Web safety and security

A Web browser is a relatively simple piece of software.  Given a unique World Wide Web address -- formally called a "uniform resource locator" or URL -- it coordinates communication between your computer and the server computer where a particular Web site's content is stored.

When you open your browser and type in a URL, the browser translates the address (using a system called DNS), contacts the particular server, and requests the page you asked for.  When the server sends the page contents, the browser translates the codes for the text, images and other elements (written in a language like HTML or XML), formats all that for your computer screen and displays the result.

Web sites may also offer the opportunity to "stream" audio and video, or download files containing documents, images, software or other content.  This is a great benefit in most cases but a great risk if the content contains harmful elements like viruses or data-harvesting spyware

Web pages may be "static" (the same for everyone) or dynamically created, such as when a search engine constructs a page of results for a particular query.  Powerful "active" elements in a page may be used to enhance the visual experience -- in effect, running small programs on your computer.  Unfortunately, these active elements can also be used for malicious purposes.   If you follow safe practices however, you'll generally be just fine.

Watch where you go

In the physical world, not all locations are equally safe.  The same is true of the virtual world.  The difference in the virtual world is that you are only one click away from a potentially dangerous location -- and the signs of danger will rarely be obvious.

What do we mean by dangerous?  If your Internet browser is not up to date and configured with appropriate security settings, even a short visit at a Web site can result in infestation with malicious software.  (We discuss browser updating and security settings below.)

Be sure you are going where you think you are.   Particularly when you visit a Web site where you'll be exchanging sensitive information -- such as a bank or credit card site --  type the URL into the browser address bar, or use a bookmark you created after typing in the URL.

When you place your cursor over a link, most browsers will display the link's actual URL in the "status bar" at the bottom of your Web browser.  Get in the habit of looking at the address to be sure it matches where you think you're going.

Get URLs from trusted sources.  Rely on a physical (paper) document that you know is authentic, or a Web search engine utility you trust (using a URL for that search utility that you know is authentic).

Do not rely on links in an email message unless you absolutely trust the source.  You could fall victim to a phishing scam that directs you to a phony Web site, where you'll be tricked into disclosing personal information for identity theft.  This is a very common crime, with millions of victims every year.

Note that in most email systems, senders' email addresses can be easily faked.  Just because an email appears to come from someone in your organization, or even someone you know, does not necessarily guarantee authenticity.    

Watch what you do

Use caution whenever you click.  Clicking on the links of a Web page  usually just takes you to a different page.  But links can also initiate downloading/running executable files on your system.   That's fine if you intended to do that, and the site is trustworthy.   (This is another reason to get in the habit of looking at the browser's status bar to check where a link is "really" going to take you.)

Be particularly cautious about clicking on links in pop-up windows and advertisements.

Use even more caution whenever you download.  Downloaded software can also be infected, particularly if it is a less than legal download.  Having up-to-date anti-virus and anti-spyware on your system is an essential protection -- which we provide for free to UM employees and students -- but it doesn't guarantee safty from downloading files. Be sure you're using a trusted source.

Peer-to-peer (P2P) downloads are extremely risky.  Malicious software is endemic to such services.  That's why we prohibit downloading from such sites/services on UM workplace systems. 

Use caution whenever you initiate the execution of a program.   Some Web-based utilities require installation/execution of a (small) program on your system -- such as our Citrix Applications Portal and Secure Gateway VPN.  But unless you are absolutely confident of the file's source, allowing programs to be installed and executed on your computer is very risky. 

Make sure the connection is "secure" (encrypted) whenever you are exchanging sensitive data.  You can identify a secure connection by the "https" at the leftmost part of the site's address (URL) in the browser's address bar, and by a "lock" icon somewhere in the browser's status bar (usually on the right bottom corner).

If a browser window looks legitimate but does not have a secure connection when it is supposed to -- anytime you're asked for sensitive information like user-IDs, passwords, account numbers -- do not enter information into that window.  Browser windows can be faked.  (It's a classic phishing trick to put a fake window in front of a genuine one.)  If the window doesn't have an address bar, so you can see where you are, do not enter any information.

Which browser should you use?

Personal computers come with a Web browser installed -- Internet Explorer (IE) for Windows systems, and Safari for Macs.  Alternative browsers can offer additional features, a different look and feel, and, sometimes, better security.  (Because, IE is the dominant browser for Windows, it tends to be the dominant target for hacker attacks.) 

Popular alternatives to Internet Explorer include Firefox, Chrome, and Opera.  All are free.  Firefox, Chrome and Opera also are available in Max OS, as an alternative to Safari.

Note that some Web services and sites are designed to make use of features found only in Internet Explorer; they will look/behave differently, if they work at all, using other browsers.  Some of the Medical Center's applications only run on Internet Explorer browsers as well.  If you are a Windows user, you can use an alternative to IE for much of your browsing, but probably not all of it.  The full features of  Outlook Web Access (webmail portal), for example, are available only when using IE.

Note that you will need to pick a "default" browser -- that will automatically launch any time you click on a link (such as in an email).  You'll need to start the other, non-default browsers manually.

Use appropriate security settings

Whichever browser you use, it is critical that you use appropriate security settings.  This is much more important than the particular browser you choose.

Security is increased by disabling "active" components that  run programs on your computer.  This can make your browsing much safer, but also less enjoyable and functional.  If you set a high security level, you may have to periodically reduce it (e.g., to download or execute a file from a trusted site).

For Internet Explorer, use the Tools > Internet Options > Security menu.  Set at least a medium level of security for general browsing.  Or set the security level to high, and put regularly-used Web sites in the Trusted Zone.  For other browsers, the Tools menu will have different options and settings.

Keep your software updated

Whichever browser you decide use, It is critical to keep it updated.  This is also more important than the particular browser you choose.  Internet Explorer, Firefox, Chrome, Opera and Safari all can be set to update themselves automatically (without your intervention) or to prompt you when updated versions are available.

It is also critical that you keep the rest of your software updated, including the anti-virus and anti-spyware you use, and, even more critically, your operating system as a whole.  Vulnerabilities in software that is not up to date are always targeted by hackers.

Remember that even the newest software cannot assure 100% security.  If you don't browse safely, using the guidelines above, you're likely to encounter problems sooner or later.  For additional tips, see our guides to computer security at home, at work, and on the move.

Learn more

Cyber Security Tips: Safe browsing (US-CERT)
An excellent series of short articles on various aspects of browsing safety

Improve the safety of your browsing and e-mail activities (Microsoft)
Safety tips for users of Microsoft's Internet Explorer browser