Many concerns come up when a new space, full of risks as well as opportunities, arises and enters our journey 🏄
Welcome to web3, the era of:
- New content distribution protocol: IPFS hosting
- New authentication protocol: Wallets
- New concept of value: Tokens
Change is great, but sometimes the friction is so high that we forget to take the corresponding security precautions and keep our safety measures at the necessary level.
This "tutorial" contains my personal recommendations for everyone who wants to enjoy a safe web journey while mixing personal, professional and social activities on the same device (computer).
The problem starts when you use the same web browser for your email, social networks, web3 activity, banking, chats, etc., since that makes it extremely easy for an attacker to compromise you just by sending a fake email, showing up in your social feed, or sending a DM: every session, cookie and extension in that browser is reachable from the tab where the malicious link opens.
To avoid the great majority of these attacks without much effort, we should start sorting our activities, using a separate web browser for each "kind of" activity. Almost any computer made since 2018 can run several browsers at once without performance problems.
This also brings an extra advantage, since each web browser has different capabilities and is optimized for different tasks. So, after many years of doing this, here are my 2 cents. I hope you enjoy it and that it helps make your web journey a little safer.
Last but not least, always enable 2FA (two-factor authentication) wherever your login sites offer it, using a private phone number that you own and that is not publicly known (if it is SMS) or a well-backed-up app like Authy. Where a site offers both, prefer the app: SMS codes can be intercepted through SIM swapping.
Social means Twitter/X, Discord, Facebook, Instagram. This is the big DMZ (demilitarized zone), so anything that comes from here (links, rendered content, code, bugs, etc.) should stay here and, in the worst case, put only those accounts at risk.
Since taking control of any of the social accounts listed above is roughly equally easy for an attacker, we can assume, except for special cases, that they are all a similar attack vector and there is no preference between them, except for the reputation you have at risk on each one.
Almost all social engineering attacks arrive this way; be careful with fake identities and with the links or actions they invite us to take.
So, for these activities you should have one specific browser. I personally use Chrome, since it has good performance and broad compatibility with all social platforms and new web standards.
Personal is everything related to your personal email, personal research and reading specific books/articles. This should be a very safe and calm area, where the only threat from a malicious link is taking control of the email account (not good anyway), so if we are conscious that we should type our email password into the email login page and nowhere else, this is not likely to happen.
The worst scenario is getting infected by malware by downloading a malicious attachment, or by an email that carries a 0-day exploit (a special case that is practically impossible to prevent). So to avoid these:
- Don't download anything that arrives as an invitation we were not expecting.
- Never open a suspicious email (curiosity is not your fren here!)
Never! Also remember that no free things or money will ever come from some remote kingdom asking for our help. For this I use Firefox.
When e-banking, crypto exchanges and other financial activity come onto our schedule, we need to understand that this is one of the biggest targets for attackers: they go after our passwords or, in some cases (not common lately), steal our sessions through a browser vulnerability.
For this, every time we want to access a site we should type its address into the address bar ourselves (a bookmark we created ourselves is equally fine; a link from anywhere else is not), and then complete the authentication steps without expecting any surprises. If anything looks or feels new, check the website URL again or, even better, close the tab and open it again!
Since we did not reach the site through a link, we are not on a fake site (unless we have installed malware), and there should be no phishing or link-delivered (reflected) XSS risk either, which is where the great majority of financial attacks come from.
Finally, we need to avoid storing any kind of history of our activity on these platforms and, even worse, any open sessions. Otherwise, if we lose our device or it gets stolen, the "new user" will be able to access our accounts, or at least review our activity, without restriction. Keep in mind that private mode only discards the session once the window is closed; a lock screen and full-disk encryption are what protect a device stolen while it is on. For this I use Firefox's Private Mode.
Chat is a high-risk vector and also a very big privacy concern. Here we'll receive links, messages and exploits (malware or 0-days) trying to take control of the chat accounts, but we'll also receive fake links trying to hack our Social, Financial, Web3 and Personal accounts!
So, if this is isolated in its own browser, we make that almost impossible, since even if we click a malicious link (not recommended at all!), our Social, Financial, Web3 and Personal accounts live in other browsers, and a login page for one of them showing up in the chat browser tells us it is a trap. Still, remember that the chat accounts themselves (WhatsApp, Telegram, Discord, etc.) remain at risk here, so don't click any suspicious link or open an unrequested PDF or any other file.
On the other hand, as with the financial services, if the device is lost someone could take control of our chats, which means they could impersonate us and cause a lot of problems: e.g. extortion, money requests, unwanted "jokes", etc. For this I use Chrome's Incognito Mode.
Finally, the juicy and most anticipated space... blockchain surfing! Here we should ALSO take a very important thing into consideration: compatibility, which means the Brave browser.
On the web3 journey we'll be targeted all the time through the Social and Chat channels (which, for our safety, are isolated in other browsers) with invitations to connect our wallet and then, of course, drain it for good. This also means that when we want to connect to a dApp with our wallet we should type (or copy and paste, after double-checking) its address into Brave, then access it and operate on it safely, reading every transaction or signature request the wallet shows before approving it.
This isolation is very important and is mainly meant to avoid the same kind of attacks as for financial activity, no less and actually a little more, since in the web3 space everything changes very fast and is very new, wallets are full of bugs, and it is sometimes difficult to distinguish a real site from a fake one. Double-check everything!
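The "type the address yourself and double-check it" rule from the financial section and from this web3 section can be turned into a concrete check. The Python below is an added example written for this post, not code from the author or from any browser or wallet project; the hostnames in `ALLOWLIST` are hypothetical placeholders for the sites you type by hand in the Financial and Web3 browsers. It judges a URL the way the address bar does (scheme, userinfo, host and port separately) rather than looking for a familiar name somewhere in the string, which is exactly how lookalike links in a DM get past a quick glance.

```python
"""Allowlist check for hand-typed financial and dApp URLs.

Added example for this post, not the author's or any project's code.
The hostnames in ALLOWLIST are hypothetical: replace them with the real
sites you type by hand in the Financial and Web3 browsers.
"""
from urllib.parse import urlsplit

# Constructed sample allowlist, one set of hosts per browser category.
ALLOWLIST = {
    "financial": {"bank.example", "exchange.example"},
    "web3": {"app.dapp.example"},
}


def check_url(url, allowlist=ALLOWLIST):
    """Return (category, reason); category is None when the URL is rejected."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return None, "scheme is not https"
    # "https://bank.example@evil.example/" logs in to evil.example:
    # anything before the @ is userinfo, not the host.
    if parts.username is not None or parts.password is not None:
        return None, "userinfo before @; the real host is what follows it"
    host = (parts.hostname or "").rstrip(".")  # .hostname is already lowercased
    if not host:
        return None, "no hostname"
    # Lookalike defence: the sites we type are plain ASCII, so a non-ASCII
    # or punycode (xn--) label is a homoglyph domain, not a site we use.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return None, "non-ASCII or punycode hostname (possible lookalike)"
    try:
        port = parts.port
    except ValueError:
        return None, "malformed port"
    if port not in (None, 443):
        return None, f"unexpected port {port}"
    # Match the host itself or a subdomain of it on a label boundary, so that
    # "bank.example.evil.io" and "notbank.example" do not pass.
    for category, hosts in allowlist.items():
        for allowed in hosts:
            if host == allowed or host.endswith("." + allowed):
                return category, f"matches {allowed} ({category} browser)"
    return None, f"{host} is not on the allowlist"


if __name__ == "__main__":
    # Constructed sample inputs: the genuine addresses next to the kind of
    # lookalikes a phishing DM would carry.
    for sample in [
        "https://bank.example/login",
        "https://www.bank.example/login",
        "http://bank.example/login",
        "https://bank.example.evil.io/login",
        "https://bank.example@evil.io/login",
        "https://xn--bnk-1wa.example/login",
        "https://bank.example:8443/login",
        "https://app.dapp.example/connect",
    ]:
        print(f"{sample:40} -> {check_url(sample)}")
```

Only an exact host or a subdomain of an allowlisted host passes; the userinfo, punycode and port checks cover the three tricks that most often survive a visual comparison of two addresses. Keep the allowlist short: it should contain only the handful of sites you deliberately type into those two browsers.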
On the other hand, many web3 extensions are designed for Brave, which is natively built to access web3 dApps, a different way of consuming and authenticating to the web.
Finally, many links and web3 sites live on IPFS, so if we don't want to access them through a web2 gateway service, Brave lets us browse IPFS content without additional intermediaries (newer Brave releases have dropped the built-in IPFS node, so check the release notes for your version).
For anything else, such as new activities that might arise or something you do that I'm not considering here, you can use other browsers like Opera, Edge, Lynx, etc.
This is not a story or a hypothesis; this is my real, personal behavior, which helps but does not guarantee that you won't be an easy target. Always remember that almost all hacks happen through "a simple distraction", and that can make you lose all your assets, an email account or social access with just one click/action!
And now the very last piece of advice: ALWAYS DYOR (do your own research), and that starts right now with you looking for the download links on each browser project's official site 😎
Have a Safe & Enjoyable web3 Surfing journey!
I hope you enjoyed this trip. I'm ariutokintumi, the CEO of Roll a Mate 🧉, a token transfer protocol that lets anyone send ETH without paying gas on L1 Ethereum Mainnet! Enjoy being part of this community.