ไม่สามารถเล่นวิดีโอนี้
ขออภัยในความไม่สะดวก
Chrome & Firefox Security Tips You Need to Know
ฝัง
- เผยแพร่เมื่อ 12 ส.ค. 2024
- Protect your browsing with Guardio, plus get a 20% discount every month for a year, with a free 7 day free trial ⇨ guard.io/thiojoe (Sponsored)
• Malverposting article: labs.guard.io/malverposting-w...
• Cloudflare's Test Page: www.cloudflare.com/ssl/encryp...
▼ Time Stamps: ▼
0:00 - Intro
0:21 - Enhanced Protection Modes
2:10 - Getting the ACTUAL Latest Update
3:54 - An Excellent Thing to Watch
5:19 - Always Ask Where to Save
6:14 - Always Use Secure Connection
7:31 - Encrypted DNS
9:01 - Encrypted SNI / Client Hello
11:34 - Review Your Site Permissions
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
Merch ⇨ teespring.com/stores/thiojoe
⇨ / thiojoe
⇨ / thiojoe
⇨ / thiojoetv
My Gear & Equipment ⇨ kit.co/ThioJoe
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
Considering the video was targeted towards Chrome _and Firefox_ users, it would've been worth mentioning that Guardio is a Chromium-only extension (Chrome, Edge, ...)
same
@@Proferk Same
@@Proferk same
I thought firefox was based on chromium tho
@@dk4kja8 No, it's its own thing, originally technically based on Netscape Navigator
the always ask where downloads go is a really good option to help prevent drive-by downloads and also will help keep you organized
A must have setting! Really improves security
Here's a fun one: you can add --js-flags="--jitless" to any chromium browser to disable the JIT compiler!
As many exploits are JIT compiler issues, disabling it also "fixes" them (this is what Super Duper Secure Mode does in Edge).
(unfortunately, this disables WASM as well, but most people probably wouldn't notice).
@@s3xxxypig6669 Web Assembly, basically programs (like workstation applications, games,etc.) that can run in your browser.
Interesting
@@s3xxxypig6669 WASM is the reason your browser will become your operating system. But give it a few years
How do you add that?
@@s3xxxypig6669 Web Assembly
I was listening to music but this is more important.
Were you listening to:
Tick tock, heavy like a brinks trunk
@@lemonbrosinc.3514 Incorrect.
@@hridhaanjagtap9560 what were you cooking??
@@lemonbrosinc.3514 I am 8 years old, what did you expect? Me cooking?
Me too man
Edge's enhanced security disables JIT to make your browser less vulnerable to exploits. I know you specifically only mentioned what Chrome's setting does (and Firefox's anti-tracking thing is clear enough), so I am adding onto what Edge's setting does. For Firefox, there is also a hidden setting in about:config that can turn on CRLite, which checks for revoked certificates.
@@sgocllewsgoc have you tried --js-flags="-jitless"?
@@sgocllewsgoc I am typing a response but TH-cam keeps removing it.
@@sgocllewsgoc Try creating a shortcut like Joe did for Edge in the video and add the flags there.
I really appreciate you giving tips for FireFox as well. Makes it easier to nudge people towards the better browser when videos like this exist.
No. Just stop 🛑
@@CustardCream22 ???
@@CustardCream22 Google should stop fucking up first. And this is coming from someone who only recently switched from Chrome to Firefox.
@@Sonario648 Mhmm suuuureee
as someone who programs, i prefer chrome way more in terms of performance and keeping up with w3 specs. in that sense, i dont see how firefox is superior
Google: for more security let me check all your browsing history and many more identifiable information...
Amm, well that's not very privacy friendly...
Better than getting malware.
You can't have a perfect world, you have to make compromises.
I use a package manager to get updates while I'm AFK for brief periods.
I also use nextdns on my router. I like that it has advanced filtering and give 300000 free queries per month (which is more than enough for my household of 6 light users).
One of my security tips is to always set Chrome to "ask where to download a file." This also means you can cancel a download by hitting escape or clicking "cancel" and that a malicious site can't just download a file onto my disk... at least not through a normal file download.
The editing that was done for this was very dedicated, thanks for sharing 👍😃
Another useful and informative video. Thanks ThioJoe! 😄
I would consider using Guardio. However, I instantly get suspicious of any company that doesn't show their pricing upfront, but instead just allows a free trial and take my credit card to activate this free trial.
yes i'm too consediring use, anybody knows if it's really reliable? because since the video about extensions and how dengarous can be I dont trust in any extension...
