domain name may have (temporarily) dead links. That will drain your Googlejuice right quick. If you have multiple domain names with the same content then the Google page rank is diluted. Better to have one domain with 1000 links than two domains with 500 each. You should ask your Hosting Provider to set up “301 redirected permanently” for any non-primary domains. Google is smart enough to figure out that http://www.example.com is the same as http://example.com, but I prefer no www. Why? See http://no-www.org/.

2

The second best thing you can do is to have valid HTML for all your Web pages. Sadly, many sites fail badly on that account (including this one). Have a look at the W3C HTML validator for this home page. As I write this, this blog’s home page has 29 errors. That will drain my Googlejuice right quick. If a search engine can’t parse HTML it won’t index content, or rank the page up high. That counts for all search engines, not just Google. I’ve written about this in Invalid HTML Considered Harmful. There are consultants that can help you correct invalid HTML; you may know one or two already

3

The third-best thing is to make sure your pages are accessible. If your site works well on alternative browers (PDAs, game consoles, cell phones) and assistive devices (braille readers, text-to-speech readers) and plain text browsers like Lynx then it’s a pretty sure thing that search engines can index the content too. Avoid Javascript, but if you use Javascript make sure that content delivery isn’t Javascript dependent — make plenty of use of the <noscript> tag. Don’t use non-indexable technologies like Flash, PDFs, Silverlight, or ActiveX. Google is getting pretty good at indexing PDFs and even Flash, but you’ll get better results with plain HTML. I’ve never seen a PDF that wouldn’t work as well-designed HTML. Non-indexable technologies won’t drain your Googlejuice, but they do nothing to boost it either.

4

The fourth best thing you can do is not play jiggery-pokery with hidden text, irrelevant keywords, cloaking, “sneaky” redirects, comment spam on other sites, or fake affiliate sites. If you try to outsmart search engines’ ranking algorithms to artificially boost your ranking, you may succeed for a few days or weeks before you’re banned altogether. That will drain your Googlejuice right quick. Besides, jiggery-pokery is a lot of hard work, better spent creating good content.

Update 1 March 2011: Told you so!

–Bob.

Google Juice by Johannes P. Osterhoff is used under a Creative Commons by-nc-nd license.

Today is the deadline for submitting comments to the CRTC on the proposed tariff increases for Usage Based Billing. These are the comments I submitted:

I am opposed to the current Usage Based Billing proposal.

 

The cost of Telecom in Canada is already among of the highest in the world. Allowing Usage Based Billing will only increase that cost for both consumers and business, especially the third-party Internet providers. Canadian-based business is already looking for foreign ownership for the telecom sector; don’t price those Canadian businesses out of the market by increasing the rates for telecom services.

 

I understand that the carriers feel the need to increase the capacity of their infrastructure, but they have provided no evidence of the current capacities or bandwidth usage, making me wonder if these extra charges are justified. I do believe that billing based on usage (akin to electricity or water use) is a fair way to charge for Internet use, but only if it is the only charge. Carriers must not charge for bandwidth AND set bandwidth caps with overage fees. It cost no more to deliver the first gigabyte in a billing cycle than it costs to deliver the 60th.

 

Also, there must be a clear separation of bandwidth providers and content providers. To the consumer, it certainly seems like the carriers are raising the cost of providing streaming media such as NetFlix, while at the same time introducing such services themselves. It certainly gives the perception of anti-competitive billing, trying to force NetFlix out of the market by making it too expensive.

 

–Bob Jonkman
6 James St.
Elmira ON Canada
+1-519-635-9413

(CRTC Comment Reference number: 139217 )

Feel free to use any of these comments in your own submission!

autoroute à emails by Biscarotte

Is it just Hotmail? What else could I use? Can’t I just change my password?

Changing passwords is only an effective solution if the account was compromised by social engineering, eg. the legitimate user giving out the password in a phishing attempt or other direct means, or if a simple password was guessed or cracked.

There is evidence that Hotmail and Yahoo’s password recovery mechanism is flawed (eg. the Sarah Palin breach), so that malusers can acquire a new password for an account. I don’t think this is happening, because victims are not reporting being locked out of their accounts. Of course, if the service merely sends out the current password then this may be what is happening, and no amount of password complexity will protect the account.

If the passwords were compromised by an automated password cracker then I would expect only simple passwords to be breached, and accounts with strong passwords would be safe. I do not know what kind of passwords were in use by the people who have compromised accounts, but it is likely they were simple passwords.

While I have no evidence, I think the current rash of breaches is due to a more systematic attack by URL munging, or fuzzing the inputs on a POST request, or some other attack vector. These attacks do not require an authenticated login, and in that case no amount of password complexity will provide security either.

I haven’t heard of similar compromised accounts in Gmail, so that may be a suitable alternative for now. I’ve been recommending that people use the mail accounts provided by their ISPs, largely so that they can make use of the ISP’s technical support if their accounts do get compromised. And, of course, if they’re paying their ISP for a mail account then there may be immunity from liability (“My mail account was compromised and I was paying my ISP for security, so all this spam is their fault”).

–Bob.

Update 5 Feb 2012: I retract the first sentence in the last paragraph. E-mail Administrator friends have been telling me that Google Mail is just as vulnerable as Hotmail and Yahoo. Having just read “Hacked!” in The Atlantic I’m convinced the problem of compromised mail accounts is worse than I thought, and that no online providers (especially the “free” ones) adequately protect the e-mail of their users.

autoroute à emails by Biscarotte is used under a Creative Commons by-sa-v2.0 license.