WWW Privacy & Security
 
I
N
D
E
  X  

WWW Privacy & Security: Intro & Overview

Next to email, the World Wide Web is the one of the more popular parts of the Internet. Along with email, the Web is what caused the Internet Revolution to take off. Until the past few years, though, the Web was considered relatively "innocuous" from a privacy and security perspective. While ICQ and IRC might be rough and tumble, and while one might contract all kinds of viruses and worms via email attachments, it was thought that there wasn't too much that could happen to you while surfing the Internet. Not any more.

With the widespread use of cookies, the increasingly aggressive embedding of active content in web pages, and the alarming rise in self-installing browser add-on "spyware," the World Wide Web has turned into a very privacy unfriendly place. Still worse, popular forms of active content (ActiveX controls, Java applets, JavaScript, and other forms of active scripting) are frequently the cause of gaping security holes in web browsers that can expose users' systems to mischief, tampering, and outright destruction of data.

Your job in this report is to outline the privacy and security threats that home users face on the World Wide Web. Next, you should lay out a series of potential solutions to these privacy and security threats. 

Keep in mind that no one solution will be a complete and acceptable solution for every user. Different users have different needs and concerns with respect to privacy and security. Moreover, many of the solutions that you offer will change your readers' experience of the web in one way or another, and a change that one user might find perfectly acceptable, another user will find absolutely intolerable. Especially when we're dealing with web browsers, it is important that we be up front with our readers about how the solutions we propose will affect their experience of the web.

WWW Threats

The first thing we need to do is explain to our readers as clearly as possible the threats they face while surfing the Web with a web browser like Netscape Communicator or Microsoft Internet Explorer. The threats to privacy and security to which you need to introduce your readers are:

Cookies have received a lot of attention in the popular media over the past few years, so your readers will likely have heard of them, even if they don't fully understand just what cookies are and how they're used. You need to provide your readers with a useful, detailed, but readable account of what cookies are, why they were invented, how they are used, and why they represent a potential threat to their privacy.

It's important to note that cookies do have legitimate uses, so we must be careful not to turn cookies into a virtual bogeyman. If anything, we want to demystify cookies and give our readers a hard-headed, concrete understanding of them.

We also need to be straightforward about the potential privacy threats that arise when web sites and online marketers use cookies for direct marketing purposes. It can be difficult to explain just how and why this threat is in fact a threat, so read the sources that you find carefully and ask questions.

"Web bugs," it should be noted, are probably even more misunderstood than cookies themselves, though web bugs are really just 1x1 pixel .GIF's with cookies tied to them. And not all 1x1 pixel .GIF's are necessarily web bugs. (If a 1x1 pixel .GIF doesn't have a cookie attached to it, it's not a web bug, it's a "spacer" .GIF.) As with cookies, we need to give our readers a clear explanation of web bugs are, how they work, and why they are used.

You can find numerous documents and web pages that discuss cookies and web bugs on the Privacy Docs & FAQ's page:

Privacy Docs & FAQ's

I'd also recommend taking a look at many of the more comprehensive privacy oriented information sites on the General Privacy Info page:

General Privacy Info

...though you'll have to dig around those sites to find specific information about cookies and web bugs.

Don't neglect the privacy organizations listed on the Privacy Groups/Coalitions/Portals page here:

Privacy Groups/Coalitions/Portals

Many of those non-profit organizations will have plenty of solid info about cookies and web bugs.

I think you'll find that cookies are relatively easy to understand and explain. By contrast, active content is a bit hairier, primarily because they involve programming languages used to construct and embed special content and functionality in web pages. The main active content programming technologies are:

Each of these active content types is a programming language that can be used to build special add-ons to web pages in order to "liven up" those web pages. We label these different programming technologies "active content" in order to distinguish them from the standard "static content" of most web pages (plain text, borders, pictures, et al).

