beginner’s guide to internet security


Contents:

- tl;dr
- browser
- extension starter-pack
- search engine
- messaging
- password management
- 2fa and mfa
- other stuff
- why write this at all?

# tl;dr


This is my attempt at a straightforward guide to how many people can be more secure on the internet without sacrificing much (or really anything) in the utility of the applications they use. I personally switched over to many of these applications in 2021 and have been really happy with the changes. They’re almost all strict improvements, and I’ll try to be clear when there might be downsides and what they might be.

For a bit more context, I’m fairly diverse in the devices that I use, but largely stick to “mainstream” devices and operating systems. I have an iPhone, MacBook, and a Windows Desktop, so the recommendations will be compatible across all of those operating systems and (I believe) cover Android as well. Linux users might find this guide less than useful, but I also think most Linux users are outside of the “beginner” target audience.

I also try to stay pragmatic, so while some people might recommend going all out, using a specific Linux OS, deleting all your accounts, exclusively using the Tor browser, etc., many of those solutions come with significant downsides or compatibility issues. I try to be very explicit where there are downsides for what I recommend, and for the most part, I’m looking to suggest application alternatives that have the same functionality as the popular choices.

# browser

By far, the most common browser I see used is Google Chrome, and this was my choice for years. I won’t pretend to be an expert on the various browser choices, so I’ll only give an alternative for Chrome. For Edge, Firefox, Safari, Opera, etc. users, I’ll just note that almost all of those browsers can be made safe enough with the proper extensions (see next section) and careful browsing habits, but other than that, I don’t have much to say in this section.

After moving from Chrome to Firefox, I got pretty frustrated that many of my old extensions didn’t work quite right or were buggy. On top of that, some websites just fail to work unless you have Chrome or a Chrome-derived browser. So, I eventually moved on to Brave, which is what I’d recommend to current Chrome users.

The main benefit of this transition is that Brave is built on the same codebase as Chrome, so the transition is super easy and Brave has access to the same extensions that Chrome does. The other benefits are that Brave by default comes with lots of security settings turned on to prevent tracking and fingerprinting, which you can compare on the Electronic Frontier Foundation website. Also, Brave is available on all “mainstream” devices and has a way to sync your bookmarks, history, etc. between the browsers.

The worst part of this transition might be seeing the cryptocurrency logo that Brave uses to pay out for looking at ads. But, you can just turn this off in the settings to not see anything that has to do with cryptocurrency. Or, if you feel like becoming a crypto-bro, look at some ads and make a few pennies. Don’t let me stop you.

When installing Brave, I’d recommend giving your settings a once-over and considering turning on settings like “aggressive” blocking for trackers and ads and blocking cross-site cookies. I haven’t run into many issues browsing with these settings, though every few months I might use a website that I need to allow exceptions for. Also, double check that “upgrade connections to HTTPS” is on and maybe consider turning off regular HTTP connections altogether. Over regular HTTP, anyone positioned on the network path between you and the site (an ISP, a public Wi-Fi operator, a network tap) can read the data your computer sends and receives, and we know governments like to do this.

# extension starter-pack

These are some of the extensions I use on Brave/Chrome/Firefox. Some might be redundant for Brave, since it already blocks a lot of cross-site cookies and trackers. But, it never hurts to have extra precautions when they don’t cost you anything. And, if you’re reluctant to switch to Brave, I consider some of these must-haves for Chrome.

# search engine

It’s pretty hard to replace everyone’s favorite, and probably the one with the best results, Google. As many people who have tried other privacy-preserving search engines know, the results are just worse in general. That being said, if you only search on Google while logged in, then Google gets a lot more data than you reasonably have to give them for the results you need.

Currently, I (by default) use DuckDuckGo or Brave Search, which are easy to set as default in the Brave Browser settings. I’ve found that for almost all my searches, what I’m looking for is very obvious and DuckDuckGo can find that stuff. That being said, when I search for something and it’s not on the front page of DuckDuckGo, I pull up a tab and search what I need on Google. This works pretty well but has the obvious practical cost of typing in “google.com” on the 3-5% of queries that require Google-level results. This probably won’t work for everyone, but I’m willing to pay that minor cost.

I’ll also mention there are some other privacy-preserving search engines aside from DuckDuckGo, like Startpage and probably others, but I don’t have enough experience with them to recommend them.

# messaging

This might be the clearest choice for an alternative application, but unfortunately I’ve found that people are very unwilling to add yet another messaging app. Trust me, I understand. But, I’ll try to make a case that Signal is at least worth downloading and trying to get others to move conversations to.

First, let’s consider what most people like to use. In my experience, it seems like most people message using SMS (the standard texting protocol), iMessage (Apple-to-Apple device texting protocol), Messenger (Facebook/Meta’s texting app), or WhatsApp (Facebook/Meta’s other texting app). Other apps like Snapchat are also used, but have similar issues to Messenger without even the opt-in improvement.

So, what’s wrong with these? Well, SMS has pretty well documented vulnerabilities, which are bad enough that it really shouldn’t be used by anyone who doesn’t want their messages recorded by adversaries/governments. Messenger is better, but by default your messages are stored on Meta’s servers and readable to them. It has opt-in end-to-end (E2E) encryption, which they’re expanding, but currently this isn’t a great standard choice unless you put a lot of trust in Meta as a company.

iMessage and WhatsApp are both E2E encrypted by default which is great, and they’re clearly the best of the 4 popular options. But, they both have pretty clear downsides. First, iMessage is not cross-platform, so communication with Android users will default to SMS. Second, messages sent through iMessage are by default stored in iCloud, which is not E2E encrypted (update: there is now an opt-in option to E2E encrypt backups), so that kind of negates the whole point of the E2E iMessages in the first place and gives Apple the ability to read your messages. WhatsApp is better in terms of compatibility and not defeating the purpose of the encryption, but the company collects metadata about who is talking to whom and is driven by profit incentives.

Honestly, WhatsApp is a pretty good choice, but it’s not widely adopted in the US, so I recommend something I think is slightly better. I’ve been using Signal whenever possible. The company is an independent non-profit organization (which you can make tax-deductible donations to) that is stable, cannot be bought by a big tech company, and does not have a profit incentive to collect metadata about users. It has apps on all “mainstream” devices (including computers), is open source, is E2E encrypted, and has all the features I’ve ever used from other messaging apps. Also, your Signal account is tied to your number so it’s easy to move SMS/iMessage conversations into the app.

The hardest part is (like I mentioned) getting other people to download it. Many people in the US already use SMS, Messenger, Snapchat, etc and don’t want another app. But, I think you might as well get it installed, to message with other people that already have it, and if you can convince one or two other people, that just lowers the barrier further for future users.

(Update: I have since found a more detailed and precise messaging app comparison at this website. Some of these options are paid though, so I think Signal is still the best free option and maybe the best option in general.)

# password management

The last big application that I’d recommend is some kind of password manager. This isn’t as much of a switch for most people as a consolidation, or sometimes a new application altogether. To be honest, I don’t think it matters much which password manager you pick, just as long as it’s compatible with the systems you use. For me, I started using 1Password a little over a year ago and it’s worked well across platforms and in the Brave browser. There are others I know of like Bitwarden, LastPass, etc. that I assume perform similarly well. (Update: in light of a recent LastPass breach I probably wouldn’t use LastPass.)

The downside of most cross-platform password managers is that they have some subscription fee. I think it’s worth it for the ease of use, but it’s not a cost-free transition like the previous suggestions. If you only use Apple products, the iCloud keychain might function well enough. Or, if you only ever log in using a browser, maybe your browser can store passwords for you. However, neither of these solutions is particularly robust, so I’ll try to justify the cost of the cross-platform managers.

Definitely, the biggest reasons to get a password manager are:

- To not have to remember passwords (and stop reusing passwords)
- To have longer, more secure passwords
- To make logging in easier (which pairs well with deleting cookies)
- To avoid phishing or scams

All of these are pretty easy with a password manager once it’s set up. It will auto-generate passwords for you, sync them across devices, and automatically enter your login information on the relevant website and not into URLs/sites that merely look similar (which helps avoid phishing scams). On top of all that, there’s the added benefit of only having to remember 1 password, using it just for your password manager, and never having to think about any other passwords or guess and check which of your handful of passwords you used on some specific website. As an added benefit, my password manager helped me keep track of all the sites I had logins for and delete accounts that I no longer used.
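To make the phishing point concrete, here is an added example (not code from the post or from any real password manager) of the origin check a manager performs before filling a saved login: the page must be HTTPS and its registrable domain must match a saved entry, so lookalike hosts get nothing. The vault entries and page URLs are constructed samples, and the registrable-domain helper is a labelled simplification.

```python
from urllib.parse import urlsplit

# Constructed sample vault (not real accounts): saved origin -> entry label
VAULT = {
    "https://accounts.example.com": "example work login",
    "https://bank.example": "example bank login",
}


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: the last two labels of the host.
    Real managers consult the Public Suffix List so that e.g. 'co.uk'
    is never treated as a site of its own; this toy version is an assumption."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def autofill_candidate(page_url: str, vault: dict = VAULT):
    """Return the vault label to fill on this page, or None if nothing matches.

    Two checks stand in for what a password manager does before filling:
    1. the page must be served over HTTPS (a plain-HTTP copy of the site fails);
    2. the page's registrable domain must equal that of a saved origin, so a
       saved hostname embedded as a subdomain, a hyphen lookalike, or a
       userinfo trick ("real.host@other.host") all fail to match."""
    page = urlsplit(page_url)
    if page.scheme != "https" or not page.hostname:
        return None
    page_site = registrable_domain(page.hostname)
    for origin, label in vault.items():
        saved = urlsplit(origin)
        if saved.hostname and registrable_domain(saved.hostname) == page_site:
            return label
    return None


# Constructed page URLs; only the first two should trigger a fill.
SAMPLE_PAGES = [
    "https://accounts.example.com/login",            # the saved origin itself
    "https://login.example.com/sso",                 # same site, different host
    "https://accounts.example.com.login-help.net/",  # saved host as a subdomain
    "https://accounts-example.com/",                 # hyphen lookalike
    "https://accounts.example.com@login-help.net/",  # userinfo before real host
    "http://accounts.example.com/login",             # HTTP downgrade of real site
]

if __name__ == "__main__":
    for url in SAMPLE_PAGES:
        print(f"{url:48} -> {autofill_candidate(url)}")
```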

One additional minor downside of password managers is spending a day moving all your accounts into it when you set it up, but that’s a pretty simple upfront cost.

# 2fa and mfa

Arguably I should be putting this before even suggesting a password manager, because some might say it’s even more important than having long and random-looking passwords. 2-Factor Authentication (or Multi-Factor Authentication more generally) is a really important feature applications have to prevent your accounts from getting hacked. The annoying emails or texts that send you one-time codes when you log in do a lot of work to prevent hackers from just guessing your password and getting access to your account.

2FA can prevent a lot of hacks even when you have weak passwords, as long as your email/phone are secure. But, I put this section under Password Management, because many password managers (at least 1Password) can function as a 2FA authenticator app and check which of your accounts do not have 2FA enabled. I know people who specifically don’t use 2FA because they find it annoying to retrieve the code from their phone or email, but an additional benefit of a password manager is lowering this cost. Many services (e.g. Twitter and GitHub) allow you to set up 2FA with an authenticator app instead of a text/email, which gives you the same security but more convenience if your password manager doubles as an authenticator app.

There isn’t much of a recommendation for an alternative or a new application in this section, but I wanted to emphasize the importance of 2FA at some point in this post, and it was one of the benefits I noticed after I got a password manager.

# other stuff

## work environment (for people like me)

Now we start getting into what I’d consider less important switches that most people don’t really have control over. But, I want to mention how nice my move from Slack and GitHub to Keybase has been for my work (as a CS PhD student).

Keybase is an application that has chat, storage, teams, and git repositories, all using E2E encryption and authentication. It’s free to use and provides a lot of the same functionality as something like Slack + Git for a team that is writing papers (in git) or doing software development. I won’t go into details because it’s a pretty big change that most people don’t have control over, and some of the benefits only apply to people who do similar work to me.

Also, unfortunately, the Keybase team was acquired by Zoom in 2020. Zoom hasn’t since changed the application much, but some current users are a bit scared Zoom will ruin it somehow. For 2 years so far though, it’s remained mostly the same. I’m a little optimistic and hope that the team will get to improve it after they finish a lot of their work improving Zoom’s main product.

## secure storage

I used to use Dropbox and Google Drive for most things, but I’ve started trying to move to E2E encrypted alternatives. For example, Keybase provides 10 GB of storage right now, but it’s not expandable. Also, Signal allows you to send files to yourself (so between devices), but it’s not as user-friendly as something like Dropbox. Even 1Password can do it to some extent, but it’s not an easy transition, which is kind of the point of this post. Storage is definitely an area that I want to find new solutions for though, so I’ll likely come back to edit this section if I find something really good.

Update: I’ve started also using iCloud, since Apple introduced opt-in Advanced Data Protection.

# why write this at all?

Among many of my peers (specifically millennials and younger), I’ve found that there’s little concern for privacy and security. I don’t know all the reasons behind this sentiment, but it’s one I shared for a long time (before I learned about tracking on the internet by companies, adversaries, and governments and how insecure most people’s passwords are). For me, it started with at least admitting that if I have two identical applications except that one tracks/records some of my activity, then I’d prefer the one that doesn’t do that. I realize people have a lot of inertia in the applications they use and are hesitant to change, but I’ve tried to lower the activation energy (if I can mix metaphors) with this post by clearly laying out alternatives with relevant links and simple explanations to motivate the changes.

Another small reason I wrote this was to have something to point to if someone is curious about me using Brave/Signal/etc. I wanted to take the time to lay out my own thought process and how I decided to use what I use. Most people definitely prioritize utility over privacy/security, myself included. However, a lot of people don’t know that they’re actually sacrificing much more privacy/security than is needed for the utility they want. Ideally, everyone would be more aware of the threats on the internet, but since that level of education isn’t really feasible, I figure the simplest thing I can do is advertise the tools that do what people want and protect them a little bit better.

I’ll also mention here at the end that I’m always looking for better solutions. In the future, I might update this with more easy switches people can make, but for now, that’s all I have to recommend. If anyone else knows of other easy switches, feel free to let me know about them. I always like making my life easier and more secure! My highest priority right now is to try to find a good Discord alternative, so definitely let me know if you know about one of those.


Written: 2022-10

Last updated: 2023-01