- Keeping your browser updated
- Use strong, unique passwords
- Using a VPN
- Regularly clean history and cookies
- Understanding private browsing
- Identifying and avoiding phishing and social engineering
- Check installed extensions
- Separate your web uses
- Limit websites granted permissions
- Check secure connections (HTTPS)
- Choice of search engine
In the previous chapter, we went through the details of the main browsers currently available, along with their advantages and disadvantages in terms of security and privacy.
However, even the most secure browser isn't enough: how you use it remains crucial to protecting your digital security. In this chapter, we take an in-depth look at the essential best practices for minimizing the risks associated with everyday web use.
Keeping your browser updated
The web browser is one of the most exposed software components in a computer system. Unlike most other programs, it processes dynamic content from the Internet in real time, which is fundamentally unreliable. When a website is loaded, the browser executes remote code, which interacts directly with your system via the rendering engine.
This technical complexity, combined with a massive attack surface, makes the browser a priority target for attackers. Critical flaws in rendering engines (such as Blink or Gecko), image analysis libraries or memory managers can enable so-called "zero-click" attacks (simply visit a booby-trapped site and your machine is compromised), or "zero-day" attacks (vulnerability unknown to the vendor).
To reduce these risks, browser publishers release very frequent, often weekly, updates that correct these vulnerabilities as soon as they are identified. These patches are not limited to interface or performance improvements: they actively block real, documented attack vectors.
It is therefore imperative to:
- enable automatic updates for your browser, and regularly check by hand that no update is still pending;
- or, if you're using a manually packaged version (e.g. via apt, flatpak or snap on Linux), regularly update the whole system via your package manager.
To manually check the version and trigger an update:
- in Firefox: Menu > Settings > Firefox Updates;
- from the command line under Linux (apt packages): sudo apt update && sudo apt upgrade firefox
Updating your browser, software and operating system is one of the first concrete steps you can take in cybersecurity.
Use strong, unique passwords
When it comes to web security, one of the most common (and dangerous) mistakes is reusing passwords across multiple sites. This practice causes a dangerous domino effect: if a single service is compromised (database leak, phishing, brute force attack...), the attacker can then test the same password on other platforms, gaining access to critical accounts such as your e-mail, bank accounts or workspaces.
The first principle when it comes to passwords is not to reuse them. Each online account should be protected by a unique password, completely distinct from the others. Having a unique password for each account isolates potential attacks and limits their impact.
For example, if you use the same password for a video game platform and for your email account, and this password is compromised via a phishing site linked to the gaming platform, the attacker could then easily access your email account and take control of all your other online accounts.
The second essential principle is having a strong password. A password is considered strong if it is difficult to brute force, i.e. to find by trial and error. This means your passwords should be as random as possible, long, and include a variety of characters (lower case, upper case, numbers and symbols).
Applying these two password security principles (uniqueness and strength) can prove difficult on a day-to-day basis, as it's virtually impossible to memorize a unique, random and robust password for all our accounts. This is where the password manager comes in.
A password manager securely generates and stores strong passwords, allowing you to access all your online accounts without having to memorize them individually. You only need to remember one password, the master password, which gives you access to all your passwords stored in the manager. Using a password manager strengthens your online security, as it prevents the reuse of passwords and systematically generates random passwords.
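The two rules above (unique and strong) can be checked and applied with a few lines of code. The following Python script, added here as an illustration and not part of the original chapter, shows what a password manager's generator does (drawing from the OS cryptographic random source across all four character classes), how much brute-force resistance a password offers (length times log2 of the pool it was drawn from), and how to find passwords shared between accounts in a vault. The vault contents are constructed sample data, not real credentials.

```python
import math
import secrets
import string

# The four character classes the chapter lists: lower case, upper case, digits, symbols.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters


def generate_password(length: int = 20) -> str:
    """Draw a password from the OS CSPRNG, as a password manager's generator does.

    One character of every class is forced in, the remaining positions are drawn
    uniformly from the full alphabet, and the result is shuffled with a CSPRNG so the
    forced characters do not sit at predictable positions.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to contain every character class")
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(CLASSES))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def entropy_bits(password: str) -> float:
    """Upper bound on brute-force resistance: length * log2(size of the pool used).

    The pool is the union of the character classes actually present, so a
    digits-only password is scored against a pool of 10, not 94.
    """
    pool = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def has_all_classes(password: str) -> bool:
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def find_reused(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map each password used by more than one account to the accounts sharing it."""
    by_password: dict[str, list[str]] = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


# Constructed sample vault (not real credentials) reproducing the chapter's scenario:
# the same password on a game platform and on the mailbox.
SAMPLE_VAULT = {
    "game-platform": "Summer2024!",
    "mailbox": "Summer2024!",
    "bank": "correct-horse-battery-staple",
}

if __name__ == "__main__":
    for pw, accounts in find_reused(SAMPLE_VAULT).items():
        print(f"reused on {accounts}: replace with e.g. {generate_password()}")
    print(f"{entropy_bits('12345678'):.1f} bits vs {entropy_bits(generate_password()):.1f} bits")
```

A 20-character password drawn from the full 94-character pool carries about 131 bits of entropy, while an 8-digit PIN carries under 27: the difference between unreachable and trivially brute-forced.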
Using a password manager has a number of advantages: it simplifies your daily life by eliminating the need to memorize a multitude of passwords, and minimizes the main authentication weakness: the user themselves.
When it comes to authentication, the use of a password manager must be complemented by a two-factor authentication (2FA) solution, to be used on all accounts that support it. Ideally, you should use a specialized application, or even better, a physical device such as a Yubikey.
Using a VPN
A VPN (Virtual Private Network) is a tunneling tool that encrypts network traffic between your device and an intermediary server. This server acts as a gateway, redirecting all your connections to the Internet. As a result, your ISP only sees encrypted traffic destined for the VPN, and the sites you visit only see the VPN server's IP address, not yours.
There are several advantages to using a VPN. It protects your browsing on insecure networks (such as public Wi-Fi in airports or hotels, for example), by preventing third parties from intercepting your data. It also hides your real IP address, which can be useful for avoiding basic tracking, or simulating a connection from another country. Last but not least, a VPN is a tool to circumvent censorship. In environments where access to certain content is blocked at ISP level, redirecting your traffic to a VPN server located in an unfiltered country allows you to regain free access.
On the other hand, contrary to popular belief, a VPN does not provide anonymity. The VPN provider knows your real IP address, can record your connections, and becomes a trusted third party. You delegate your entire online activity to them. If the provider is malicious, subject to binding legal obligations or technically negligent, your data may be exposed.
What's more, a VPN offers no protection against malware, JavaScript tracking or third-party cookies. If you're logged into your Google or Facebook account, using a VPN won't prevent these platforms from accurately identifying you. VPNs don't filter content either, and won't prevent a booby-trapped page from attacking you via a browser vulnerability.
Also, VPN tools should not be confused with the Tor network, which is a decentralized network of encrypted relays to guarantee much stronger anonymity. Tor is slower, but far more robust against global surveillance than a VPN.
A good VPN should have a clear no-logging policy, offer modern technologies (notably WireGuard), allow anonymous use of the service and offer an open source or publicly audited technical base. With this in mind, I recommend tools such as Mullvad or IVPN.
High-profile VPNs should be avoided. Despite their aggressive marketing, they remain centralized commercial services, often based in less protective jurisdictions, and rarely transparent about their actual technical operation.
Regularly clean history and cookies
Every website you visit records session data locally on your computer, of which there are two main types: browsing history and cookies.
The history is a simple local database that lists all the sites visited, with their date, title and sometimes the time they were viewed. It makes it easy to find a previously opened page. But on the other hand, it exposes all your online searches to anyone with access to your session (including malicious software, or an inquisitive relative).
Cookies, on the other hand, are small files stored by the browser at the request of websites. They are used to remember your session (e.g. to stay connected to a site), store your preferences, or track your behavior for statistical purposes. Some cookies are functional (i.e. necessary for a site to function properly), while others are third-party (placed by advertising agencies or trackers on visited pages). The latter enable cross-site tracking, sometimes over years, by cross-referencing your browsing habits to establish an advertising profile.
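To make the first-party/third-party distinction concrete, here is an added Python example (not from the original chapter) that parses Set-Cookie headers as a browser would see them during one page load and reports, for each cookie, whether it belongs to the site being visited, whether it persists across browser restarts, and whether it is flagged to be sent in cross-site requests (SameSite=None; Secure), which is what a tracker needs to follow you from site to site. The page URL and headers are constructed sample data; the registrable-domain helper is a deliberate simplification of what browsers do with the Public Suffix List.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str        # effective domain: Domain attribute, else the responding host
    host_only: bool    # True when no Domain attribute was given
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str, response_host: str) -> Cookie:
    """Minimal Set-Cookie parser: name=value, then ';'-separated attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    domain = attrs.get("domain", "").lstrip(".").lower()
    return Cookie(name.strip(), value, domain or response_host.lower(), not domain, attrs)


def registrable_domain(host: str) -> str:
    # Simplification: last two labels. Browsers use the Public Suffix List instead,
    # so that e.g. "example.co.uk" is handled correctly.
    return ".".join(host.lower().split(".")[-2:])


def classify(cookie: Cookie, page_host: str) -> str:
    """First-party if the cookie's site equals the site of the page being viewed."""
    same_site = registrable_domain(cookie.domain) == registrable_domain(page_host)
    return "first-party" if same_site else "third-party"


def audit(page_url: str, responses: list[tuple[str, str]]) -> list[dict]:
    """responses: (responding host, Set-Cookie header) pairs seen while loading page_url."""
    page_host = urlsplit(page_url).hostname or ""
    report = []
    for host, header in responses:
        c = parse_set_cookie(header, host)
        report.append({
            "name": c.name,
            "party": classify(c, page_host),
            "domain": c.domain,
            # persistent cookies survive browser restarts; session cookies do not
            "persistent": "max-age" in c.attrs or "expires" in c.attrs,
            # SameSite=None; Secure is what a tracker needs to be sent in cross-site requests
            "cross_site": c.attrs.get("samesite", "").lower() == "none" and "secure" in c.attrs,
        })
    return report


# Constructed sample: one page load of a news site that embeds an advertising tracker.
PAGE_URL = "https://www.news.example/article/42"
RESPONSES = [
    ("www.news.example", "sid=3f9a; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.news.example", "theme=dark; Domain=.news.example; Max-Age=31536000; SameSite=Lax"),
    ("ads.tracker.example", "uid=7c1e; Domain=.tracker.example; Max-Age=63072000; Secure; SameSite=None"),
]


def audit_sample() -> list[dict]:
    return audit(PAGE_URL, RESPONSES)


if __name__ == "__main__":
    for row in audit_sample():
        print(row)
```

The tracker's cookie is the only one that is both third-party and persistent for two years with SameSite=None; that combination is exactly what the "regularly clean cookies" advice (or a browser setting that blocks third-party cookies outright) is meant to neutralize.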
Regular cleaning of this local data is a simple but effective way of limiting tracking and preserving your privacy. Most browsers offer options to:
- delete this data manually (in the settings);
- automate deletion each time you close the browser, or after a set period of time (I recommend this option);
- launch temporary sessions via a private browsing mode (more on this in the next section).
In Firefox, for example, you can configure automatic deletion via Settings > Privacy & Security.
However, keep in mind that simply deleting cookies is not enough to guarantee your privacy: other, more advanced tracking techniques exist, such as fingerprinting (a unique fingerprint derived from your browser, your hardware, your IP, your usage...), which require additional measures to counter:
- Use a browser offering native fingerprinting resistance: Tor Browser and Mullvad Browser are the best for this; otherwise, fairly good options are LibreWolf, Brave, or Firefox with manual hardening;
- Limit or block JavaScript whenever possible;
- Avoid non-essential extensions;
- In general, adopt a commonplace, consistent profile, to blend in better and limit the possibilities of identification.
Understanding private browsing
The private browsing mode, available in all modern browsers (Firefox, Chrome, Brave, Safari...), is often misunderstood. It is neither an anonymizing tool, nor a protection against online tracking. This mode merely limits the recording of local data on your computer during the active session.
In concrete terms, when you open a window in private browsing:
- browsing history won't be stored locally on your device;
- cookies created during the session will be automatically deleted when the window is closed;
- form data (filled-in fields, passwords) will not be saved;
- temporary files linked to web pages will be deleted after closing.
However, this mode does not hide your activity online: the websites you visit still see your public IP address, can still exploit fingerprinting techniques, and your ISP, or anyone on your local network, can still see the sites you visit.
So it's essential not to confuse private browsing with anonymity. For enhanced protection of your online privacy, you need to use complementary tools such as Tor or a good VPN, depending on the level of threat.
Identifying and avoiding phishing and social engineering
Phishing is a form of social engineering used to trick users into revealing sensitive data without their knowledge: login details, credit card numbers, access codes, confidential documents. This threat is not based on a technical flaw, but on psychological manipulation, exploiting the user's trust, haste or lack of knowledge.
In most cases, the attack consists of imitating the appearance of an official site (bank, messaging service, administration, online store, etc.) through a fake website with a disguised URL. Users receive a fraudulent link by e-mail, SMS or messaging apps, and, believing they are interacting with the real site, enter their login credentials.
To avoid these attacks when browsing online, it is important to follow certain basic practices:
- Analyze the URL: attackers often use addresses very close to the original (e.g. micr0soft-support.com, paypal-verif.net, etc.). Some also substitute visually similar characters, exploiting Unicode characters. Check that the address corresponds exactly to the expected site, with no suspicious prefixes or suffixes.
- Avoid shortened links: services such as bit.ly or t.co can mask the final address. If you receive a shortened link, be suspicious or use a URL expansion service to check its destination.
- Beware of alarmist messages: phishing attempts often exploit strong emotions (urgency, threat, reward, curiosity...). An e-mail claiming that your account is about to be blocked or that a parcel cannot be delivered is naturally suspicious.
- Never transmit sensitive information via a received link: a legitimate institution will never ask you for a password, authentication code or a scanned copy of your ID via a simple e-mail or SMS.
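The URL checks in the first two points can be automated. The Python function below is an added example (not part of the original chapter) that applies them to a link before you click: it flags a missing HTTPS scheme, the shorteners named above, hosts containing non-ASCII or punycode ("xn--") labels that may hide a homoglyph, digit-for-letter substitutions such as micr0soft, and any host that merely contains the brand name without actually being the expected domain. The substitution table and the finding codes are this example's own assumptions; the example URLs reuse the ones from the list above plus a constructed Cyrillic homoglyph.

```python
from urllib.parse import urlsplit

# Shorteners named in the chapter; a real deny-list would be far longer.
SHORTENERS = {"bit.ly", "t.co"}
# Digit-for-letter swaps commonly used in lookalike domains (assumed list)
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def check_url(url: str, expected_host: str) -> list[str]:
    """Return a list of finding codes; an empty list means nothing looked wrong.

    expected_host is the registered domain you intend to reach (e.g. "paypal.com");
    any host equal to it or ending in "." + expected_host is accepted.
    """
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    expected = expected_host.lower()
    brand = expected.split(".")[0]

    if parts.scheme != "https":
        findings.append("no-https")
    if host in SHORTENERS:
        findings.append("shortener")
    # Internationalized labels: raw non-ASCII (e.g. Cyrillic 'a') or already punycoded "xn--"
    if any(ord(ch) > 127 for ch in host) or any(label.startswith("xn--") for label in host.split(".")):
        findings.append("idn-homoglyph")

    on_expected_site = host == expected or host.endswith("." + expected)
    if not on_expected_site:
        normalized = host.translate(SUBSTITUTIONS)
        if normalized != host and brand in normalized:
            findings.append("digit-for-letter")       # micr0soft -> microsoft
        elif brand in host:
            findings.append("brand-in-wrong-domain")  # paypal-verif.net, paypal.com.evil.example
        else:
            findings.append("unexpected-host")
    return findings


def is_suspicious(url: str, expected_host: str) -> bool:
    return bool(check_url(url, expected_host))


if __name__ == "__main__":
    for url, expected in [
        ("https://www.microsoft.com/", "microsoft.com"),
        ("https://micr0soft-support.com/login", "microsoft.com"),
        ("https://paypal-verif.net/", "paypal.com"),
        ("http://bit.ly/3xYz", "paypal.com"),
        ("https://\u0430pple.com/", "apple.com"),   # first letter is Cyrillic
    ]:
        print(url, "->", check_url(url, expected) or "ok")
```

The important design choice is that the check is anchored on the domain you expect, not on a list of bad domains: "paypal.com.evil.example" fails because its registered domain is not paypal.com, no matter how convincing the prefix looks.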
And here are a few preventive measures you can implement directly in your browser to minimize the risk of phishing:
- Access critical sites via your bookmarks:
For important services (related to banking, tax authority, e-mail, etc), and more generally for all the sites you use on a regular basis, save the official URL in your bookmarks and never use a search engine or an external link to get there.
Have you received an e-mail from the tax office containing a link? Don't click on it. Instead, go directly to your personal space using the URL you've saved in your bookmarks. Nowadays, all modern browsers offer a bookmark bar with the option of organizing your links into folders. Take the time to do this once, carefully checking the URL and SSL/TLS certificate, and you'll be able to browse more securely.
- Respect good authentication practices:
It is also essential to follow good authentication practices to limit the potential impact of a phishing attack. The two most important rules are using unique passwords for each service and enabling 2FA.
Let's take an example: if an attacker manages to obtain the password to your Steam account, but you use a different password for each of your accounts, he won't be able to access more sensitive services like your e-mail or banking. And if you've activated two-factor authentication (2FA), then even with the password, the attacker won't be able to log in, since he won't have access to your TOTP application (like Authy, Google Authenticator...).
In addition to these measures, the use of a good password manager as a browser extension can also protect you against fake websites. Indeed, most of these extensions will detect a suspicious URL and refuse to auto-fill your credentials, or even notify you of it, which will prevent you from inadvertently exposing your access details.
- Inspect SSL/TLS certificates:
The padlock icon in the address bar indicates an encrypted connection, but does not guarantee the site's legitimacy. Click on it to examine the certificate (organization, domain, certification authority). This can be helpful if you have doubts about a website's URL.
Phishing only works if you click too quickly. For every link you receive, develop a habit of systematically verifying, even for a site you know. Taking your time to carefully examine and verify URLs, even familiar ones, is one of the best defenses against this type of attack.
Check installed extensions
Browser extensions are modules that add features (ad blocking, translation, note-taking, password manager, Bitcoin wallets, etc.). They run directly in the browser environment and can access all or part of the pages you visit. This makes them powerful, but also potentially dangerous.
A malicious or compromised extension can intercept your personal data, read the content, inject code into web pages or even execute JavaScript in the background. Some extensions retain permanent access to open tabs or browsing history, far beyond what is necessary for their operation.
To limit these risks, install only extensions from official sources (Mozilla Add-ons), always check the permissions requested, and keep their number to a strict minimum. Delete extensions you no longer use, and beware of clones.
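"Always check the permissions requested" can be done on the extension's manifest.json before it is installed. The Python script below is an added example (not from the original chapter, and not an official tool of any browser vendor) that reads a WebExtension manifest and lists permissions granting broad access: known high-risk permission names, host patterns covering every site, and content scripts injected into every page. The manifest is a constructed sample for a hypothetical note-taking extension; the risk descriptions are this example's own wording.

```python
import json

# WebExtension permissions that grant broad access, with a one-line reason (assumed mapping
# for this example; the permission names themselves are the standard ones used by Firefox and Chrome).
HIGH_RISK = {
    "<all_urls>": "read and change data on every site you visit",
    "webRequest": "observe every network request the browser makes",
    "webRequestBlocking": "modify or block network requests",
    "history": "read your browsing history",
    "tabs": "see the URL and title of every open tab",
    "cookies": "read and write cookies, including session cookies",
    "clipboardRead": "read the clipboard",
    "nativeMessaging": "talk to programs outside the browser",
    "proxy": "route your traffic through a server of its choice",
    "management": "enumerate and disable other extensions",
}
BROAD_HOST_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def is_broad_host_pattern(pattern: str) -> bool:
    return pattern in BROAD_HOST_PATTERNS


def audit_manifest(manifest: dict) -> list[tuple[str, str]]:
    """Return (permission or pattern, reason) pairs worth questioning before installing."""
    findings = []
    # MV2 puts host patterns in "permissions"; MV3 moved them to "host_permissions"
    declared = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for perm in declared:
        if perm in HIGH_RISK:
            findings.append((perm, HIGH_RISK[perm]))
        elif is_broad_host_pattern(perm):
            findings.append((perm, "access to every site"))
    # Content scripts injected into every page are equivalent to a broad host permission
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if is_broad_host_pattern(pattern):
                findings.append((f"content_scripts:{pattern}", "script injected into every page"))
    return findings


# Constructed manifest for a hypothetical "note-taking" extension that asks for far more
# than note-taking needs.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Quick Notes (example)",
    "permissions": ["storage", "history", "tabs", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
})


def audit_sample() -> list[tuple[str, str]]:
    return audit_manifest(json.loads(SAMPLE_MANIFEST))


if __name__ == "__main__":
    for perm, reason in audit_sample():
        print(f"{perm:28} {reason}")
```

The question to ask of each finding is whether the advertised feature needs it: a note-taking tool has no reason to read browsing history or to observe every network request, and an extension whose permissions do not match its purpose is best left uninstalled.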
Regular checking of your extensions is an important part of keeping your browser secure.
Separate your web uses
Activity compartmentalization is an important practice for limiting the scope of a compromise on the web. It consists in technically separating your different uses of the internet: personal, professional, private or sensitive browsing.
The aim is simple: to prevent an incident involving a specific activity (such as a cookie leak, an attack or session theft) from contaminating your entire digital environment. Several methods can be used, alone or in combination:
- Use several distinct browsers: for example, Firefox for personal use, Tor or Mullvad for sensitive activities, and Chromium for professional tasks. Each browser uses its own storage instance, which totally isolates cookies, sessions and extensions. This also allows you to tailor browser settings to your specific use cases.
- Create multiple profiles within a single browser: some browsers allow you to create independent profiles, each with its own history, sessions, extensions and settings. This is a slightly less restrictive solution than using several separate browsers, but is still less effective.
- Use built-in containers: Firefox offers the [Multi-Account Containers](https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/) extension, which lets you open separate tabs, each with its own login and cookies. You can also automatically assign certain sites to a specific container, to keep them separate each time they're opened.
- Use an isolated system environment: for particularly sensitive uses, you can also run your browser within a virtual machine or Docker container, to keep it completely separate from your main environment.
Limit websites granted permissions
Modern browsers allow sites to request access to sensitive resources on your device, such as the camera, microphone, geolocation or system notifications. These features are useful for certain applications (videoconferencing, interactive maps...), but they also open the door to abuse if poorly controlled.
When a site asks you for access to one of these resources, the browser displays a pop-up prompt that you must accept. However, if you accept it once without realizing, this permission may remain persistently active for all your future visits to this site. This means, for example, that a site could activate your microphone or camera again without asking you, if you have not manually revoked this right.
For added security:
- Grant permissions only when strictly needed for a legitimate feature;
- Prefer the "allow once" option if available;
- Regularly review the permissions you have granted in your browser settings and revoke those no longer needed.
Check secure connections (HTTPS)
Whenever you submit personal, confidential or financial information to a website, whether it's a password, a credit card number or a simple registration form, it's important to ensure that the connection between your browser and the site is encrypted.
This is precisely the role of HTTPS (HyperText Transfer Protocol Secure). This protocol is based on TLS (Transport Layer Security) encryption, which makes it possible to:
- encrypt the data exchanged (no one can read or modify it in transit);
- verify the authenticity of the remote server via a digital certificate;
- prevent man-in-the-middle (MITM) attacks, common on public or compromised networks.
In concrete terms, an HTTPS-enabled site is indicated by a closed padlock in your browser's address bar, usually at the top left of the interface. Clicking on this padlock displays information about the site's TLS certificate (certification authority, validity date, etc.). The site address also systematically begins with https://.
Conversely, if the site is still using HTTP (without the "S"), the connection is unencrypted. Any information entered can then be intercepted by a malicious actor located between you and the site: network operator, access provider, booby-trapped Wi-Fi hotspot, local malware, etc.
In theory, you should always check this information manually before entering data on a website. In practice, most modern browsers automatically flag HTTP sites as insecure. You can also activate an option to force the use of the HTTPS protocol in your browser's security settings, enabling you to block sites that don't support it.
In fact, very few sites today are accessible only via HTTP. This protocol is largely being abandoned in favor of HTTPS, not only for obvious security reasons, but also because it is penalized by search engines and flagged as potentially dangerous by modern browsers, which does not inspire trust among visitors.
Choice of search engine
As we've already seen, it's important to distinguish between two elements that are often confused: the browser, which is an application installed on your computer (such as Firefox or Brave) and used to display web pages, and the search engine, which is an online service (such as Google) to which you submit queries to obtain results. These two elements are independent, although browsers often integrate a particular engine by default.
The search engine you use has a direct influence on your privacy. In fact, every search you do can be:
- associated with your IP address if you are not using Tor or a VPN;
- linked to your login and password if you are connected to an account;
- stored and analyzed to create a behavioral profile;
- used for targeted advertising or resale to third parties.
So an engine like Google provides fast, relevant results (although some studies suggest that Google is becoming less and less effective), but at the cost of systematically monitoring your queries. Bing (Microsoft) and Yahoo follow a similar model of collecting your online activities to feed their advertising networks.
To limit this tracking, we recommend choosing privacy-respecting search engines that do not store any personal identifiers or your search history:
- Startpage;
- Kagi Search;
- Qwant;
- Mojeek;
- SearXNG (which can be self-hosted).
In most browsers, you can manually configure the default search engine in the settings. This lets you avoid Google without changing your browser.
The best practices presented in this chapter form the basis for more secure, sovereign browsing. If you adopt them regularly, you will significantly reduce your exposure to threats.
Now that we've looked at the use of browsers and computers, in the next section we'll explore how to regain control of our cell phone.
Quiz
What local data enables advertisers to track your browsing habits across multiple sites?