This particular idea has been knocking around in my head for a while now. Let me first say that I am not a qualified security or IT professional, nor a security researcher. I’ve just been using computers for a hell of a long time, and spent a lot of time on the Internet (I’ve been online in some form or another since I was 9 years old, starting with the DOS AOL client [!]).
I used Windows for way longer than I would have preferred, and didn’t follow the greatest security practices on there; it was a learning curve. I spent a lot of time on keygen and crack sites that were really rather dangerous and virus-ridden back in the day (Astalavista, anyone?). Now I love running Linux because everything’s free and, honestly, because it’s security through obscurity for the most part. I’m pretty careful these days, though, both on my laptop and on my phone.
One caveat: I use pretty much exclusively Linux and Android these days, and Windows only on my work computer, so this is pretty heavily Linux-based. However, I’ll be writing about browser and Internet security in particular, and that’s fairly OS-agnostic. If you have Windows suggestions, great! My wife runs Win10 on her laptop, mostly because she wants to be able to play subscription-based Web games that won’t really work on Linux. I had her set up with Linux Mint for a while on an older laptop, but Win10 seems to work better for her. She said not to be judgy since she got a free license for 2 years for McAfee. I’m not.
I do have a few Windows suggestions, though, from back in the day that still mostly hold true, so I’ll mention those up front. I am not as well-versed in Windows as in Linux, though, so YMMV with these suggestions.
Software to stay safe on Windows
Still the gold standard, IMHO, of anti-malware suites, Spybot has a free version and I think they may also have a subscription/pay version that has a few more features. But honestly, you’re totally fine with the free version. The free version doesn’t have live monitoring, but really, it’s not a big deal to run a scan yourself. Spybot protects your computer against common (and not-so-common) malware and spyware. It has a bit of a learning curve, but is worth learning.
I’m sure the paid versions have some cool features, so if that’s more your jam, go for it. Keep in mind that the free version doesn’t have anti-virus, just anti-spyware. I’ll recommend an anti-virus in a bit.
I always used SpywareBlaster in conjunction with Spybot. I really don’t know how much overlap there is between the two, especially now, but back in the day, they nicely complemented each other. (SpywareBlaster is preventative rather than a scanner: it sets Internet Explorer kill bits for known malicious ActiveX controls and blocks known tracking cookies and sites, so it stops things from installing rather than finding them afterwards.) Of course, Windows is a huge target since so many people default to using it, so there’s plenty of spyware to watch out for.
CCleaner always seemed like a nice software package to me. I can’t say I’ve used it that much. One of the IT guys at work was using it recently when he remoted into my laptop, so they clearly like it. It clears out temporary files, browser leftovers, and unused registry entries rather than protecting you from anything, so treat it as a cleanup tool, not security software. The free version seems to be pretty bare-bones, though, unlike it used to be, so you may have to pay to get much of anything out of this. One caveat worth knowing: in September 2017 the official, signed CCleaner 5.33 installer was found to have been backdoored in a supply-chain attack, so install it only from the vendor’s site and keep it updated.
I don’t normally recommend Microsoft products, at all, but the standard anti-virus, Windows Defender (now called Microsoft Defender Antivirus), that comes with Win10 and such, isn’t half bad. It’s on by default with real-time protection and scheduled scans, it’s updated often, and it takes care of most things, so you’ll largely be fine with it as far as I can tell. Note that installing a third-party anti-virus such as McAfee switches Defender’s real-time protection off, so from then on you’re relying on whichever one you installed.
Immunet is an anti-virus/anti-malware package that pairs cloud-based detection with the robust, tried-and-true ClamAV engine; both are now maintained by Cisco. I originally recommended ClamWin to my wife, which is the Windows port of ClamAV, which was written originally for Unix mail servers. Immunet is nice as far as I can tell, and does live protection, and worked fine on her computer. As I mentioned, she’s using McAfee for now, which I’m sure is fine too, but I wouldn’t pay for that. Immunet is worth a try.
If you don’t mind doing manual scans, ClamWin is a good option as well, though — and GPL’d open-source!
What browser should I use?
Now, this next part really depends on what browser you use. I’ll start by recommending my favorite browsers, but most people will have their preferences already dialed in. Here are just my personal favorites.
Firefox (& variants)
Firefox has been around for a long time. IIRC, it first came out in the early 2000s, maybe 2002 or 2003? Anyway, a long time. And it’s only gotten better over the years, with a focus lately on security, privacy, and stability.