While you'll find that all of these active content technologies can do similar things, they really are different programming technologies, and each has unique limitations and capabilities. All of them, though, can be used by web sites to do obnoxious and even dangerous things to users' systems through web browsers.

It is important that we give our readers a basic description of each of these forms of active content, though there is no great need to go much beyond basic descriptions. Certainly your readers don't need a crash course in programming with any of these programming languages.

Before we go any further, I ought to alert you to a few key aspects of these forms of active content. 

First, Java and JavaScript, though similarly named, are completely different and are not related in any way.

Second, Java and ActiveX are used to build small executable binary programs that are automatically downloaded by web browsers to users' computers and then executed on users' PC's. By contrast, JavaScript and other forms of active scripting are plain text programs that are embedded in web pages right along with the HTML code used to build those web pages. (if you open up the source for a web page, you can actually see JavaScript right there in the HTML.)

Third, while all the big browsers support Java and JavaScript, ActiveX is supported only by Microsoft Internet Explorer, so you won't find any options in Netscape Communicator, for example, related to ActiveX.

Fourth, all of these forms of active content are supposed to be "sandboxed" -- that is, they are supposed to be limited in the kinds of things they can be used to do on users' systems, Generally speaking, they are supposed to be limited to carrying out actions within the context of the web browser itself (as opposed to the user's wider computer system), though the restrictions on what ActiveX controls can do on a user's system are much weaker that those on Java and JavaScript (which makes ActiveX more powerful and more dangerous).

After we explain each of these forms of active content, we should detail the kinds of obnoxious and malicious things that web sites can do with them. We can't be comprehensive here, because the potential dangers can take many forms. Generally speaking, though, there will be two classes of threats:

  1. intended behavior and functionality that is "by design" -- obnoxious things that web sites can do with these technologies but which are perfectly allowed by the technologies themselves
  2. unintended security holes -- programming bugs in browsers that allow malicious folks to use active content to exploit weaknesses in those browsers in order to compromise users' systems

The two web pages on the class web site listed above for information on cookies are also good places to start in order to get information about active content. In addition, be sure to check out the ActiveX, Java, & Scripting page, which contains links to lots of useful info about these specific technologies, including demos that you can actually run in your browser:

ActiveX, Java, & Scripting

For still more live demos of active content behaving badly, you'll probably also be interested in the Active Content Tests section of the Online Security & Privacy Tests page:

Active Content Tests

These active content tests will show you exactly what these programming technologies are capable of.

Browsers

After we've outlined the privacy and security threats that users face on the Word Wide Web, we need to offer them solutions. The first line of defense is browser configuration. Of all the options you can offer your reader, this is perhaps the easiest and the most effective solution. It's easy to reconfigure the options in our browser, because all we have to do is open the menus in the browser and start checking and unchecking boxes -- no third-party software is required. Browser configuration is also powerful because it directly changes the way the browser interacts with web pages, as opposed to bringing in third-party programs to intercept browser requests and filter or modify them.

You need to deal with all the big browsers that are in use today, and each of them has a different set of options that you'll need to cover separately and in detail. The browsers you'll need to cover are:

In addition, you might consider covering the new Mozilla 0.9x or Netscape 6.x series of browsers, if you're familiar with either of these browsers, though I won't make them requirements. You could also cover Opera (any version), though, again, I won't make it a requirement.

Your job here is threefold. You need to explain how to perform each of the following tasks in all the major browsers:

The best thing you can do to research this particular sub-topic is simply install these browsers, open them up, and start nosing around the options menus. Be sure to check out the Help files for these browsers for details on the various options that you see. In addition, you can find configuration info on many of the web sites listed on these pages:

Privacy Docs & FAQ's

General Privacy Info

Above all, ask questions. I'm familiar with all of the main browsers and would be more than happy to help you sort through the various options menus that you'll find in them.

A word of warning about Internet Explorer 6.0. IE 6.0 is the most recent version of Internet Explorer. While it is very similar in some respects to previous versions, IE 6.0 introduces several new privacy controls that can seem deceptively simple and straightforward. Most of these new privacy controls involve cookie control and can be found on the new Privacy tab in the Internet Options configuration box. 

