Heyha !
This is probably going to be long take and it’s late here in europe… So for those who bare with me and are ready to read through my broken English, thank you.
I’m personally concerned about how my data and my identity is used against my will while surfing the web or using/hosting services. Self-hoster and networking enthousiast, I have some entry/medium security infrastructure.
Ranging from self-hosted adblocker, dns, router, vlans, containers, server, firewall, wireguard, VPN… you name it ! I was pretty happy to see all my traffic being encrypted through wireshark and having what I consider a solid homelab.
Also having most undesired dns/ads blocked with adguard in firefox with custom configuration, blocking everything, and changing some about:config options:
- privacy.resistFingerprinting
- privacy.trackingprotection.fingerprinting.enabled
- …
I though I had some pretty harden security and safe browsing experience, but oh my I was wrong…
From pixel tracking, to WebRTC leaking your real ip, fonts fingreprinting, canvas fingreprinting, audio fingerprinting, android default keyboard sending samples, ssl certificate with known vulnerabilities…
And most of them are not even some new tracking tech… I mean even firefox 54 was aware of most of these way of fingerprinting the user, and it makes me feel firefox is just another hidden evil-corp hiding with a fancy privacy facade ! Uhhg…
And even if you somehow randomize those fingerprint, user-agent and block most of those things, this makes you stand out of the mass and makes you even easier to track or fingerprint. Yeah something I read recently and it actually make sense… the best way to be somehow invisible is actually to blend into the mass… If you stand out, you are pretty sure to be notices and identified (if that makes sense :/)
This really makes me depressed right now… It feels like a losing battle where my energy is just being wasted to try to have some privacy and anonimity on the web… While fighting against the new laws ringing on our doors and big tech company always having two steps ahead…
I’m really asking myself if it really matters and if it actually make sense to use harden technology or browsers like arkenfox or the tor browser whose end node are mostly intercepted by private institutions and governemental institutions…
I’m probably overthinking and falling into a deep hole… But the more i dig into security and privacy, the more I get the feeling that this is an already lost battle against big tech…
Some recent source:
You must log in or register to comment.
deleted by creator
Do not overthink they want to know about you everything.
That’s true, they probably already have everything they need… It’s not only about my personal data, and my example only points out to the web technology, but everywhere around us are some data hoarding devices that are either used to targeted ads, campaign, profiling, IA dataset feeding… whatever !
It feels like we already lost our right to privacy and how personal data, telemetry is used as a whole in our society…
deleted by creator
In my experience, the key is also using critical thinking and taking things slow. There’s no shame in needing time to get the model right, and so, not rushing to adopt every new tech, and app, helps, too. And using common sense: when the entire infosec industry uses a given software (for example Signal), and it has been audited, even if you can’t understand the audit or the source code, this should mean more to you than simple popularity (for example WhatsApp).
And yes, compromises are key, but one should also be able to identify where compromises are impossible (for example using WhatsApp and retaining privacy. The protocol is great but the app might be leaking your keys regularly, as “backup”, for your “convenience”, etc). And in such case, damage control is essential. Separate devices, opsec, etc.
Last point, they do not care about much. But, to reliably get that 1% they care about, they need to scan 100%. And then why not store that anyway, just in case, since storage is so cheap?
Edit: Crossed out slightly out of date recommendations, see comments.
Do not confuse privacy with anonymity. Your goal is not to defend against governments or other entities with limitless resourced, but against profit oriented companies. By reducing the amount of data you leak and obfuscating what is left, your data becomes progressively worthless as you improve your setup. This is a good thing, because companies will focus their limited resources on areas with a higher profit margin.
Given your description, I think the network side of IT security is pretty much top notch, firmly in the top 0.1% if not 0.01% of users. However most of the tracking happens at the browser level, so it alone does not protect you that much.
Firefox is a solid base, but it is optimized to not break any websites, rather then providing maximum privacy. You can try to tweak settings manually, but I’d rather recommend you to use LibreWolf on PC and Mull on Android. Both are pre-configure, hardened versions of Firefox, that also have proprietary Mozilla features like “Pocket” and some telemetry removed form the source. A standard install has basically no downsides, 99.9% of sites work normally and privacy is quite good.
Librewolf has ublock origin pre-installed and pre-configured with sane defaults. I’d recommend the following additional addons:
- Decentraleyes: Local CDC cache to reduce third party requests. Improves privacy, performance and doesn’t break anything. No configuration needed.