Thanks for this amazing video and thanks for making Google Chrome a better browser! Love your contents keep up the good work!
If only guardio was there for firefox too, i'm still waiting for it!
I always set the download to _”ask where to save”_ option, mainly because I don’t like being forced to save thing where they tell me….*I* want to choose where to save a file.
I also manually check for browser updates every time I turn on my pc, but I don’t know why I do that….probably some past experience I forgot about. 🤷♀️
You should also mention the Random User Agent extension which randomizes your user-agent session (that's what the server receives : browser (firefox, chrome, safari, etc.) At random (yet reasonable) intervals. Also setting up the DNS to your network on your operating system as well.
We must encourage everyone to start verifying the checksum of the files they are downloading. This would reduce risks of downloading something from an untrusted source which might have been compromised in the past or even still be compromised up to this day. Also, why don't we have a button or an option to manually report suspicious and broken websites to Google and other Web Browsing Safety services this way we can all make the Web a better place?
Don't get me wrong but I believe we should use the word "Internet" more carefully because it technically means "connection to the online digital world" and not "Website browsing".
Not just checksums, but checksum SHOULD accompany signatures as even checksums can be tampered with at the site level.
Extensions that (try to) spoof your user agent aren’t that good of an idea for privacy. They might actually make your fingerprint more unique, and they’re not difficult at all to bypass from websites that actually try to find out what you’re using.
The problem is, there are not good tools around which let you check the checksum and signature easily.
Thank you very much I wasn't aware about encrypted SNI 🤓
Gonna say it here since you couldn't say it in the video without being demonetized: ADBLOCKERS SHOULD BE TREATED AS SECURITY PLUGINS, THEY ARE THAT ESSENTIAL. Especially considering how shitty of a job Google does in screening AdSense uploads, plus allowing arbitrary javascript so any ad can, merely by existing on a page, download and auto-launch any program they want (even bypassing the "always ask where to save" prompt).
At this point get a Pi-Hole for your network for the ads.
@@sebastiendube9487 Some companies are already trying to incorporate ads into the same connection stream as the legitimate connections, thus defeating adblock (aka if you Pi-Hole that, bye-bye content as well).
@@sebastiendube9487 Pi-Hole and other DNS-based content blockers are nice, but there are a lot of ads which can only be blocked by browser-based content blockers.
Thanks for all the useful tips man
I set my downloads folder to always ask but the default save dir is the temp folder, so every time I reboot the file is gone, not cluttering my drive. useful for installers and junk files.
Clever
also I should add that if you have a ton of ram, then it will save directly to the ram, making saving faster, and if not, it goes to your page file, which to me seems very intuitive way of doing to to me.
Wait damn that's so smart
Good idea. I'm so old I keep my downloaded install files in case 1) I forgot where I got them from lol, and 2) out of an old habit of living in a dialup world. PTSD from losing big files and then spending 20 hours downloading again hah
wow thats seem nice idea can you give me path of the themp folder please
Hi! Thank you for the video! Love your vids (miss the fake guides though :) )! Could you please make such exact video about securing Safari on Mac and iOS?
I generally prefer adguard for my dns, because I feel like I might as well be blocking ads on dns level while I'm at it. Also, I like to disable third party cookies by default and only enable the ones that absolutely needed it.
Encrypted DNS doesn't really provide more privacy though. You're just switching your trust from your ISP to somebody else (usually Cloudflare). You could setup a Pihole and have it block scam-websites and Ads while also having a nice front-end to enforce DNSSEC.
Pihole doesn't work with DoT or DoH out of the box though, but the security or privacy improvement is not that big to begin with.
I have close to zero understanding of what you're saying but i find it really cool...are you a computer scientist by any chance so i can feel less shittier😄
@@simplycomplicated810 TL;DR: The encrypted DNS all comes down to who and what you trust. If you use someone like Cloudflare, they might still track you and keep records of what sites you browse.
@@cldream wow here's another cool guy. Thank you. So there's no way to achieve privacy whether it's just my ISP or cloudfare huh?..i was told DoT provides more privacy thru an encryption but...guess not
Correct me if i'm wrong but i think ISP can tell what site you are connecting to just by IP, encrypted DNS or not. Can't they? So it's not a switch of trust but more sharing it maybe.
@@konurbilak I mean... You're changing to who you share your Internet habits with, implying that you trust them. By default most "automatic" configurations will use unencrypted DNS to your ISP, which is open to a third-party that wishes to either spy on you, or tamper with it (aka a man-in-the-middle attack, by replacing the response to the DNS query to a malicious one).
