Browser Settings

Security Settings

Like the e-mail client, the browser can be a gateway for malware, so you should
  1. always keep it up to date (automatically) and
  2. configure it as securely as possible:
    • Active elements should either not be executed at all or only after your explicit consent (keyword: Click to Play).
      For many browsers there are extensions (add-ons) with which you can enforce this for JavaScript (NoScript, uMatrix, …).
    • You should prevent special characters from other character sets (Unicode or IPA) from being used in the address line to create a false address (homograph attack).
      In Firefox, set the value of network.IDN_show_punycode to true by entering about:config in the address line.
      sso.tugrŠ°z.at looks almost like sso.tugraz.at, but the first "a" is not a German a, but a Cyrillic letter. With the above settings, you will see sso.xn--tugrz-7ve.at in the browser and thus cannot confuse it with sso.tugraz.at.
    • If you are thinking about saving access data in the browser, make sure that your browser encrypts this data beforehand.
      For Firefox, enable the item "Use a Primary Password" in the settings in the area "Security".

    • To prevent scripts from reading access data from other pages, you should prevent (hidden) form fields from being filled in without your knowledge.
      In Firefox, use about:config to set the value of signon.autofillForms to false.
      It also makes sense to set the value of signon.includeOtherSubdomainsInLookup to false.
    • If the browser supports it, you should enable website isolation.
      For Chromium-based browsers (Chrome, Opera), this is done by entering chrome://flags/#enable-site-per-process in the address bar and then enabling Strict site isolation.

      In Firefox, this is done by using about:config to set the value of fission.autostart to true.
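
The homograph item above can also be checked outside the browser. The following Python code is an added example, not part of the original page: it converts a hostname to the ASCII (punycode) form that is shown when network.IDN_show_punycode is true and lists the labels that mix scripts. The function names and the sample hostnames are constructed for illustration.

```python
import unicodedata


def label_scripts(label):
    """Return the set of scripts used by the letters of one DNS label."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            # Unicode character names begin with the script name, e.g.
            # "LATIN SMALL LETTER A" versus "CYRILLIC SMALL LETTER A".
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def to_ascii(host):
    """ASCII (punycode) form of a hostname (stdlib codec, IDNA 2003)."""
    return host.encode("idna").decode("ascii")


def audit(host):
    """Return (ascii_form, list of labels that mix more than one script)."""
    mixed = [lab for lab in host.split(".") if len(label_scripts(lab)) > 1]
    return to_ascii(host), mixed


# Constructed sample input: the genuine host, the page's look-alike with
# Cyrillic U+0430 in place of the first "a", and a Latin-only IDN.
SAMPLES = ["sso.tugraz.at", "sso.tugr\u0430z.at", "m\u00fcnchen.example"]

if __name__ == "__main__":
    for host in SAMPLES:
        ascii_form, mixed = audit(host)
        verdict = "MIXED SCRIPTS in " + ", ".join(mixed) if mixed else "ok"
        print(f"{host!r:32} -> {ascii_form:28} {verdict}")
```

A label written entirely in one non-Latin script is not reported as mixed, so the ASCII form remains the decisive check.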

Privacy Settings

Privacy settings using Firefox as an example
  1. In the "Privacy & Security" area, set "Enhanced Tracking Protection" to Strict.
    If this causes problems with individual pages, you can define an exception via the shield symbol (left of the address bar).
  2. Set the item "Send websites a "Do Not Track" signal that you don't want to be tracked" to Always.
  3. "Delete cookies and site data when Firefox is closed" and "Clear history when Firefox closes" should be enabled.
  4. Search suggestions in the address bar should be disabled, otherwise every character you enter will be transmitted to the search engine you set (often Google) - you are also better protected if you set a more privacy-friendly search engine like DuckDuckGo right away.
  5. In addition to the above-mentioned uMatrix, there is also uBlock to block advertisements (also available for many other browsers).
  6. Using the add-on "I don't care about cookies" you also get rid of all cookie requests - but not the cookies themselves: You usually agree to their use anyway and with the settings made above you are on the safe side.
  7. Using the add-on "Firefox Multi-Account Containers" you can split the browser into several separate areas and define that certain pages are always opened in certain containers; the default settings include Work and Leisure. With the add-on Temporary Containers you can expand this concept with containers whose data is automatically deleted when the tab is closed.

Test Your Settings

At testsafebrowsing.appspot.com you can safely test how securely your browser is configured, and at amiunique.org you can learn how much your browser reveals about you (cookies, canvas fingerprinting, …).


Further tips can be found, for example, at the US CERT.