Paranoid Web Browsing

Lately I've found myself explaining to several people how to set up their web browser for maximum safety. There are lots of ways to attack a web browser, and the days when you could hop online with Internet Explorer and be fine are long gone (if they ever existed to begin with). Here's what I do to crank up the paranoia level:

1) Use the Firefox web browser. It is not sponsored by a corporation that is interested in tracking your activities. It has a lot of third-party plugins for augmenting your privacy and security. It is free to download and it runs on both kinds of operating systems: Windows XP and Windows 7.

2) When I install Firefox, I go to the options page and make a few changes. First, I set my home page to something that's neutral, like http://www.google.com/ . In the privacy tab, I select "Use Custom Settings" and check the box that says "Clear history when Firefox closes." Then I verify through the settings window that this means deleting Cookies, Active Logins and Cache, as well as the three kinds of history.

3) Then I install Firefox plugins using the Tools -> Add-ons window. In the Get Add-ons tab there is a search bar that helps you quickly locate useful extensions. The ones that I install are Adblock Plus (for blocking ads), NoScript (for blocking script execution except on sites that I whitelist), Flashblock (for not running Flash animation by default), BetterPrivacy (for deleting Flash cookies when Firefox exits) and PrivacyChoice Opt-out (for opting out of hundreds of tracking networks like Google and AOL). The most disruptive of those to my usual browsing experience is NoScript. After a fresh install I find that I am constantly having to whitelist my regular sites, using the Options button that NoScript makes available at the lower right when a web site requires some type of scripting to behave properly. In the long run, though, NoScript might be the most important protection against attack, because the vast majority of attacks against web browsers involve some kind of scripting. NoScript ensures that my browser does not run every single script by default, possibly helping me to avoid attacks that the anti-virus programs or browser makers aren't aware of yet.

4) Before logging in to a web site using a username and password, I exit from my web browser and open a new instance. Since I've configured Firefox as described above, this clears out all of the tracking cookies that my previous browsing may have accumulated. When I'm done using the web site that I'm logged in to, I close Firefox again. As a result, amazon.com doesn't know what my Google user name is, and doubleclick.net doesn't get to track my interests across multiple web sites. Attacks that involve reading my browsing history are also minimized, because I've cleared my browsing history automatically.
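Step 4 only works if the clear-on-close settings from step 2 are really in effect, and that can be checked from the profile's prefs.js as well as from the settings window. The script below is an added example, not part of the original post. The preference names and their defaults are assumptions taken from Firefox releases of that era (the post names only the checkboxes), and the sample file is constructed.

```python
import re

# Assumption: pref names as used by Firefox releases of that era.
MASTER = "privacy.sanitize.sanitizeOnShutdown"   # "Clear history when Firefox closes"
CATEGORIES = {                                   # checkbox label -> pref name
    "Cookies": "privacy.clearOnShutdown.cookies",
    "Active Logins": "privacy.clearOnShutdown.sessions",
    "Cache": "privacy.clearOnShutdown.cache",
    "Browsing History": "privacy.clearOnShutdown.history",
    "Download History": "privacy.clearOnShutdown.downloads",
    "Form & Search History": "privacy.clearOnShutdown.formdata",
}
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {name: raw value}; a later line overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def effective(prefs, name):
    """prefs.js stores only non-default values, so fall back to the default.
    Assumed defaults: master switch off, each of the six categories on."""
    if name in prefs:
        return prefs[name] == "true"
    return name != MASTER

def audit(text):
    """Return the labels of data that would survive closing Firefox."""
    prefs = parse_prefs(text)
    if not effective(prefs, MASTER):
        return list(CATEGORIES)   # master switch off: nothing is cleared on exit
    return [label for label, name in CATEGORIES.items()
            if not effective(prefs, name)]

# Constructed sample: clearing is enabled, but cookies were unchecked.
SAMPLE = '''\
user_pref("browser.startup.homepage", "http://www.google.com/");
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.cookies", false);
'''

if __name__ == "__main__":
    for label in audit(SAMPLE):
        print("kept after exit:", label)
```

An empty result means everything listed in step 2 is cleared when Firefox closes. A profile that has never been configured reports all six categories, because the master switch is off by default.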

That's about it. Is there anything I've overlooked?


  1. I think #3 is probably the most intimidating step for most folks (that or #1, but I try to not be friends with people who don't use Firefox). I'll be honest, #4 does have the tiniest bit of tin-foil-hat feel to it :)

    Though the talk of tracking reminds me of something that made me chuckle this weekend: when I logged into Facebook to reply to the wave of birthday well-wishes, in the ads block, there was one that said, "Happy Birthday from... Mark Neumann for Governor!" and told me which of my friends follow that group. It was funny and a little bit scary at the same time.

  2. For *any* browser, on *any* OS... Windows, Mac OS X, any Linux, etc.

    DO NOT log in with administrator privileges. Most browser attacks can be negated because they only run as the current user; not all, but most.