And yes, if ISPs are inclined to do so, they CAN basically analyze and do a guess (some sites you go to can be more indicative of what you're doing than others) at your activity through what IP addresses are being connected to even without having direct access to DNS queries (since after all, your traffic still goes through their network).
Encrypted DNS is not available in chromium based browsers if the organization deactivates this. Firefox still works tho
I switched back to Firefox, I used to use it way back in the mid 00s but switched to Chrome, I decided to go back to Firefox because I don't like how Google is attempting to shut down ad blockers, plus you can use an ad blocker on Firefox for android, something the Chrome version refused to let you do.
I would like to say it was totally successful, but SADLY I am forced to KEEP USING Chrome for some online software I need to use for work. It will load in Firefox, but is somewhat unreliable and on occasion will have issues so bad I am actually forced to use Chrome to load it, so now I just load it in Chrome every time. I know this is the company that makes the software/website's fault, but dang am I annoyed I can't permanently cut ties...
Yep, they often intentionally target Chrome. It's very frustrating when it's often not even necessary, and I've found that when it's an easy fix, as in they use a function to recognize the browser and just nope out on FireFox, fixing that singular point makes the whole thing usable and just enrages me towards that website.
At work they installed some expensive firewall thing and ever since then firefox would not work properly which is annoying. Having to rely on crapy chrome to do any internet searches which feels less secure.
Thanks for the info
Guardio is shady hiding it pricing while pushing the free trial. You have to click on 3 pages to find monthly & annual prices. Its not cheap at $60 a year when my AVAM does the same for less than a 1/3 of the price.
True and it feels like a scam so I would be careful whenever I hear about "virus checking addon/extension".
@@sebastiendube9487 Well I use uBlock Origin & that does a very good job + Quad DNS.
I am always suspicious of websites/Companies that are not open about their prices & cancellation policy plus the auto renew BS by default.
Guardio isn't a "browser extension" in general, it's only a "Chrome extension", as I've never found it on any other browser and they say on their site "Add to chrome", even when accessing the page with another browser.
This was very helpful thanks thio
So the staged release thing, that's also something we do at work. It means that if a dev merges in a change that breaks something, hopefully you can catch it and easily roll back when only 1%, 5%, 25% of your users are using the broken version, rather than breaking 100% of people's days
Fair enough, for feature updates. However, I believe that security updates, especially for zero-days, should not be in cohorts.
@@iannicolson Eh, it depends, especially if you're considering a) the severity of a breach and b) if the vuln is being actively exploited in the wold or not. Still, you'd defs still want to condense your rollout scredule to like a couple of days or something, maybe going 1% -> 5% -> 50% -> 100% and skipping the levels in between
You should make a video on 'Your browser is being managed by your organization.' in the browsers
I mean... That's nothing more to it. This just means most likely it is or was a work computer and it is set to be managed by the company/organization's IT department.
@@cldream Actually it's my personal PC. Still don't know how it is managed by org/comp
@@Eben_Haezer you are probably using some software that sets organization level restrictions on your browser, perhaps an antivirus?
@@mega_gamer93 it might be the reason too
I use a browser extension to reduce browser fingerprint called Canvas Blocker Fingerprint Protect.
And Privacy Badger
ThioJoe is the best youtuber to watch at 7am in the morning.
I woke up early in the morning and found this video.
Would have liked to see Brave included in this video.
Excellent information Thio so thank you soo much!
It has it own pros and cons for group update. One reason I think of is the server lag that need bandwidth to handle download speed. Example in youtube days they were overload with bandwidths that they need to add servers which cost money for them. Guess it same with the windows os update.
A slow rollout sounds stupid until you have a fast rollout of a critical bug break your application for the entire user base, swamping your support team with so many requests from angry users, they quit, and in turn recalling your programmers from vacation so that they can figure out what got broken and whether a rollback or another rushed fix to the entire user base is called for.
It's not a browser thing per-se, but always enable showing the file extension in Explorer.
You almost have 3 million subscribers!
While I'm sure this is fine working from home, I have to wonder how many of these settings interfere with filtering that may be found on public/semi-public WiFi systems. I know of at least one that uses Cisco equipment that requires you to use their DNS and block other DNS. Presumably, the filtering is going on at the DNS level.
For me Firefox has always been more secure, I use it with security options enabled and extensions.
Yup, I always manually update Chrome.
