Secure Web Browsing
Use a secure web browser
Internet Explorer is not recommended as a general-use browser. If you use an online service that requires Internet Explorer, reserve it solely for that use, and use a modern browser for general web browsing.
Keep your web browser software updated
Malicious software often takes advantage of security flaws in common programs and operating systems. These flaws are routinely discovered and fixed in updates. Modern web browsers download available updates automatically but may need to be restarted to apply updates. It is a good idea to confirm that your browser is configured to update automatically, and also to make sure to restart your browser occasionally to install any pending updates.
Be careful about entering private data on public computers
Public computers may be infected with malware intended to steal private data, or set up with software or hardware designed to record keyboard strokes. Whenever possible, avoid entering private data including passwords and credit card numbers on public computers. If you ever have to enter your password on a public computer, it is a good practice to change that password once you get back to your personal computer. Being set up for multi-factor authentication can also help mitigate the threat of your password being stolen by a public computer. When you finish using a public computer, always clear the browser data, completely close out of the browser, and restart the computer.
When signing up for new accounts, use unique passwords
It is important to use a unique password for each account. Passwords can be exposed in many ways, some of which might not even be within your control. If one of your passwords is exposed, all of your accounts using that password are at risk of compromise. A common way that Caltech accounts are compromised is that a completely unrelated service is breached, and people had the same password on that service as the one they use at Caltech. Make sure to choose a different password for every one of your accounts.
Don't store passwords in your web browser
Most web browsers will offer to save your passwords for you. These mechanisms are designed with convenience in mind and are often not as secure as they should be. If you store your passwords in your browser they may be viewable by someone else using your computer, or retrievable by an attacker. A better solution is to use a dedicated password management tool.
Encrypted communications (http vs https)
Be aware of whether or not the website you are browsing is using encrypted communications. In most web browsers, you will see this in the address bar as "http" (not encrypted) or "https" (encrypted). Some browsers have stopped showing "http" or "https" and instead use green lock icon representing encrypted and a red, yellow, or gray warning symbol for not encrypted. If your connection to a website you are browsing is not encrypted, the data you send to that website (including passwords and credit card numbers) may be viewable by others. Do not log in or submit any private data to a website when the connection is not encrypted. Even if you are not submitting private information to a website, an encrypted connection is an important defense mechanism against the site content being modified at some point on its way from the server to your computer.
Trusted communications (valid SSL certificate)
An encrypted connection to a server is not sufficient for the connection to be considered secure. A website must also have a valid certificate proving that it is actually what it claims to be. If you browse to a site and the URL includes "https" (encrypted), but your browser warns you about certificate problems, you might be visiting a malicious site that is impersonating a legitimate site. Do not log in or submit any private data to a website when your browser warns you about certificate problems.
Beware of suspicious emails, links, and downloads
Be aware when reading email and browsing the web. The sender of an email can be spoofed. If an email is suspicious, do not follow any links or download attachments. If you are unsure, hover over a link to see where it points. Watch out for fake Caltech email addresses and URLs that are crafted to look legitimate, such as email@example.com or courses.caltech.edu.cvve.cf. See How to Read a URL for information on how to spot a malicious fake website based on the URL. If you receive an email you think is malicious (or if you're not sure), report it to information security.
Plugins vs extensions
Plugins and extensions are two different ways of adding functionality to web browsers and both have security implications. Plugins are executable programs that work to embed some content into a particular site (some examples are Java and Flash). Extensions add or change functionality of the web browser itself (examples include ad blockers and bookmark managers).
Browser plugins such as Java and Flash have a poor security reputation and most web browsers have either phased them out or are in the process of phasing them out. Unfortunately some applications built around these plugins have been slow to shift to more modern alternatives. If you don't absolutely need a particular plugin to get your job done, you should uninstall it completely. If you still need a plugin, make sure you keep it up to date to limit your exposure to related security problems.
Browser extensions can add or change the functionality of your web browser in many useful ways. However, it is important to be aware of the security and privacy implications of using extensions. Extensions are written by third-party developers and when you install them, you allow your web browser to share some or all of your browsing data with the extension. Attackers can create malicious extensions designed to steal your private data. Scrutinize extensions before installing them. Look at things like the number of previous downloads and ratings/reviews, and which permissions the extension is requesting to have. It is a good idea to occasionally review your installed extensions and remove any you are not using.