How to secure your Web browser
This is a condensed version of the recommendations I send to Global Integrity staff regarding how to make a browser secure and reduce (but not eliminate!) the risk of spying by security services and other bad actors. As of yesterday, Google is once again raising hell over China targeting activists using less-secure browsers.
The bottom line is this: if you work on human rights, anti-corruption or other politically sensitive topics, your email and online behavior are being intercepted and archived by security services worldwide. It is scary. It is unavoidable. It is also routine. People can and do operate effectively knowing that governments and corporations will read their email. Your behavior will adjust somewhat, but life goes on.
However, some basic precautions can push back against this by preventing less sophisticated attacks. For example, the recommendations below would likely have prevented the widespread interception of Facebook passwords by Tunisian security during the 2010 protests. All of the products below are free; most are open source and “libre” as well. They are also chosen because they run silently and do not require care and feeding. Annoying tools get uninstalled, so we’ve limited the list to things that run unobtrusively and have been extensively tested.
Why: Online security starts with an up-to-date browser. We recommend the brand-new Firefox 4. I’ve been using the beta version for several months and it’s a great browser in many ways. It’s also more secure than any alternative on the market (both Chrome and Internet Explorer have their issues), so we require it of Global Integrity staff.
How: Download the browser, and set it as the default. Set the browser to never record your page history. If you have an older version of Internet Explorer, uninstall it entirely.
We also suggest you run the following browser plugins, particularly on laptops.
Why: Forces many popular sites (Facebook, Google, etc) to use encryption, preventing some spying.
How: Download plugin.
Why: Prevents adbot trackers from loading, in addition to blocking ads.
How: Download plugin. Pick the default “subscription” for your language of choice — this is the ad blacklist.
Why: Blocks tracking scripts and other badness.
How: Download plugin. Configure to “block all” and “no alerts” so it will run silently.
Web of Trust
Why: Warns of known malware websites via a popup and reputation icons on search results pages.
How: Download plugin. Set security to the less noisy “moderate” setting.
For wifi devices:
Hotspot Shield virtual private network (VPN)
Why: Prevents local snooping by creating an encrypted “tunnel” between your PC and a random IP address originating on US soil. Also defeats much local censorship, by obscuring the sites you are looking at. There are many VPN services; Hotspot Shield is a free, ad-supported service.
How: Install the Hotspot Shield client on your machine. You will then have to activate the VPN each time you want to use it (use it any time you are on wifi or an untrusted local ISP). You should do this before you open your browser. Hotspot Shield will slow down traffic, but should work ok for everything except video.
For portable storage (mainly laptops, but also portable hard drives and thumb drives):
TrueCrypt disc encryption
Why: Encrypts data on hard drives. Many jurisdictions, including the United States, assert the right to examine (read as “copy”) your hard drive at any border crossing, even without a cause for suspicion. Encryption also prevents harm from loss or theft of a device.
How: This takes a little work to set up, but there is good documentation on the TrueCrypt website, and once it’s installed, it is very stable and simple to use. I recommend full disc encryption for laptops; there’s too much system information that leaks out of an encrypted vault.
If you run Windows, you should also be running Windows Security Essentials (a reasonably effective anti-virus / anti-spyware program from Microsoft). If you’re running AVG Antivirus, you can replace it with the Microsoft product; AVG has gotten intrusive and unstable lately so I have stopped recommending it. Running a Linux operating system (like Ubuntu Netbook) is almost always more secure, but is outside the scope of this guide.
If you are using a device that forces you into a browser other than the one you choose, you have a defective device (ahem, iPad). Perhaps you can return it?
I can also give a shout out to Skype, which isn’t a browser, but is a reasonably secure way to chat with people.
For more advice on this subject, consult the experts at the Electronic Frontier Foundation, such as their excellent Surveillance Self Defense guide.