I’m sure you’ll do just fine overall with vanilla Firefox. It’s tried-and-true and gets the job done. I’m not sure if this is still true, but Firefox has some telemetry (i.e., sending usage data back to Mozilla) that is opt-out, rather than opt-in; the switches for it live under Settings > Privacy & Security > Firefox Data Collection and Use. This looks like a useful guide to hardening your Firefox experience.
However, if you’d like to avoid that built-in telemetry and have even more of a focus on privacy, I’d highly recommend one of Firefox’s many forks. I personally use LibreWolf, which is a really nice fork of Firefox that prioritizes privacy and limiting, if not eliminating, tracking, not only by Mozilla, but also, more importantly, by others. It has a bit of a learning curve to install, and it mostly focuses on Linux support, but otherwise it behaves just like the Firefox you know and love. Be aware that its privacy defaults (fingerprinting resistance, cookies and history cleared when you close the browser) do break the occasional site; loosen them per site rather than globally.
Google Chrome (& Chromium variants)
I can’t say I’d recommend Chrome these days, not with the amount of tracking and data-hoovering Google loves to do to each and every one of us. I used to be hugely into Chrome, and actually compiled Chromium, the open-source foundation for Chrome, routinely from source myself. Chromium is available in package form on most OSes, particularly Linux distributions, and that’s the only one I’d recommend on laptops. If you go that route, make sure the package actually gets updates: Chromium ships security fixes every few weeks, and a distro package that lags behind leaves you exposed to bugs that are already public.
I have to use Chrome for work, and Google suite in general, which I’m not thrilled about, but oh well, whatcha gonna do? But I don’t use vanilla Chrome in my personal life.
I actually really like Bromite, which bills itself as an “unGoogled Chromium,” available for Android. The author works diligently to strip out Google tracking and other anti-features and updates it fairly often based on Chromium code. It even has a built-in ad-blocker and supports DNS-over-HTTPS (DoH). Bromite is easily available through the main website and also has a F-Droid repository (more on F-Droid later). That’s all I use on my phone, and am quite happy with it.
If you have other browser suggestions, let me know. I used to use Vivaldi, which is based on Chromium, and used Brave for a bit on Android, but they’re not my style. YMMV.
I’ve picked a browser. How do I secure it?
Glad you asked! Again, this is the largely OS-agnostic part, dependent mostly upon the browser you use. Since Firefox and Chrome-based browsers are what most people use, I’ll focus on steps you can take to harden your browser, or make it more secure against malware and attacks from webpages and others.
Nothing is 100%, of course, but I hope these tips are helpful. They’ve made my browsing experience much better overall.
The extensions I’ll mention below are available, as far as I know, both on Firefox and Chrome-based browsers.
Ad-blocking and other extensions
NoScript blocks JavaScript (and other active content such as plugins, media, and WebGL) by default and lets you allow it per site, so you decide which origins get to run code in your browser. Since most third-party trackers are scripts, this means you can allow a site’s own scripts while leaving out, for example, Google Analytics, which has trackers everywhere, or DoubleClick, which is now owned by Google. You aren’t missing anything by blocking those.
Keep in mind that it’ll take a little while to figure out your protection, since you’ll be allowing certain sites and blocking others. Once you’ve set that up for each site you visit, though, you shouldn’t really have to tweak it.
(The link above gives links to both Firefox and Chrome versions)
uBlock Origin is the gold standard in ad- and malware-blocking, however, for your browser. It can be as granular or as broad as you want: out of the box it blocks using maintained filter lists and needs no tuning, while its dynamic filtering (the so-called medium and hard modes) lets you block third-party scripts and frames per site in much the same way as NoScript. That stricter setup takes a lot of time up-front to allow/block the sites you want, but it’s worth the trouble. If that doesn’t sound like your cup of tea, then NoScript might be better.
I personally use both NoScript and uBlock together and find they nicely complement each other (cf. Spybot & SpywareBlaster above), but then that means twice the tweaking involved. Over time, though, I’ve pretty much figured out what needs to be blocked and what doesn’t.
Privacy Badger was created by the Electronic Frontier Foundation (EFF), an organization devoted to fighting for privacy on the Internet and information freedom, inter alia. This is like a “lite” version of the above two extensions: it watches for third-party domains that follow you across multiple sites and blocks those automatically, so it pretty much figures out blocking on its own.
You can certainly tweak it yourself if you like, but its defaults are pretty workable, so it doesn’t need much. You can set it and forget it, really. It works nicely alongside the last two as well.
