Paranoid Penguin - Brutally Practical Linux Desktop Security

Firefox's default security settings are surprisingly okay. Personally, however, I prefer to disable third-party cookies (which admittedly breaks some sites), and sometimes I temporarily turn third-party cookies back on. I also like to turn off my browsing history completely. I don't need to know where I've been, and neither does anybody else. Figure 2 shows these privacy settings.

Figure 2. Firefox Privacy Settings

Under Firefox's Security settings, I certainly want to make sure Firefox's default warnings for add-on installations, suspected forgeries and other suspected hostile sites are intact. I also turn off all password caching—the very idea of allowing my browser to store passwords is, if you ask me, the way of tears. Figure 3 shows these settings.

Figure 3. Firefox Security Settings

Finally, I should mention a couple useful Firefox add-ons. I swear by Adblock Plus, which enforces a blacklist of known Web advertisement sites whose content is frequently streamed to various other sites. Blocking those sites effectively blocks in-line ads. You can get Adblock Plus by searching for “adblock plus” in Firefox's Get add-ons tool, under Tools→Add-ons.

I realize this breaks various people's Internet revenue streams, but I use Adblock Plus less for aesthetic or performance reasons (ad-blocking certainly shortens Web site load times) than for security. Blocking ads reduces the attack surfaces of the sites you visit and, therefore, reduces your chances of being exposed to spyware or other hostile content.

It may be difficult for a given Web hacker to compromise nytimes.com directly, but it's considerably easier to compromise one or more advertisers whose content is loaded in tandem with http://www.nytimes.com. Personally, I'm less worried about destroying Internet ad revenue than I am about protecting my humble browser.

(Before I forget to mention it, you should minimize the number of unfamiliar sites you visit in the first place when using an untrusted network for the very same reason.)

Finally, the Firefox add-on Ghostery allows you to see what Web bugs (trackers), ad feeds and other hidden scripts are active on each Web site you visit. For most such scripts, Ghostery can tell you from whence it originates and why you should or shouldn't worry about it. You can get Ghostery at www.ghostery.com.

Now that Ubuntu and Firefox are hardened for DEFCON use, here are some things I'll do when actually connected to that wicked DEFCON WLAN to minimize my chances of ending up on the Wall of Sheep.

Always, always assume somebody can and will eavesdrop on all network traffic. Whether you personally can believe or imagine how they'll do this or not is unimportant—it's the attacker's imagination and skill that matter here, not yours. The only sensible assumption for you to make about the network's integrity is that there isn't any, and that someone can see all traffic going to and from your system. Accordingly, you must not log on to any remote system through any unencrypted protocol.

Telnet, non-anonymous FTP, IMAP, POP3 and any browser-based login involving an http:// URL rather than https://, therefore, are all off limits. In the modern era, all these applications (remote shell, file transfer, e-mail and most Web applications) can and should be used in encrypted implementations, such as SSH, FTPS or SFTP, IMAPS, POP3S and https, at least for logons and other sensitive transactions.

If your home or corporate network supports it, use a strong VPN protocol such as IPsec or SSL-VPN to connect back, and do all your Web surfing and other Internet business via the home network. Yes, this will degrade the performance and speed of your Web-surfing experience; however, it will all but obliterate risks associated with eavesdropping, DNS spoofing, evil twinning and similar attacks (although, of course, if your home or corporate network is targeted further downstream from the hostile LAN you're connected to locally, those downstream attacks will apply).