
Browser Hardening & Personal Security

cphoton
March 26, 2019


Transcript

  1. What
     • Some measures to increase personal security & privacy
     • Disclaimers
       – Personal usage, not necessarily business usage
       – Defensive measures only
       – Opinions are personal
       – No affiliations to any products and services mentioned
       – YMMV
  2. Threat Modeling
     • What do I want to protect? (Assets)
     • Who do I want to protect it from? (Adversaries)
     • How likely is it that I will need to protect it? (Risk)
     • What happens if I fail? (Consequences)
     • How much trouble am I willing to go through to prevent those consequences?
     • There is no such thing as perfect security
       – No silver bullets
       – You always end up having to trust something/someone
       – Human factor
       – Evolving landscape – what may be secure today may not be secure tomorrow
  3. Measures
     • 2FA
     • Password Management
     • Account Management
     • Browser Hardening
     • Not covered:
       – Secure Messaging (Signal > SMS) / IoT (avoid Alexa/Siri/etc.!)
       – Operating System Hardening (not covered here, see more reading)
     • Limited user
     • Keep software updated
     • Trusted sources
     • Encrypt all the things!
       – Veracrypt (cross-platform)
       – LUKS (Linux only)
       – Cryptomator (cloud storage)
  4. 2FA – Second Factor Authentication
     • Authentication factors
       – What you know (passwords)
       – What you have (soft/hard token)
       – What you are (biometrics)
     • Soft / hard tokens
       – SMS – basic; can be intercepted or may not always work. Phone can be stolen.
       – Google Authenticator / Authy – better, but vulnerable to malware or a stolen phone. Backups?
       – Yubikey / Nitrokey – great; less vulnerable to malware, less likely to be stolen. Backups?
       – Backup codes – keep them safe!
  5. Password Management
     • Bad: password reuse – avoid it
       – Blackhats use HIBP (Have I Been Pwned) password dumps
     • Bad: browser/OS-managed passwords
     • Good: use passphrases
       – Wordlists: Diceware / BIP39
     • Best: use a password manager
       – KeePass / KeePassXC / 1Password
       – Autogenerate passwords
     • Bonus: store the vault in external encrypted (non-cloud?) storage
     • Bonus: different vaults for sensitive accounts (e.g. banking)
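As an added illustration of the Diceware approach on this slide (not code from the deck), the script below maps a five-dice key to a wordlist row the way a printed Diceware table does, picks words with a CSPRNG, and computes the resulting entropy. The eight-word list is a constructed stand-in for a real 7776-word Diceware list.

```python
import math
import secrets

# Constructed miniature wordlist standing in for a real Diceware list
# (7776 words, one per five-dice key 11111..66666). Any list of distinct words works.
SAMPLE_WORDS = ["amber", "basil", "cobalt", "dune", "ember", "fjord", "gale", "harbor"]


def dice_key_to_index(key: str, sides: int = 6) -> int:
    """Map a Diceware key such as '31415' to a 0-based row index (digits 1..6, base 6)."""
    index = 0
    for ch in key:
        digit = int(ch)
        if not 1 <= digit <= sides:
            raise ValueError(f"bad die value {ch!r} in key {key!r}")
        index = index * sides + (digit - 1)
    return index


def roll_dice_key(n_dice: int = 5, sides: int = 6) -> str:
    """Roll n_dice dice with the OS CSPRNG; returns a key like '42613'."""
    return "".join(str(secrets.randbelow(sides) + 1) for _ in range(n_dice))


def passphrase(wordlist: list, n_words: int = 6, sep: str = " ") -> str:
    """Pick n_words uniformly and independently (with replacement) using secrets.choice."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist must not contain duplicates")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of a uniformly chosen passphrase: n_words * log2(list_size)."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    print(passphrase(SAMPLE_WORDS, 6))
    # Six words from a full 7776-word Diceware list give about 77.5 bits.
    print(f"{entropy_bits(6, 7776):.1f} bits")
```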
  6. Account Management – don’t put all your eggs in one basket, a.k.a. Account Segregation
     • Bad: one account for EVERYTHING
     • Good: one account for non-important stuff, one for important stuff (or more accounts, depending on importance granularity)
     • Best: one account per service
       – Hard to achieve, but isolates breaches from affecting other services
       – Email providers that provide DNS aliases help (e.g. Fastmail, ProtonMail)
     • Tune privacy settings
       – Limit sharing (location, activity, search, status)
       – Check them periodically, as software updates sometimes reset settings
     • Keep account recovery settings updated
  7. Browser Hardening – Sandbox
     • Firejail (Linux)
       – Restricts process access to filesystem and network resources
       – Prevents stealing of documents
     • Sandboxie (Windows)
     • Use a Virtual Machine (cross-platform)
       – Virtualbox
  8. Browser Hardening – opinionated choices
     • OS choice: BSD > Linux > MacOS > Windows
     • Browser: Firefox, Chromium (i.e. Chrome degooglified), Brave?
     • Mobile: Firefox Focus, Firefox
     • Search engines: StartPage, DuckDuckGo
     • VPN services: e.g. ProtonVPN, PIA, WireGuard, AlgoVPN
       – Additional encryption for data in transit
       – More privacy, but not necessarily anonymity
       – Increased surveillance – lots of shady services out there
       – Roll your own VPN >>> using a service
       – Bonus: combine with PiHole
     • Tor: more anonymity, but not necessarily more secure
       – Additional encryption for data in transit
       – Increased surveillance – potentially compromised endpoints
  9. Browser Hardening – Add-Ons
     • uBlock Origin (Chrome, Firefox) – ad blocker + JavaScript whitelisting
     • Cookie AutoDelete (Chrome, Firefox) – cookie whitelisting
     • HTTPS Everywhere (Chrome, Firefox) – enforces HTTPS
     • Decentraleyes (Chrome, Firefox) – local CDN
     • Multi-Account Containers (Firefox) – tabs can’t see other tabs
     • User Agent Switcher (Firefox)
     • Use browser profiles to create different sets of add-ons & settings (Chrome, Firefox)
  10. Browser Hardening – uBlock Origin
     • Ad blocking – uses multiple adblock lists
     • Can be used to block JavaScript… (advanced mode)
     • Or the other way around – whitelisting!
  11. Browser Hardening – Multi-Account Containers (Firefox only)
     • Provides a way to separate accounts within the same browser session
     • More lightweight than separate profiles
     • Built in since v57
     • DEMO
     • Separated per container: cookies, localStorage, indexedDB, cache
     • Shared across containers: history, bookmarks, passwords, searches, HSTS, OCSP, TLS exceptions, permissions, add-ons
  12. Firefox Hardened profile: user.js
     • Drop-in set of user preferences that harden Firefox’s profile even more, for example:
       – Disable WebRTC, Service Workers
       – Show punycode
       – Force HSTS, OCSP stapling
       – Disable weak ciphers
     • DEMO
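As an added example (not from the deck or the pyllyukko/user.js project), the script below parses a profile's user.js, checks it against the hardening preferences this slide lists, and can emit a user.js body from the expected set. The pref names are assumptions taken from Firefox about:config and the pyllyukko project; verify them against your own Firefox version, and the sample user.js is constructed.

```python
import re

# Hardening prefs matching the slide's list (WebRTC, Service Workers, punycode, HSTS/OCSP,
# weak ciphers). Names are assumed from about:config and pyllyukko/user.js; verify locally.
EXPECTED = {
    "media.peerconnection.enabled": False,                # disable WebRTC
    "dom.serviceWorkers.enabled": False,                  # disable Service Workers
    "network.IDN_show_punycode": True,                    # show punycode, not lookalike IDNs
    "network.stricttransportsecurity.preloadlist": True,  # use the HSTS preload list
    "security.OCSP.enabled": 1,                           # query OCSP
    "security.OCSP.require": True,                        # fail closed if OCSP is unavailable
    "security.ssl.require_safe_negotiation": True,        # reject legacy TLS renegotiation
    "security.ssl3.rsa_des_ede3_sha": False,              # drop the 3DES cipher suite
}
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample user.js: two hardening prefs missing, one set the wrong way.
SAMPLE_USER_JS = """\
user_pref("media.peerconnection.enabled", false);
user_pref("dom.serviceWorkers.enabled", false);
user_pref("network.IDN_show_punycode", true);
user_pref("security.OCSP.enabled", 1);
user_pref("security.OCSP.require", false);
user_pref("security.ssl.require_safe_negotiation", true);
user_pref("browser.startup.homepage", "about:blank");
"""

def parse_user_js(text: str) -> dict:
    """Parse user_pref(...) lines into {name: bool | int | str}; other lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs

def render_user_js(prefs: dict) -> str:
    """Emit user.js text from {name: value}; bool is tested before int (bool subclasses int)."""
    def lit(v):
        if isinstance(v, bool):
            return "true" if v else "false"
        return f'"{v}"' if isinstance(v, str) else str(v)
    return "".join(f'user_pref("{k}", {lit(v)});\n' for k, v in prefs.items())

def audit(prefs: dict, expected: dict = EXPECTED) -> dict:
    """Return {name: (expected, actual)} for hardening prefs that are missing or differ."""
    return {n: (v, prefs.get(n)) for n, v in expected.items() if prefs.get(n) != v}
```

Running `audit(parse_user_js(open(".../user.js").read()))` against a real profile lists what still needs hardening, and `render_user_js(EXPECTED)` produces a drop-in user.js for the prefs above.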
  13. Q&A

  14. More reading
     • Surveillance Self Defense: https://ssd.eff.org/
     • Privacy Tools: https://www.privacytools.io/
     • Firefox Hardening: https://github.com/pyllyukko/user.js
     • MacOS Hardening: https://github.com/drduh/macOS-Security-and-Privacy-Guide
     • W10Privacy: https://www.winprivacy.de/english-home/
     • Ciberseguridad para todos: https://www.youtube.com/playlist?list=PL11Oq7Dez0gPIWpqJSl8TCx9I9F3a2IS1
  15. More reading (cont.)
     • Have I Been Pwned: https://haveibeenpwned.com/
     • KeePass: https://keepass.info
     • Firejail: https://firejail.wordpress.com/
     • VPN Service Comparison chart: https://thatoneprivacysite.net/vpn-comparison-chart/
     • Virtualbox: https://www.virtualbox.org/
     • PiHole: https://pi-hole.net/
     • Streisand: https://github.com/StreisandEffect/streisand