Take Control of Security for Mac Users (2015)
Surf the Web Safely
The Web is perhaps your Mac’s most obvious gateway to the outside world, and as a result, it’s one of the best places to find people and software that present threats to your security. Even though you’ve secured your Wi-Fi connection, selected good security settings, and chosen strong passwords, a brief visit to a malicious Web site can cause all sorts of harm to your Mac.
In this chapter, I review several keys to safer Web browsing, including using SSL/TLS when possible, making sure your browser uses appropriate settings, and using a combination of common sense and technology to avoid phishing attempts and Web-borne malware. Everything here is applicable to users at all risk levels, although those at higher levels may want to choose more restrictive options, where they exist.
I focus mostly on Safari and Google Chrome, the two most popular Mac Web browsers, but my advice applies to nearly every browser, and you can likely find settings and extensions comparable to the ones I discuss here even if you use Firefox, iCab, Opera, or another browser.
Understand SSL/TLS and Web Browsing
If you can ensure that the connection between your browser and a Web server is securely encrypted, you can also be confident that no one in between can read what you send or receive—that’s especially important when using the Web for email, online shopping, and other private communication.
The standard way for a Web site to encrypt its connection is to use HTTPS, a secure version of the HTTP protocol. HTTPS relies on a technology called TLS (Transport Layer Security), which is the latest generation of an earlier standard called SSL (Secure Sockets Layer). Because most people are still more familiar with the term SSL, I’ll refer to the technology as SSL/TLS. You do not need to know the details about how this works or even remember those initials. But the result of all this technology is that your communication with the site is encrypted in both directions, and in addition, your browser can independently verify that the site is authentic. All this happens automatically, behind the scenes.
You’ll know a site uses HTTPS if the URL starts with https: (although many browsers now hide this portion of the URL) or if you see a lock icon (often in green, perhaps with the company’s name, right next to the URL in your browser’s address bar). You can then click the lock icon to view details about the certificate and confirm its identity.
Note: Ignore any lock icon on the Web page itself—it be there to trick you into thinking a page is secure when it isn’t.
Increasingly, sites that transmit or receive personal data—even just a username and password—use HTTPS by default, which is an excellent idea. In fact, I’d go so far as to say you should assume any password or other personal data entered on a site that doesn’t use HTTPS could be intercepted. Some sites use HTTPS only optionally; you might look for a preference you can enable, which will automatically redirect you to the secure site even if you enter a URL starting with http:.
The Electronic Frontier Foundation (EFF) offers a free browser extension for Chrome, Firefox, and Opera called HTTPSEverywhere (sorry, no Safari version available). This extension has a regularly updated list of sites that offer HTTPS connections and instructs your browser to use HTTPS for those sites, even if you visit the site with a non-HTTPS link or URL. It can’t encrypt sites without HTTPS support, but it can prevent you from accidentally visiting an insecure version of a site.
Alas, HTTPS, for all its virtues, is not foolproof. I’ve read of various hacks and exploits that could enable an attacker to intercept and decrypt an encrypted Web session. However, the real-world risk of encountering such a problem is quite low, and Web browser developers generally fix security problems like these in short order. So, as always, your best defense is to make sure you keep your operating system and browsers (including any security updates) current.
Furthermore, even though SSL/TLS encrypts the connection all the way from your Mac to the Web server—providing the protection of encryption even when you’re on an open Wi-Fi connection—that encryption is specific to the Web site you’re visiting. You can have a secure connection to Web Server A while simultaneously having insecure connections to Web Servers B, C, and D (not to mention email servers and other computers). So don’t think of SSL/TLS as a panacea—it’s just one layer of many that you should include in your security practices.
Configure Browser Security Preferences
Every Web browser has preferences relating to security and privacy, although (unsurprisingly) the line between the two is often blurred. And some settings that may be found under a “security” header—like a preference to block pop-up windows—are really about eliminating annoyances, not necessarily about security.
Security options change from one browser to the next, and from one version to the next. Rather than offer a comprehensive list of security preferences, I want to describe some of the most common and important security settings, along with my recommendations and where to find them in Safari and Chrome. (If you use another browser, such as Firefox, Opera, or iCab, you should be able to find similar settings somewhere in the Preferences window.)
Fraudulent Site Warnings
Fraudsters eager to steal your passwords and your money use all sorts of tricks to make fake Web sites appear familiar, safe, and legitimate. For example, someone might register a domain name using characters that look almost exactly like ordinary English letters—instead of apple.com, how about app1e.com (the digit 1 substituted for the lowercase l)? If you weren’t looking carefully, you might never notice. To make matters worse, some foreign-language characters are visually indistinguishable from English letters (depending on the font). As far as your browser is concerned, it’s taking you to a completely different domain, but if the fake Web site is crafted carefully, you could be fooled into providing your credentials.
