Disabling the majority of features in a Web browser may be the safest bet to keep malicious hackers at bay, says a US based IT security watchdog.
The United States Computer Emergency Readiness Team (US-CERT) said in a report: "Many Web applications try to enhance your browsing experience by enabling different types of functionality, but this might be unnecessary and may leave you susceptible to being attacked." The IT security group is part of the US Department of Homeland Security.
"The safest policy is to disable the majority of those features unless you decide they are necessary," the research team said.
While the exact browser settings differ from one browser to another, most platforms have settings and functions that are enabled by default.
Want to know more?
For all the latest news, analysis and opinion on security, click here
US-CERT recommends that users set the highest security level possible, only enabling features when they are required, and to disable them again after the user is done with the Web site that required the functions.
What to disable in a Web browser:
- JavaScript: Some sites rely on Web scripts such as JavaScript, to achieve a certain appearance or functionality, but these may potentially be used in an attack.
- Java and ActiveX controls: These programs are used to develop or executive active content, but may also put users at risk.
- Plug-ins: Additional software that extends the functionality of the browser. Before installing them, users should make sure they are necessary and originate from a trustworthy site.
- Cookies: Web sites store cookies on PCs to remember data about the user, so companies can use the information to identify them on subsequent visits to their sites. It is best to disable the cookies and enable them only when visiting a site that requires them.
- Pop-up windows: Blocking pop-up windows will minimise the number of pop-up advertisements received, some of which may be infected with malicious spyware.
All of this would be good advice if it were quick and easy to disable and enable those features. But it is neither. Following these procedures will add way too much work to browsing for almost all users. Browser UIs need to have major changes for these practices to be successful. So many commonly used sites NEED to have things like Javascript and cookies working - all the time.