Web Security

A lot of people wonder just how much information their computers are communicating to web sites when they visit. On this page, I try to explain what is and isn’t provided to a web site when you visit it. If you have questions that aren’t answered here, feel free to send me feedback and I’ll try to get back to you with an answer.


Q: Can web sites look at my hard drive?

A:

Not directly, no. While other computers (and their owners) may attempt to access your computer, web servers (the computers that hold Web sites) in themselves are not designed to look at anything; they just provide web content. If the organization or individual running the Web site that you visit is running just the web server, you should be safe.

Even from a technical standpoint, visiting a web site is a pretty simple process: First, the web browser program running on your computer contacts the web server at the site you want to visit, via the Internet. Then it asks the web server to send the contents of the page or pages you want to see. Finally, the web server sends the pages you requested back to your computer, and your browser displays them on your screen. All of this happens automatically when you type in the name of the site you want to see, or when you click on a link in a page. Nothing in this exchange allows the web site to look at your hard drive.

Furthermore, web pages themselves are quite simple as well, internally: they just contain plain text, plus a few “keywords” to tell your computer how to format the text, and images (pictures). None of this is dangerous to your computer, and certainly none of it allows a web site to look at the hard drive of your computer, or anything else.

All of the above applies to basic web surfing, using a basic browser or a browser with all the bells and whistles turned off. If you are using a fancy browser, however (such as Microsoft Internet Explorer, Firefox, Opera, etc.), there is some potential risk, in certain situations—not really anything as drastic as erasing your hard drive or anything, but still things you should know about. See the next question, below, for details.


Q: What about the stories I hear about security problems?

A:

The stories you may have heard about “holes” in the security of the web that might allow web sites to trash your computer always involve one of two special circumstances: (1) a bug in a web browser program that allows a web site to somehow request some sort of evil action on your computer when you visit the site, or (2) the use of so-called scripts and active content, which allow a web site to cause your computer to carry out certain actions, exactly as if a computer program were executing on your own machine.

In the first case, a number of bugs have been discovered in various fancy web browsers (mostly Microsoft Internet Explorer and Netscape Navigator) that allow an evil-minded web site to get your computer to do things that it shouldn't, such as deleting files or executing commands on your computer without your knowledge. All of these bugs are corrected as soon as they are discovered, so they don't exist for very long; you can visit the web site of your own browser's manufacturer to see if any security updates for your browser are available to correct bugs. Most of these bugs have never actually been used by the bad guys, either—they are filled only to prevent the bad guys from using them at some point in the future.

The reason these bugs exist is that browser manufacturers (especially the industry leaders) race each other to see who can put the most features into a browser first. The fancier the browser becomes, the more potential there is for various bugs to develop that allow the browser to be misused by a dishonest web site. Simple browsers (such as the old NCSA Mosaic browser, or the text-only Lynx browser, both of which are free) have very few bugs, because (1) they are so simple in construction that they are unlikely to contain security bugs, and (2) they don't have any of the fancy features that open potential security holes, such as active content and scripting. This means that you are theoretically safer with a very primitive browser. The only problem with this is that very primitive browsers are missing many features that make web surfing fun, so you sacrifice a lot in exchange for a little bit of extra safety (I don't think it's worth the sacrifice in functionality, myself).

In the case of the more common, fancy browsers, the risk is in the fact that a web page can contain scripts (programs that the browser executes on your own computer) or active content (tiny programs that are downloaded onto your computer to provide special features, such as moving video and audio). While these features are extremely handy under normal conditions and make the Web-surfing experience more interesting, they can both be abused by unethical Web site operators. There are many safeguards in the fancy browsers that support these features, but the features are so complex that it is difficult to be sure that all the security holes are closed.

Fortunately, most holes are discovered by manufacturers or honest people before the bad guys use them. Furthermore, as stated previously, simple browsers don’t even recognize these fancy features, so they can be used to visit any Web site in relative safety.

If you are truly paranoid, most of the fancier browsers let you selectively turn off any features that you consider too risky. For example, you can disallow the use of scripts in Web sites that you visit if you change the options in your browser. The flip side to this is that it can make some Web sites difficult to view, since many of them depend on these fancy features nowadays. The choice is up to you. I have just about everything turned off in my browsers, but I'm relatively paranoid compared to most people.


Q: Does your web site contain any of these scripts or active stuff?

A:

Most pages contain JavaScript coding that loads the frames on my site (such as the table of contents) if you arrive on the site from a link directly to one of my pages. A handful of other pages also contain scripting (such as my Cool Wallpaper section that contains some scripting to display thumbnail images of wallpaper). The site banner sometimes contains scripting to help me gather global statistics for my site. Other than that, my site contains only pictures, text, and a few sounds. I don't use ActiveX controls, Flash content, or Shockwave content anywhere. You're quite safe here.

I believe that content is more important than fancy features. Mine is a minority viewpoint, however, judging from what I've seen elsewhere on the Web.


Q: Is there a way to turn all the scripts and active stuff off?

A:

Usually, yes. If you are using a standard version of Microsoft Internet Explorer 6.0, for example, you can look under the Tools | Options | Security menu and disable things like scripts, active content, or whatever you want. You can also select a general security level (from high to low) that automatically sets all the other options appropriately, which is handy because there are many, many options to look at if you set them yourself individually. By default, most of the advanced features are enabled, since most people are more interested in having fun surfing the Web than in security. That is, if you decide to disable these things, your browser will be slightly more secure, but there will also be quite a few Web sites that won't be completely accessible to you, since many of them try to use one of these advanced features.

For other browsers, you'll have to consult the documentation to figure out how to turn these things off. Some browsers don't support these advanced features, so there is nothing to turn off. Others won't let you turn them off (uh-oh!).

Be forewarned that some sites—especially those that expect you to use customized versions of Internet Explorer—depend heavily on active content (especially the very popular Flash animations), and won't work at all if you turn off the advanced features (assuming you can even find a way to turn them off). The Microsoft Network is in this category, for example, as are a number of other major Internet providers.


Q: Is there a way for web sites to find out my e-mail address?

A:

In most cases, no. However, a few web browsers will give your e-mail address (if they know what it is) to a web site when you visit it. The SPRY Mosaic browser is said to be one of these, for example. Microsoft Internet Explorer and Netscape Navigator (I think) do not reveal your e-mail address to web sites.

I have encountered a few web sites that attempt to secretly send mail from your computer to a specific address whenever you visit the site. They usually do this with some clever web-page coding and scripting. Whether or not this works depends on whether or not your browser can handle scripts, and whether or not your e-mail program can send mail on its own, without telling you.

The browser I use on my own machine (Microsoft Internet Explorer) can handle scripts (although I usually keep scripts turned off), but my e-mail program (Microsoft Outlook Express) won't send e-mail without asking me first, so if a web site tries to scam my e-mail address, it won't work. That's how I discovered that some sites try to do this.


Q: Can a web site discover who I am or where I live?

A:

No. Of course, if a web site asks you to fill out a form with your name and address and other personal information, and you do so, obviously the site operator can find out who you are—but that's not your computer's fault, is it? There isn't any way for a web site to find out these things automatically, without asking you explicitly.

Your web browser sends a small amount of information automatically to every site you visit. For example, if you are visiting a site with Internet Explorer 6.0, your browser will give every web site you visit the following information:

  • The name and version of the browser you are using.
  • The languages your browser supports. This means English, Japanese, or whatever other languages you have installed.
  • The kinds of files that your browser can display. This always includes text and images, obviously, but it can also include things like spreadsheets, word-processing documents, and the like, if your computer is set up to be able to display these within your browser. I suppose a site could figure out what kinds of software you have on your computer based on this, but I don't really see that as a big deal. My browser announces that it can handle Word, PowerPoint, and Excel documents, for example, because I have Microsoft Office installed.
  • The size of your computer screen (that is, the number of pixels it can display), and the number of colors it can handle. This is useful to allow a web site to adjust the web pages it displays to match your screen, in some cases (although hardly any sites take advantage of that).
  • The operating system your computer is running: Windows 95/98, Windows NT, MacOS, Linux, etc.
  • The type of computer you have: a PC, a Mac, etc.

None of this is terribly personal information, as you can see. It is intended mainly to help the web server at the other end figure out how best to format web pages for your computer (if it is capable of customizing pages for each user).
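The following Python sketch is an added example, not code from this site. It reads one constructed request in the style of Internet Explorer 6 and reports the browser, operating system, language and file-type items from the list above; the host name, the header values and the MIME-type-to-software table are assumptions made for illustration.

```python
import re

# Constructed sample request in the style of Internet Explorer 6 on a PC with
# Microsoft Office installed. www.example.com is a placeholder host.
RAW_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Accept: image/gif, image/jpeg, application/vnd.ms-excel, "
    "application/vnd.ms-powerpoint, application/msword, */*\r\n"
    "Accept-Language: en-us, fr;q=0.8, ja;q=0.5\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "\r\n"
)

# Illustrative table: advertised file types that hint at installed software.
SOFTWARE_HINTS = {
    "application/msword": "Microsoft Word",
    "application/vnd.ms-excel": "Microsoft Excel",
    "application/vnd.ms-powerpoint": "Microsoft PowerPoint",
}


def parse_headers(raw):
    """Return (request_line, {lowercased header name: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def weighted_list(value):
    """Split 'a, b;q=0.8' into [(item, q)], most preferred first."""
    items = []
    for part in value.split(","):
        fields = [f.strip() for f in part.split(";")]
        if not fields[0]:
            continue
        q = 1.0
        for param in fields[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0
        items.append((fields[0].lower(), q))
    return sorted(items, key=lambda item: -item[1])  # stable for equal q


def describe_user_agent(ua):
    """Return (browser, platform) as far as the User-Agent string reveals them."""
    browser = ua.split()[0] if ua.split() else "unknown"
    match = re.search(r"MSIE (\d+(?:\.\d+)*)", ua)
    if match:
        browser = "Internet Explorer " + match.group(1)
    platform = "unknown"
    paren = re.search(r"\(([^)]*)\)", ua)
    if paren:
        for token in (t.strip() for t in paren.group(1).split(";")):
            if token.startswith(("Windows", "Win", "Mac", "Linux")):
                platform = token
    return browser, platform


def disclosed(raw):
    """Summarise what a single request tells the web server."""
    _, headers = parse_headers(raw)
    browser, platform = describe_user_agent(headers.get("user-agent", ""))
    types = [t for t, _ in weighted_list(headers.get("accept", ""))]
    return {
        "browser": browser,
        "platform": platform,
        "languages": [l for l, _ in weighted_list(headers.get("accept-language", ""))],
        "file_types": types,
        "software_hints": sorted(SOFTWARE_HINTS[t] for t in types if t in SOFTWARE_HINTS),
        # The optional HTTP "From" header is where an e-mail address would appear.
        "email": headers.get("from"),
    }


if __name__ == "__main__":
    for key, value in disclosed(RAW_REQUEST).items():
        print(f"{key:15} {value}")
```
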

More recent versions of web browsers tend to be a bit more conservative in what they send to the web server.

In addition to the above, most web sites keep a log of all visitors to the site, mostly for statistical and security purposes. This log doesn't contain any personal information, but it does contain information from which interesting conclusions can be derived. I cover this in a separate question, below.

It is possible to match your IP address (the number that identifies your computer while you are on the Internet) to yourself personally, if the Web-site administrator can persuade your online service to cooperate, or if your computer is permanently connected to the Internet (one glaring example I once saw was the New Zealand parliament—when someone from their network visited my site, I could actually see the full name of the person visiting in my logs!). However, online services usually don't cooperate with anyone who doesn't have a court order and doesn't work for the government, so the chances of someone casually locating you personally just because you visited his web site are small indeed. If you don't tell him, he won't know.

Special considerations apply if you have a permanent connection to the Internet, such as via a cable or DSL modem. In that case, your permanent connection to the mighty Net makes you more vulnerable, so you should be more careful.


Q: What sort of information do web sites log?

A:

Just about all web servers automatically log every visit to the site. These logs are stored for examination by system administrators, or by statistical or accounting programs. Typically, the information logged by web servers includes the following:

  • Your IP address. I explain the IP address in a separate question, below.
  • Any identifying information your browser sent to the web site. This would include a user account name, for example. Browsers don't normally send information like this to a web site unless access to the site requires some sort of account name or password (the account name is logged in that case, although the password isn't, for security reasons).
  • The date and time.
  • The exact web page you accessed.
  • Whether or not your request for the page was successfully satisfied.
  • The amount of data transferred when sending you the page.
  • The “referrer URL.” This is the URL (i.e., the name) of the page you were on when you clicked towards the page on this server. For example, if you were on Jane's page and reached the current page by clicking on a link in her page, the referrer URL will point to Jane's page. This allows a site administrator to figure out how people are reaching his site. If you type a URL directly into your browser to reach a page, the referrer URL in the web server's logs will be blank (you just “came from nowhere” in that case).
  • The type of browser you are using.

Most of the data above is just dry technical information, and you can see that it is the sort of information that is very useful for compiling general statistics. However, you can reach other interesting conclusions by examining it carefully.

Let me provide an example. I know, based on the logs kept on my own site, that someone visited my site on July 29, 1997, at 14:28 GMT (probably 8:28 AM local time, based on the visitor's location, but I can't be sure), using the PC in his or her office at a large New York-based financial-services company. This person had found my site by doing a search at http://www.excite.com for web pages containing the words “Eiffel Tower.” One of the links from his or her search led to the pictures of the Eiffel Tower that I have in my Photo Gallery. The visitor spent about a minute and a half looking at the pictures of the Tower that I have on my site, then he or she left. This person was using Netscape Navigator 3.0 Gold, and was running a PC using Windows NT. I know what the person looked at while he or she was here, and at what time, and from what location (roughly), but I don't actually know who the person was. In short, I know that someone looked for pictures of the Eiffel Tower on the Web using his office PC, found my pictures, spent a minute or two looking at them, and then left. This is the kind of information that I can obtain from logs.
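To show how conclusions like these fall out of the log fields listed above, here is an added Python example (not the tooling used for this site). It assumes the common Apache "combined" log layout; the log lines, the addresses (taken from documentation ranges), the host www.example.org and the search-engine query parameter names are all constructed for illustration.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines; none of them come from a real server.
LOG_LINES = [
    '192.0.2.10 - - [29/Jul/1997:14:28:05 +0000] "GET /photos/eiffel.html HTTP/1.0" '
    '200 4312 "http://www.excite.com/search.gw?search=Eiffel+Tower" "Mozilla/3.0Gold (WinNT; I)"',
    '192.0.2.10 - - [29/Jul/1997:14:28:40 +0000] "GET /photos/eiffel2.jpg HTTP/1.0" '
    '200 58211 "http://www.example.org/photos/eiffel.html" "Mozilla/3.0Gold (WinNT; I)"',
    '192.0.2.10 - - [29/Jul/1997:14:29:35 +0000] "GET /photos/eiffel3.jpg HTTP/1.0" '
    '200 61007 "http://www.example.org/photos/eiffel.html" "Mozilla/3.0Gold (WinNT; I)"',
    '198.51.100.7 - alice [29/Jul/1997:15:02:11 +0000] "GET /private/notes.html HTTP/1.0" '
    '401 512 "-" "Lynx/2.7"',
    'this line is damaged and should be skipped',
]

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the layout."""
    match = LINE_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"]) if rec["size"].isdigit() else 0
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    return rec


def search_terms(referrer):
    """Pull the search phrase out of a referrer URL, if it carries one."""
    if referrer in ("", "-"):
        return None  # visitor typed the URL: "came from nowhere"
    query = parse_qs(urlsplit(referrer).query)
    for key in ("q", "query", "search", "p"):  # assumed parameter names
        if key in query:
            return query[key][0]
    return None


def summarize_visits(lines):
    """Group requests by IP address and derive a per-visitor summary."""
    visits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        v = visits.setdefault(rec["ip"], {
            "first": rec["time"], "last": rec["time"], "pages": [], "bytes": 0,
            "failed": 0, "user": None, "search": None, "agent": rec["agent"],
        })
        v["first"] = min(v["first"], rec["time"])
        v["last"] = max(v["last"], rec["time"])
        v["pages"].append(rec["path"])
        v["bytes"] += rec["size"]
        v["failed"] += 1 if rec["status"] >= 400 else 0
        v["user"] = rec["user"] or v["user"]
        if v["search"] is None:
            v["search"] = search_terms(rec["referrer"])
    for v in visits.values():
        v["seconds_on_site"] = int((v["last"] - v["first"]).total_seconds())
    return visits


if __name__ == "__main__":
    for ip, v in summarize_visits(LOG_LINES).items():
        print(ip, v["agent"], v["search"], v["seconds_on_site"], v["pages"])
```
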

It was on the basis of my logs that I originally started to add more pictures of Paris to my site. I noticed that a lot of people were visiting specifically to see the pictures.


Q: What is an IP address?

A:

An IP address (IP stands for Internet Protocol) is the Internet equivalent of a telephone number.

Every computer connected to the Internet has an IP address, and no two computers on the Internet have the same IP address. This is very much like the telephone system, in which every telephone in the world has its own, unique telephone number. Anyway, when your computer wants to talk to another computer, it contacts the other computer using its IP address; at the same time, your computer provides its own IP address to the other computer, so that the other computer knows which computer is waiting for an answer. This latter function is similar to the Caller ID feature found in many modern telephone systems that displays a caller's telephone number, except that, on the Internet, this feature is required, not optional (it's the only way for two computers to set up a two-way conversation).

If your computer is permanently connected to the Internet (at the office, for example, or via a cable or DSL connection from home), it probably has a fixed IP address. The address is assigned by your ISP and never changes. In addition, your computer in this case will often be given a name (called a hostname) so that other computers on the Internet can identify you by name, instead of only by IP address.

If you connect your computer to the Internet by dialing through a modem, chances are that the online service that is providing you with access to the Internet gives you a temporary IP address (chosen from a pool of available addresses) at the time you connect, and then frees this address for use by someone else when you disconnect. Your IP address in this case is relatively unpredictable, and it changes from one connection to another (although it stays the same for the duration of a single connection). Since no IP address is permanently associated with your computer (and since you are not connected 24 hours a day), your computer doesn't have a hostname. The practice of assigning IP addresses on the fly like this is called dynamic addressing. Not only is this used by online services, but it is also used by many corporate networks to limit and control connections from the company's internal network to the outside Internet, for security reasons.

The IP address itself looks like four numbers, separated by periods. The IP address of the computer you are using now, for example, is 38.103.63.59. Any computer on the Internet can contact your computer simply by connecting to this IP address—and in fact that's exactly what the computer holding my Web site is doing right now (in order to send you this page). My computer knows the IP address of your computer because your computer provided it when you visited my site (this is mandatory—without your IP address, my computer can't send you the Web pages you request).

Of course, you probably reached here by typing something like atkielski.com. The name atkielski.com is the hostname (also called a fully-qualified domain name or FQDN) of my web server.

When you type a hostname or a domain name, various computers on the Internet called nameservers examine the name and look it up in a worldwide directory of IP addresses. When you type atkielski.com, for example, the nameservers look this up and return the IP address for that name, which is the IP address of my web server. Your computer then uses this IP address to connect to my web site.

This whole domain name system (DNS) works very much like a printed telephone directory works for the telephone system, except that the Internet automatically looks up a name and matches it to an IP address—you don't have to do this yourself. DNS makes it far easier for human beings to locate computers on the Internet, because it allows them to specify easily remembered names instead of numbers.

If your computer is connected only temporarily to the Internet, via a modem and a telephone line, you don't have a fixed IP address, and so you don't have a permanent hostname or domain name; instead, you have a temporary IP address, and probably a temporary hostname as well—but the hostname is just the name that is assigned to your temporary IP address, and it is usually something weird, like 38.103.63.59. If your computer is permanently connected to the Internet via a cable or DSL connection, you may have a permanent (or nearly permanent) IP address, and you do have a hostname—but the hostname is likely to be just as weird as the temporary hostnames given to dial-up connections (although some companies will actually put part of your name in the hostname, to make it easier to identify your line).

It is impossible for IP addresses to be concealed. Whenever two computers communicate over the Internet, they both know each other's IP address. As a result, you're never completely anonymous on the Internet, although tracking down an IP address can be extremely difficult, especially in the case of computers that are only temporarily connected via a modem (because they never have the same IP address twice, and they often don’t have a domain name that you can look up).


Q: Is it safe to buy things online from a Web site?

A:

It depends on the circumstances.

Normally, everything that passes between a Web site and your browser is “in the clear”; that is, anyone monitoring the traffic over the Internet between you and the Web site can see what you are doing. If you happen to be transmitting a credit-card number or something, such a person could obtain that by watching the exchange between you and the Web site. However, even though this type of eavesdropping is entirely possible technically (and routinely conducted by some government agencies), the likelihood of a bad guy actually doing this just in the hope of getting personal information from you is extremely low. For what it's worth, I don't know of any cases of this actually happening. So, buying things online isn't significantly less secure than ordering them by telephone. In fact, it may be considerably more secure, because online purchases often do not involve human beings (and thus reduce the opportunities for fraud), whereas telephone and mail purchases require human intervention at some point.

If you are paranoid (like me), however, there are ways to increase the security of a transaction on the Web. The easiest way is to use a “secure connection” between you and the Web site; many sites that offer online purchase of goods and services use this type of connection. It looks just like a normal visit to a Web site—you don't see anything different (except perhaps a tiny padlock icon on your browser's status bar, in some browsers)—but all the information between your computer and the Web site is encrypted, making it unintelligible to anyone who might be monitoring the traffic between you and the site. This makes any attempt to obtain confidential information by eavesdropping billions of times harder (literally!), so it is pretty secure. It's not 100% secure, of course, but unless you are carrying out transactions worth billions of dollars or something, it would not be worth any crook's time to try to break into the connection and uncover the information you're exchanging with the Web site.

I consider secure connections to be sufficient for most purposes. With a secure connection, you're more likely to be shafted by the business running the Web site than by any eavesdropping on the connection, so there's little point in worrying about the latter. In fact, I feel more comfortable buying things online than purchasing by telephone or by mail—with online purchases, there are often no human eyes looking at my credit-card information.


Q: What are “cookies”?

A:

“Cookies” are small blobs of information that are stored on your computer when you visit some web sites. Essentially, the web site asks your browser to save a small amount of information on your computer. The next time you visit the same web site, your browser sends this saved information back to the site. The web site can also ask to update the information on your computer, if necessary. That's about it.

The dangers of cookies are dramatically exaggerated. Cookies are used by web sites to save information between your visits to the sites, in order to save time. For example, if you visit a large site with many different pages, the site may send your computer a cookie with the names of the pages you visited most. The next time you visit the site, it will use this cookie (sent back automatically by your browser) to immediately send you to the pages you were visiting last time, so that you don't have to navigate through the entire site again. This is what cookies were designed for.

Cookies do not carry viruses, they do not damage your machine, and they do not give web sites any personal information about you that they did not already have. They are pretty harmless. Even I don't worry about cookies, and I have a reputation for paranoia.

If you are really worried about cookies, some browsers (such as Microsoft Internet Explorer) give you the option of refusing to accept them. If you do this, though, some sites might not work correctly when you visit them, since they might expect to receive cookies from you from a previous visit. I just leave cookies enabled on my own browser.
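The exchange described above can be simulated in a few lines. This Python sketch is an added example, not code from this site: the Site and Browser classes, the cookie name last_page and the host names are hypothetical. It shows the site asking the browser to store a value, the browser returning it only to the site that set it, and what changes when the browser refuses cookies.

```python
from http.cookies import SimpleCookie


class Site:
    """Hypothetical web site that remembers the last page you viewed."""

    def __init__(self, host):
        self.host = host

    def handle(self, path, cookie_header):
        """Serve one request; return (page text, Set-Cookie header value)."""
        received = SimpleCookie()
        if cookie_header:
            received.load(cookie_header)
        if "last_page" in received:
            body = "Welcome back. Last time you were viewing " + received["last_page"].value
        else:
            body = "First visit"
        # Ask the browser to store (or update) the cookie for next time.
        reply = SimpleCookie()
        reply["last_page"] = path
        reply["last_page"]["path"] = "/"
        return body, reply["last_page"].OutputString()


class Browser:
    """Hypothetical browser with one cookie store per site."""

    def __init__(self, accept_cookies=True):
        self.accept_cookies = accept_cookies
        self.jar = {}  # host -> {cookie name: encoded value}

    def visit(self, site, path):
        """Request a page; return (Cookie header sent, page text received)."""
        stored = self.jar.get(site.host, {})
        # Only cookies previously set by this same host are sent back.
        cookie_header = "; ".join(f"{k}={v}" for k, v in stored.items()) or None
        body, set_cookie = site.handle(path, cookie_header)
        if set_cookie and self.accept_cookies:
            parsed = SimpleCookie()
            parsed.load(set_cookie)
            for name, morsel in parsed.items():
                self.jar.setdefault(site.host, {})[name] = morsel.coded_value
        return cookie_header, body


def demo():
    """Run the exchange and return what was sent and received at each step."""
    photos = Site("photos.example")
    other = Site("other.example")
    browser = Browser()
    steps = [
        browser.visit(photos, "/gallery/paris.html"),  # nothing to send yet
        browser.visit(photos, "/index.html"),          # cookie comes back
        browser.visit(other, "/"),                     # different site sees nothing
    ]
    refusing = Browser(accept_cookies=False)
    refusing.visit(photos, "/gallery/paris.html")
    steps.append(refusing.visit(photos, "/index.html"))  # site has no memory
    return steps


if __name__ == "__main__":
    for sent, body in demo():
        print(f"sent={sent!r:45} received={body!r}")
```
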


Q: How can I prevent my kids from visiting web sites I don't want them to see?

A:

The Internet is an extremely safe place, overall. However, there are sites that some parents might not wish their children to see: adult sites, sites espousing unacceptable religious or political views, sites featuring graphic depictions of Bad Things, or whatever. There are a number of ways in which you, as a parent, can restrict what your children see on the Web.

The most obvious and best way to control what your children see is to surf with them. Not only do you thus have a say in what they see, but you can explain things to them and help them find sites that interest them (there are many sites that are designed especially for children on the Internet).

If you are unwilling or unable to spend time surfing with your child, you can use site ratings to control what they see, if your browser supports it. Site ratings are like movie ratings, except that an appropriate browser (such as Microsoft Internet Explorer) will actually refuse to let a child visit sites with inappropriate ratings (or without any ratings at all). My own site is rated with two rating services: ICRA, which is the industry leader in Web ratings, and SafeSurf, an organization run primarily by parents. These organizations allow sites to rate themselves. Both of these organizations use the PICS rating system, which is built into Microsoft Internet Explorer; I think the latest versions of Netscape support it, too.

Another method of controlling access is to install software that examines every Internet reference a child makes from the PC and censors inappropriate access. For example, a software product can check the domain name of a Web site and grant or deny access on the PC side. CyberPatrol is one of the oldest and best-known of these products.

No solution, short of actually spending time surfing with your child, can completely prevent him or her from reaching Internet sites that you might find objectionable. However, the techniques and products mentioned above do a pretty good job. A very computer-literate teenager might be able to get around them to a limited extent, but smaller children and toddlers should be adequately protected (unless they are computer prodigies or something).


Q: I want to put up my own web page. Is it safe?

A:

Some online services allow their subscribers to publish their own, personal web sites. If you subscribe to such a service, you may have considered publishing a site of your own, and you may have wondered how “safe” doing so might be.

In general, it's as safe as you choose to make it. The only information people can obtain from your web site is the information that you choose to publish on the site. Keep in mind that anyone in the world can visit your web site, so don't publish anything that you would not want to see on the front page of the New York Times. It's probably best to avoid publishing your address or telephone number; most people limit this type of information to their names and e-mail addresses.

If your site is linked to any other site, there is a good chance that it will be “sniffed out” by search engines on the Web, and that it will soon be indexed by services such as Alta Vista. People will be able to look up pages on your site by searching with appropriate keywords. As a result, be sure that you publish only things that you don't mind communicating to strangers.

Keep in mind that any e-mail addresses you publish on your site may be sniffed out by robots and added to junk-mail address lists.

If you allow your children to publish their own web pages, it is probably best to especially avoid providing any identifying information on those pages (full name, address, telephone, etc.).

Many people put pictures of themselves on their web pages. I'm one of a paranoid minority that prefers not to include photographs on a site. However, there probably isn't very much risk in it, and it's pretty much a matter of personal preference.

Remember also that nothing prevents anyone from downloading anything you put on your web site. You should include appropriate copyright notices for any material you publish on the site (including your own material). Nevertheless, you should realize that information on your site can be easily stolen for use by others, with or without a copyright. A picture of you on the site, for example, could be downloaded by someone and distributed in a magazine without your approval. Once something has been distributed in this way, there is no way to call it back. Information you provide on your Web site may still be available on the Internet, somewhere, even years after you take down the site itself. It's something to keep in mind.


Q: Can my computer be infected by a virus from a web site?

A:

Ordinary web pages cannot transmit computer viruses, so you have little to fear, as a general rule. If your browser cannot handle scripting or other active content, you have nothing to fear.

If you have a more advanced browser, such as Microsoft Internet Explorer or Netscape Navigator, there is a small risk. Browsers like these allow you to accept “active content” from web sites. What this essentially means is that you can automatically download actual programs from web sites and execute them on your PC. If such a program is infected with a virus, your computer may catch it. This is something you might wish to be careful about.

In the same way, you can catch viruses from software you download from free software sites, just as you can catch viruses from infected diskettes. Here again, caution is in order.

In general, you should avoid downloading anything from a site you do not or cannot trust. If a site tries to download active components (Internet Explorer will normally warn you of this and ask if you wish to proceed if it happens, usually displaying a kind of certificate with the name of the company that publishes the component), don't accept the download unless you trust the company that published the component.

Overall, though, virus infections from visits to web sites are virtually unknown, so the risk is there, but not high enough to worry a great deal about.


Q: Can other people access my computer while I'm online?

A:

Yes—if they know, or can obtain, your IP address.

If you are connected directly to the Internet with a fixed IP address and a domain name (using a cable or DSL connection, for example), anyone can attempt to access your computer, by sending a message to its IP address. This is how web servers and other computers permanently set up to answer connections from other computers are configured.

If you are accessing the Internet through a dial-up connection and an ordinary modem, however, you don't have a permanent IP address. As a result, the only way that another computer (and the person behind it) can access your computer is if the other computer finds out your IP address, which is pretty much impossible unless you talk to the other computer first (in which case it will see your IP address in your messages). Thus, while a random attack against your computer is theoretically possible, in practice the chances of it happening are insignificant, since it's too hard for another computer to discover your IP address during the relatively short period of a single connection.

In both cases, the situation changes once you connect to another computer. When you establish the connection with the other computer, your computer will tell it your IP address, so that the other computer can answer you. From that point onward (at least until you hang up the telephone and close the connection), it knows your IP address and can send unsolicited messages to you.

The risk here depends on how your computer is set up. If another computer sends your computer a request to see the web pages on your site, your computer will typically just ignore the request, because your computer isn't a web server. If another computer tries to send you a request to transfer files, your computer will ignore that, too, because it isn't set up to work as a file server. In fact, your computer will ignore just about any incoming connection that it isn't expecting, which means that, even if another computer discovers your IP address, it won't necessarily be able to do anything with it.

There are a few exceptions to the above. If you have “shared” folders or printers on your computer (if you don't know what this means, you probably haven't done it), it's possible for other computers on the Internet to attempt to access your shares directly, under certain conditions, so beware. Similarly, if you are running a fancy operating system like Windows NT Server, there are lots of services that other computers can request from your computer over the Internet. However, if you were running a fancy operating system like that on your computer, you'd already be aware of all this, and so you probably wouldn't be reading this FAQ.

In summary, yes, other computers on the Internet can theoretically access your computer while you are connected to the Internet, but it's not easy, and it's not very likely to happen, unless you have a permanent connection to the network (see below).



Q:  

Are cable and DSL connections to the Internet dangerous?

A:  

There's nothing inherently dangerous about a cable or DSL connection to the Internet, if you are careful. There is a greater potential risk to these connections, however, because they keep you connected to the Internet all the time, with a fixed IP address, and this makes it much easier for bad guys on the Net to attack your machine. If you are using a connection of this kind, your computer will be scanned by bad guys sooner or later—it's just a matter of time. It's important to be prepared for that inevitability.

The main precaution to take with a permanent connection to the Internet is to make sure that you leave no “open doors” on your computer. On a Windows computer, the most common and obvious of these is file and printer sharing. If you are using file and printer sharing, turn it off, or protect all shared folders and printers with passwords.

There are many other potential holes in security that your machine might have, although most of them exist only if you have put them there yourself explicitly. The range of risk items and corrective actions is too great to cover here—whole sites are devoted to the subject. However, if you turn off file and printer sharing, and if you aren't doing anything unusual on your computer (such as running a personal web server), you should be okay.
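One way to check your own computer for the “open doors” described above, given as an added example that is not part of the original FAQ: the script reads the output of the Windows `netstat -an` command and lists the ports that are accepting incoming connections, marking the ones used by file and printer sharing. The sample output is constructed, the function names are hypothetical, and the port numbers (139 and 445, the TCP ports used by Windows file and printer sharing) do not come from this page.

```python
# Constructed sample of Windows `netstat -an` output (not captured from a real machine).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  TCP    203.0.113.20:139       0.0.0.0:0              LISTENING
  TCP    203.0.113.20:49712     198.51.100.7:80        ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
"""

# TCP ports used by Windows file and printer sharing (NetBIOS session service, SMB).
FILE_SHARING_PORTS = {139, 445}
LOOPBACK = {"127.0.0.1", "[::1]"}


def listening_sockets(netstat_text):
    """Return (address, port) for every TCP socket in the LISTENING state."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows have exactly four fields; titles and headers do not.
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        address, _, port = fields[1].rpartition(":")  # keeps "[::]" in one piece
        found.append((address, int(port)))
    return found


def open_doors(netstat_text):
    """Map each listening port not bound to loopback to a file-sharing flag."""
    doors = {}
    for address, port in listening_sockets(netstat_text):
        if address in LOOPBACK:
            continue  # only this computer can connect to a loopback listener
        doors[port] = port in FILE_SHARING_PORTS
    return dict(sorted(doors.items()))


if __name__ == "__main__":
    for port, sharing in open_doors(SAMPLE_NETSTAT).items():
        note = "file and printer sharing" if sharing else "other service"
        print(f"port {port}: accepting connections ({note})")
```

A port that appears in this list is only a candidate open door: a personal firewall may still block connections to it from the Internet.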

If you are running a computer with a server operating system such as Windows NT Server or UNIX, there are many potential holes that you must carefully plug or avoid. If you're reading this, though, you probably aren't running one of these fancy operating systems.

A very easy way to secure your computer on the Internet is to install a personal firewall, such as BlackICE Defender. I recommend this for any computer that is permanently connected to the Internet via a DSL or cable connection.



Last modified on February 20, 2007
http://atkielski.com/main/ISeeYouFAQ.php
© 2008 Anthony Atkielski. All rights reserved.