Also created by the EFF, HTTPS Everywhere rewrites http:// links to https:// for sites known to support it, so the connection is encrypted and can’t be read or tampered with on the way. Overall, this is largely unnecessary these days, as most browsers have a HTTPS-only or HTTPS-forcing mode: Firefox has HTTPS-Only Mode under Settings > Privacy & Security, and Chrome has “Always use secure connections” under Settings > Privacy and security > Security. Back in the day, it was necessary, but depending on your browser, I don’t know if it really is any more. For what it’s worth, the EFF itself retired the extension in January 2023 and points users at those built-in modes instead.
Have you ever noticed the utm_source, utm_medium, utm_campaign, and other such tags after the ? in a URL? Well, bad news: those are tracking parameters. The utm_ ones tell the destination site’s analytics which campaign, newsletter, or ad brought you there; others like gclid and fbclid are unique per-click identifiers that tie your visit back to the specific ad you clicked on Google or Facebook. They’re a pain to get rid of, especially on phone browsers.
However, on your computer/laptop browser, there’s an extension that will strip them from URLs you visit, and it’s called ClearURLs. Highly recommend using this one!! (It strips by a maintained rule list rather than blindly, because some parameters that look like junk are needed for the page to work; if a link breaks after cleaning, that’s the first thing to check.)
Do you want to wean yourself off of Google services? Corporate social media? Or maybe you still want to use them, but you want to avoid the worst parts of the tracking that came along with them. Privacy Redirect rewrites YouTube, Twitter, Instagram, Reddit, Google Maps, and even Google searches to open and free alternatives (Invidious, Nitter, Bibliogram, libreddit, OpenStreetMap, and DuckDuckGo/other non-Google searches, respectively). You can tweak the hell out of it and redirect all, some, or none of these services. It’s wonderful. One thing to keep in mind: you are now trusting whichever public Invidious or Nitter instance you redirect to with the same browsing data you were keeping from Google or Twitter, so pick instances run by people you trust, or host your own.
LocalCDN “emulates Content Delivery Networks to improve your online privacy.” If you spend enough time tweaking NoScript or uBlock Origin, you’ll see a lot of elements in a webpage loading that have “cdn” in their URLs: common libraries like jQuery or Bootstrap fetched from a shared CDN (often Google’s or Cloudflare’s) instead of from the site itself. Every such fetch tells the CDN operator your IP address and, through the Referer header, which page you are on, so a single CDN can see your browsing across every site that uses it. LocalCDN ships its own copies of those libraries inside the extension and answers the requests locally, so the CDN is never contacted.
It helps improve privacy as well, then, and usually speeds pages up a little. Check out their FAQ for a little more information.
I’ve hardened my browser. Now what?
We’re not quite done with the browser. I personally think DNS-over-HTTPS (DoH) is worthwhile to enable in your browser: it sends your DNS lookups to the resolver inside an encrypted HTTPS connection, so your ISP or whoever runs the Wi-Fi can neither read nor tamper with them. (The DoH provider itself still sees every lookup, so this is a question of who you would rather trust.) There are a number of DoH providers out there, but I prefer AdGuard, which is free.
Speaking of that, AdGuard DNS is really great. DNS, the Domain Name System, is what translates hostnames into the numerical IP addresses computers actually connect to (and, with reverse lookups, back again). Basically, so you can go to https://www.google.com/ instead of whatever its IP address is, since the words are a lot easier to remember.
AdGuard DNS has built-in adblocking: known ad and tracker hostnames simply fail to resolve, so you can avoid even more ads by using it, in every app and not just the browser. Because it works per hostname, it can’t remove an ad served from the same host as the content, which is why it complements uBlock Origin rather than replacing it.
How do you set it up, you ask? Apparently AdGuard has clients for Windows, Mac, and Android. But you can also set it up in your connection settings so you’re using AdGuard’s DNS servers. They provide instructions for whatever OS you’re using (I use Xubuntu), so check out this page.
The link I just mentioned also tells how to set up DoH through AdGuard. DoH is fairly easy to set up in Firefox (search the settings for “DNS over HTTPS”, pick a custom provider, and paste the URL; under the hood the prefs are network.trr.uri and network.trr.mode, where 3 means DoH only and 2 means DoH with fallback to plain DNS), and even in Chrome (Settings > Privacy and security > Security > Use secure DNS, though it’s a bit harder in the latter), and AdGuard’s site will tell you what URLs to use — check out the “DNS Privacy” section.
