Web safety

From MTULUG
Jump to:navigation Jump to:search

The internet can be a safe place from malware and scams if one is aware of what's going on. Sometimes, when there's a good phishing email, I'll open up burp to check out what configuration they have and see how they managed to do the things they were doing out of curiosity.

When doing something sketchy (clicking phishing links, navigating onion sites, etc.), never: use your real name, give your phone number, give your credit card number, give your social security number, etc.

Links

When you hover over a link, your web browser should tell you where the link is leading to (Firefox shows it on the bottom left). Pay attention to this path. Does it look weird? Sadly, to obfuscate the final destination, many malicious actors will redirect the link multiple times so it may take some time to find the final destination. Using curl, you can follow the redirects over and over again until you get to your final page. Amazon is not very nice and will consistently send malicious looking links in their emails.

If you're following links via email (don't, but), I recommend you open the source code of the email and look for Return-Path: rather than Sender: because people can simply edit the Sender: email to whatever they want, and if it gets past your spam filter (which it probably won't), your email client may show you that it's sent from someone, and being sent to someone else. Technically, one can also edit the Return-Path: , and I'm not technical (or spammy) enough with email to recognize what can be spoofed and what cannot. Simply look at the header of your email and check around at the header lines (ignoring any Arc-* or X-* stuff) to see if anything is fishy with the link. Finally, if someone's email account is compromised, there's no way to validate any of this stuff, because they are genuinely sending you a malicious email from a genuine return address.

Certificates

In the end, if you're tech savvy enough, check out the certificate of the website. Using openssl,

openssl s_client -connect $1:443

where $1 is any link (google.com, facebook.com, etc.), or set this in a bash script. This will give you information about the certificate. A website like Google or Facebook will give you a good, basic certificate.

...
subject=C = US, ST = California, L = Menlo Park, O = "Facebook, Inc.", CN = *.facebook.com

issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
...

Or for Google,

...
subject=CN = *.google.com

issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
...

Again, Amazon does not seem to care, and gives you a suspicious looking certificate (it's not something like *.amazon.com):

...
subject=CN = *.peg.a2z.com

issuer=C = US, O = DigiCert Inc, CN = DigiCert Global CA G2
...

Just remember that anyone can buy a DigiCert certificate. If a link has a DigiCert certificate, it may just mean that someone spent $50 to get that certificate. Certificates are not the most trustworthy; spammers will find a loophole that DigiCert has tried to cover up, but if spammers are lazy (and most are), you will see a certificate from Let's Encrypt. It's good for user sites, but would Amazon use Let's Encrypt? No. So, if you see a link that connects to "amazon.com" and you check the link with openssl and it's Let's Encrypt, something is fishy and caution should be taken there.

Would www.navy.mil use Let's Encrypt?

...
subject=CN = www.navy.mil

issuer=C = US, O = Let's Encrypt, CN = R3
...

O-oh. Okay. They actually do use Let's Encrypt. If you're in the military, you should know that a mil TLD should indicate a shitty secure website.

JavaScript

JavaScript is typically a safe use in the clearweb and it's almost a requirement for modern websites. On *.onion sites, JavaScript ought to be disabled and Javascript is not disabled by default using the Tor Browser for some reason.

To disable JavaScript:

1. Navigate to about:config.

2. Search javascript.enabled and set this value to false.

Any site that requires JavaScript on an onion site is malicious or run by an idiot. There's no way to tell, so don't trust the site. If you disable JavaScript and don't just wildly click dubious links, you're relatively safe on any onion site.

If you'd like a fine-tuning of your sites rather than disabling JavaScript for every website, a necessity for adblockers, install uMatrix or (as uMatrix is no longer maintained), install uBlock Origin and check the box for I am an advanced user, which will allow for a more confusing manner to disable JavaScript from each domain (no matter what gorhill has been telling us that uMatrix and uBlock are equivalent -- they most definitely are not).