Browser Security

Secure your browser


Always run an up-to-date version of your web browser. Most browsers (Chrome, Edge, Firefox, and Safari) will automatically check for updates; however, you have the option to manually update your browser as needed.

Use Qualys’ BrowserCheck to confirm your browser, plug-ins and system are patched.

Privacy

Browser Privacy Settings — Vendor information regarding browser privacy settings can be found in each browser maker's documentation.

Exploiting browser vulnerabilities has become a popular way to compromise computers. There are several easy ways to secure your preferred browser, through individual browser settings and add-ons. Browsers aim for a balance of performance and security. Features added by the manufacturer to improve performance may make the browser (and the computer) less secure. In addition, the more add-ons you have installed, the more your browsing experience may be impacted or slowed.

Extensions and plugins

Extensions and plugins add functionality to web browsers and should be scrutinized before you install them.

Extensions can add to or modify browser functionality. For example, ad blockers are used to prevent advertisements from displaying while browsing. However, extensions are written by third-party developers who may not have been reviewed or vetted. Therefore, you should consider factors like the number of downloads, the permissions requested (e.g., access to browsing history, passwords, or cameras), reviews, developer reputation, and update frequency (last updated a year ago or a few days ago).

Plugins are executables (.exe) that embed content into a site via Adobe Flash, Java, and QuickTime. Web browsers are phasing out plugins, and they should not be enabled or installed unless necessary. There are cases where older sites may still require a plugin.

Tips:
  1. Install and use an ad blocker such as AdBlock Plus, uBlock Origin, or uBO Lite (for Chrome or Edge). Use only one of them, not several. Note: uBlock Origin has been deprecated in Google Chrome 133. If you are running a newer version of Chrome, use uBO Lite (uBOL), which is compatible with Manifest V3.
  2. Consider uninstalling the Adobe Flash or Oracle Java plugins if you have them installed. Many content providers have moved away from these platforms due to ongoing security issues with both. If you need Flash, it's built into Chrome. If something needs Oracle Java, remember that it must be updated on a regular basis. They continue to be two of the top programs leveraged by malware to compromise computers.

Web Browsing

Before entering sensitive information into a website, look for the security padlock symbol if you are on Edge, Firefox, or Safari. The padlock is one way of checking that a website is using encrypted communication. 

Image: A browser address bar showing a padlock icon next to the secure URL “https://security.duke.edu”.
  • Don’t be fooled by a padlock that appears on the web page itself, because it is possible for a cyber-criminal to copy the image. So, double check that the padlock is in the window frame of the browser itself.
  • After validating the padlock, you can also check the text before the website name in the address bar. The “https” is another indication that the page you are viewing is using encryption. The “s” in https stands for secure and indicates the communication is encrypted using Transport Layer Security (TLS).
  • Pay attention to the web address. Check the address and if you click on a link, look to make sure that the address stays the same. If it has changed, then it has taken you to a fraudulent web address where cyber criminals can monitor and access your information.

    Scammers may alter the spelling of the URL to imitate a legitimate URL. A scammer may substitute a character such as the letter “i” with “1” and register a site such as secur1ty[.]duke[.]com (not a legitimate Duke site), or place the legitimate domain later in the URL, e.g. www[.]fakewebpage[.]com/duke[.]edu (also not a legitimate Duke site).
Image: Example of two deceptive website addresses: one shows a URL using a substituted character to mimic a legitimate domain, and the other shows a longer fake URL that embeds a real domain name inside a misleading address.
  • Double-click the padlock icon. It will display the certificate information for the page you are viewing, which lets you verify that you are on a safe, secure website. Make sure the certificate is current and issued to the same company you are visiting. If your browser warns you about certificate problems, you are likely visiting a malicious site posing as a legitimate site.
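As an added example (not part of the original page), the following Python function applies the two address checks above mechanically: trust is decided only by the hostname, never by a familiar name appearing later in the URL, and digit-for-letter substitutions are flagged. The trusted-domain list and the sample URLs are constructed for illustration.

```python
"""Added example, not from the original page: a defender-side check that flags
the two URL-spoofing tricks described above, using only the standard library.
The trusted-domain list and every sample URL are constructed for illustration."""
from urllib.parse import urlsplit

# Registrable domains the organisation actually owns (constructed; duke.edu is
# used because it is the example the page itself discusses).
TRUSTED_DOMAINS = {"duke.edu"}

# Digits commonly substituted for look-alike letters, as in "secur1ty".
LOOKALIKE_DIGITS = str.maketrans({"1": "i", "0": "o", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: "secur1ty.duke.com" -> "duke.com".
    Adequate for .edu/.com names; suffixes like co.uk need the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_url(url: str) -> tuple[str, str]:
    """Return (verdict, reason). Trust is decided by the hostname alone: anything
    after the first "/" is a path the site owner picks freely, so a familiar
    name there proves nothing."""
    url = url.replace("[.]", ".")  # accept defanged URLs written as on the page
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)

    if domain in TRUSTED_DOMAINS:
        if parts.scheme != "https":
            return "warn", f"{host} is trusted but the connection is not https"
        return "ok", f"{host} belongs to trusted domain {domain}"

    # Trick 2: the legitimate domain appears later in the URL, in the path.
    for trusted in TRUSTED_DOMAINS:
        if trusted in (parts.path + "?" + parts.query).lower():
            return "suspicious", f"'{trusted}' is in the path of {host}, not the hostname"

    # Trick 1: a digit stands in for a look-alike letter in the hostname.
    readable = host.translate(LOOKALIKE_DIGITS)
    if readable != host:
        return "suspicious", f"{host} uses look-alike digits (reads as {readable})"

    # A trusted organisation's name reused as a label under an unrelated domain.
    for trusted in TRUSTED_DOMAINS:
        name = trusted.split(".")[0]
        if name in host.split("."):
            return "suspicious", f"{host} borrows '{name}' but is registered as {domain}"

    return "unknown", f"{host} is not a trusted domain; verify before entering data"
```

Running `check_url` on the two addresses from the figure returns "suspicious" for both, while "https://security.duke.edu" returns "ok" and the same host over plain http returns "warn".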
Best Practices:

  1. Use a VPN when off the Duke network. Duke provides users with access to a VPN client from software.duke.edu. Using a VPN ensures more secure access to internet resources while you are not on Duke networks.
  2. Do not use the "remember my password" function of a browser or website. Instead, use the 1Password password management service (available to Duke faculty, staff and students). To remove data that may have already been saved, see the instructions for Chrome, Edge, Firefox, and Safari.
  3. Enable your browser's pop-up blocker (instructions available for Chrome, Edge, Firefox, and Safari). Blocking pop-ups can reduce exposure to newer threats like ClickFix, which trick people into running harmful code that can install malware or steal personal data.
  4. Consider private browsing using a Chrome Incognito Window, Edge InPrivate Window, Firefox Private Window, or Safari Private Window for privacy-focused browsing.
  5. Configure your browser to load pages over HTTPS. In your browser settings, look for HTTPS-Only Mode, or a setting indicating that HTTPS connections will be attempted whenever possible (instructions are available for Chrome, Edge, and Firefox).
  6. Block downloads. In your browser settings (Chrome, Edge, Firefox, and Safari), look for Downloads. You can select the option to ask where to save your files and, in some browsers, you can block dangerous downloads.
  7. Check autofill. Browsers can store personal data, which may be exposed if details are filled on the wrong site or form (see instructions for Chrome, Edge, Firefox, and Safari). Password managers like 1Password provide their own autofill protection by verifying that credentials are only filled on the correct site.

For Advanced Users 

The items listed below will add additional security to your web browsing, but from time to time they may need adjusting for a site to function. You should read what these extensions do, and research each before deciding if they are the right tools for you. They may be available for other browsers; we have only provided links for Chrome, Edge, Firefox, and Safari here. Users should be comfortable managing Chrome extensions, Edge extensions, Firefox add-ons, or Safari extensions as a prerequisite to using any of the items in this list. Extensions also add to your browser's overall resource use. Mobile users will find that some of these have app counterparts as well.

  • Ghostery (Chrome, Edge, Firefox, and Safari) – A powerful privacy extension. Blocks ads, stops trackers and speeds up websites. Creating an account allows settings to be shared between machines and browsers.
  • IP Whois & Flags (Chrome, Edge, and Firefox) – Displays the server's location for every website, and provides geolocation and WHOIS information when you click its toolbar icon.
  • NoScript (Chrome, Edge, and Firefox) – Allows active content to run only from sites you trust, and protects you against XSS and clickjacking attacks, “Spectre”, “Meltdown” and other JavaScript exploits.
  • Privacy Badger (Chrome, Edge, and Firefox) – Protects you from trackers as you surf the web.
  • uMatrix (Chrome and Firefox) – Point and click to forbid or allow any class of requests made by your browser. Use it to block scripts, iframes, ads, Facebook, etc.
  • Web of Trust (Chrome, Edge, Firefox, and Safari) – Instantly know which websites to trust! WOT protects you while you browse, warning you against dangerous sites that host malware, phishing, and more. Creating an account allows settings to be shared between machines and browsers. You can log in with your Google credentials.