More than a billion people use the Internet, passing every kind of information in all directions. Much of the information is public, so that there is no concern about others accessing it. However, much is intended to be private (perhaps shared with close friends or family), or even secret. Given the large number of ways of communicating, the varying degrees of concern about keeping data away from prying eyes, and the variety of methods for unauthorized access, security on the Internet is a large and complex topic. The greatest difficulty is not in using the best methods for security, which have been crafted by experts, but in knowing that they exist, knowing what you need them for, and knowing where to find them.
A number of tools are built into the way the Internet works that enable data to be kept private and secure. Most significant among these is public-key encryption, which is used both for making data private and for authenticating users and websites. You rarely need to directly use public-key encryption, but when you use a URL that starts with "https://" or when Firefox warns you about a website's security certificate, public-key encryption is working behind the scenes.
The types of harmful actions that certain people on the Internet try to do fall into several broad categories:
- Defrauding you of money directly
- Stealing your identity (by stealing passwords and other personal information), and then stealing your money
- Harming or hijacking your computer
- Keeping you from accessing certain websites
The "bad guys" have devised a huge variety of strategies for doing these things. People who wish to compromise data security will examine every link in the chain, including you, your computer and its software, your home network, your service provider, the Internet in general, and any sites you might visit, looking for the weakest link. The most valuable information they can get is usually your login name, password, and account numbers for your banking, credit cards, or other financial accounts, in order to assume your identity and drain out as much money as possible.
- Stealing information from websites that you've given it to, such as banks or online merchants. Your bank might not have adequate security on its databases, and someone might steal access information for tens of thousands of accounts. There's not much you can personally do to prevent this. If this happens, the bank must notify you and give you new accounts. Do not reuse your old password.
- Snooping your data traffic and stealing your passwords or personal information. This is what encryption is for, specifically the HTTPS (secure HTTP) protocol. Firefox will let you know when you switch between secure and insecure pages.
- Snooping your data traffic and blocking it from getting through.
- Tricking you into giving them your information or money, via email ("phishing") or phony websites. You can get several kinds of protection from this, but you must still be alert to the warnings you receive, and must be able to recognize phony requests for information. Firefox can help check the identity of websites you visit, to make sure they are run by who they claim to be run by.
- Inserting malicious software onto your computer without your consent. This can happen if your operating system is installed in an insecure way, or is not protected by a firewall.
- Tricking you into installing malicious software. Someone might send you malware in an e-mail. Your mail software can help with this, but you need to understand what not to open.
- Someone might be able to compromise some portion of the Internet, such as a DNS server. They could then reroute traffic to or away from certain sites. This is far less likely than the other possibilities.
Often the same bad guy uses a combination of techniques, such as tricking you into installing malicious software that snoops on your data traffic or that uses your computer to send fraudulent email messages to other Internet users.
Where does that leave you? You have to understand your part in password security and key management, the security settings in your operating system and software, and the signs that you should not open an e-mail or install offered software. Much like you would not leave your keys in your car, and you lock doors when necessary, your participation in security is important and Firefox does a lot to help you with these issues.
On a technical level, the variety of threats present on the Internet include:
- Social engineering, such as phishing (asking for sensitive data while pretending to be someone else with authority to do so)
- SQL injection, smuggling database commands into data a website accepts, such as URL parameters or form fields
- Cross-site scripting
- Malware, malicious software masquerading as something beneficial, or installed without the user's knowledge
- Government or other snooping
The FLOSS Manual How to Bypass Internet Censorship, http://flossmanuals.net/CircumventionTools explains how and why governments snoop, and how to get around snooping, in addition to methods for accessing blocked Web sites.
You cannot protect a Web site from its own mistakes. You can tell them when you find mistakes, and you can avoid sites that do not protect themselves properly.
Setting up a firewall
In general, if you have an always-on connection to the Internet (such as most broadband connections), you should always use a firewall, rather than connecting your computer directly. The basic reason not to connect directly to the Internet is that it provides too many avenues for someone trying to compromise your computer. Even if you have a perfectly secure setup, you don't want the traffic from those who want to break in and inspect your system or install malware on it. Let your firewall block it once for the whole network.
So how should you connect? Through a router with a built-in firewall. Fortunately, if you have a broadband connection, there is probably a firewall built in to the (cable or DSL) box from your Internet service provider (ISP). Ask your ISP if you're not sure. If you have a wireless router, there is probably also a firewall built into it. Be sure you follow the instructions for setting up your wireless network securely.
Who is left? Those on dial-up. You are OK. You don't need a firewall because you have a connection, but not an IP number. You aren't on the Internet; you can just talk to it.
How do you set up the firewall on your router? Typically the router has a local IP address that you can connect to (before your traffic goes out to the Internet) which serves a Web page with the firewall and Internet connection settings. Check the manual, the manufacturer's Web site (from a different network, of course, one that already has a firewall running), or your ISP. You want incoming and outgoing connections to the Web, and you might need an e-mail connection. Don't enable anything else unless you know why you need it.
Setting up security on a new computer
When you connect a new computer to your firewalled network, it may be in a vulnerable state. It certainly does not have the latest security updates for its operating system. Go directly to the update page and get the latest patches or packages. After your system is up to date, then you can think about getting your email or surfing the Web or downloading files.
Choose strong passwords. Your browser or your operating system can remember them for you.
Try to avoid using the same password for accounts that contain important personal information, such as credit card numbers, as for accounts that just store non-critical preferences. If bad guys get your password for one site, they are likely to try it on other sites where they've figured out you have accounts.
If you need to use the same passwords on more than one computer, you can take an encrypted copy of the Firefox password file with you. Then you have to remember only the decryption key for that file. A strong password is as random as you can make it, out of whatever characters are permitted on each site. It is also at least 8 characters long.
- Weak: 042986 (if that is your birthday or anniversary), any dictionary word, any name, any default password provided by or for a Web site
- Strong: m*N4W3@q. Strong passwords have a mix of upper and lower case letters, numbers, and punctuation characters (some sites do not allow punctuation in passwords). One common strategy is to use initial letters from a phrase or title you'll remember, but then substitute numbers and punctuation for some of the letters.
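As an added example (not part of the manual), a small Python checker that applies the rules above: minimum length, a date-like all-digit string, a dictionary word or name (including the "P4ssw0rd" style of substitution, which undoes the very trick the text recommends only when the base is a real word), a default password, and the mix of character classes. The word list is a constructed sample, not a real dictionary.

```python
import re
import string

# Constructed sample list; a real checker would use a full dictionary plus
# name lists and vendor-default / leaked password lists.
WEAK_BASES = {"password", "letmein", "welcome", "firefox", "monkey",
              "john", "alice", "michael", "admin", "changeme", "default"}

# Digit/punctuation substitutions people use for letters ("P4ssw0rd").
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def looks_like_date(pw):
    """Six- or eight-digit strings such as 042986 (a birthday or anniversary)."""
    return bool(re.fullmatch(r"\d{6}|\d{8}", pw))


def base_words(pw):
    """Candidate underlying words: letters only, and letters after undoing substitutions."""
    letters = "".join(c for c in pw if c.isalpha()).lower()
    deleet = "".join(c for c in pw.translate(LEET) if c.isalpha()).lower()
    return {letters, deleet}


def character_classes(pw):
    """Which of lower, upper, digit, punctuation appear in pw."""
    classes = set()
    for c in pw:
        if c.islower(): classes.add("lower")
        elif c.isupper(): classes.add("upper")
        elif c.isdigit(): classes.add("digit")
        elif c in string.punctuation: classes.add("punct")
    return classes


def check_password(pw):
    """Return ('weak' | 'strong', [reasons]) following the rules in the text."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if looks_like_date(pw):
        reasons.append("looks like a date")
    if base_words(pw) & WEAK_BASES or pw.lower() in WEAK_BASES:
        reasons.append("built on a dictionary word, name or default password")
    if len(character_classes(pw)) < 3:
        reasons.append("needs at least three of upper, lower, digits, punctuation")
    return ("weak" if reasons else "strong", reasons)
```

A checker like this only catches the obvious cases; it cannot tell that a password has been reused on another site, which is the other half of the advice above.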
If you are given the option of creating a password recovery question, try to select a question/answer combination that is not commonly known by others, and not one that could be looked up (such as where you went to high school).
If a message is vague throughout, it may come from malware rather than a real person, and if from a person, then someone intent on fraud. If you get an offer that seems too good to be true, assume it is. If a message appears to come from a business, but it has a lot of spelling and grammar mistakes, it may be fraudulent (but even real messages may have some mistakes).
- A legitimate business will never ask for your password, credit card number or other personal information in email. Don't respond to such messages, or click any links in them. If in doubt, go to the main URL for the site by typing it into the Location bar rather than by clicking a link. You could also find and call the customer service number.
- Don't open love letters from strangers. (The I Love You virus).
- Don't respond to offers of millions of dollars from Nigeria or thousands of dollars a week for stuffing envelopes. (Nigerian 429 spam, other spam).
- Don't respond to chain letters. They are illegal as well as pointless.
- If someone says how great your site is, but doesn't mention the name or URL, or anything else about it, they are trying to scam you.
- If someone you never heard of sends you software, don't install or run it. It is probably malware. Don't run it even if it says it is a game or utility you would like. It is probably a Trojan Horse.
- Don't open unidentified files from friends or co-workers. A virus might have sent them. If the message doesn't clearly identify the file and its purpose, ask first. "Here's that spreadsheet I mentioned" doesn't qualify.
- While you are at it, don't pass on scare stories that come to you in e-mail. Most of them are groundless rumors, some rising to the level of Urban Legend. Some are deliberate hoaxes. Real threats will make the news. When you see such a scare story, check it out at Snopes.com, the Urban Legends pages. Check it even if the story claims that the sender "checked on Snopes, and it's real", because hoaxers certainly will lie. (This isn't a security issue, but it keeps you from wasting other people's time with false email messages.)
- When you go to a bank site, PayPal, or other financial site, look for the https: prefix on the URL, and look at the identity information that Firefox gets from the site.
- Use secure HTTP for Google mail and other sites dealing with your sensitive private information.
- While visiting websites or reading email, pay attention to URLs and filename extensions, and to warnings from Firefox. Make sure the URL really goes where you expect it to. Some examples of phony names:
- google.com.exe is most probably a virus, and certainly not a Web site.
- woohoo.png.exe is not a naughty picture, but most likely a virus.
- mail.google.aoeu.com is not Google mail, and neither is mail.g00gle.com.
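As an added example (not from the manual), a Python script that applies the three checks in the list above to attachment names and URLs: a double extension that hides an executable, a trusted name appearing only as a subdomain of some other domain, and digit-for-letter look-alikes. The executable extension list and the "last two labels" rule for the owner's domain are simplifying assumptions.

```python
from urllib.parse import urlparse

# File extensions that run as programs on Windows when double-clicked
# (constructed, partial list).
EXECUTABLE_EXT = (".exe", ".scr", ".bat", ".cmd", ".pif", ".vbs")

# Digits that are easily mistaken for letters in a domain name (g00gle -> google).
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def executable_disguised_as(filename):
    """Return the innocent-looking name an executable hides behind, or None.

    google.com.exe -> 'google.com', woohoo.png.exe -> 'woohoo.png',
    report.pdf -> None, setup.exe -> None (plainly an executable, not disguised).
    """
    low = filename.lower()
    for ext in EXECUTABLE_EXT:
        if low.endswith(ext) and "." in low[:-len(ext)]:
            return low[:-len(ext)]
    return None


def registrable_domain(host):
    """Assumption: the owner's domain is the last two labels (true for .com,
    not for suffixes such as .co.uk; a real checker would use the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url, expected):
    """Warnings for url given the domain the user expects (e.g. 'google.com')."""
    warnings = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    site = registrable_domain(host)
    if parsed.scheme != "https":
        warnings.append("not HTTPS: the page and your login can be snooped")
    if site != expected:
        brand = expected.split(".")[0]
        if brand in host.split(".")[:-2]:
            # mail.google.aoeu.com: 'google' is just a subdomain chosen by aoeu.com's owner
            warnings.append(f"'{brand}' is only a subdomain of {site}")
        elif site.translate(LOOKALIKE) == expected:
            # mail.g00gle.com: digits stand in for letters
            warnings.append(f"{site} imitates {expected} with look-alike characters")
        else:
            warnings.append(f"site is {site}, not {expected}")
    return warnings
```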