Protecting your personal items, from passports to baseball cards, usually means securing a lock. Protecting your digital data, from financial records to family photos, isn’t as straightforward.
“More and more data is coming through the browser,” says Cooper Quintin, staff technologist at the Electronic Frontier Foundation, “and more and more of that is potentially at risk, if your browser were to get compromised.”
To improve your desktop browser’s security, experts recommend taking the following steps.
Ensure that it’s up-to-date
No matter which browser you choose to use, “it’s extremely important to have the latest version,” Quintin says, “because bugs and vulnerabilities are found all the time in browsers.”
Attackers often attempt to take advantage of unpatched issues in out-of-date versions. To ensure that you are running the latest version of your browser, restart it, and follow any prompts to update it.
Make plug-ins click-to-play
Attackers also target plug-ins, software programs designed to handle specific aspects of the browser experience, such as playing videos.
Because plug-ins comprise a significant amount of code, they are capable of delivering malware or giving an attacker remote control of your machine. Popular plug-ins include Java (supported by Oracle), Silverlight (Microsoft), QuickTime (Apple), and Flash Player (Adobe Systems), the last of which has become notorious for serious and prevalent vulnerabilities.
To better protect your browser from plug-in vulnerabilities, you can change your browser’s settings to require it to ask your permission before running each plug-in. You can have it block any plug-in content it identifies as unnecessary or potentially malicious. Or you can disable each plug-in you’re concerned about, says Richard Barnes, Firefox security lead at Mozilla.
“By turning off Flash, you can make yourself safer because it’s one less piece of code for attackers to be able to exploit,” Barnes says. “The cost of that, of course, is that you might not be able to use some sites that depend on Flash.”
Many sites have moved away from Flash in recent years, Barnes notes. And Google has pledged to block it on Chrome for most sites by the end of this year.
Block location tracking
Website publishers often track their visitors’ location to learn more about their audience, serve location-based ads, and provide location-based services such as maps and directions. But a remote attacker who pairs your location with your browsing habits could more accurately determine who and where you are.
Quintin recommends updating your browser settings so that it asks for your permission each time it is prompted to disclose your location.
“It can increase privacy a lot,” Quintin says, “but the trade-off is that some websites will stop working.”
Disable automatic access to your computer’s mic and camera
You might not think about your computer’s webcam or mic unless you’re using an application such as Skype. But if your browser settings are configured to allow a site to access either without getting your permission first, an attacker could surreptitiously record you.
“It’s a huge violation of privacy,” Quintin says.
This can still be an issue on sites you consider trustworthy, Quintin says. An attacker might have discovered a way to run his own malicious code on the site, which could secretly turn on the mic or camera. To address this potential issue, change your browser settings to require permission every time a site wants to access either.
Check the URL bar for “HTTPS” before submitting passwords
Before you enter your password on a site’s log-in page, ensure that the URL bar displays “HTTPS” (and possibly a lock icon), indicating that your browser’s connection to the site is encrypted. When it is present, anyone eavesdropping on your connection won’t be able to see what you type, such as your password. This helps prevent unauthorized access to your accounts, which is especially important for services pertaining to sensitive data such as banking.
To go the extra mile, Barnes recommends that wherever possible, you enable two-factor authentication, requiring an extra step of verification—usually by SMS or an authenticator app—to ensure that the person attempting to log into your account is indeed you.