Secure browsing with Chrome and Firefox

Google is leading the push to an encrypted and more secure internet. The Chrome browser’s security team is changing the way Google Chrome handles web pages, with Firefox playing catch-up.

Have you noticed that little padlock icon that often appears on your browser’s address bar? Look at the left end of the navigation bar. What do you see?

On Chrome: 

On Firefox: 

On Internet Explorer (to the right): 

 

With the default HTTP protocol, all information is sent in plain text (unencrypted); any computer in between the sender and receiver can read the traffic. The padlock with the HTTPS (the S stands for ‘secure’) means that the connection between your computer and the computer at the other end is secure, i.e. the traffic is encrypted and information cannot be snooped by a third party in transit. This is why people who build websites in a responsible fashion have at least ensured that their login pages and sensitive information (such as credit card information) are served over HTTPS instead of HTTP.

If you click on the padlock, you might see some more information that helps verify that the site is indeed owned by those who claim to own it. Like so:

Nevertheless, few people actually watch out for the padlock to see whether the sites that they log in to are secure. We need something simpler. This is what Chrome and Firefox have done: when a user goes to a page that requires sensitive information to be put in, they check whether the connection is over HTTPS. If it is not, they warn the user that the page is not secure.

See what happens when I click the ‘login’ box for Qantas’ site.

Chrome:

Firefox:

What if a technically-informed user tries to force the website to use HTTPS, but the site tries to ‘downgrade’ to HTTP? See the example when I navigate to https://www.trivago.hk

On Chrome:

On Firefox:

Also notice how different these warnings are from equivalent warnings in Internet Explorer:

While they do look ugly and slightly menacing, we have come across them enough times, especially at our workplaces, that we have learned to click through the warning to reach the sites that we wish to reach. Chrome and Firefox make the clicking a little bit more difficult in order to secure their users.
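The two checks described above (sensitive input on a non-HTTPS page, and a site that downgrades an HTTPS request to HTTP) can be modelled in a few lines. This is an added example, not code from the original post or from any browser; the function names, the choice of "sensitive" fields and the sample pages and URLs are assumptions, and it also flags forms that submit to an http:// address, which goes slightly beyond the text.

```javascript
// Added example: simplified, regex-based model of the checks described above.
// It is not browser source code; all pages and URLs below are constructed.

// Assumption: password and credit-card-number fields count as "sensitive".
const SENSITIVE =
  /<input\b[^>]*\b(?:type\s*=\s*["']?password|autocomplete\s*=\s*["']?cc-number)/i;

// Check 1: a page asking for sensitive input must be served over HTTPS,
// and none of its forms may submit to a plain-HTTP address.
function auditPage(pageUrl, html) {
  const page = new URL(pageUrl);
  const findings = [];
  if (SENSITIVE.test(html) && page.protocol !== 'https:') {
    findings.push('sensitive-input-on-http-page');
  }
  const formRe = /<form\b[^>]*\baction\s*=\s*["']([^"']+)["']/gi;
  for (const m of html.matchAll(formRe)) {
    const target = new URL(m[1], page); // resolve relative actions like a browser
    if (target.protocol === 'http:') {
      findings.push('form-submits-to-http:' + target.href);
    }
  }
  return findings;
}

// Check 2: walk a redirect chain and return the first HTTPS -> HTTP hop, if any.
function findDowngrade(chain) {
  for (let i = 1; i < chain.length; i++) {
    const from = new URL(chain[i - 1]);
    const to = new URL(chain[i]);
    if (from.protocol === 'https:' && to.protocol === 'http:') {
      return { from: from.href, to: to.href };
    }
  }
  return null;
}

// Constructed samples.
const loginHtml = '<form action="/session"><input type="password" name="pw"></form>';
console.log(auditPage('http://shop.example/login', loginHtml));
console.log(auditPage('https://shop.example/login', loginHtml));
console.log(findDowngrade([
  'https://www.example.com/',
  'https://www.example.com/home',
  'http://www.example.com/home',
]));
```

A site owner can run the same checks against their own login and payment pages before the browser warnings reach their users.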

The major browsers, including Safari and IE/Edge, have gone further for sites that they consider to be actually malicious. They block them to prevent the user from unintentionally accessing them.

The long-term goal from Google is to make all sites use HTTPS so that our browsing is generally more secure. Google will give HTTPS-using sites an advantage over sites that do not use it in their search results. The plan was announced in advance so that website owners would have the time to make the required changes. It has also given Mozilla time to catch up and join the plan.

 

What can you do to improve your browsing security?

  1. Use a modern browser such as Chrome or Firefox (stop using Internet Explorer) that puts in the effort to protect you.
  2. Use the ‘HTTPS Everywhere’ add-on from EFF (Electronic Frontier Foundation) to force sites to use HTTPS if there is an HTTPS version.
  3. Use an ad-blocker to prevent malicious advertisements from showing up.

Also see:

https://www.essaysonsecurity.com/2016/12/21/securing-yourself-online/

https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/

https://support.mozilla.org/t5/Protect-your-privacy/How-to-stay-safe-on-the-web/ta-p/26286

 

What are Free Basics and why did India block it?

Free Basics (under the umbrella of internet.org) is a service by Facebook to bring “essential services” of the internet to the unconnected people of the world for free. Doing so would improve their access to information on a variety of matters such as health, banking and of course, Facebook. Sites such as the BBC and Wikipedia were included. Facebook estimates that 50% of the people it connected this way upgraded to a paid plan within months.

The initiative was heavily publicised. The prime minister of India backed it on his social media accounts. The criticism came from the already-connected people of India: an internet that is curated by Facebook goes against the principle of net-neutrality. The protests were vociferous and led to a call for input by the Telecom Regulatory Authority of India (TRAI) and multiple rounds of consultation, including an open-house, that finally led to the ruling (short version): internet service pricing that discriminated based on content in India was illegal. TRAI has made an exception for emergency services, with the caveat that the differential pricing for emergencies must be made known to TRAI within seven days.

What is the big deal with net-neutrality? Net-neutrality is the idea that all data on the internet should be treated equally, i.e. it is not OK to prevent access to some sites or some types of content or to ask the user to pay extra for it. In the absence of net-neutrality, internet service providers (ISPs) would be able to control what the user can and can’t do or see on the internet. Net-neutrality also acts in favour of openness of the internet, preventing sites with a particular agenda from dominating information.

A well-known example is when American ISP Comcast throttled the bandwidth of its users who viewed videos on streaming-site Netflix and demanded that Netflix pay charges for the additional bandwidth usage. Netflix was forced to pay after its users found themselves practically unable to view videos.

The BBC may be benign, but some may prefer their news to come from another provider who sees the world in a different light from the BBC. For one media organisation to dominate the news made available to the poor of India for free would be quite an impressive coup for that outlet – one that we really do not want, given that all media have their own agenda and political leanings.

TRAI has ruled that all plans that differentiate on content are banned. The decision is significant as it considers the threat against net-neutrality to be a more serious one than that of a majority of Indians not being connected at all.

TRAI’s ruling in its entirety is worth reading for its detail and its simple language.

Why do we have so many privacy concerns regarding the internet?

We are provided with news all the time about how Facebook and Google are using our information and violating our privacy. Why is this a new concern that appears to have arisen only in the last decade?

Consider some traditional services: the purchase of goods at a shop, the transfer of money at a bank, the usage of a television channel. They all involve the customer paying the provider (shop, bank, cable provider) an amount of money for the service or good. There is clarity on who the customer is, i.e. the person who receives the good or the service.

How about someone who uses Gmail? He pays no money to Google for the service. Likewise a user of Facebook. How do these non-traditional service providers make their money? They serve advertisements to the users and get money from the companies that wish to advertise. Users are not the customers of Google and Facebook, advertisers are.

The money tends to come in depending on the number of clicks on the advertisements. Why would a user click on an advertisement? To state the obvious: an advertisement is more likely to be clicked if it is relevant to the user. Here is the interesting question: how do Google and Facebook find out what is relevant to their users? They collect data about their users: their browsing habits, the things that they search for, people who are connected to them and therefore are likely to have similar browsing habits… This is where the privacy concerns come in. The catchy quote goes thus: “If you are not paying for it, you are the product.”

Apple’s CEO Tim Cook criticised this model of doing business – an easy task, since his company gets its money up-front from the user: “I’m speaking to you from Silicon Valley, where some of the most prominent and successful companies have built their businesses by lulling their customers into complacency about their personal information,” said Cook. “They’re gobbling up everything they can learn about you and trying to monetize it. We think that’s wrong.”

Take a look at this advertisement by Mozilla.

Imagine someone following you around and noting down everything that you are doing: where you are, how long you remain, what you looked at, what you wore. Some of the technology sites that we are addicted to are the digital equivalents of the creepy guy in the video doing exactly that. In real life we may get a restraining order trying to keep this person away from us. In our online lives, we have invited him into our homes.

More posts on this subject will follow.