If you worry about a browser exploit being able to access your local files, another thing you can do is to set up an extra user account on your computer and use sudo or runas to run your browser (and maybe other programs) as that user, who won't have access to all your private user data in your primary user account. You probably want to have a common area that both user accounts can read/write to, like the 2nd account's Downloads folder.
This is the first time I have seen someone recommend this and it is a great advice.
But let me add to your paranoia: websites on Windows can still read all windows and the desktop screen without asking permission!
To safeguard against this, you have to also create a new desktop and lock the main one (the desktop object in the kernel, not the one from File Explorer)
Still disappointed that you haven’t mained Firefox for it’s built in privacy
For the people in the comments mentioning Brave and Opera GX, remember that those both are Chromium-based, you're basically using a reskinned Chrome
except with their own added features, of course.
@@kr6to409 Well sure, but in terms of privacy/security, you're no better off
can you make a video about optimizing chrome, since i like the layout and features. but it takes up to many ram and is to laggy
Thank you will use these tips will make browsing more safe
SCCM and other stuff will stagger updates, you don't just want everyone downloading the update at once to avoid network bandwidth issues.
the experimental services can save you { time and more } if you are having an issue you cant quite figure it out and need time to research subject
Encrypted SNI - I had no idea! This is extremely cool.
Another one (though more "extreme") is to disable Javascript. Type-confusion attacks seem to be popular nowadays, and JIT compilation makes JS more unsafe.
The good news is that Chromium browsers have a per-domain JS permission, so we don't have to disable JS for all sites. For Firefox, there's NoScript
3 million celebration yay!!!
Thanks for the informative video, I definitely learned how to harden my browsers!
I have everything hidden and locked. Even if you get through the lock. You have to do a 2FA to unlock. After that is a fingerprint. In every software, there is the most strict settings
I use Firefox 100% of the time my brother told me that Google Chrome is a RAM eater, and I'm not kidding he just told me about Chrome, but I always keep Firefox up to date Mozilla always releases new updates every month so I let Firefox check for updates automatically so I don't have to do it manually on my laptop but one security feature you didn't mention was passkeys on both Chrome and Firefox for some reason Chrome has passkey support but Firefox doesn't so I hope Mozilla will have passkey support in the newest Firefox update
Great video!
Question: How do I set SNI in Firefox in the Android version on a smartphone?
Trying to set encrypted DNS, Chrome claims that "This setting is disabled on managed browsers". I've noticed that some other settings can't be changed for the same reason. Trouble is it's my home PC, I built it. I own it, I installed all the software, I'm not part of any "organisation" so how has this come about and how can I change it? Maybe something for a future video?
Thing is, if you change it just for your browser it only applies for that browser. There are ways to get it done system-wide.
@@cldream OK, but can you point me to system-wide solution please?
Chrome can auto-update itself, but if you see online that an update is available, you should go manually update your browser
But the ISP might still know what website you’re accessing if they do a reverse DNS lookup, right?
Thio, I'm looking for a way to clean MOST of my cookies but I'd like to keep some of the essential ones. I couldn't find any easy way to do that on chrome. Do you have any recommendations on how to accomplish that?
Thanks for your sharing
Wonder if you can make a script to setup these settings? I only care about Firefox but imagine all types would be wanted.
Interesting video ever from thiojoe
Hi thio, on my laptop I keep seeing "Managed by your organization" for my chrome browser. I don't use my pc for any organization and its 90% of the time at home. Should I be worried about this?
It may be something like AV software that adjusts browser settings but that needn't be the case.
I just cannot accept that Chrome does not allow to clean cookies+cache+session on window close. That is something I really love from Firefox. It is even worse to see that Chromium-based browsers like new Edge do allow this feature so it is a problem of Google, not the browser
Could you provide a link for your desktop wallpaper?
The SNI thing didn’t work for me in Edge even after I followed the steps in the video. It still doesn’t show me the ClientHello option. And in Firefox I couldn’t pass the Cloudflare test after setting everything up either. Just weird.
Same for me in both browsers. Edge has a nasty habit to reset security settings to default after a major update, i.e. removing custom DNS
After enabling the ECH settings in Firefox, the Cloudflare test still says failed for Secure SNI in my testing. Is this actually working for anyone else?
Thumps up
If you are in a "Google Chrome web browser" critical environment, like many work places where ITs will install one, and only one, web-browser, it makes sens to delay updates to the masses. Not for weeks of course, but just enough to be sure the update does not break anything major. Of course, Google could let the user tweak this parameter and still not make it default tough I'm encline to think this is not a bad thing. It's just yet another "not well implemented" feature, as it often goes with google's lab/staff innovations.
