Security Lesson 4: Play Safer Online
Browse the Internet without getting Attacked
The average user is most vulnerable when they're browsing the internet. It is too easy to make decisions that can compromise your security and provide attackers valuable advantages. Let's make better decisions together.
Secure Browsing with https://
Websites start with either http:// or https://. If the 's' is missing, your traffic is unencrypted and open to attackers! This could be because the website forgot to implement https, didn't have time, didn't care about security, or simply made a mistake. Never submit information to a site that doesn't have https. You can also protect yourself further by installing HTTPS Everywhere, a browser extension that attempts to use https even on sites that were set up for http. Note that it makes an attempt but doesn't work on every single website.
Accessing the Internet
WiFi at Home
Most people just set up their WiFi at home without a password, or leave it with the default. This is dangerous because it lets anyone log into your WiFi. They can redirect traffic to their own devices and collect your personal information. Malicious actors will drive down streets looking for vulnerable WiFi networks.
Your router is the device with antennae you got from your internet provider, and is where you can protect yourself.
The default passwords to access routers are often published online, and most of them are just admin or password, so it is very easy to guess your way into a router that hasn't been properly secured. Take these steps right now:
- Change the username and password you use to log onto your WiFi (absolute minimum)
- Change the admin or root password that accesses and modifies your router settings
- Add a separate guest account with a different username and password
- Ensure the device is using at least WPA2 encryption (not WEP or WPA)
- Add the passwords above to the password manager you set up in Lesson 3
The bonus is you can now choose fun usernames like wutangwifi and passwords like ghostdogsamurai and you're being way more secure. Way easier than the random string of characters that came with your router you have to dig out every time someone needs WiFi, right?
To do everything above, you just need to log into the router. You can do this from your phone or laptop, and it should only take a few minutes. The information you need will be printed on the side of the router. If not, search Google for your router's 'model number' plus 'change passwords' to find a guide.
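To confirm the encryption step took effect, you can check what your network actually advertises. This added example (not part of the original lesson) flags any network that accepts something weaker than WPA2, including mixed WPA/WPA2 mode; the sample lines are constructed in the terse `SSID:SECURITY` shape assumed from NetworkManager's `nmcli -t -f SSID,SECURITY device wifi list`.

```python
# Weakest-first ranking of the protections named in the lesson.
RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}
ALIASES = {"WPA1": "WPA"}  # assumed nmcli spelling for first-generation WPA

# Constructed sample scan output; a literal ':' inside an SSID is backslash-escaped.
SAMPLE_SCAN = r"""
wutangwifi:WPA2
CoffeeShop Free:
OldPrinter:WEP
Home\:Upstairs:WPA1 WPA2
Office:WPA2 WPA3
"""

def split_terse(line):
    """Split a terse line on ':' while honouring backslash escapes."""
    fields, cur, escaped = [], [], False
    for ch in line:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields

def weakest_mode(security):
    """A network is only as strong as the weakest mode it still accepts."""
    if security.strip() in ("", "--"):
        return "OPEN"
    modes = [ALIASES.get(t.upper(), t.upper()) for t in security.split()]
    known = [m for m in modes if m in RANK]
    return min(known, key=RANK.get) if known else "UNKNOWN"

def audit(scan_output, minimum="WPA2"):
    """Return (ssid, weakest mode) for every network below the minimum."""
    findings = []
    for line in scan_output.strip().splitlines():
        fields = split_terse(line)
        if len(fields) < 2:
            continue  # not an SSID:SECURITY line
        mode = weakest_mode(fields[1])
        if RANK.get(mode, -1) < RANK[minimum]:
            findings.append((fields[0], mode))
    return findings
```

A router that shows up as WPA here even though WPA2 is enabled is running in mixed mode; switching it to WPA2-only in the router settings removes the weaker option.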
WiFi in Public Places
When accessing public WiFi networks you are only as secure as the people who set up the network made you. It's also more dangerous because there will be many more people already in the same network. Think of places like cafés and coffee shops, libraries, restaurants, anywhere you may log into private accounts or enter information. The classic example is logging in to check your banking information at a coffee shop.
Some things that attackers can do:
- if there is unencrypted traffic (such as http) they can access the actual information being entered like credit card numbers or usernames and passwords - be especially diligent that sites use https in public
- see what sites you access (like which email or bank) to make guesses and start more advanced identity attacks
- in some cases they could directly access your machine - this is far more difficult though
To protect yourself you should make use of a VPN, which we'll get into a bit below.
VPNs (Virtual Private Networks)
A VPN can be thought of as a network of computers used to connect to remote sites. The VPN secures your internet connection to ensure that most (but not all) data you’re sending and receiving is encrypted and safe from attackers.
There are many VPN providers to choose from. Most cost money but some are free. A popular and easy-to-use free choice is TunnelBear. A popular paid choice is ExpressVPN. Do your own research. There are many considerations like the level of security and encryption, how many logs are kept on users, and how likely those logs will be handed over to the authorities if they suspect illegal usage.
VPNs can provide nice advantages beyond security, like watching that Netflix show that's blocked in the country you're on vacation in. Note however that content providers are working to block this sort of usage so there's no guarantee the VPN will work. VPNs were also one of the key security tools used to help journalists and dissidents communicate anonymously during the Arab Spring.
VPNs are not a perfect tool and have flaws. You should still always use a VPN when entering or viewing private information on public networks.
KRACK WiFi Vulnerability
Unfortunately, a major vulnerability was found in WiFi WPA2 encryption back in 2016 called KRACK (Key Reinstallation Attack). This is a serious vulnerability and means even the wpa2 protections we set above can be bypassed, allowing attackers to intercept sent and received data. Ultimately all router providers must update their software to protect against these attacks, but you can protect yourself by keeping your devices updated like we learned in Lesson 2. Advanced users may want to google their 'router model KRACK protection' to see if there are settings they can opt into for more security.
Blocking Trackers and Ads
There are many entities that want your private information online. The most common one is advertisers. The reason Google is valued at more than $1.5 trillion and Facebook over $850 billion is that they have an amazingly high quality product for their primary customer; no, not you the user, but advertisers. Others like insurance providers also want your data so they can guess risks about you and charge higher premiums. You can do a lot to protect yourself against advertisers.
- One, you can remove ads from your life by using ad blockers. This also makes the internet way less stressful and overwhelming of a place to be.
- Two, you can reduce the amount of information they can collect through your browser by using tracking protections.
Ad Blockers
Add an ad blocker to have a much cleaner and crisper experience online, and avoid being manipulated by advertisers. Some can even block ads in YouTube videos. Two popular choices that I use are Adblock Plus (also has a mobile browser app, note this is unrelated to the similarly named AdBlock) and uBlock Origin (which is optimized for high performance, note this is unrelated to uBlock.org).
Note: Confusingly, Adblock Plus is unrelated to the similarly named AdBlock and uBlock Origin is unrelated to uBlock.
Go ahead and install one or more ad blockers on your browser and also mobile device. Note that running ad blocking can slow down your machine a bit so if this is a problem try out a different one. There are many choices; check out this Tom's Guide article to help decide which one you want to use.
Protections Against Trackers
Beyond just blocking ads there are browser extensions that can prevent companies from tracking your browsing online. The most common method trackers use is cookies, basically little text files a website stores on your machine. Now companies use sneakier web beacons like Facebook Pixel, a little invisible pixel that loads on sites without you knowing but allows Facebook to know you went there, even if you're not logged in to Facebook.
These attacks can be blocked by browser extensions like Ghostery and Disconnect (which also has an iOS app). Add one now!
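To see what a web beacon looks like in a page's source, this added example (not part of the original lesson) lists the third-party hosts a page loads resources from and picks out invisible or 1x1 images among them. All domains and the sample HTML are constructed, and "same site" is approximated by the last two labels of the hostname rather than a real public-suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page for the hypothetical site www.news.example.
SAMPLE_PAGE = """
<img src="/logo.png" width="200" height="80">
<img src="https://cdn.news.example/photo.jpg" width="600" height="400">
<script src="https://static.adnetwork.example/tag.js"></script>
<img src="https://pixel.adnetwork.example/tr?id=123" width="1" height="1" style="display: none">
<img src="//metrics.example/b.gif" height="1" width="1">
"""

def site_of(host):
    """Crude same-site key: last two hostname labels (simplifying assumption)."""
    return ".".join(host.lower().split(".")[-2:])

class BeaconFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_site = site_of(urlsplit(page_url).hostname or "")
        self.third_party_hosts = set()
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag not in ("img", "script", "iframe") or not a.get("src"):
            return
        url = urljoin(self.page_url, a["src"])
        host = urlsplit(url).hostname or ""
        if not host or site_of(host) == self.page_site:
            return  # first-party resource or inline data: URL
        self.third_party_hosts.add(host)
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        if tag == "img" and (tiny or hidden):
            self.beacons.append(url)  # an image nobody is meant to see

def find_beacons(page_url, html):
    """Return (sorted third-party hosts, URLs of likely tracking pixels)."""
    finder = BeaconFinder(page_url)
    finder.feed(html)
    return sorted(finder.third_party_hosts), finder.beacons

if __name__ == "__main__":
    hosts, beacons = find_beacons("https://www.news.example/story", SAMPLE_PAGE)
    print("third-party hosts:", hosts)
    print("likely beacons:", beacons)
```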
Header image credit: Yuri Samoilov