When approaching Internet Explorer 6.0, please have a look at the many resources I've put together specifically on this particular browser:

P3P & Internet Explorer 6.0 Privacy Info

Internet Explorer 6.0 Resources

Read around and take a look at the new Privacy tab in the Internet Options box. Then come and see me. We'll probably have to sit down and go through that Privacy tab, especially since many of those new options involve the P3P privacy standard.

Filtering Software

The next set of solutions that we can offer our readers involves a special kind of software that we'll call web filtering software. No, we're NOT talking about that type of software that parents can use to monitor and censor the web sites that their children visit. Rather, we're talking about software than can filter and block such things as:

In the past year there has been an explosion in programs that users can download and install to filter out unwelcome and potentially dangerous content on the web. Many of these software programs are free, but many of them are for pay also.

You'll find software that specializes in filtering one particular type of content. For example, there are programs that we can classify as:

You'll also find web filtering software that is "comprehensive" in that it can filter, block, or manage all the different types of content that we discussed above.

Your job in this particular sub-topic is to introduce your readers to the various types of web filtering software that are available and explain what they can do. You can find links to all these different types of programs on the WWW Privacy Filtering page:

WWW Privacy Filtering

When you're investigating these various web filtering programs, keep in mind that many of them have add-on utilities or "block lists" that have been built by individual users and that can be used in conjunction with the main program. See the WWW Privacy Filtering - Block Lists & Misc Utilities page for links to these add-ons and block lists:

WWW Privacy Filtering - Block Lists & Misc Utilities

In fact, I've made a few block lists myself for programs like AtGuard, Norton Internet Security, and Agnitum Outpost (all of which are personal firewalls with ad blocking capabilities). You can find those block lists on this page:

Ad Blocking Resources

At some point you'll simply have to download, install, and use a number of these programs so that you can explain how they work to your readers. You'll likely be floored by the sheer number of programs out there, though. If you're wondering which programs would be good ones to try, see me. I'll have plenty of suggestions for you.

I mentioned that there are "block lists" that you can use with many of these web filtering programs. A "block list," by the way, is merely a list that specifies what specific things (URLs, fragments of URL's, types of content, etc.) should be blocked by a filtering program. There's another type of "block list," though, that isn't designed to be used with a filtering program such as we discussed above. These "freestanding" block lists are designed for use by Windows itself or by a web browser directly. This second type of block list is handy because it doesn't require third-party software at all.

The most popular type of "freestanding" block list is the HOSTS file. A HOSTS file is a file that is used by the Windows networking components which provide your Internet applications the means to connect to the web. A HOSTS file was originally designed to speed up networking connections, but clever users figured out that the HOSTS file (which is really just a plain text file) could be used to filter web content as well. In effect, these users decided to use a HOSTS file for the exact opposite purpose for which the HOSTS file was originally intended.

For information on what a HOSTS file is and how it works, see this set of links:

HOSTS Files & Utilities

While you'll find that many users have built HOSTS files that you can download and use on your own computer, the best by far is the HOSTS file built by Stephen Martin:

http://www.smartin-designs.com/

It's important to note that there are limitations on what the HOSTS file can do, and you will have to explain these limitations and caveats to your readers.

Two other types of "freestanding" block lists are .PIC rules and .PAC files, which are block lists designed to be used by web browsers. These particular block lists are a bit more obscure, though you can find info on them here:

.PAC Files & .PIC Rules

And one last note about "free-standing" block lists: there's a list for Internet Explorer that I've made, though technically it's not "block list" per se, because it doesn't actually block ads (though it does block cookies and script-based popups). What IE-SPYAD does do, however, is load a list of known advertising and marketing sites and domains into Internet Explorer's Restricted zone, putting severe restrictions on what those sites and domains can do (e.g., no cookies or active content, among other things). You can IE-SPYAD on this page:

Ad Blocking Resources

SSL & "Secure" Transactions

This sub-topic is a bit different than the others we've discussed so far, mainly because in this topic we're not dealing with the usual set of threats to privacy and security on the web (cookies, web bugs, active content, etc.). Instead we'll be introducing our readers to a special encryption technology that web browsers use in order to let web surfers make online transactions over secure network connections. That crypto technology is SSL, which stands for Secure Sockets Layer.