Most browsers have caught on to these sorts of tactics, and have built-in (but optional) checks that warn you if you might be visiting an illegitimate site. You should definitely enable these checks:
· Safari: Go to Safari > Preferences > Security and select Warn When Visiting a Fraudulent Website.
· Chrome: Go to Chrome > Preferences > Show Advanced Settings, and in the Privacy section, select Enable Phishing and Malware Protection.
Although browser-based warnings are useful, they’re not foolproof. I return to this topic—including other ways to protect yourself from such sites—in Use Passwords Safely on the Web and Avoid Phishing Attempts, both later in this chapter.
Java, a platform-neutral programming language, has been implicated in so many Web-related security issues that browser vendors, including Apple and Google, have stopped including support for it by default. In fact, Java hasn’t been included with OS X since 2011, although you can download the Java Runtime Environment (JRE) or Java Development Kit (JDK) from Oracle and install extensions for your browsers.
If you need to run Java-based apps on your Mac, feel free to install Java. But the number of legitimate uses for Java within Web pages is vanishingly small, while the security risks of having Java enabled in your browser are significant. My best advice is not to install Java browser extensions in the first place.
Although the real-world risk of problems from using WebGL is extremely small, you can disable it if you want:
· Safari: Go to Safari > Preferences > Security and deselect Allow WebGL. Or, for more detailed control, leave it selected, click Website Settings, and then choose Ask, Block, Allow (the default), or Allow Always from the When Visiting Other Websites pop-up menu. You can also enable or disable specific WebGL-using sites you’ve visited.
With the Allow setting, if you happen to visit a site that Apple knows to contain dangerous WebGL code, an alert will appear—your best bet is to close the tab immediately, but if you’re prepared to take the risk, you can override Safari’s warning and load the page anyway.
· Chrome: In the address field, type chrome://flags and press Return. Then look for the option that says Disable WebGL, and underneath that, click the Enable link. (Yes, that’s counterintuitive—you click Enable to disable.) Then click the Relaunch Now button at the bottom to quit and reopen Chrome.
Safari, Chrome, and most other browsers allow you to install third-party extensions to add features and customize your browsing experience. Examples pertinent to this book include password managers, ad blockers, and malware scanners. Of course, an extension could also be designed to compromise your security without your knowledge. So although I endorse the use of extensions, I urge you to download and install extensions only from well-known, reputable sources.
You can also enable or disable extensions as needed:
· Safari: Go to Safari > Preferences > Extensions. Use the On/Off switch to enable or disable extension support. If it’s on, select an extension and deselect its Enable checkbox to disable it.
· Chrome: Choose Window > Extensions, and then deselect the Enabled checkbox for any extension you want to disable.
Flash and Security
Much like Java, Adobe’s Flash technology can present many security and privacy risks, not to mention adversely affecting your Mac’s performance. The problems were significant enough that Apple stopped including Flash Player with OS X back in 2010, although you can download it from Adobe. I recommend avoiding it if possible.
However, avoiding Flash isn’t always practical, because many Web sites still depend on it. So my suggestion, if and when you need Flash, is to use Chrome as your browser. Flash is built into Chrome (so it works even if you never downloaded Flash Player separately), but Chrome keeps it up to date automatically (which reduces the number of security-related bugs) and is designed to minimize the damage that malicious Flash content could do.
Open “Safe” Files
Safari has a feature whereby certain kinds of files (such as PDF documents and Zip archives) can be opened automatically when you download them. Apple determines which file types it considers “safe” based on their potential to cause harm (for example, disk images were once on the list, but now they aren’t). However, if you prefer not to let Safari open any downloaded files automatically, go to Safari > Preferences > General and deselect Open “Safe” Files after Downloading.
Use Passwords Safely on the Web
Earlier, in Use a Password Manager, I described how tools such as iCloud Keychain, 1Password, Dashlane, and LastPass can keep you secure while eliminating tedious effort—they generate, store, sync, and fill in strong passwords for you on Web forms as needed. Their main purpose is to help you use passwords safely on the Web.
So, if you aren’t already using a password manager of some sort, I strongly recommend doing so!
Password managers can also help protect you against phishing (see Avoid Phishing Attempts, later in this chapter), even if your browser’s built-in security checks do not (see Fraudulent Site Warnings). When you store a password, your password manager remembers the site’s domain name—and will autofill your password in the future only if the domain matches. So, suppose you store a password for icloud.com. Later, you click a link to a fake site that looks like icloud.com, but the domain name is slightly different—maybe not different enough for you to notice (like ic1oud.com instead of icloud.com). When you try to use your password manager to fill in your password, it does nothing, because it checks the URL and finds the domain isn’t an exact match.
