HIPS Series > Safer Web Surfing

How to take this course

Hyperlinks to supplemental content are provided, should you wish to read more about a particular topic. This extra material is optional. It is not covered on the associated course quiz. The supplemental content will usually be presented in a new browser window, which you may close at any time.

For the recommended reading sequence for these materials, see the HIPS Series Overview.

Approximate reading time for this course is 10 minutes (exclusive of linked content). The quiz for this course is here.
1. Why are you here?

As you learned in the introductory courses, security training is usually required for everyone in an organization's workforce who has access to its information systems. Learning to surf the Web appropriately and safely is an important part of that training.

The World Wide Web (WWW or Web) provides access to billions of pages of content. It's an easy and convenient way to get information for a range of purposes. But the Web is not a completely secure place -- indeed, some parts of it are very dangerous. It poses large security risks if used unsafely.

The average worker today spends hundreds of hours a year surfing the Web at work, and hundreds more doing so at home. Take the time to learn how to do it right.
2. What is "browsing"?

A Web browser is a relatively simple piece of software. Given a unique Web address -- formally called a "uniform resource locator" or URL -- it coordinates communication between your computer and the server computer where a particular Web site's content is stored.

When you open your browser and type in a URL, the browser translates the address into the server's network address (using a system called DNS), contacts that server, and requests the page you asked for.

When the server sends the page contents, the browser interprets the codes for the text, images and other elements (written in a language like HTML or XML), formats all of that for your computer screen and displays the result.

Web sites may also offer the opportunity to "stream" audio and video, or to download files containing documents, images, software or other content. While the vast majority of Web content is benign, it's possible for it to contain harmful elements like viruses or data-harvesting spyware.

Web pages may be "static" (the same for everyone) or dynamically created, such as when a search engine constructs a page of results for a particular query.

Powerful "active" elements in a page may be used to enhance the visual experience -- in effect, running small programs on your computer. Unfortunately, these active elements can also be used for malicious purposes. If you follow safe practices, however, you'll generally be just fine.
3. Watch where you go

In the physical world, not all locations are equally safe. The same is true of the virtual world. The difference in the virtual world is that you are only one click away from a potentially dangerous location -- and the signs of danger will rarely be obvious.

What do we mean by dangerous? If your Internet browser is not up to date and configured with appropriate security settings, even a short visit to a Web site can result in infection with malicious software. (We discuss browser updating and security settings below.)

Be sure you are going where you think you are. Particularly when you visit a Web site where you'll be exchanging sensitive information -- such as a bank or credit card Web site -- type the URL into the browser address bar, or use a bookmark you created after typing in the URL.

When you place your cursor over a link, most browsers will display the link's actual URL in the "status bar" at the bottom of the window. Get in the habit of looking at that address to be sure it matches where you think you're going.

Get URLs from trusted sources. Rely on a physical (paper) document that you know is authentic, or a Web search engine you trust (using a URL for that search engine that you know is authentic).

Do not rely on links in an email message unless you are absolutely confident of the source. You could fall victim to a phishing scam that directs you to a phony Web site, where you'll be tricked into disclosing personal information for identity theft. This is a very common crime, with millions of victims every year.

Note that in most email systems, senders' email addresses can be easily faked. Just because an email appears to come from someone in your organization, or even someone you know, does not guarantee that it is authentic.
4. Watch what you do

Use caution whenever you click. Clicking on the links of a Web page -- formally, they're called "hyperlinks" -- usually just takes you to a different page. But links can also initiate downloading or running software on your system. That's fine if you intended to do that, and the site is trustworthy. (This is another reason to get in the habit of looking at the browser status bar to check what a link is "really" going to do.) Be particularly cautious about clicking on links in pop-up windows and advertisements.

Use even more caution whenever you download. Downloaded software can be infected. Having up-to-date anti-virus and anti-spyware on your system is an essential protection, but it doesn't guarantee that downloading is safe. Be sure you're using a trusted source. Freeware and shareware sites are risky. Peer-to-peer (P2P) downloads are particularly risky. Malicious software is endemic to such services. That's why most organizations prohibit downloading from such sites and services onto workplace systems.

Use the greatest caution whenever you initiate the execution of a program. Some Web-based utilities require installation and execution of a (small) program on your system -- called a "client." But unless you are absolutely confident in the source, allowing programs to be installed and executed on your computer is very risky.

Make sure the connection is "secure" (encrypted) whenever you are exchanging sensitive data. You can identify a secure connection by the "https" at the leftmost part of the site's address (URL) in the browser's address bar, and by a "lock" icon somewhere in the browser's status bar (usually in the bottom right corner).

If a browser window looks right but does not have a secure connection when it is supposed to -- any time you're asked for sensitive information like user IDs, passwords or account numbers -- do not enter information into that window. Browser windows can be faked. (It's a classic phishing trick to put a fake window in front of a genuine one.) If the window doesn't have an address bar, so that you can see where you are, do not enter any information.
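The two checks sections 3 and 4 ask you to make by eye -- does the link's real address match what it shows you, and does it start with "https" -- can also be written down as code. The following is an added example and is not part of the course: a small JavaScript checker that runs in Node.js or a browser console, using the standard URL parser. The link records at the bottom are constructed samples using reserved example and test host names; `assessLink`, `assessPageLinks` and the list of risky file extensions are this example's own choices, not anything the course defines.

```javascript
// Added example (not from the course): apply the course's link checks programmatically.
// Runs under Node.js or in a browser console; parsing is done by the WHATWG URL class.

// File extensions that mean "clicking this fetches a program, not a page".
// Constructed, illustrative list; extend it to match your organization's policy.
const RISKY_EXTENSIONS = ['.exe', '.msi', '.scr', '.bat', '.cmd', '.vbs'];

// Parse text as an absolute URL; return null when it is not one.
function parseUrl(text) {
  try {
    return new URL(text.trim());
  } catch (err) {
    return null;
  }
}

// Work out which host the visible anchor text claims to point at.
// Accepts full URLs and bare host names like "www.example.com/login";
// returns null when the text is ordinary words rather than an address.
function shownHost(text) {
  const t = text.trim();
  const asUrl =
    parseUrl(t) ||
    (/^[a-z0-9.-]+\.[a-z]{2,}(\/|$)/i.test(t) ? parseUrl('https://' + t) : null);
  return asUrl ? asUrl.host.toLowerCase() : null;
}

// Compare what a link shows the reader (visibleText) with where it really goes (href).
// Returns a list of findings; an empty list means none of the checks fired.
function assessLink(visibleText, href) {
  const findings = [];
  const target = parseUrl(href);
  if (target === null) {
    return ['unparseable-href'];
  }
  // Course check 1: "https" at the leftmost part of the address.
  if (target.protocol !== 'https:') {
    findings.push('not-https');
  }
  // Course check 2: the address in the status bar matches the one you expect.
  const claimed = shownHost(visibleText);
  if (claimed !== null && claimed !== target.host.toLowerCase()) {
    findings.push('host-mismatch');
  }
  // Course check 3: will the click download or run a program rather than open a page?
  const path = target.pathname.toLowerCase();
  if (RISKY_EXTENSIONS.some((ext) => path.endsWith(ext))) {
    findings.push('downloads-executable');
  }
  return findings;
}

// For a browser console: list every link on the current page that raised a finding.
function assessPageLinks(doc) {
  return Array.from(doc.querySelectorAll('a[href]'))
    .map((a) => ({ text: a.textContent, href: a.href, findings: assessLink(a.textContent, a.href) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample links (reserved example/test host names, not real sites).
const SAMPLE_LINKS = [
  { text: 'https://www.example.com/login', href: 'https://www.example.com/login' },
  { text: 'https://www.example.com/login', href: 'http://www.example.com.other.test/login' },
  { text: 'www.example.com', href: 'https://login.example.org/' },
  { text: 'Free screensaver', href: 'https://downloads.example.net/fun.scr' },
];

// Stand-alone run under Node.js: print each sample link with its findings.
if (typeof require !== 'undefined' && require.main === module) {
  for (const link of SAMPLE_LINKS) {
    console.log(link.href, assessLink(link.text, link.href));
  }
}
```

The host comparison is deliberately strict: a visible "www.example.com" pointing at "login.example.org" is reported even though both may belong to the same company, because that is exactly the case the course tells you to stop and look at. In a browser, `assessPageLinks(document)` applies the same three checks to every link on the page you are viewing.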
5. Which browser should you use?

Personal computers come with a Web browser installed -- Internet Explorer (IE) for Windows systems, and Safari for Macs. Alternative browsers can offer additional features, a different look and feel, and, sometimes, better security. (Because IE is the dominant browser for Windows, it tends to be the dominant target for hacker attacks.)

Popular alternatives to Internet Explorer include Firefox, Netscape and Opera. All are free. Firefox, Netscape and Opera are also available in Mac OS (as well as Linux) versions.

Note that some Web services and sites are designed to make use of features found only in Internet Explorer; they will look or behave differently, if they work at all, in other browsers. If you are a Windows user, you can use an alternative to IE for much of your browsing, but probably not all of it.

Note that you will need to pick a "default" browser -- the one that will automatically open any time you click on a link (such as in an email). The other browsers you'll need to start up manually.
6. Use appropriate security settings

Whichever browser you use, it is critical that you use appropriate security settings. This is much more important than the particular browser you choose.

Security is increased by disabling "active" components that run programs on your computer. This can make your browsing much safer, but also less enjoyable and functional. If you set a high security level you may have to periodically reduce it (e.g., to download or execute a file from a trusted site).

For Internet Explorer, use the Tools > Internet Options > Security menu. Set at least a medium level of security for general browsing. Or set the security level to high, and put regularly-used Web sites in the Trusted Zone. For other browsers, the Tools menu will have different options and settings.
7. Keep your software updated

Whichever browser you decide to use, it is critical to keep it updated. This is also more important than the particular browser you choose. Internet Explorer, Firefox, Netscape, Opera and Safari all can be set to update themselves automatically (without your intervention) or to prompt you when updated versions are available.

It is also critical that you keep the rest of your software updated, including the anti-virus and anti-spyware you use, as well as your operating system as a whole. Vulnerabilities in software that is not up to date are always targeted by hackers.

Remember that even the newest software cannot assure 100% security. If you don't browse safely, using the guidelines above, you're likely to encounter problems sooner or later.
8. Keep in mind what you leave behind

For your convenience, most browsers keep a "history" of all the sites you have visited. The number of days, weeks or months of history is usually something you can set. When you type in a part of an address, the browser can help you find it again by filling in the remainder of the URL. When you forget the address entirely, but have at least some memory of when you visited, you can search the history for likely addresses.

If you use a shared computer, you may not want others to be able to see where you've been. So you will need to flush (delete) the history records.

Most browsers also keep a "cache" of temporary copies of recently-visited pages, to allow you to view them faster if you return. They can also keep copies of things you've entered in online forms (like names, addresses and telephone numbers), online passwords, downloads, and so on. As with histories, this record may not be something you wish to share with other users of a shared computer.
9. Keep in mind what the Web sites have left behind

Web sites regularly use "cookies" and "session variables" to keep track of where you have been on the site. This can enhance your experience -- e.g., by remembering the particular pages you've visited, so you can quickly return to them.

Not coincidentally, cookies also help the site's designers figure out how to make it more attractive, which can help their business. You'll have to decide if the cost in privacy is worth the convenience to you.

Cookies that sites use to do this are called "first-party cookies" -- because the company that produces the site generates and uses them. (In a report from an anti-spyware product, they will typically reveal their affiliation by including the name of the company in the file name.)

Cookies that track your behavior across many sites, typically placed by a marketing organization, are called "third-party cookies." Most likely, you'll want to get rid of those using anti-spyware or anti-adware tools. For more information, see the entry on spyware and adware.

You can set your browser to reject all cookies, but that will cause some Web sites to perform in a limited way, and others will not perform at all.
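The first-party versus third-party distinction above comes down to one rule: a cookie is first-party when its domain matches the site you are on. The following is an added example, not part of the course, showing that rule in JavaScript so you can sort a list of cookies from your browser's cookie viewer into the two groups. It uses the domain-matching rule from RFC 6265 (a host matches a cookie domain when it equals it or ends with "." followed by it) and, as a simplification, ignores the public suffix list that real browsers also consult. The cookie records and the names `domainMatches` and `classifyCookies` are this example's own constructions.

```javascript
// Added example (not from the course): sort cookies into first-party and third-party
// relative to the site being visited, using the RFC 6265 domain-matching rule.
// Simplification: no public suffix list, so a cookie set for a shared suffix such as
// "co.uk" would wrongly count as first-party on a .co.uk site.

// True when `host` (the site in the address bar) matches `cookieDomain`.
// A leading dot on the cookie domain is legacy syntax and is ignored.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  // The "." boundary matters: "notexample.com" must not match "example.com".
  return h === d || h.endsWith('.' + d);
}

// cookies: [{ name, domain }] as shown in a browser's cookie viewer.
// Returns the cookie names grouped as { firstParty: [...], thirdParty: [...] }.
function classifyCookies(pageHost, cookies) {
  const result = { firstParty: [], thirdParty: [] };
  for (const cookie of cookies) {
    const bucket = domainMatches(pageHost, cookie.domain) ? result.firstParty : result.thirdParty;
    bucket.push(cookie.name);
  }
  return result;
}

// Constructed sample: cookies one might see while visiting shop.example.com.
const SAMPLE_COOKIES = [
  { name: 'session_id', domain: 'shop.example.com' },   // set by the site itself
  { name: 'recent_pages', domain: '.example.com' },     // set for the whole company domain
  { name: 'ad_tracker', domain: 'ads.tracker.test' },   // set by an advertising network
  { name: 'cross_site_id', domain: '.analytics.test' }, // set by a tracking service
];

// Stand-alone run under Node.js.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(classifyCookies('shop.example.com', SAMPLE_COOKIES));
}
```

The third-party group is the one the course suggests removing; most browsers also offer a setting that blocks third-party cookies outright while leaving first-party ones alone, which usually keeps sites working.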
10. If you remember nothing else

(1) Keep your browser software up to date.
(2) Use appropriate security settings.
(3) Rely on trusted sources for Web addresses.
(4) Remember that not all destinations on the Web are equally safe. Adjust your behavior while surfing in accordance with the risk.