If you've ever bought something on the web (say a book or a CD at Amazon, or a relic at eBay) or if you've done online banking or stock trading (with a bank or online brokerage firm), then you probably noticed a few things when you actually got to the page where you provided sensitive financial info like your credit card or your account number:

  1. a little padlock icon at the bottom of your browser window
  2. a web address that began https:// (instead of the normal http://)

Both of these things were indications that your web browser had established a secure, encrypted networking connection with the web site with which you were doing business in order to exchange that sensitive information safely. The technology that your web browser was using to establish that encrypted networking connection was SSL.

Your job in this topic is relatively straightforward:

In addition, we can also introduce the following topics, which are a bit more advanced, but which some of your readers might find interesting:

This topic shouldn't require you to give out as many step-by-step instructions as the previous topics, mainly because so much of the business of establishing secure connections for financial transactions is handled transparently by the browsers themselves and requires little user intervention. Nevertheless, your readers should have an appreciation for what's going on and for the importance of SSL in securing the web.

To research this topic, I'd start by looking around in the options menus of the major browsers and checking out the Help files for explanations of just what those options are. If you need help identifying the options related to SSL and secure transactions, let me know. You can also find plenty of information about SSL and digital certificates on this page:

PKI: SSL, S/MIME, Certificates, & Signatures

Be careful on that page, as there are links to crypto-related info that might not be directly pertinent to your discussion of SSL and web browsers.

For links to the programs I mentioned above (IECrypto & Fortify), see this page:

Misc Crypto Tools

And, finally, there are several web pages that will test your browser's SSL capabilities and give you a report on the SSL connections it is capable of establishing:

SSL Checks

Anonymous Proxies

Our final topic with respect to web browsers involves the use of proxies. A proxy is simply a "middleman" that stands between you and the web sites that you visit. We can use proxies to anonymize our browsing, in effect preventing those web sites from discovering who we are and where we're coming from, as well as other information about us and our browser.

There are several ways that we can use proxies. We can:

No matter what method we employ to use a proxy with our web browser, the underlying principles remain the same. The only things that change are the ways we access those proxy servers with our web browser and the kinds of configuration changes we make to our web browser in order to make those proxies work.

Your job is to explain what proxies are, how they work, and why we use them to anonymize our web surfing. Then you need to explain the several strategies for using proxies that we outlined above.

For basic information on proxies, check the links towards the bottom of this page:

Proxy Info

That same page contains lists of known proxy servers around the world that you can use with your web browser. Be sure to check for instructions on configuring your web browser to use a proxy server, though. To get a sense of the kinds of info that a web browser reveals about you to every web site you visit, run some of the Browser Privacy Tests found on this page:

Browser Privacy Tests

For links to auto-proxy programs, check this page:

Web Surfing Anonymizing

Probably the two best programs to try are MultiProxy and A4P (the same ones we mentioned above). Again, when trying out either one of these programs, be sure to read the acommpanying documentation first for step-by-step instructions on how to configure your browser to work with these programs.

For links to re-webbers and other proxy services (many for pay) that allow you to surf the web anonymously, see this page:

Web Services

Please don't hesitate to ask questions or to request assistance in using proxies or auto-proxy programs. I'd be happy to sit down with you and walk you through the basics.

This Page Last Updated: Mar. 26, 2002

Home [frames]        Home [no frames]

Advice, Organization, & Compilation 
© 2000, 2001, 2002 Eric L. Howes