4 Ways Your Browser Leaks Personal Information

February 17, 2017

There’s a lot you can do to browse the web anonymously and avoid being tracked by every website you visit. But no matter what settings you have chosen, the browser can easily become a leaky faucet when it comes to exposing personal details that could then be exploited by attackers for financial gain.

Back in the day, we would have blamed that glitch-ridden vulnerability fest, Internet Explorer. These days, the major browsers are more or less equal in their propensity to expose our data. For example, Microsoft Edge’s PDF reader leaked personal information and the Web Screenshot Chrome extension, downloaded by 1.2 million people, siphoned details back to a single IP address. These have now been patched.

Here’s how your browser might be compromising your privacy and what you can do about it.

1. Avoid sites that don’t use the HTTPS protocol.

Heading to a website that doesn’t have the “https” prefix means anything you do there is unencrypted. This includes what you click as well as what you type — it’s all visible to any eavesdropper. While that shouldn't be a concern for public content sites where you are simply reading information, it should be a big concern on any site where you are entering personal information such as login credentials, social security numbers or any other information you would not want snoopers to see.

Some websites may include the https prefix on their home page, then default to the unencrypted “http” on other pages. Things get especially dicey when you’re at a site where you need to log in with a password or input payment details.

A recent update to Chrome now flags sites as Secure if they are fully encrypted or Not Secure if they’re unencrypted yet ask for passwords or credit card information. The alert appears on the left of the URL box, and it flags sites whose encryption is faulty.

[EDITOR'S NOTE: Some have smartly pointed out that Techlicious does not currently use HTTPS for our own site. While HTTPS is important for any site where you are logging in or entering any type of personal information, it is far less important for sites where you're simply reading content (which is why even major sites, like CNN.com or Chevrolet.com are not encrypted). And while all of Techlicious isn't encrypted, certain components, such as the Facebook login for our comments, are. However, Techlicious will be moving towards full HTTPS encryption in the future. We have also edited the text above to acknowledge the difference between content sites and sites that should cause concern with lack of HTTPS.]

What to do

Check that page URLs are prefixed with “https” before entering any log-in or payment information.

Download the HTTPS Everywhere extension for Firefox, Chrome and Opera, which automatically encrypts your browser’s communications with major websites if it finds faulty HTTPS links.

2. Minimize the use of plug-ins and extensions.

The web is rife with downloadable software designed to give your browser additional powers. These include extensions that show you how much info Facebook has collected about you and golden oldies Microsoft Silverlight, Adobe Flash and Java, which allow your browser to play animated content.

Unfortunately, these plug-ins can be riddled with vulnerabilities that hackers may exploit for a land grab at your personal info. And when developers fail to update their plug-ins and extensions, people who use them can become targets.

Simply having plug-ins and extensions installed makes your browser vulnerable to attacks, even if a site doesn’t require the plug-in or extension to be used.

What to do

Head into your browser settings to see what plug-ins and extensions you have downloaded, and disable those you infrequently or never use.

You might consider disabling the big three, Microsoft Silverlight, Adobe Flash and Java. Many sites no longer use these plug-ins to play video. Netflix has dropped Silverlight, and YouTube doesn’t use Flash.

If you receive too many messages that you need to run these plug-ins, invest in a script-blocker extension such as NoScript (Firefox) or ScriptNo (Chrome). These stop all Flash and Java by default, with options to build a whitelist of trusted sites that need these plug-ins.

3. Dodge browser fingerprinting.

Websites often query your browser for data such as location, screen size or browser version, so they’re able to load the web pages correctly. However, plug-ins like Adobe Flash and Java also happen to relay a lot more information, including the hardware you’ve installed, the plug-ins installed and, most tellingly, the exact lineup of fonts you have on your computer. This list combines to make a “fingerprint” that’s overwhelmingly unique to your browser, making it highly trackable even if you’ve disabled trackers.

See how unique your browser is at Panopticlick, a browser tester set up by the Electronic Frontier Foundation. The site will tell you how unique your fingerprint is and provide all of the geeky details, if you’re interested.

What to do

There’s not a lot you can do about browser fingerprinting. In theory, protection from fingerprinting means using a device with the same settings and programs as most other people. For example, an iPhone would offer better protection than an Android because it has less ability to be customized and made unique; a Chrome user would be less unique than, say, a Linux user.

Chrome and Firefox users could try extensions that randomize what data is reported by the browser, because presenting a different fingerprint every time makes tracking impossible. Random Agent Spoofer (Firefox) and Random User Agent (Chrome) have decent reviews at their respective app stores.
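To make the "same settings as most other people" idea concrete, here is an added example (not from the original article) that groups a small constructed population of visitors by fingerprint and counts how many end up alone in their group as more attributes are reported. The attribute names and every value in the population are invented for illustration.

```javascript
// Constructed sample population: every value below is invented for illustration.
const POPULATION = [
  { ua: "Chrome/Windows",  screen: "1920x1080", fonts: "Arial,Calibri" },
  { ua: "Chrome/Windows",  screen: "1920x1080", fonts: "Arial,Calibri" },
  { ua: "Chrome/Windows",  screen: "1920x1080", fonts: "Arial,Calibri,Futura" },
  { ua: "Chrome/Windows",  screen: "1366x768",  fonts: "Arial,Calibri" },
  { ua: "Chrome/Windows",  screen: "1366x768",  fonts: "Arial,Garamond" },
  { ua: "Firefox/Windows", screen: "1920x1080", fonts: "Arial,Calibri" },
  { ua: "Firefox/Windows", screen: "1920x1080", fonts: "Arial,Calibri,Papyrus" },
  { ua: "Firefox/Linux",   screen: "1920x1080", fonts: "DejaVu Sans,Liberation" },
];

// Join the chosen attributes into one fingerprint string for a visitor.
function fingerprint(visitor, attrs) {
  return attrs.map(a => `${a}=${visitor[a]}`).join("|");
}

// Group visitors by fingerprint; each group is an "anonymity set".
function anonymitySets(population, attrs) {
  const sets = new Map();
  for (const v of population) {
    const key = fingerprint(v, attrs);
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Count visitors who are alone in their set, and the average number of
// identifying bits revealed: log2(population size / anonymity set size).
function uniqueness(population, attrs) {
  const sets = anonymitySets(population, attrs);
  let unique = 0, bits = 0;
  for (const v of population) {
    const size = sets.get(fingerprint(v, attrs));
    if (size === 1) unique++;
    bits += Math.log2(population.length / size);
  }
  return { unique, avgBits: bits / population.length };
}

for (const attrs of [["ua"], ["ua", "screen"], ["ua", "screen", "fonts"]]) {
  console.log(attrs.join("+"), uniqueness(POPULATION, attrs));
}
```

In this sample only one visitor is unique by browser and screen size, but six of eight become unique once the font list is added; the two who share the most common configuration remain indistinguishable from each other.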

4. Prevent phishing attacks on browser autofill.

Your browser’s autofill function exists to make it easier and faster to fill in forms that ask for the same tedious information—your name, address and date of birth. The convenience of saving such information often outweighs any concerns over the security chops of a browser.

However, a web developer recently discovered that certain browsers, including Chrome, Safari and Opera, as well as the password manager extension LastPass, could be tricked into revealing more saved personal information without the user realizing it.

This phishing attack would occur via hidden text boxes coded into a malicious site, alongside a couple of visible requests for innocuous information like your name and email address — say, a pretense at getting a discount offer. When you type in the info, the autofill feature ends up adding other information saved to the browser autofill or LastPass vault, which could include enough details to enable credit card fraud.
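The hidden-field pattern described above can be checked for from the defender's side. This added example (not from the original article or from any browser's or LastPass's code) audits a form's fields and flags ones the user cannot see but that autofill could still populate. The field-description shape, the helper names and the sample form are assumptions made for the illustration.

```javascript
// Autocomplete tokens (HTML standard) for data a "name and email" form has no reason to collect.
const SENSITIVE = /^(cc-|street-address|address-|postal-code|tel|bday)/;

// Browser-side helper (needs a DOM): reduce a form control to plain facts.
function describeField(el) {
  const cs = getComputedStyle(el), r = el.getBoundingClientRect();
  return { name: el.name, autocomplete: el.getAttribute("autocomplete") || "",
    display: cs.display, visibility: cs.visibility, opacity: Number(cs.opacity),
    left: r.left + window.scrollX, top: r.top + window.scrollY,
    width: r.width, height: r.height };
}

// Why the user cannot see this field, or null if it is visible. Heuristic:
// fields clipped by a parent or covered by another element are not caught.
function hiddenReason(f) {
  if (f.display === "none") return "display:none";
  if (f.visibility === "hidden") return "visibility:hidden";
  if (f.opacity === 0) return "opacity:0";
  if (f.width === 0 || f.height === 0) return "zero size";
  if (f.left + f.width <= 0 || f.top + f.height <= 0) return "off-screen";
  return null;
}

// Flag a form that mixes visible fields with invisible ones autofill may populate.
function auditForm(fields) {
  const findings = [];
  let visible = 0;
  for (const f of fields) {
    const why = hiddenReason(f);
    if (why === null) { visible++; continue; }
    // Assumption: a named or autocomplete-tagged field is an autofill candidate.
    const tokens = (f.autocomplete || f.name || "").toLowerCase().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    findings.push({ field: f.name, why, sensitive: tokens.some(t => SENSITIVE.test(t)) });
  }
  return { visible, findings, suspicious: visible > 0 && findings.length > 0 };
}

// Constructed sample: two visible fields plus three positioned off-screen.
const box = (name, autocomplete, left) => ({ name, autocomplete, display: "block",
  visibility: "visible", opacity: 1, left, top: 100, width: 200, height: 24 });
const SAMPLE = [
  box("name", "name", 40), box("email", "email", 40),
  box("phone", "tel", -500), box("address", "street-address", -500),
  box("card", "cc-number", -500),
];
console.log(auditForm(SAMPLE));
```

In a browser, the same audit runs on a live page with `auditForm([...form.elements].map(describeField))`.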

What to do

Avoid typing in any personal information on websites you’re not sure about. Log out of LastPass so that any personal profile information you have saved there is safely encrypted. Delete credit card information from your browser, or turn off the autofill feature entirely. Here’s how.

Chrome: Preferences > Show advanced settings > Passwords and forms. Here, you can manage what information is saved to auto-fill and uncheck “Enable Autofill to fill out web forms in a single click.”

Safari: Preferences > AutoFill. Manage what information is autofilled and delete or edit what’s saved.

Opera: Settings > Privacy & security > Autofill. Manage what information is autofilled and delete or edit what’s saved.

Firefox: Firefox is currently safe from this exploit because it doesn’t yet sport a multi-box autofill system.


https not on your site!!

From Gerritt on February 20, 2017 :: 5:49 pm

You know your site is not https right?? Should we block Techlicious??


From Alex on February 20, 2017 :: 8:06 pm

I noticed the same thing: not secure nor encrypted. Sad, I love this Website. I have had problems with it (e.g., pop-ups, dropping off).  You’ve corrected these, thank you, but why not make it secure?
Have I been lucky for going on this site for over 267 times (according to the info button) and having no real major problem?


Valid observation!

From Josh Kirschner on February 21, 2017 :: 3:56 pm

With content sites, such as ours, connecting via HTTPS is less of a concern because you’re generally not providing any sensitive information - you’re just reading articles. For that reason, many content sites do not use HTTPS.

Though Techlicious does not force HTTPS for readers, with plugins or any other area where you need to login (such as our Facebook login, the social sharing widgets or the Deals Store), those are HTTPS and you’ll see that when you try to use them.

Techlicious is exploring implementing HTTPS site-wide in the future.


From Alex on February 21, 2017 :: 4:43 pm

Good to hear.  You are, if not always on the button for some, perfect for me.  Thank you for all your very good information and responses.


Thank you!

From Josh Kirschner on February 22, 2017 :: 10:31 am

We try to always be on the button, but we’re happy to be called out when you read something that seems out of whack or needs clarification. It makes the content better for everyone.
