-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cyber Security Tip ST05-001
Evaluating Your Web Browser's Security Settings
Check the security settings in your web browser to make sure they are
at an appropriate level. While increasing your security may affect the
functionality of some web sites, it could prevent you from being
attacked.
Why are security settings for web browsers important?
Your web browser is your primary connection to the rest of the
internet, and multiple applications may rely on your browser, or
elements within your browser, to function. This makes the security
settings within your browser even more important. Many web
applications try to enhance your browsing experience by enabling
different types of functionality, but this functionality might be
unnecessary and may leave you susceptible to being attacked. The
safest policy is to disable the majority of those features unless you
decide they are necessary. If you determine that a site is
trustworthy, you can choose to enable the functionality temporarily
and then disable it once you are finished visiting the site.
Where can you find the settings?
Each web browser is different, so you may have to look around. For
example, in Internet Explorer, you can find them by clicking Tools on
your menu bar, selecting Internet Options..., choosing the Security
tab, and clicking the Custom Level... button. However, in Firefox, you
click Tools on the menu bar and select Options.... Click the Content,
Privacy, and Security tabs to explore the basic security options.
Browsers have different security options and configurations, so
familiarize yourself with the menu options, check the help feature, or
refer to the vendor's web site.
While every application has settings that are selected by default, you
may discover that your browser also has predefined security levels
that you can select. For example, Internet Explorer offers custom
settings that allow you to select a particular level of security;
features are enabled or disabled based on your selection. Even with
these guides, it is helpful to have an understanding of what the
different terms mean so that you can evaluate the features to
determine which settings are appropriate for you.
How do you know what your settings should be?
Ideally, you would set your security for the highest level possible.
However, restricting certain features may limit some web pages from
loading or functioning properly. The best approach is to adopt the
highest level of security and only enable features when you require
their functionality.
What do the different terms mean?
Different browsers use different terms, but here are some terms and
options you may find:
* Zones - Your browser may give you the option of putting web sites
into different segments, or zones, and allow you to define
different security restrictions for each zone.
For example, Internet Explorer identifies the following zones:
+ Internet - This is the general zone for all public web sites.
When you browse the internet, the settings for this zone are
automatically applied to the sites you visit. To give you the
best protection as you browse, you should set the security to
the highest level; at the very least, you should maintain a
medium level.
+ Local intranet - If you are in an office setting that has its
own intranet, this zone contains those internal pages.
Because the web content is maintained on an internal web
server, it is usually safe to have less restrictive settings
for these pages. However, some viruses have tapped into this
zone, so be aware of what sites are listed and what
privileges they are being given.
+ Trusted sites - If you believe that certain sites are
designed with security in mind, and you feel that content
from the site can be trusted not to contain malicious
materials, you can add them to your trusted sites and apply
settings accordingly. You may also require that only sites
that implement Secure Sockets Layer (SSL) can be active in
this zone. This permits you to verify that the site you are
visiting is the site that it claims to be (see Protecting
Your Privacy and Understanding Web Site Certificates for more
information). This is an optional zone but may be useful if
you personally maintain multiple web sites or if your
organization has multiple sites. Even if you trust them,
avoid applying low security levels to external sites--if they
are attacked, you might also become a victim.
+ Restricted sites - If there are particular sites you think
might not be safe, you can identify them and define
heightened security settings. Because the security settings
may not be enough to protect you, the best precaution is to
avoid navigating to any sites that make you question whether
or not they're safe.
* JavaScript - Some web sites rely on web scripts such as JavaScript
to achieve a certain appearance or functionality, but these
scripts may be used in attacks (see Browsing Safely: Understanding
Active Content and Cookies for more information).
* Java and ActiveX controls - These programs are used to develop or
execute active content that provides some functionality, but they
may put you at risk (see Browsing Safely: Understanding Active
Content and Cookies for more information).
* Plug-ins - Sometimes browsers require the installation of
additional software known as plug-ins to provide additional
functionality. Like Java and ActiveX controls, plug-ins may be
used in an attack, so before installing them, make sure that they
are necessary and that the site you have to download them from is
trustworthy.
You may also find options that allow you to take the following
security measures:
* Manage cookies - You can disable, restrict, or allow cookies as
appropriate. Generally, it is best to disable cookies and then
enable them if you visit a site you trust that requires them (see
Browsing Safely: Understanding Active Content and Cookies for more
information).
* Block pop-up windows - Although turning this feature on could
restrict the functionality of certain web sites, it will also
minimize the number of pop-up ads you receive, some of which may
be malicious (see Recognizing and Avoiding Spyware for more
information).
_________________________________________________________________
Authors: Mindi McDowell, Jason Rafail
_________________________________________________________________
Produced 2005 by US-CERT, a government organization.
Note: This tip was previously published and is being re-distributed
to increase awareness.
Terms of use
<http://www.us-cert.gov/legal.html>
This document can also be found at
<http://www.us-cert.gov/cas/tips/ST05-001.html>
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBR4ZM1PRFkHkM87XOAQIU2Af+IHBdZI4BDUt6Gib5DjYjcbABNCJQgg5e
/CQ6X9MDRFkHY4XYXaEJYAtfqqcngNR2B2JlSoG6WJXt/ODUMsj48tWIYBhrFMzJ
GxuceV6Y1IsKuT7RTLgVfrgndQdEujd+EKqk1nVwe5PzE1hkON/CGd+lVbZ8RkHJ
F2HLP/pNtHAEc4swkS2aARfb/wUNR/B/ZARiWrzX9t+OMk7y/L3AYBDMAJ+jzK/q
GetkvfRpyfN12utlAqLTMX8c25iNibq7wPMTTKptfoXvqjpk9PaKyRCeb99hIARC
97hu5qWJ8fO5rqIoogbJR8D8Des8sQq9D4yPCeUOqSxuNSyboEQerA==
=aLqA
-----END PGP SIGNATURE-----
