Protecting Your Privacy and Security

Fundamentally, the Web is a file-transfer medium: Your web browser asks a web server for a document, which the web server delivers to your computer. At this level of analysis, there's very little to concern you regarding security and privacy. Unfortunately, the Web has grown very complex, and those with ill intentions can abuse complex web browser features to break into your computer, steal sensitive data, display unwanted and annoying content, or track your online activities. You can take some steps to improve your chances of avoiding abuse, but some of these actions can be limiting or complicated to set up. At the very least, though, you should be aware of the issues and the risks you take when you browse the Web.

Minimizing Java and JavaScript Risks

Most modern web browsers support Java and JavaScript, which are programming languages often associated with web pages. JavaScript code can be embedded within a web page, and a JavaScript-enabled web browser will run the JavaScript code automatically. Java programs aren't embedded within web pages, but they are run from them via links. In both cases, enabling their use is a potential landmine; a malicious individual could create a web page that does unfriendly things and make it available to the public.

If you would like to reduce the risk from unfriendly Java or JavaScript code, you must locate the options that enable these features in your browser and disable them. For instance, in Mozilla, pick the Edit O Preferences menu item to bring up the Preferences dialog box. The Java option is in the main Advanced category, and the JavaScript option is in the Advanced O Scripts & Plugins area. The latter area is shown in Figure 8.8.

Figure 8.8: You can disable features such as Java and JavaScript in a web browser's configuration dialog box.

Unfortunately, disabling Java and JavaScript will likely render some web pages useless. A large number of web pages rely on JavaScript for routine operations, and some use Java for vital features, as well. Some web browsers enable you to fine-tune some Java or JavaScript features. For instance, the Mozilla Preferences dialog box shown in Figure 8.8 provides options to allow or disallow certain JavaScript actions, such as opening unrequested windows or reading cookies. If you leave Java and JavaScript enabled, you might want to disable at least some of these actions. Some features, such as opening unrequested windows, are used primarily by a rising bane of web surfers everywhere—pop-up ads, which appear in windows atop your browser window.

Tip You may want to lock down one web browser and use it whenever possible. You can leave another one configured to use Java and JavaScript, and use it only for those sites that require these features.

Attending to Encryption

Some websites—particularly online retailers, banks, and other sites that deal with financial data—provide the option to encrypt data transfers. This encryption uses the Secure Sockets Layer (SSL) protocol. Most web browsers provide a small padlock icon, usually in a status bar near the top or bottom of the window, to indicate whether a page uses SSL encryption. If the padlock icon is closed, encryption is enabled; if it's open, encryption is disabled. Many browsers also come configured to pop up a dialog box that informs you whenever you enter or leave an encrypted site.

Before you send sensitive data, such as credit card numbers, you should check to be sure that the site is using encryption. If it's not, somebody at a site between you and the web server could intercept the communication and steal your data. If a retailer doesn't offer an encrypted order form, you should consider ordering by telephone or buying from another retailer.

Warning Sensitive data can be stolen even if you use a secure website. For instance, retailers' databases have been compromised and credit card numbers stolen from them. Of course, similar risks exist even when you shop at brick-and-mortar retailers. The point is that SSL encryption is not a security panacea.

SSL encryption works through the use of encryption keys. These keys are digital "signatures" provided by one of a handful of companies set up to provide them. Web browsers ship with a number of certificate authorities' (OAs') keys built in. If a website uses one of these CA's keys, the web browser accepts the encryption. Sometimes, though, you'll run across a site that uses a CA that's not recognized by your browser. When this happens, your browser will display a dialog box informing you of this fact and giving you the option of proceeding with the transaction or aborting. As a general rule, it's safest to abort the transfer; an unrecognized key could signal a compromised server—somebody could have broken in or redirected web traffic in an effort to steal sensitive data. It's also possible that the key is valid, but that your browser doesn't recognize it—say, because your browser is old and hasn't been updated with the latest keys. Therefore, you may want to use a more recent browser to perform the transaction.

Filtering Content Using a Proxy Server

The Web is becoming an increasingly hostile environment in many respects. Some of these relate to security, but others are matters of obnoxious content. Examples include banner ads, pop-up ads, pornography, and graphic violence. You might want to filter such content from your web browsing, to save your own sanity, to prevent your children from being exposed to inappropriate material, or to reduce employee time wasted on such material. The question is how to do this. Some web servers provide partial solutions. For instance, Mozilla can prevent JavaScript from opening unrequested windows, which are used almost exclusively by pop-up ads, as described in the earlier section, "Minimizing Java and JavaScript Risks." For the most part, though, the solution lies in the use of a proxy server, which is a server program that sits in-between your web browser and the ultimate web server system. The proxy server can then filter out certain types of content, typically based on sites that it knows serve the objectionable material or on Uniform Resource Locators (URLs) that contain giveaway keywords, such as ads.

The first step in using a proxy server is in setting one up. Many are available, each tailored to a specific need. Popular examples include:

Privoxy This content-filtering proxy server is based on the older Internet Junkbuster and is designed to eliminate banner and pop-up ads as well as tame cookies (see the next section, "Managing Cookies") and other privacy-degrading web features. Read more at http://www.privoxy.org.