And, since your password manager requires at most a keystroke or two to fill in your credentials, you should never select those “Remember Me” checkboxes, which make it easier for someone who gains control of your Mac to log in without having to supply a password at all.
Use Credit Cards Safely on the Web
Speaking of password managers, nearly all of them (including iCloud Keychain) store not only usernames and passwords, but also other information—including the numbers and expiration dates for any credit cards you care to enter. Because your credit card details are protected with the same strong encryption and master password as your passwords, they’re quite secure.
Note: iCloud Keychain doesn’t store the 3- or 4-digit Card Verification Value (CVV) number from the back of your credit card, but most password managers do. Apple claims it makes you dig your card out of your wallet to fill in that number manually for security reasons, but if a password manager is secure enough to protect your credit card numbers, it should be secure enough to protect the CVV too.
But filling in those values on a Web form—whether manually or via a password manager—is itself a potential security risk. Even if the connection is encrypted, so that no one can intercept your credit card number in transit, what might happen to it once it’s in the vendor’s hands? Is it safe?
You’ve probably heard news reports about credit card information being stolen from major retailers. Sad to say, this happens all the time. Sometimes the vendors haven’t taken sufficient security measures, while other times they took entirely reasonable steps, but the thieves were just a bit smarter. But this sort of thing can happen anywhere—including at local supermarkets and restaurants. Whenever you give someone your credit card number, there’s a chance it’ll be stolen, and nothing about online stores makes them any more intrinsically risky.
Nevertheless, I can’t work up much fear about this, because laws and bank policies protect consumers against fraudulent use of a credit or debit card—or at least limit liability, as long as you report any suspicious transactions promptly. (I should note that debit cards tend to have weaker fraud protection than credit cards.) So, keep an eye on your bank statements online and call your bank immediately if anything appears amiss.
If that’s not good enough for you, I can offer a few other suggestions:
· When an online vendor asks to store your credit card to simplify future purchases, say no. If you’re using a password manager to enter credit card details, it’s only a matter of a few clicks anyway. However, even if you follow this policy generally, consider making exceptions for sites you shop from frequently, especially those with one-click checkout systems like Amazon and Apple. (It’s rare for a week to go by without my purchasing something—an app, album, ebook, or some other digital media—from one of these vendors, and I have become extremely fond of one-click shopping convenience.)
· Use PayPal if that’s an option. Now, I know a lot of people dislike PayPal for one reason or another, but one significant advantage is that it prevents vendors from seeing your credit card number (and, except for goods that must be shipped, your mailing address). Yes, you’re trusting PayPal with a credit card or bank account number, but at least this system limits your exposure.
· See if your bank offers single-use credit card numbers for online purchases. Mine doesn’t, but many do, and if you want to be sure that your credit card number isn’t misused after a single purchase, that could be an option.
Many other online payment systems exist—some of which go to greater lengths to protect your privacy. The best known is Bitcoin (which is accepted at an increasing number of online and brick-and-mortar businesses), but numerous other cryptocurrencies have sprung up. Feel free to experiment with these if you’re willing to accept some financial uncertainty. At this point, the entire field is too unpredictable for me to make any specific recommendations.
Avoid Phishing Attempts
Phishing refers to methods that are used to trick you into supplying your password, credit card number, or other private data, usually on impostor sites or apps that look almost exactly like the real thing but are merely clever copies. Most often, phishing originates with an email message or a social networking message (such as a tweet) that directs you to the fake site. (These messages typically warn you that you must “update” or “confirm” your account settings or suffer dire consequences.) Sometimes phishing sites also appear if you make a slight typing error when entering a URL or if your DNS settings have been compromised.
It’s difficult to say whether phishing is more of a privacy problem or a security problem. Certainly there’s a privacy threat, in that you might inadvertently hand over personal information to an impostor. But if a stolen password could allow someone to break into a bank account, your Mac, or your email account, that’s also a security problem.
In any case, phishing is bad news. Here are some tips to avoid bogus sites:
· If you haven’t already done so, follow the advice in Fraudulent Site Warnings to ensure that your browser is checking for likely phishing sites.
· Think before clicking a link in an email message. If you get a message that appears to be from your bank, PayPal, Amazon, Apple, or whoever insisting that you log in to correct some problem and you’re worried that it might be a legitimate message, open your Web browser and manually type the site’s address. Then log in and see if there are any messages waiting for you. If not, the message is almost certainly fake. (Of course, you sometimes have to click links to confirm your address when signing up for a new account, and many links—such as those in TidBITS issues or messages Take Control sends about new books—are totally legitimate. But if you weren’t expecting a message and are unsure of its authenticity, it’s best not to click any links.)
