• Welcome to Overclockers Forums! Join us to reply in threads, receive reduced ads, and to customize your site experience!

A Guide to Safe Browsing

Overclockers is supported by our readers. When you click a link to make a purchase, we may earn a commission. Learn More.

DreamerBrian

Member
Joined
Sep 19, 2010
Location
Seattle
LAST UPDATE: 30MAR11
As a response to a lot of requests for good anti-virus software I have decided to create a thread outlining best practices for browsing the internet. These guidelines do not pertain to a specific browser as they are browser independent and can be utilized no matter which browser you wish to use.


GENERAL BROWSING
Here at Overclockers we emphasize safe browsing mainly by way of analyzing the URL. The URL (Universal Resource Locator) is entered into the rectangular box that is normally near the top of the web browser's window:

21262252.png


Pictured above is a standard URL. This URL uses the prefix "http". HTTP is a protocol that the World Wide Web uses to fetch web pages. HTTP is not a secure protocol. The packets of data that it transfers from the internet to your PC may be intercepted and analysed by anyone who is capable of doing so (not very hard these days). For this reason, HTTPS was created. HTTPS is the secure version of HTTP and mitigates the chance that someone may decode intercepted packets of data by encrypting them. How do you know if you are using HTTPS? Just look at the URL on your web browser:

88883177.png


Notice the "https" prefix of the URL. This means that the website you are accessing is utilizing the secure version of HTTP and, therefore, your browsing is at a much lesser risk of being eavesdropped upon.

The HTTP and HTTPS protocols are available by anyone around the world who wants to use them. That being said, what if someone with ill intentions sets up a website to trick you into providing sensitive information and slaps HTTPS on the page? Sure your browsing is encrypted, but if you securely give a stranger your sensitive information, you are still giving it away without knowing who you are giving it to. How do you know if the website is legit? Lets say you are logged into Newegg and you are about to make a purchase. How do you know that when you get redirected to the page where you are prompted to enter your credit card information you aren't clicking a 'ghost link' that brings to you a Newegg look-alike website with the agenda of obtaining your credit card information? That's where certificates come in.

A website's certificate is proof that the website you are accessing is indeed itself. A certificate is normally displayed as a box with the name of the company that owns the website within the URL box:

68820200.png


Clicking that box will open up another box that will give you more information about the company that owns the website, who the certificate was verified by, and so on.


UPDATE, UPDATE, UPDATE!
A good way to prevent attacks is to keep your PC and any software that uses the internet up to date. Updates are, quite simply, a fix to problems and vulnerabilities within your software. When your software was first installed out of the box it did not come with these fixes. Most good software companies release updates for software on a consistent basis (Microsoft, for example, releases updates every Tuesday) so that the software's users are continually backed by the most up-to-date protection against malicious activity throughout the internet. Those who neglect to update their software are typically the victims of web-based attacks.

Update your Web Browser: Most all web browsers nowadays will automatically update themselves. Some of them tell you that they are doing it beforehand, some of them don't tell you until afterward, and some of them might not tell you at all. As a user of the software, it is your responsibility to ensure that your updates are being installed as soon as they are available.

Update Plugins: A plugin is software that is used to run specific features on websites throughout the web. Some common examples of these are Java, Adobe, and Quicktime plugins. Web-based attacks can be in the form of scripts that these plugins run. These plugins typically prompt you that an update is available via a popup on your desktop. Don't just ignore the popup! If your plugins aren't up-to-date your computer may be at risk of contracting malware when visiting some of those less-than-trusted websites.

Update your Operating System: Your operating system is the most important piece of system software that you have installed on your computer. Ensuring that updates for your operating system are being installed as soon as they become available is an extremely proactive approach to preventing a web-based attack.


BEST PRACTICES
Some really good random suggestions for your everyday browsing:
  • Don't download pirated software! Doing so opens up the door to your computer for embedded malware within the pirated software.
  • Ensure that what you are clicking on is the real deal! Addresses with 1's in place of L's for example are designed so that the user does not notice the difference at a glance. Don't be that person who just glances and assumes everything will be alright.
  • Be aware of how you are connecting to the internet. If using a public or wireless connection, understand that you are at an even greater risk of attack because of the public nature of the connection. Try to avoid accessing accounts within websites that contain your sensitive information on these networks.
  • Avoid downloading "codecs" from websites that are not affiliated with the codec (for example, don't download a DirectX codec unless it's from the DirectX website!).

That's all for now. If you have anything you feel you want to add please feel free to post and I will add it to the guide. Thanks for reading!

