When you click on a link to open a web page, you are inviting the server on
the other end of the connection to query your machine and execute code on it.
While it is true that not every web page queries your machine or downloads
code to it, the potential is always there.

Nearly every month brings new revelations about security flaws in browsers or
browser plugins: a new method has been found of compromising a machine by
getting a user to visit a malicious web page. Often the public
announcement comes at the same time that a security patch or update is
available. But sometimes the public announcement comes before a patch is
available, sometimes with the caution that exploits are already being observed
on the Internet. And of course, we all have to worry about what hasn’t been
announced yet.

As recently as June 10, 2014, there were announcements from both Microsoft and
Adobe about recently discovered flaws that could let attackers remotely
execute code when a user opens a malicious web page or opens a file sent to
the user. The flaws appeared in Adobe Flash, Adobe Air, Internet Explorer,
Windows, and Microsoft Office including Word. Some of the Adobe issues affect
Macintosh, Android, and Linux as well.

Every time a user visits a web page, a user agent string is sent by the user’s
browser to the web server. An example user agent string is “User-Agent:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0”.
This reveals to the web server information about the operating system being
used, the web browser, and their versions.

The browser will also tell the web server what types of content and encoding
it will accept, for example:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
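
What a server can read from the request headers quoted above, shown as an
added example that is not part of the original article. The function names and
the Windows NT version table are this example's own assumptions.

```javascript
// Desktop Windows names for NT kernel versions (table is this example's own).
const NT_VERSIONS = { '5.1': 'Windows XP', '6.0': 'Windows Vista', '6.1': 'Windows 7',
                      '6.2': 'Windows 8', '6.3': 'Windows 8.1' };

// Parse "Name: value" lines into a map keyed by lower-cased header name.
function parseHeaders(raw) {
  const headers = Object.create(null); // no prototype, so odd header names are harmless
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx > 0) headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Split an Accept-style list into {value, q} entries, highest preference first.
function parseQualityList(value) {
  return (value || '').split(',').map(s => s.trim()).filter(Boolean).map(item => {
    const [name, ...params] = item.split(';').map(s => s.trim());
    const qParam = params.find(p => p.startsWith('q='));
    const q = qParam ? parseFloat(qParam.slice(2)) : 1.0; // q defaults to 1 when absent
    return { value: name, q: Number.isNaN(q) ? 1.0 : q };
  }).sort((a, b) => b.q - a.q);
}

// Summarise what the headers disclose about the client platform.
function disclosedByHeaders(raw) {
  const h = parseHeaders(raw);
  const ua = h['user-agent'] || '';
  const nt = ua.match(/Windows NT (\d+\.\d+)/);
  const browser = ua.match(/(Firefox|Chrome|MSIE)[\/ ](\d+(?:\.\d+)*)/);
  const gecko = ua.match(/rv:(\d+(?:\.\d+)*)/);
  return {
    os: nt ? (NT_VERSIONS[nt[1]] || `Windows NT ${nt[1]}`) : 'not disclosed',
    // WOW64 marks a 32-bit browser process running on 64-bit Windows.
    arch: /WOW64/.test(ua) ? '32-bit browser on 64-bit Windows' : 'not disclosed',
    browser: browser ? browser[1] : 'not disclosed',
    browserVersion: browser ? browser[2] : 'not disclosed',
    geckoRevision: gecko ? gecko[1] : 'not disclosed',
    accepts: parseQualityList(h['accept']),
    encodings: parseQualityList(h['accept-encoding']).map(e => e.value),
  };
}
// Request headers as quoted in the article text.
const SAMPLE_REQUEST = [
  'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0',
  'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
  'Accept-Encoding: gzip, deflate',
].join('\n');
console.log(disclosedByHeaders(SAMPLE_REQUEST));
```

Running it against your own browser's headers shows how much platform detail
leaves the machine before any script runs.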

If the browser allows JavaScript to run, and most configurations allow this by
default, the web server can also learn about installed plugins, installed
fonts, the screen resolution, color depth, and timezone. This information may
enable a web site to determine what code it could send to your browser that
would lead to a successful exploit. You may not think that a list of installed
fonts reveals much, but in some cases a combination of installed fonts might
reveal that a specific application has previously been installed on the
system.

The EFF Panopticlick web site <https://panopticlick.eff.org/> focuses on
privacy issues and how web sites can identify users and track them even if the
user has limited or disabled cookies. Links provided on the site give some
information about what the site gathers and the techniques it uses.

Keeping your system up to date with all of the most recent security patches is
a good practice. However, keep in mind that your system is still susceptible
to vulnerabilities that vendors have not yet patched, or may not even be aware
of yet.