· You can usually see the destination of a link in your email app without clicking it. For example, in Apple Mail, you can hover over the link to see its destination, or you can view the message source (in Mail, choose View > Message > Raw Source) to see the underlying URL. If the domain name in a URL doesn’t check out (for example, it says apple.com.some.random.domain.ru) or you can’t even see the text or HTML of a message because it’s encoded in a stream of numbers and letters, you know where to find the Delete key.
· Check the site’s certificate. Real banking, commerce, and similar sites nearly always use HTTPS (refer back to Understand SSL/TLS and Web Browsing), and you can usually click a lock icon in your browser’s address bar to verify the site’s SSL certificate. If there’s no certificate, if you see a certificate warning, or if the site doesn’t even use HTTPS, you may be dealing with an impostor.
· Let technology help. Most password managers (see Use Passwords Safely on the Web) confirm each site’s identity before entering your credentials, so if your passwords aren’t autofilled when you think they should be, you might be on a fake site.
Explore Helpful Browser Extensions
I’d like to wrap up this chapter with a brief mention of browser extensions you can add to enhance your security and/or privacy.
One tool I’m quite fond of is Adblock Plus, a free extension available for Safari, Google Chrome, Firefox, and Opera. Adblock Plus is highly customizable, letting you selectively or globally block ads, tracking cookies, and social media buttons (which let you tweet, like, or otherwise spread the word about a page—and track you in the process) without interfering with normal browsing and local storage the way private browsing modes do. It also offers protection against domains that could infect your computer with malware.
Note: Confusingly, there’s also a browser extension called AdBlock (with a capital B and without the Plus), which does something similar. Feel free to try it, but I prefer Adblock Plus.
If you use Adblock Plus, be sure to visit its Options screen and deselect “Allow some non-intrusive advertising.” Companies like Google and Amazon pay to be on a list of exclusions so you’ll still see their ads even if you use Adblock Plus—but only if that box is checked. Since avoiding ads and associated tracking is the whole point of Adblock Plus, you shouldn’t give it any loopholes!
Another fantastic free tool is called Ghostery—available as a browser extension for Safari, Google Chrome, Firefox, and Opera; and as a stand-alone iOS Web browser. It displays a list of all the trackers of various sorts—both honorable and ignoble—present on any given Web page and lets you enable or disable them (individually or by category). It’s highly educational as well as effective at increasing your privacy.
If you want much more extensive lists, try these:
· Safari: Apple’s list of Security Extensions for Safari contains password managers, ad blockers, malware detectors, and a variety of other security-related tools.
· Chrome: The Chrome Web Store has hundreds of extensions that claim to solve one or more security problems—and nearly all of them are free.
· Firefox: You can find well over 1,000 Firefox extensions in the Privacy & Security category.
Tip: I refer you back to the sidebar Beware Bundled Adware!, wherein I mention browser extensions you should avoid: those that clutter your browsing experience with additional, intrusive ads.
What about Tor?
You may have heard of an anonymous Web-browsing system called Tor, which originally stood for “The Onion Router.” Tor not only encrypts data but also does so multiple times, sending it through a series of randomly selected relays called nodes—each of which knows only about the previous and next node in the chain, but not the information’s origin (unless it happens to be the “entry” node) or destination (unless it’s the “exit” node). This process makes it extremely difficult to determine the source of any Web transaction.
Tor is all about anonymity, which as I’ve mentioned is much different from security. But there could be cases in which the only way to protect your physical security is to use the Web anonymously.
To use Tor on a Mac, you download software called a Tor Bundle, which includes a customized version of Firefox and several other components, all with extremely strong privacy settings enabled by default. Full instructions for installation and use are on the Tor site.
Tor is not without its drawbacks. For example:
· Weaknesses in the Tor system have been discovered that can be exploited under the right conditions to reveal private data. For example, someone who runs a Tor exit node could monitor unencrypted traffic flowing between it and the rest of the Internet—and indeed, it’s widely believed that the FBI runs a large number of Tor exit nodes to do just that.
· Someone monitoring your Internet connection can tell you’re using Tor, even though they can’t necessarily tell what you’re doing with it. Some ISPs and countries block all known Tor traffic. There are ways to work around this problem in some instances, but they make the process of Web browsing that much more cumbersome.
· Merely using Tor could result in unwanted attention from the NSA, including having your encrypted communications retained indefinitely.
· Using Tor makes Web browsing slow. No, I mean really slow. And forget watching videos, regardless—Flash, QuickTime, and other plug-ins are blocked because they pose a big security risk.
I say more about Tor, and about ensuring privacy and anonymity on the Web generally, in Take Control of Your Online Privacy.