Brian
 
Last edited:
Course, all that can be spoofed well enough to fool the average user anyway, so they'll keep calling us to remove viruses and such :)

For most of us, following some simple guidelines are enough. These apply to Windows systems, of course. Stuff the 'lol run linux noob' and 'lol run firefox noob' comments in a sack.

- Run antivirus. I don't care if you think you are 'too smart to catch a virus,' you'll eventually be attacked by one, and AV is better than nothing. MSE works fine. Also give Malwarebytes a run every once in a while just in case.

- Don't pirate software. I shouldn't even have to say this, but thieving morons abound in the wild, and tend to get themselves infected quite often.

- Pay attention to what you click on. I'm looking at you, guy who just got phished out of your WoW account yet again after clicking an urgent notice from "B1izzard" in your spam folder that looks like it was written by a four year old ESOL student. Better yet, just don't click any links in your email at all. Maybe the Newegg shell shockers, but those usually suck anyway ;)

- Disable autorun. USB sticks can and do carry viruses. I think MS recently issued a patch that disables autorun for everything but optical media, not sure what OSes they applied the patch to though, which leads me to...

- Get a legit copy of Windows Vista or 7, and keep it up to date. If you are running XP at this point, you are just asking for trouble. It's outdated, it's insecure, and it's unstable compared to Vista/7. Get with the times.

- Patch Flash, Abode Reader, and Java. When they start nagging you to update, do it. Don't just click 'postpone' for months on end and wonder why you got infected.

- Be alert for odd browser behavior such as sites you don't recognize opening on their own rather than the site you intended to visit, warnings appearing from software you didn't install (I'm looking at you, "Vista Security 2011"), sketchy popups appearing when you are just sitting at the desktop or in a non-browser program, and any "system notifications" with strange misspelled language. "ALERT COMPUTER MAYBE INFECTED! SCAN NOW WITH REGISTRED VERSION FOR PRESERVING SECURTY!!" is a definite red flag.

- I know you really want to see Britney Spears naked (why??) but for the love of meth, don't give that site permission to install an activeX "codec" pack you need to see the video. It's a virus, I promise.

- If you do get infected or suspect that you might be, it's essential that you remove the machine from internet access as soon as possible. Unplug the ethernet cable or disable the wireless adapter or router right away. Many modern infections will rapidly summon their peers to join them for a party at your place. The more baddies you have get in, the worse the hangover and cleanup.

I'm probably forgetting several things but it's late and I already typed much more than I meant to :)
 
I'll add in a few items:

--> Consider running a browser that supports AdBlock+ and NoScript! addons/extensions. Currently, Firefox and Chrome support these. Many exploits have occurred via advertisement images loaded from 3rd party sites. Also, quite a few web-based exploits require scripting to work.

--> Use a 'sandbox' for your browser. Sandboxie is an excellent example (that I use and recommend) that helps to prevent exploits and such from modifying the OS.

--> Update your operating system. Windows, Mac OS, Linux, whatever...all of them have software updates. Download and install them.

--> Don't share your system. Family, friends, it doesn't matter. It's like your tooth brush; would you share your tooth brush with Uncle Bob? No? Then don't share your computer with him, either. They may do something stupid on your computer.

--> Be careful with 'how' you connect to the internet (for laptop/mobile users). That free WiFi at the local coffee shop, or your neighbors open access point, could be recording/compromising your internet traffic. Be warned.

Edit: Adding an item...
 
Last edited:
I think using a Sandbox program is definitely the most secure but also really unnecessary.


Honestly, common sense is king. Firefox even without Noscript and a good head on your shoulders is all you really need. I didn't run AV for ages, have done lots of sketchy things in the past and have never been burned.

Keepass, however, is awesome IMO. It's free and bulletproof, the only downside is you can't really log in to stuff from a mobile phone which isn't really a big deal for me.

Also, lock your phone. Seriously. I keep mine unlocked at home(most of the time) but any time I step foot outside I put a PW on my iPhone. It also really reduces the likelihood of anyone bothering to keep your phone if they decide to steal it. I know this doesn't directly relate to safe browsing but it's still personal security.
 
--> Don't share your system. Family, friends, it doesn't matter. It's like your tooth brush; would you share your tooth brush with Uncle Bob? No? Then don't share your computer with him, either. They may do something stupid on your computer.[\quote]
This is a bug one with me .It is the reason my girlfriend has her own and doesn't touch mine.

Also the other comment about using an av
I have talked to and heard from countless people saying stuff like "I've never used av and I don't have a virus and never had one EVER"
BS how do you know you don't really? You don't and chances are you have been carrying around one or more for years.
I don't care how careful you are eventually something is going to slip itself in trust me it has happened to me and I am about the most careful person I know.

