Browser finger-printing, privacy leakage.. some tips
I’m not turning into RMS, but it’s becoming more and more sensible to be concerned about ‘Big Brother’ and the apparent abuse of privacy or free speech on the internet, particularly in the western world, where normal parts of life now require internet access.
It was mostly tracking from advertisers that people were concerned about a few years back, but now it’s turned into a much darker and sinister form of tracking, and it’s not from advertisers, whether you know about Edward Snowden’s chilling revelations, and whether you believe him or not, the info should not be dismissed, and, if you do care, it is a very good thing ™ to cut down your attack surface, or at very least, take some sort of control as to what info can easily be leaked from your web browser, which, for most users, is the primary interface for the Internet.
Innocuous as they seemingly are, even TV sets are often connected to the internet, the interface is of course pretty closed and basic, and offer little (or no) privacy controls, there’s not too much you can tweak, after all, they *do* want your data, mentioning no names (but a particular S.Korean manufacturer does spring to mind) yet they, and almost all other set-top boxes now report back to base for updates and ‘fixes’ but also with varying degrees of snoopingness, and so it is with the ‘Internet of Things’ and ‘big data’ it’s not just an American thing either, here in old Blighty it’s welcomed by the people collecting it, and most people (users) dont know or care. It’s getting worse too.
A computer is different however, ‘browser finger-printing’ as it is known, is something we need to be aware of, as we have much more control of what data can be leeched from us in the operating system, so here we will discuss a few of those simple tips for at least keeping the worst of it all somewhat at bay, and bear in mind, while you can not really be anonymous on the internets, you can limit the info leaked from your browser, of course it’s a sliding scale between web functionality and privacy, and you will need to find the compromise that works for you, it’s a huge subject and not one i even aim to skim the surface of here, but most people can quite safely tighten up their browser settings without too much inconvenience. The trade off between functionality and security and privacy is ON !
Browsers: Forget Internet Explorer, or Cordona (or core_dump or whatever it’s called nowadays) I won’t get into the why’s and why not’s, you can search that for yourself, forget Windows 10 even if you’re a ‘power user’ and you install the OS with all the crap apparently switched off, i believe it still phones home and it can even remove software you might have installed, and it does. There are numerous reasons not to use Win 10, the Internet is full of reasons why not, so I won’t waste your time or mine recanting them here.
Google Chrome isn’t privacy respecting, Google Chromium neither, as Google and friends all make money from adverts, Opera isn’t open source, so cannot be trusted either. Safari, nope, for similar reasons. Obviously ‘social media’ sites are huge sources of info, and of course are being constantly hoovered up by almost all agencies who want your data, there are many (true) scary stories about this, and the apparent Federal ‘Govt official’ who popped his head ’round the corner into Zuckerbergs office, whilst someone was doing an interview with Mark Zuckerberg.. i believe the Fed had a neighbouring office at Facebook HQ there and was maybe just popping in for a neighbourly ‘borrow a cup of sugar’
Firefox is where you might want to start then. Apart from being open-source, Firefox has developed a huge eco-system around itself, and for good reason too, (and because the web needs it) This does not stop Mozilla from screwing the thing up, they screwed the GUI then added crapware like ‘Pocket’ and stuff, but many eyes are watching, so you can get rid and disable crap you don’t want or need. It’s a good place to be in this case, and for privacy enhancements, there are many plugins which will help us.
You can use a ‘web Proxy‘ with all browsers, i won’t go into how, the link is clickable and will whisk you off to Wiki if you need to know more. Your ISP probably uses some kind of proxy, maybe a transparent one, but you can install your own, in days gone by we used to use ‘squid’ but a nice easy cross-platform one is called ‘Privoxy’ give it a look.
Windows obviously has backdoors (some would say it has front doors too, with carpeted steps, marble hallways and fountains welcoming you to the lobby) Later versions of Mac OS X phone home, though this is easier to stamp out, and Linux seems the best of the bunch in privacy terms, but even Ubuntu and derivatives have had a little flack for certain little blips in the past) though Linus Torvalds wasn’t pulling too many punches when he was asked to install backdoors in Linux
Really really forget Adobe Flash Plugin. apart from being an outdated CPU hog and full of crap code, it’s a rich bed of exploits for virus’ and all kinds of nasties, flash cookies and much more horror, uninstall it and don’t look back, html5 is here, i never miss it, i won’t pollute my OS with Adobe crapware, and i am glad Omniture is gone too, and the other crap it brings.
Have a look at this website www.privacytools.io which explains much more, and recommends you install some goodies.
TOR is somewhat compromised, it can be de-anonymised quite reliably, (questions were asked about those that originally devised it) and planned talks at ‘Blackhat’ on TOR de-anonymisation didn’t go ahead.
Ublock Origin is a low CPU/ RAM adblocker and HTML firewall. like many adblockers it kills Youtube pre-rolls too which is nice in the Ublock Origin settings, enable all the blocklists too. It also adds element hiding functionality.
Once again, like with almost all software, check all of default options and whitelists, as it’s up to you to tweak the tools once you have them installed and enabled, as supplying the software with overly restrictive defaults or whitelists can cause support headaches, and are usually not offering nearly as much protection as they can, instead, preferring users to wind up the security as they progress, and learn what they need as they go along. I delete all whitelists myself on newly installed extensions, as i don’t trust someone elses’ idea of what domains are acceptable.. see Steve Gibson’s excellent site (and podcast) at GRC.com mentioning the tyranny of the default..
Taking the steps outlined on www.privacytools.io and doing the about:config tweaks will take care of most of the main privacy leakage, and Ublock origin cleans up most of the adverts and trackers and annoyances.
For hardened Firefox tweakers there’s ‘Configuration Mania’ which has a few more tweaks, some (not all) of which are available in browser spoofing agent.. for example DOM storage and certain browser APIs.. they dont need to know that stuff.
With most of these extensions and plugins, do check the defaults, like with modern operating systems, much more functionality is enabled by default than you need, they ship default settings that don’t restrict much, and by definition, don’t work as much as they can, so check all default settings, don’t blindly accept them, experiment and reduce your CPU, battery drain, memory consumption, and increase your security, privacy and safety.
There are so many things to understand with this one, but really check these websites and get familiar with the these plugins and extensions, maybe you will leak a little info about yourself and increase your browser security a bit and understand more how our privacy is under threat, and how much crap is not needed on the web to get your stuff done, and even improves your surfing experience.. indeed how much crap and bloatware in being included in almost all popular operating systems is another rant i won’t got onto, i would run out of server space.. but Dear Microsoft and Apple.. yes, and even Linux distro vendors, take note. stop filling the OS full of crapware, desktop search / web integration, social media integration etc etc.. but i fear Apple & Microsoft are already lost causes, as software vendors also often ‘dumb down’ the functionality and hide features and configuration tools from users, as is the fashion nowadays, and most users just accept the default settings and carry on, but with many agencies around the web collecting all your info, it really is time to wise up to all the dumbing down that’s going on, and as Radio Amateurs, we’re still (mostly) a technically savvy bunch, it isn’t beyond the realms of most of us to take these steps.. it’s a jungle out there…
sites with a little more reading or listening and geek appeal, some are quite deep and involved.
Paul Security Weekly a slightly more heavyweight but funnier / more drunk uber geek security podcast & more
Infosec podcast from Sans Internet Storm Center –
All work, text and images © GB7MB