|
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it. |
With many things ranging from banks to your local router using web interfaces to log into them, do you….. Close all other web site tabs when you are
[See the full post at: Do you use a different browser for…..?]
Susan Bradley Patch Lady/Prudent patcher
Your browser brand for doing online banking should be a different browser than what you use for Twitter and other general web activity, which should be a different browser than what you use for managing things on your network.
Can you explain the reason for this?
What does a phishing scam have to do with browser security? Is the idea that people who are fooled by phishing will be less likely to visit fake banking websites if they train themselves to manually open their banking website by normally only using it in a different browser?
No, I don’t use separate browsers. I use Firefox for everything. I have it set to open bank URLs in the banking container (container tabs), and everything else runs in the regular container. I use ad and script blocking to limit the ability of malicious sites to try to cause harm, and the browser is up to date.
My router will not accept connections to the admin interface from the WAN… it’s only available from the local IPs within the LAN itself (typically 192.168.x.x or 10.0.0.x). I could restrict it even more by limiting it to wired connections, but my wifi password is a randomly generated string of characters of the maximum allowable length, I think 63 characters, so it is doubtful anyone’s going to break that (rather than one of the other 50 wireless networks I can detect from my house, which are more likely to have ‘password’ or ‘1234’ or some other such thing, as people often use).
And then there’s the router admin password itself, which is also not likely to be guessed. I’m not a high value target (just a home user, not wealthy, not privy to any juicy state or corporate secrets), so I am not worried about being targeted. I’m a nobody, so my main threats are random attacks, not a bad actor who wants to get something from me specifically.
I am currently using Bitwarden to store my passwords in Firefox, set to require a master password that is quite strong (random characters that have no meaning to me, and more than 12 characters). All of my passwords are long (12 characters minimum, if permitted by the site, and with newer sites being assigned even longer ones), randomly generated strings of characters that can contain uppercase letters, lowercase letters, numbers, and special characters. I’d never be able to remember them all, so I don’t try to. Now I only have to remember one strong password for the password vault (and another for my user account in the OS, but that’s another topic), which is much more feasible.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)
No, I don’t use separate browsers. I use Firefox for everything. I have it set to open bank URLs in the banking container (container tabs), and everything else runs in the regular container.
Hi Ascaris:
When you say you are using “containers” are you referring to the Mozilla browser extension named Firefox Multi-Account Containers at https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/?
Could someone explain how containers differ from the Private Browsing feature built in to Firefox and why containers might be safer than using Private Browsing to log into an online banking account? I’ve never used the containers add-on but the Mozilla support article Multi-Account Containers says that “Containers are disabled in Private Browsing windows and when Never Remember History is selected in your privacy settings“.
———–
64-bit Win 10 Pro v21H2 build 19044.1706 * Microsoft Defender v4.18.2203.5-1.1.19200.5 * Malwarebytes Premium v4.5.9.198-1.0.1689 * Firefox v100.0.2 * uBlock Origin for FF v1.42.4 * Malwarebytes Browser Guard for FF v2.4.2
I would like to see if @WCHS can add any more about Firefox containers.
I don’t have any more to add to the Lifewire article or the Firefox help page about Multi-Account Containers. They pretty much say it all about how to set up containers and use them. Notice that they also mention the Firefox Facebook container, which is a separate Firefox extension and keeps Facebook corralled.
I notice that @Imacri asked about the difference between Firefox Private browsing and the Firefox Multi=Account extension. I don’t really know. I don’t use Firefox Private Browsing; my understanding is that it doesn’t keep a history. But, I think it’s possible that the business going on under one tab is apparent to the business going on in another tab at the time both tabs are open. But whatever business has gone on, the URLs are not remembered when Private Browsing closes.
On the other hand, the Firefox Multi-Account Container extension keeps a history of the URLs. I’m the only one using my laptop and I don’t visit untoward sites or search for ways to murder people, so I don’t care that my history of usage is known. I find it helpful, as a matter of fact, because I can easily find again something that I viewed some days ago, but can’t remember where.
But, with containers, the business going on under one tab is contained in its own space and separate from the business going on in another tab contained its own separate space, which means that the “left hand doesn’t know what the right had is doing”, so to speak. I guess that also means that a hacker/voyeur who had gained access to what I was doing in one container would not be able to pass that information through the container walls to somewhere else.
Here’s a concrete example. Before I started using the Firefox Multi-Account Containers extension, I noticed that something I mentioned in my web-based e-mail (a back ache I had had or a movie I had seen, for example) would suddenly prompt ads popping up when I accessed a URL that has ads on it and the ads are tailored to the user (a website for a local TV station, for example). So, my e-mail was being monitored and information was somehow leaking out and being scooped up by other web sites I was visiting. I don’t know if this fits the definition of hacking or not. But, it is a kind of voyeurism.