Use common sense is one of the biggest things to remember. Think before you click or open that file.
 
Also the other comment about using an av
I have talked to and heard from countless people saying stuff like "I've never used av and I don't have a virus and never had one EVER"
BS how do you know you don't really? You don't and chances are you have been carrying around one or more for years.
I don't care how careful you are eventually something is going to slip itself in trust me it has happened to me and I am about the most careful person I know.

Use common sense is one of the biggest things to remember. Think before you click or open that file.

Who you know or don't know doesn't really have any bearing on whether or not you can safely use a PC without AV and the answer is you can.

I know for a fact that I didn't get infected because when I installed my AV it found nothing including my backup drive which stores absolutely everything. Not to mention I work with some pretty sensitive stuff and I'd know in about 2 hours if someone had control of my PC.


Things don't "slip themself in" you either allow something to slip in or you don't. Obviously mistakes could be made but safe browsing without AV is completely possible and not even difficult.
 
88883177.png


Notice the "https" prefix of the URL. This means that the website you are accessing is utilizing the secure version of HTTP and, therefore, your browsing is at a much lesser risk of malicious activity.

At a lesser risk of evesdropping.

The HTTP and HTTPS protocols are available by anyone around the world who wants to use them. That being said, what if someone with ill intentions sets up a website to trick you into providing sensitive information and slaps HTTPS on the page? Sure your browsing is secure, but if you securely give a stranger your sensitive information, you are still giving it away without knowing who you are giving it to.

The problem here is that you are saying the browsing is secure. It's incorrect, you can only know it's encrypted, saying it's secure implies a lot more. What you are trying to say is correct and a good point, but the "your browsing is secure" part is maybe a bit badly worded.

How do you know if the website is legit? Lets say you are logged into Newegg and you are about to make a purchase. How do you know that when you get redirected to the page where you are prompted to enter your credit card information you aren't clicking a 'ghost link' that brings to you a Newegg look-alike website with the agenda of obtaining your credit card information? That's where certificates come in.

A website's certificate is proof that the website you are accessing is indeed itself.

It will only proove that the person who requested the certificate from the CA had access to the contact email address for the web site submitted to the domain name registrar. It's maybe a long shot, but still...

The biggest problem is that to really have any kind of trust towards a certificate you would really have to check it manually. Just having the "lock icon" in itself is pretty meaningless. I'll be the first to admit that I don't bother checking it manually myself even remotely often enough.
 
Who you know or don't know doesn't really have any bearing on whether or not you can safely use a PC without AV and the answer is you can.

I know for a fact that I didn't get infected because when I installed my AV it found nothing including my backup drive which stores absolutely everything. Not to mention I work with some pretty sensitive stuff and I'd know in about 2 hours if someone had control of my PC.


Things don't "slip themself in" you either allow something to slip in or you don't. Obviously mistakes could be made but safe browsing without AV is completely possible and not even difficult.

Scanning with AV that was installed on an infected system will tell you absolutely nothing. The AV could be subverted or even the whole installation spoofed for all you know. If you really are a high value target, you certainly would not know within two hours if someone had control. They would go for maximum stealth, and you would be none the wiser. That's already the trend overall: stealth first, other stuff later. The fake AV nag malware is amateur hour compared to the real threat.
 
Who you know or don't know doesn't really have any bearing on whether or not you can safely use a PC without AV and the answer is you can.
wtf is this supposed to mean calm down there lumpy lol

I know for a fact that I didn't get infected because when I installed my AV it found nothing including my backup drive which stores absolutely everything. Not to mention I work with some pretty sensitive stuff and I'd know in about 2 hours if someone had control of my PC.
Doesn't mean it never happened and you didn't know because you didn't have one
If you think that no one can get by things and have control of stuff without you knowing you really shouldn't be on the internet

Things don't "slip themself in" you either allow something to slip in or you don't. Obviously mistakes could be made but safe browsing without AV is completely possible and not even difficult.
Of course they can and I didn't mean some 12 year old wth a trojan wrapped in a jpeg
 
Acid burn I like your reference about the 12 year old kid. Hahahaha I remember script kiddies. You are correct with everything you said.

You do not have to open a link or a certain program in order for you to get hacked. Yes they do "slip in by themselves." there are so many exploits and vulnerabilities out there it's not funny. No matter how protected you are, there is always a way just remember that. Like they say, "if there is a will there is a way"

:D
 
thanks for creating such amazing value topic, being a computer network person i always need such handy info.
 
Back