Browser

Disposable Qube

Doing web browsing on a disposable qube is great from a security standpoint as it ensures that any malware that manages to escape the browser is removed at the end of the browsing session. The downside is that (by design) you lose any persistent state - so bookmarks, autofills, cookies, remember me's, etc. Remember to modify the *template* of the disposable vm (accessible via the Qubes Manager) to modify every disposable vm. The vm name should not have the standard 'dispXXX' format - if it has that format, then your changes are not going to be saved.

Multiple Qubes

Using multiple qubes for different security contexts (ie. corporate vpn vs. general web browsing) helps prevent a browser sandbox breakages. This helps to ensure that, for example, malicious code from a random website can't be used to try and attack corporate services behind a VPN.

Plugins

Warning: any plugins you install in your browser can read and modify any web page you visit. Don't install any browser plugin you can't verify or trust.

Adblocker

Ad networks have been used to distribute malware in the past. Using Adblock plus or Ublock origin to prevent ad networks sending possibly compromised ads to you.

HTTPS everywhere

Made by the EFF, HTTPS everywhere transparently rewrites http links and redirects http addresses to https when a domain is in it's whitelist of "known https aware domains".

Noscript

Most browser based exploits are based from, or involve, a javascript sandbox escape. By enabling noscript, it's possible to only execute on pages as required, minimizing exposure.

DuckDuckGo

DuckDuckGo is a privacy respecting search engine - Setting it as your default search engine (and removing Google et al), makes sense from a security standpoint. When using DDG as a default search engine, it also makes sense to set your home page to be https://start.duckduckgo.com/ rather than the usual Google home page.

Disable Unicode (if you don't need it)

By default, xn–80ak6aa92e.com will render as something that looks like 'Apple.com' due to punicode support. This makes phishing a lot easier. You can disable this by setting: network.IDN_show_punycode to true in about:config in your default firefox install.

Disable telemetry

Firefox by default sends some (anonimised) data about your browser usage back to Mozilla. Disable that by going to Tools -> Options -> Advanced -> Data Choice and unticking all of the options there.

Security/Browser (last edited 2019-04-02 10:57:38 by admin)