@ThioJoe Can you sahre the link of that wallpaper in background computer screen
Has Opera patched the latest Chrome exploit? Seems that the browser updated but the Chromium version is still 113.0.5672.127
Thio, why does my pc always disk check on startup? Even though I'm shutting down the pc the right way.
Plz make a similar video on Brave browser
Can someone pls tell how to enable encrypted sni/client hello in brave browser?
sni didnt work for me. enabled n relaunched. still fails the test (chrome)
There are plenty of browsers based on Chromium. Why not Brave or Vivaldi? They are safe and private.
Brave IS Chromium-based.
If you prefer a Chromium based browser, make sure to use privacy focused browser like Brave instead of Chrome itself, which effectively acts as glorified spyware.
I don't remember my account password , but I do have the recovery key , how do I use it to get my settings , saved passwords and bookmarks back ? Please need urgent help have to fill college admission form.(Firefox)
3:14 should I consider saving this as a bookmark?
set it as the new tab page and move your pinned or saved pages to bookmarks
edit: i continued watching it
Will this allow me to disappear from Fortinet DNS network?
Do they do the staged update cohorts thing even for security updates?
Edge is the Fastest atm for browser updates
Got any security tips for Opera GX?
opera GX is based on chrome so it might have some of the security stuff from chrome
Tip #1: Don't use Opera GX
How about MS Edge?
tried the --enable-features=EncryptedClientHello procedure in my Edge browser and cloudflare is showing secure SNI is not active. also got question mark for secure DNS
got DNS working when switched DNS service provider to cloudflare
@Sgoc Llewsgoc One needs the other, but the other doesn't.
@@sgocllewsgoc and a really dumb one as well, someone spying on you can just see the IP address of the website you are trying to connect to figure out what website you are visiting
@@sgocllewsgoc the ISP CAN see what IP addresses you are connecting to, in fact, they are the ones who connect to that IP for you
I knew half of them, but never went in-depth into Chrome, I am good off with Brave, anyway, interesting video!
Brave is Chromium-based though?
@@kylehennkens9578 Yes, but I trust it more
A more secure DNS is always ask the authoritative nameserver, but then depending on the nameserver, that's will be so slow lmao
browsing is easy , its the forced push to re-route to an alternate site that causes the problem
Nice, I already had enhanced protection and I also have where to save also so it asks me before saving.
@@sgocllewsgoc dont brag, and I dont like encrypted DNS, I used nothing else than I already had.
@@sgocllewsgoc ok, lol, did u know that a kid is a young goat, its only americans that made it mean Child, I also say kid sometimes, I just like telling people the joke, every single time someone says kid, meaning Child, I correct them, kid is young goat, u can see if u search on google, the first answer will be Child, but thats cuz google is american, the original meaning for kid is young goat, one of the answers in google will be a young goat. lol.
All my browers are on the beta versions. And use them all for different reasons.
Wait what about opera gx?
I'm not using a VPN anymore, by the way, because I think it's a complete waste of money and free VPNs significantly reduce internet speeds, which, again, you're paying for so what's the point? For instance, I can't access my online banking services because my bank won't allow me to log in while a VPN is active. The whole point of a VPN is to provide added security, right?, so what's the point if you can't use a VPN to access the one thing on the internet you need to be the most secure?
I can’t use a VPN anyway. It is out of the question. GPT life, IYKYK.
The captions have a problem, sometimes i see " for no reason
oops the subtitles should be fixed now
"Seacuriatych, I remember this one this is uhhhhhhhhhh and amd" - Asian
"Use da Aaaaaaaaaaa, Canaraech" - Another ... Asian
@ThioJoe
Why in the world would you want to send back your Browsing History to Google.......???????
Top15s style
Number 15: Don't use Microshaft Edge 👍
I swear everytime I actually hit the get help button in file explorer, I feel like I'm computer has just downloaded a piece of malware
Microshaft
@@tzarg might want to run a virus scan. Windows defender is good enough if you don't have any antivirus.
Just make sure to do a full scan
@@tzarg Lol, ya windows has fallen far from the XP and 7 days
@@NutScrewGamer his comment was a joke like edge is a malware
I don't trust guardio, I just use ublock origin filters
For optimal security, you can shutdown all circuit breakers in your home and place your phone in the toilet.