You can even set up AdGuard as your DNS servers in your router, enabling it for every computer on your network! As far as I know, there are instructions listed on the AdGuard DNS page for that also. One caveat: most home routers only speak plain, unencrypted DNS, so at the router level you get the ad-blocking but not the encryption that DoH gives you in the browser, unless your router specifically supports DoH or DNS-over-TLS.
Blokada is an ad-blocker for Android. I think it may be available for iPhone as well but have no idea. It registers itself as a VPN on your Android phone, but a local one: traffic isn’t tunneled to some remote server, it’s just routed through the app on the device, which lets it see DNS lookups and block ads and tracking servers as they come through. (The flip side is that Android allows only one active VPN, so Blokada can’t run alongside a real VPN app.) You can block or allow whatever you like, as it keeps a running list of what has been blocked/allowed.
Blokada also lets you set your DNS provider and has a number of them built-in, many of which perform further ad-blocking. That’s actually how I found out about AdGuard, since I’ve been using their DNS on my phone ever since I started using Blokada.
It’s a revelation, and will make your phone browsing experience so much better.
More general best security practices
A password manager
We all have so many passwords to remember these days, what with all the sites we go to for nearly everything. I used to basically use the same password on almost every site, with only a few variations. Not Great, Bob, not great! Reuse is the real problem: once one site is breached, attackers try that same email and password everywhere else (credential stuffing), so one leak becomes many. Many say that your passwords should be fairly long; some say you should set it to a mnemonic phrase of words you can easily remember. Everyone’s got a slightly different philosophy on it, but length and true randomness are what count, and a unique password per site is non-negotiable.
Personally, I like being able to generate very random 30+ character passwords and save them in an encrypted vault.
That’s why I really love Bitwarden. It’s free and open-source, although they do have some paid perks if you’re so inclined. You can set up an account on their site (perfectly fine), but if you want to take it to the next level, you can self-host Bitwarden on your own server. I run Bitwarden as an app through YunoHost, a software package that runs on top of a Debian server, and it’s very nice. Self-hosting does mean that backups, updates, and TLS for that server are now your job; if the server dies with no backup, so do all your passwords.
Bitwarden has Firefox and Chrome extensions, and even a great Android app, so I can use it on all my devices (well, laptop and phone!), but it also has a great web interface.
Bottom line: start using a password manager and secure all of your online accounts with stronger passwords.
Two-Factor Authentication (aka 2FA)
Have you ever logged into a website and they ask to send you an email or a text to confirm it’s really you? Well, that is a very common form of two-factor authentication — where you not only need to provide a password, but also another layer of authentication (the second factor), in order to prove you’re you. Which is a good thing.
However, text messages (and even emails) can be intercepted or redirected. It’s not super likely or super common, but it does happen. I’ve heard of people’s SIM cards being cloned or stolen (the usual form is a SIM swap, where the attacker talks your carrier into moving your number onto a SIM they control), and then they’re able to receive SMS texts with authentication codes and log into someone’s account. Not great.
A more secure way to do two-factor authentication (or for short, 2FA) is via an authenticator app that generates one-time passwords (TOTP codes), which expire after a certain amount of time, usually 30 seconds, and are then regenerated perpetually. Nothing is sent to the phone: when you enroll, the site shares a secret with the app (that is what the QR code contains), and from then on the app computes each code from that secret and the current time, which is also why it keeps working with the phone offline. Google has been doing this for quite a while with Google Authenticator, but plenty of other organizations created their own 2FA implementations. Two caveats: SMS codes, for all their weaknesses, still beat no second factor at all; and an app-generated code can still be phished by a fake login page that relays it to the real site within its 30-second window, so checking the URL bar still matters.
My favorite is Aegis Authenticator. Not only can you password-protect (and encrypt) the vault of websites you’re generating codes for, but you can securely back up, export, and even import lists of code providers. There are others that are great, I’m sure, but I really enjoy Aegis. It’s for Android, though, so if you use iOS, I’m sure there is something comparable. Remember that an export of the vault contains the secrets for every account in it, so use Aegis’s encrypted export and store it as carefully as your password manager’s data.
That’s pretty much the data dump of my thoughts on how to stay safe on the Internet and in your digital life in general. I’ve been meaning, as I said, to write this for a while, and I hope these are as helpful for you as they are for me.
I’m happy to hear your suggestions for things to add (or remove, even!) from this list, so please do. I’m pretty well-covered myself, though, with this particular suite, but I am sure other suggestions would help others!
Thanks for reading!