After I started using the container extension, I didn’t see this tailored-ad activity any more. But, again, this does’t seem to fit a strict definition of hacking.
And now I also use another Firefox extension, uBlock Origin, which cuts out/hides ads on websites altogether, so even if information about me were being passed from one web site to another to tailor ads for my viewing, I wouldn’t see them because uBlock Origins hides them from me.
I don’t use online banking as it is too potentially dangerous. Some people would like me to use it, for their convenience mostly. not mine. And I don’t have a smart phone, just a flip phone for emergencies, like Gibbs. 🙂 Call me a Luddite if you wish,
Addressing Susan’s specific questions:
Close all other web site tabs when you are managing your router?
Use a different browser that you reserve for highly secure tasks?
Use in private browsing when managing sensitive sites and devices?
Don’t save sensitive passwords in your browser?
What do you do to keep the password of your router a bit more protected?
I don’t believe closing other tabs really does anything productive, but I could be wrong
A different browser isn’t really necessary. If using Firefox, restarting with a different profile is sufficient. That said, using extensions that auto-discard cookies, either when navigating to a new site or closing a tab are useful. Plus, discarding all cookies at the end of a session.
There are several approaches to keeping session cookies separate from each other. One is use of private mode. With Firefox, there’s an extension called Multi Account Containers that allows for simultaneous logins with different IDs to the same site. The Chrome version of Edge also allows for that kind of access with multiple profiles that can be accessed simultaneously. Microsoft intends that for use by users that have accounts with multiple Microsoft-hosted services, but I’ve found that that works for any situation where you need to have multiple accounts visible at the same time. In each case, the key is keeping cookies for each session separate from each other.
The only browser I would consider allowing to keep sensitive passwords would be Firefox, but only with a strong master password. However, for the bulk of my passwords, external storage is necessary. I’m also suspicious of browser extensions that allow for close integration with the browser, and to that end, I’m willing to tolerate the comparative lesser convenience of using KeePass, over something that requires an extension. Also by not having tight integration, use of KeePass allows me to use my password store not only on any browser, but also with other applications outside of my browser that require login credentials, even cert-based logins.
Although it’s not for everybody, I also commend use of NoScript. In my personal usage, I normally disable all scripting as a default, and then enable individual scripting hosts as I determine are necessary. That one does take some tinkering to manage, and there are scripting hosts that I permanently whitelist, partly because I trust them, and partly because I access them frequently. However this approach takes some patience, and definitely breaks sites. But for a task such as accessing a router, it goes a long way to make sure that no scripting is active at that time.
I use Firefox for all browsing. I’ll only use another browser when a site doesn’t work right in Firefox.
Private browsing is useful for firing up a temporary session like when looking for coupon codes. Or if I need to briefly log in to a site using an alternate account.
Firefox Multi-Account Containers and Simple Tab Groups addons are useful for keeping a group of tabs in a work-related session.
I used to use containers for keeping financial sessions separate from other browsing until Firefox fully enabled Site Isolation in version 95. With each web site running in a separate process, cross-site hacks are much harder if not impossible. Site Isolation litters Windows Task Manager with dozens of firefox.exe processes if you keep lots of tabs open but the extra security is worth it. I still keep Facebook and Twitter confined to their own containers for privacy.
Site Isolation info:
https://www.makeuseof.com/how-firefox-site-isolation-security-architecture-works/
https://blog.mozilla.org/security/2021/05/18/introducing-site-isolation-in-firefox/
Alex: “I never do banking on my PC. For banking I use my iPhone /iPad.
I did online banking before the era of the iPhone but these were another days.”
Well, I never use an iPhone or an iPad to do my banking because I have neither. I disliked cellphones cordially from the first, more than 30 years ago, when they were just coming out worldwide, and have never changed my attitude towards them. I only have had four clamshell cell phones in succession, counting my present one, using them now and then, when there is no better alternative. And I just keep on finding that often there is one. As to tablets, I’ve never had the need to use one. And even so, I am still around and keen to keep going.
Besides, I keep reading about cell-phone “apps” that are loaded with spyware and even less salubrious features.
Everything I do online I do, as have been doing for decades, with browsers and email clients on a laptop.
And as I have explained, I do my online banking with a browser that is different from my usual one, but with the same usual kind of native safety features plus adons.
Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).
MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV
I use firefox with privacy badger and cookies autodelete. Have never heard of containers until this thread. No passwords are saved in the browser, I use keepass. I do banking and trading in firefox, have never been phished. If I ever want to look at a site and don’t want my isp to see I use brave with in private tor mode. Other than about $20 of credit card fraud attempts per year I don’t have any problems. I don’t do any banking on my phone but I use it for authenticator 2fa codes. I refuse to use my doctor’s medical online portal. They made me an account without my consent and I refuse to activate it but waiting for the day when they are breached and all my private health info is public.
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
