Lesson 6 — Device, browser, and network hygiene
The boring layer that matters most: separate browser profile, extension discipline, OS hygiene, and the public Wi-Fi rules that actually apply.
Most security writing focuses on cryptography. Most real-world compromises happen at a layer below that — the OS, the browser, the extension ecosystem, the network. This lesson is the boring layer, which is exactly why it pays the highest return per hour invested.
Use a separate browser profile (or a separate browser entirely) for anything that signs transactions. Your everyday browser is full of cookies, cached credentials, autofill data, and extensions you installed once and forgot about. Any of those can be compromised by a malicious extension update or a vulnerable site you visited. A separate profile means your signing wallet runs in a clean context — no extensions other than the wallet itself, no browsing history, no third-party cookies. The setup takes ten minutes; you keep two icons in your taskbar (everyday and signing); you only open the signing browser when you are deliberately interacting with a dApp or exchange.
Audit your extensions. Every browser extension can read every page you visit and inject JavaScript into every page you visit. That is what extensions do by design. A compromised extension — through a malicious update, a developer who sold the extension to a new owner, or an extension that was malicious from the start — can replace addresses in your wallet UI, swap clipboard contents during paste, or read your screen in real time. The rule is short: remove every extension that is not actively in use this week. For extensions you do need, prefer well-known ones with public source code and large user bases (which makes silent malicious updates less viable). Re-audit quarterly.
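To make the quarterly audit concrete, here is an added example (not part of the original lesson) that lists the site access each extension in a Chromium-style profile declares in its manifest and marks the ones that can touch every page. It assumes the Chromium on-disk layout `Extensions/<id>/<version>/manifest.json`; the two sample extensions and their IDs are constructed for the demonstration.

```python
import json
import tempfile
from pathlib import Path

# Match patterns that grant access to every site the browser visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_profile(profile_dir):
    """One record per extension under <profile>/Extensions/<id>/<version>/."""
    findings = []
    for manifest in sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json")):
        ext_id = manifest.parts[-3]
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            # Unreadable manifest: surface it for manual review.
            findings.append({"id": ext_id, "name": "?", "broad": True, "hosts": []})
            continue
        # Site access can be declared in three places: MV3 "host_permissions",
        # MV2 "permissions" entries, and content-script match patterns.
        hosts = set(data.get("host_permissions", []))
        hosts |= {p for p in data.get("permissions", [])
                  if isinstance(p, str) and (p == "<all_urls>" or "://" in p)}
        for script in data.get("content_scripts", []):
            hosts |= set(script.get("matches", []))
        findings.append({"id": ext_id, "name": data.get("name", "?"),
                         "broad": bool(hosts & BROAD_HOSTS), "hosts": sorted(hosts)})
    return findings

def build_sample_profile(root):
    """Constructed sample data: two made-up extensions, not real ones."""
    samples = {
        "example-wallet-id": {"name": "Example Wallet", "manifest_version": 3,
                              "host_permissions": ["https://wallet.example/*"]},
        "example-utility-id": {"name": "Example Utility", "manifest_version": 2,
                               "permissions": ["tabs", "<all_urls>"],
                               "content_scripts": [{"matches": ["*://*/*"]}]},
    }
    for ext_id, manifest in samples.items():
        folder = Path(root) / "Extensions" / ext_id / "1.0.0_0"
        folder.mkdir(parents=True)
        (folder / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for f in audit_profile(build_sample_profile(tmp)):
            flag = "REVIEW" if f["broad"] else "ok"
            print(f"{flag:6} {f['id']:20} {f['name']:16} {', '.join(f['hosts'])}")
```

Point `audit_profile` at the signing profile's directory; anything marked REVIEW there, other than the wallet itself, is a candidate for removal.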
Operating system hygiene is the floor. Run a supported OS that gets security patches (currently, that means recent macOS, Windows 11, mainstream Linux distributions, or actively maintained iOS/Android). Enable full-disk encryption — FileVault on macOS, BitLocker on Windows, LUKS on Linux. Apply OS updates promptly; the security industry tracks active exploitation of known bugs, and the gap between patch release and active exploitation is often days or hours. Never run pirated software or activation crackers on a device that has a crypto wallet — these are a routine malware delivery vector.
Public Wi-Fi rules, with some nuance. Modern transport security (TLS) means that a passive attacker on a coffee-shop Wi-Fi network cannot read your traffic to most modern sites. The historical advice 'never use public Wi-Fi for banking' is overstated for read-only browsing. However: do not sign transactions on public Wi-Fi unless you are also on a VPN you trust, because the cost of getting it wrong is total and the cost of waiting until you are on a network you control is zero. Captive portals (the 'connect to the network' login pages at hotels and airports) are particularly suspect — they often want to install root certificates that would let them decrypt your traffic.
Pick a trustworthy DNS resolver and use it everywhere. Your ISP's default DNS sees every domain you look up and historically has been used for tracking, content blocking, and outright advertising injection in some jurisdictions. Cloudflare's 1.1.1.1, Google's 8.8.8.8, or a privacy-focused option like NextDNS or Quad9 are all reasonable choices. Set the resolver at the OS level so every app uses it. This is a small change with a meaningful downstream effect: if a phishing domain is taken down by registrars, DNS resolvers with abuse feeds (Cloudflare, Quad9, NextDNS) will fail to resolve it for you — a backstop you do not have to think about.
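A quick way to confirm the OS-level setting actually took effect, as an added example that is not part of the original lesson: the function below classifies each `nameserver` line of a Linux-style `/etc/resolv.conf` against the resolver set you picked. The addresses are the public ones for Cloudflare, Google and Quad9 (NextDNS addresses are per-account and not included); the sample file is constructed.

```python
import ipaddress

# The resolver you decided to use everywhere. Public addresses of Cloudflare,
# Google and Quad9; trim this set down to the one provider you picked.
CHOSEN = {ipaddress.ip_address(a) for a in (
    "1.1.1.1", "1.0.0.1", "2606:4700:4700::1111",
    "8.8.8.8", "8.8.4.4", "2001:4860:4860::8888",
    "9.9.9.9", "149.112.112.112", "2620:fe::fe",
)}


def check_resolv_conf(text, chosen=CHOSEN):
    """Classify each nameserver entry as 'chosen', 'local-stub' or 'other'."""
    results = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        raw = fields[1].split("%", 1)[0]  # drop an IPv6 zone id such as %eth0
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            results.append((fields[1], "other"))
            continue
        if addr in chosen:
            verdict = "chosen"
        elif addr.is_loopback:
            # A local stub (for example systemd-resolved on 127.0.0.53)
            # forwards elsewhere; its upstream has to be checked separately.
            verdict = "local-stub"
        else:
            verdict = "other"  # typically the router or ISP resolver from DHCP
        results.append((str(addr), verdict))
    return results


# Constructed sample file contents, not taken from a real machine.
SAMPLE = """\
# constructed sample /etc/resolv.conf
nameserver 192.168.1.1
nameserver 1.1.1.1   # set by hand
nameserver 127.0.0.53
nameserver 2620:FE::FE
search lan
"""

if __name__ == "__main__":
    for addr, verdict in check_resolv_conf(SAMPLE):
        print(f"{verdict:10} {addr}")
```

Any `other` entry means some lookups can still go to a resolver you did not choose, and a `local-stub` entry means the answer lives in the stub's own configuration.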
Example
In 2023, a popular Chrome extension with several hundred thousand users was sold by its original developer to a new buyer who pushed a malicious update silently in line with Chrome's auto-update mechanism. The update injected JavaScript into pages that included wallet-connect flows and swapped recipient addresses in DeFi UI before the user clicked Sign. The extension itself was not nominally a 'crypto extension' — it was a popular utility unrelated to crypto. Users with a clean separate browser profile that contained only their wallet extension were unaffected; users running it alongside their everyday browser with dozens of extensions installed lost funds.
Common mistakes
- Running 30+ browser extensions in your signing browser. Each one is a keylogger vector.
- Treating 'I have not used this extension in a year' as a reason to keep it installed. The opposite — uninstall it.
- Skipping full-disk encryption because 'I have nothing valuable' on the device. Your authenticated browser sessions, your wallet files, and your saved passwords are all on that disk.
- Using a wallet on a device that runs cracked software. Cracked software ships malware roughly half the time per various AV-vendor surveys; on a device with crypto, that is your loss.
- Connecting your hardware wallet to a public terminal (hotel business centre, library computer). The hardware wallet itself is secure, but the connecting device may inject malicious data into transactions you sign.
Check your understanding
Why is a separate browser profile (or browser) for signing crypto transactions worth the setup time?
Sources & further reading
- Primary: NSA — Cybersecurity Information for Personal Devices
US National Security Agency public hardening guides; not crypto-specific but applicable.
- Primary: Mozilla — extension security model
Authoritative documentation on browser extension permissions and threat surface.
- Secondary: Cloudflare — 1.1.1.1 DNS resolver
Reference for DNS resolver options and the case for switching from ISP defaults.