Squid The Squid proxy (http://www.squid-cache.org) is designed primarily as a speed enhancer for midsized to large sites. By retaining recently accessed web pages, the proxy can return subsequent requests for the same site more rapidly than a true site access. Squid is extremely flexible, though, and add-on packages enable it to serve as a content filter.

SquidGuard This package is an add-on that adds content filtering features to Squid. You can use it to filter ads, porn, Java, and even JavaScript. You can read more at http://www.squidguard.org.

DansGuardian This program is another Squid add-on that can be used to filter ads, porn, hate speech, and other objectionable content. Rather than use a list of "banned" URLs, DansGuardian works by scanning each web page for content, which means it requires less frequent updates to its rules than some other filters. Its web page is http://dansguardian.org.

You should read the instructions for the proxy server to learn how to configure and install it. If you want to block access by people who might want to get around the proxy (say, employees or children), you should run the proxy server on a separate computer and use iptables (described in Chapter 20, "Controlling Network Access") to prevent direct access to web servers from anything but the proxy server computer.

Tip You can use a Linux proxy server to protect non-Linux systems running on the same network as the Linux system.

Once the proxy server software is running, you must normally reconfigure your web browser to use it. You can do this from your browser's configuration tool. For instance, in Mozilla, you would pick Edit O Preferences to open the Preferences dialog box, and then select the Advanced O Proxies category within that dialog box, as shown in Figure 8.9. Select Manual Proxy Configuration, enter the hostname of the proxy server in the HTTP Proxy field, and enter the port on which the proxy server runs in the matching Port field. (Most proxy servers run on port 8000 or port 8080 by default.) Some proxy servers handle SSL (secure web server) transactions, FTP transactions, and so on, so you should enter the server's hostname and port number for these protocols, if appropriate. If you're not blocking all normal outgoing web access, you can enter exceptions in the No Proxy For field. Some websites simply don't work well through a proxy, so these exceptions may be necessary.

[^j Click To expand

Figure 8.9: All major web browsers enable you to specify one or more proxy servers to use instead of direct access.

Managing Cookies

Some types of web transactions require that the server be able to track a user, at least over a limited period of time. For instance, when you buy a product at a web-based retailer, the retailer must know that the person who submits a credit card number is the same person who ordered the copy of Moby Dick and Heathers. One way to perform this tracking is to use a feature known as a cookie. This is a code that the web server asks your browser to store, either temporarily or permanently, as a means of identification. When you begin entering items into a web page's shopping basket, the retailer's web server asks your browser to store a cookie. When you perform subsequent actions, the web server asks for the cookie back, enabling it to track who's ordering what. Cookies can also be used over the long term to enable identity tracking in order to simplify or even eliminate the need to "log in" to web pages that require authorization, such as subscription-based sites.

Unfortunately, cookies can be a powerful tool for those who wish to track your online activities across many sites. For instance, an advertiser might associate cookies with its banner ads, which appear on many sites. The advertiser can then tell which of those sites you've visited. What's more, a handful of companies dominate web-based advertising, so you can be tracked in this way even when the sites you visit carry very different ads. Many people consider the collection of such a database of information on their activities intrusive at best.

One way to manage cookies is to examine the cookie files themselves. For instance, Mozilla stores cookies in the cookies.txt file in the -/.mozilla/default directory or an oddly-named subdirectory of that directory, such as sysog9b8.slt. You can examine this file to learn who's been planting cookies on your system, and edit it to remove unwanted cookies. Unfortunately, this step is temporary—when you revisit a site, its cookies will be added back to your system, although they'll be new cookies unassociated with your original cookies. Also, some web browsers' cookie files aren't easily interpretable. Opera uses a binary format for its cookies, for instance. A more extreme trick is to set up the cookie file as a symbolic link to /dev/null, but this practice is extreme—it means that your system won't remember any cookies. All of these techniques apply only to permanent cookies, which the website tells your browser to store on disk. Many sites also use temporary cookies, which last only as long as the browser is running. Modifying the cookie file won't affect these temporary cookies.

Some proxy servers, such as Privoxy, are designed to intercept and selectively filter cookies, thereby blocking their introduction on your computer. Sometimes these measures can go too far, though—they can block not only privacy-degrading cookies but those required for a web page's normal operation, such as those used by Internet retailers' shopping carts.

Yet another cookie-management tool is the web browser itself. Today's browsers include various cookie-management tools, such as those shown in Figure 8.10 from Mozilla's Preferences dialog box. You can enable all cookies, disable all cookies, or set various restrictions on them. For instance, you might enable cookies only for the originating website, which can foil some tracking done by third-party advertisers. In theory, having the browser ask you before accepting cookies may sound good, but in practice you'll see several cookie requests per page for some web pages if you pick this option, so it can become very tedious very fast. Some browsers, such as Opera, enable you to specify the servers from which you'll accept cookies, and refuse all others.

Click To expand

Figure 8.10: Setting the appropriate cookie options can help you protect your privacy on the Web.

Team LIB

0 0

Post a comment