
Labs Presents: Browser Settings When Using Personal VPNs

The main point of using a personal VPN is to surf the interwebs in privacy, away from prying eyes. Lock down the browser before starting up the personal VPN for maximum benefits.

The main point of using a personal VPN is to surf the interwebs in privacy, away from prying eyes. Therefore it makes sense to lock down your browser and disable things that can be used by attackers against you.

Even though revealing your public IP address is considered “not as bad” as a full-on breach of your system, if you are using a personal VPN, even that can have an impact. Making some changes to your browser and device setup can enhance the benefits of having a personal VPN.

Patch If Possible

Yup, this is a “duh” thing. Make sure you are using the latest version of your browser. New patches are released all the time; some include security fixes, and many add new features that can include enhancements to privacy and security choices.

Get Native (Large) Apps

Extremely large web-based implementations may be the only way to go, but if you have a choice between using (for example) Skype for Web or Skype for Mac, use the native application instead of the web version. Depending on the browser and the browser implementation of the app, you may be forced to use extra plugins or turn on features you’d normally want off (WebRTC leaps to mind).

Disable Historically Insecure Things

What does this mean? Disable Flash; most sites will work just fine without it. If you can, disable Java and (hardest of all) JavaScript. That last one is going to make your browser look like it’s the 90s at best; at worst, entire features on websites will simply not work. This means you have a decision to make about what is more important: disabling a feature that is often used to execute routines designed to leak your whereabouts, or being able to actually use the features of a website while connected via your personal VPN. The sad part is that some sites like your browser-based email might have security and privacy settings only reachable via

Delete History and Cookies

In the event something happens and a malicious site is even partially able to compromise your browser, remember that cookies and browser history will contain information that could reveal who you are or where you are located. Before hitting the Interwebs, delete your browser history and cookies. Yes, this will create usability issues for certain sites, but it helps add a layer of protection.

Disable Autofill Forms, Save Passwords.

This is debatable. On one hand, you shouldn’t allow your browser to start throwing data around that is personal in nature. Yes it is very convenient, but if some malicious code manages to start running there could be consequences. On the other hand, if you cannot remember things like account names and passwords, storing them using the browser is slightly better than cutting and pasting from an unencrypted text file in your home directory.

If you are serious about storing your password somewhere, use a password manager (such as LastPass or 1Password) instead to store credentials safely. In the individual browser instructions below I am assuming you are using a password manager and can disable browser autofill and saved passwords.

Use Security-Related Extensions

There are a number of choices for helping to protect yourself from rogue (or just unwanted) ads, pop-ups, and various web tracking techniques. Adblock Plus and Ghostery are two ad blockers that work well, although they do odd things like “acceptable ads” and “anonymous tracking for resale to marketers” respectively (the latest Ghostery does appear to allow you to opt out of that). My personal favorite is uBlock Origin, and I am currently experimenting with using it in conjunction with Ghostery.

In uBlock Origin, click “Open the dashboard”. In the Privacy section make sure “Prevent WebRTC from leaking local IP addresses” is checked. I was unable to find a spot in Chrome to disable WebRTC, so having this option in uBlock Origin is nice.
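To confirm the WebRTC setting is doing its job, the ICE candidates your browser gathers can be read from its WebRTC diagnostics page (about:webrtc in Firefox, chrome://webrtc-internals in Chrome) and checked for addresses that are neither your VPN exit nor an obfuscated mDNS name. The following is an added example, not code from the original article; the function names, verdict labels and sample candidate lines are constructed for illustration.

```javascript
// Added example: review ICE candidate lines copied from the browser's own
// WebRTC diagnostics page and flag addresses a personal VPN should be hiding.

// RFC 1918 private IPv4 ranges: 10/8, 172.16/12, 192.168/16.
function isPrivateV4(addr) {
  const p = addr.split(".").map(Number);
  if (p.length !== 4 || p.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return p[0] === 10 || (p[0] === 172 && p[1] >= 16 && p[1] <= 31) ||
         (p[0] === 192 && p[1] === 168);
}

function classifyAddress(addr, vpnExitIp) {
  if (addr.endsWith(".local")) return "mdns-obfuscated"; // random name, no IP shown
  if (isPrivateV4(addr)) return "local-ip-exposed";      // LAN address visible to the page
  if (addr === vpnExitIp) return "vpn-exit";             // what the site should see
  return "not-vpn-exit";                                 // e.g. the ISP-assigned address
}

// Candidate grammar: candidate:<foundation> <component> <transport> <priority>
//                    <address> <port> typ <type> [raddr <address> rport <port>]
function reviewCandidates(lines, vpnExitIp) {
  const report = [];
  for (const line of lines) {
    const m = /^(?:a=)?candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)(?: raddr (\S+))?/
      .exec(line.trim());
    if (!m) continue;
    const addrs = [m[1]];
    if (m[3] && m[3] !== "0.0.0.0") addrs.push(m[3]); // 0.0.0.0 means raddr was withheld
    for (const address of addrs) {
      report.push({ type: m[2], address, verdict: classifyAddress(address, vpnExitIp) });
    }
  }
  return report;
}

function needsAttention(report) {
  return report.filter((r) => r.verdict !== "vpn-exit" && r.verdict !== "mdns-obfuscated");
}

// Constructed sample lines using documentation address ranges.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 51000 typ host",
  "candidate:2 1 udp 1686052607 198.51.100.20 51000 typ srflx raddr 192.168.1.23 rport 51000",
  "candidate:3 1 udp 2122260223 1f4712db-ea17-4bcf-a596-105139dfd8bf.local 51001 typ host",
  "candidate:4 1 udp 1686052607 203.0.113.7 51002 typ srflx raddr 0.0.0.0 rport 0",
];
const report = reviewCandidates(SAMPLE_CANDIDATES, "198.51.100.20");
for (const r of needsAttention(report)) console.log(`${r.type} ${r.address}: ${r.verdict}`);
```
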

Another good extension to use is HTTPS Everywhere (Firefox and Chrome only), to help ensure you are only visiting sites via the encrypted https instead of plaintext http.

Setting Up the Browsers

We’ll look at three major browsers - Chrome, Firefox, and Edge - and go over settings to help lock things down. Bear in mind that browser versions and therefore things like menu settings change over time, but as of October 2018 this was current. Also bear in mind that for Chrome and Firefox the menu choices may be slightly different from platform to platform.

Configuring Mozilla Firefox

For Mozilla Firefox, make sure you perform the following steps.

  • In the address bar, type in “about:preferences”, or select “Preferences” from the “three pancake” menu in the upper right corner.
  • Select General on the left and scroll down to make sure “Always ask where to save files” under Downloads is selected.
  • Click on Privacy and Security on the left, and uncheck “Autofill addresses”.
  • Scroll past the History section for now; we’ll come back to it. Instead, scroll down to the Tracking Protection section. Under “Use Tracking Protection to block known trackers” select Always.
  • Under “Send websites a ‘Do Not Track’ signal that you don’t want to be tracked” select Always.
  • Now scroll back up to the History section, select “Never remember history” in the pull-down next to “Firefox will ”. If it was something else previously, you will have to restart your browser to save the changes. Do so.
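The same settings can be checked outside the UI by reading the profile's prefs.js file. The following is an added example, not code from the original article or from Mozilla; the mapping from each menu option to an about:config preference name is this example's assumption, and the sample file contents are constructed.

```javascript
// Added example: audit Firefox prefs.js text against the settings listed above.
// Assumption: these pref names correspond to the UI options named in the steps.
const RECOMMENDED = {
  "browser.download.useDownloadDir": false,           // "Always ask where to save files"
  "extensions.formautofill.addresses.enabled": false, // "Autofill addresses" unchecked
  "privacy.trackingprotection.enabled": true,         // Tracking Protection: Always
  "privacy.donottrackheader.enabled": true,           // Do Not Track: Always
  "browser.privatebrowsing.autostart": true,          // "Never remember history"
};

// Parse lines of the form: user_pref("name", value);
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$/gm;
  for (const m of text.matchAll(re)) {
    try {
      prefs.set(m[1], JSON.parse(m[2])); // booleans, numbers and quoted strings
    } catch {
      continue; // skip values that do not decode
    }
  }
  return prefs;
}

// prefs.js normally records only values changed from the default, so a missing
// pref means the default applies; for these five the default is not the
// recommended value, so "not set" is reported as a finding.
function auditPrefs(text) {
  const prefs = parsePrefs(text);
  const findings = [];
  for (const [name, want] of Object.entries(RECOMMENDED)) {
    if (!prefs.has(name)) findings.push({ name, status: "default (not set)", want });
    else if (prefs.get(name) !== want) findings.push({ name, status: "set to " + prefs.get(name), want });
  }
  return findings;
}

// Constructed sample, not taken from a real profile.
const SAMPLE_PREFS = `
// Mozilla User Preferences
user_pref("browser.download.useDownloadDir", false);
user_pref("privacy.donottrackheader.enabled", true);
user_pref("privacy.trackingprotection.enabled", false);
user_pref("browser.startup.homepage", "about:blank");
`;
for (const f of auditPrefs(SAMPLE_PREFS)) console.log(`${f.name}: ${f.status}, recommended ${f.want}`);
```
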

If for some reason you need something like web history enabled to better utilize a website, you can always select “New Private Window” from the three pancake menu (or the shortcut ctrl+shift+p) and a new window will open. This window will have the strictest settings, and all browser history, temp Internet files, cookies, and so on will be deleted upon its closing.

Adjusting Google Chrome

For Google Chrome, make sure you perform the following steps.

  • Under the “three stacked dots” menu in the upper right corner of the browser, select Settings and scroll down and click on Advanced Settings.
  • Make sure “Protect you and your device from dangerous sites” and “Send a ‘Do Not Track’ request with your browsing traffic” are both selected.
  • In the Passwords and forms section, go into both Autofill settings and Manage passwords. Ensure both are off.
  • In the Download section, turn on “Ask where to save each file before downloading”.

Tweaking Microsoft Edge

For Microsoft Edge, make sure you perform the following steps.

  • Under the “three dots” menu, select Settings and scroll to the bottom of that menu to “View Advanced Settings”. Start scrolling down; we have a few settings to adjust.
  • The “Use Adobe Flash Player” button should be set to Off.
  • The “Ask me what to do with each download” button should be set to On.
  • The “Offer to save passwords” button should be set to Off.
  • The “Save form entries” button should be set to Off.
  • The “Send Do Not Track requests” button should be set to On.
  • In the address bar, type in “about:flags” and press Enter. Make sure the checkbox next to “Hide my local IP address over WebRTC connections” is checked. Supposedly this is only a partial fix, so make sure you’re using uBlock Origin (see above).
  • Restart your browser.

Additionally, under that same “three dots” menu you can select New InPrivate window, and this launches a new browser window that does not save browser history, temp Internet files, cookies and the like. They all go away after you close the InPrivate window.