A friend asked me, “What can I do to keep safe on the Internet?”
These days, most Internet access is through browsers. But not all of it. I do not use web mail. Electronic mail should be done with a dedicated tool like Thunderbird, configured for viewing messages in plain text form, and with local storage (on my computer) of the address book and the Trash and Sent folders.
Servers also maintain sessions, as when you click “Add to my shopping cart.” That’s an anonymous session. When you sign into your Amazon account, the new cookie gives access to your account including your credit card information.
The same-origin rule means you can be signed in to Amazon in one browser tab to set up a purchase, while you are signed into your bank in another tab to make sure the purchase is not a bad idea. Your browser should send the bank cookies to the bank site only, and the Amazon cookies to Amazon only.
A cross-site scripting (or XSS) attack could confuse your browser. It might think that a component of a hostile page really comes from a trustworthy site, sending a cookie that provides access to your bank account to the Russian mob.
A cookie can include an expiration date-and-time, at which time the browser will delete it. Or, better yet, since not everyone keeps their clock synchronized with NTP, a session cookie specifies no expiration time and is deleted when the browser exits. Or, when the browser restarts after a crash and finds a stale session cookie already stored.
This is why a more cautious site invites you to click a “Log Out” button to invalidate your authentication cookie, and then tells you to close and restart your browser.
The hassle is that I must stop all processes of that browser in order to have the session cookies deleted. Every tab of every window until that browser’s processes are all terminated.
But I was in the middle of something…
I solve this problem by running two different browsers simultaneously.
I start Firefox, which opens a number of tabs to monitor what’s going on in the world. BBC News, National Weather Service radar from the nearest site and the next site to the southwest plus regional radar composites, aurora alerts, and more.
Then I start Chrome, where I get things done — test web pages I’m writing and uploading in a terminal window, search Google, search Wikipedia, sign in to blog.learningtree.com to upload these blogs, and more.
If I need to sign-in to a critical account, meaning my finances or personal information — Amazon, a bank, PayPal, health-care records — I open a new tab in Firefox and do it there.
When I’m done, I click “Log Out”, close that tab, and close the browser. Then, because it’s Firefox and who knows what it might still be doing, I go to the terminal window and:
$ pkill firefox $ pgrep firefox
As Ripley said in Aliens, “I say we take off and nuke the entire site from orbit. It’s the only way to be sure.”
I might have two or three things underway in Chrome when I need to do a quick secure check of something critical. Firefox is just monitoring things, so I do the check there and then kill off Firefox. When I restart Firefox it will go back to its standard set of tabs. Meanwhile my Chrome-based projects continue.
It’s not that I think Firefox is more secure. Actually, I think Chrome has a slight security advantage. But Firefox is secure enough, and I much prefer Chrome for my interactive work.
The key thing is that I don’t leave sensitive cookies lying around, and I don’t interrupt my work.
Try compartmentalizing your Internet access with multiple browsers.