Privacy Badger: Prevents some interactive features (disqus comment section, embedded youtube player, etc) from loading until explicitly confirmed with a mouse click. Also prevents some tracking in the background, but that might eb covered by ublock already.- Cookie AutoDelete + I still don’t care about cookies: This combo silently suppresses all cookie pop-ups, allows them for the session and cleans up afterwards. This is different then disabling all cookies, and does not brake websites then rely on them while providing all privacy benefits.
- Disable WebRTC: WebRTC can leak your IP address, but disabling it breaks eg. real-time video calls. This plugin is a simple toggle, only turn it on when you need to.
If you are willing to do some fine tuning or accept broken sites, consider also:
- noscript: Most privacy leaks happen because of Javascript, but disabling it basically makes the modern web unusable. noscript offers a middle ground to enable/disable javascript on a domain-by-domain basis. Can be annoying at times, but arguably the best way to defend yourself.
Canvas Blocker: WebGL powers most of the advanced visuals, and can read out a lot of data that is used for fingerprinting. This plugin can randomized requested data to protect you, but it also brakes sites in weird and unexpected ways. It’s powerful, but I rarely use it these days.
And finally consider some obfuscation techniques to throw of the remaining trackers. Right now I only use one, and highly recommend it because of its effectiveness:
- Font Fingerprint Defender: Using javascript, websites can read out the list of installed fonts on your device. Some programs install fonts in the background when opening a document with missing fonts, so this list is highly unique for each user and effective for tracking. The plugin throws is some noise, and causes automatic systems to detect you as a new unique user each time.
All of this throws off the vast majority of trackers, and puts you in the top 0.1% of users. Yes, this also makes you kinda “unique”, because websites may notice the effort you put in to defend yourself. Bad idea if you try to hide from the government, you should be using TOR for that anyway, but great to signal companies that you are not worth the squeeze.
Keep your head up bro. The situation is not as terrible as it may seem, but companies want you to believe that, so that you don’t even try.
Some of your recommendations on extensions are a bit out of date
Thanks for the heads up, my setup is indeed 6-12 months old. My thoughts on the linked list:
- uBlock origin is the #1 recommended plugin, and can make some other plugins redundent, see below
- Decentraleyes only helps only for some scripts/sites and may be fingerprintable. Considering that it targets major CDNs and it’s widespread use, I still think it’s benefits outweigh the possible downside, especially if used in conjunction with a good VPN, so its optional but I’d keep it.
- Privacy Badger used to be unique in that it creates a custom blocking list based on your behavior. There was some security and privacy vulnerability with this method, so it’s no longer done. It depends now solely on a pre-trained list just like uBlock origin, offers no additional features and should be removed.
- Cookie extensions may give you a false sense of privacy as they do nothing for IP tracking or other vectors. However they do patch one area, and are useful if used correctly and together with other methods.
- noscript is technically covered by uBlock origin as well, but the UI is far superior and you’ll be using that a lot.
- Canvas Blocker was an optional plugin to begin with, and starting Firefox 120 the FPP (Fingerprint Protection) can subtly randomize canvas, hopefully with less problems. You should be using this build in feature instead of the plugin.
- Font Fingerprint Defender is the one plugin that broke tracking on fingerprint.com, combined with VPN IP change, despite javascript being enabled. If you care about privacy, and not anonymity, you should still be using this.
Thanks for the summary and edits 🫶
Is this about browsers or about privacy in general?
But your privacy should be tailored to your specific threat model and desires. Or, you can choose to be private as possible while keeping your convenience, and slowly be more private. You should not just be hardcore and right away. This will leave you feeling hopeless.
As far as browsers, i recommend Librewolf or mullvad browser, or Brave for Chromium. You do not need to use TOR for everything. A good quality VPN like mullvad vpn or proton is more than sufficient for most people.
This post was about browsers but my feelings when I wrote It was a more general “conclusion”. I only found out recently about some “hidden” privacy concerns with browsers (WebRTC leaking your real ip, fonts fingreprinting…) But when I found out about android’s default keyboard sending samples, IOT weaknesses, smart devices data hoarding… It really feels like a losing battle while being connected to the world…
yeah the android thing is a huge privacy hole. getting a custom OS like Lineage, Calyx, or Graphene should be in everyone’s top 3 first things to do. it will plug a lot of holes.
dont worry. this step isnt super difficult, definitely not a losing battle. just take it one step at time! i did the same, and i feel like im in a good place now, so it’s definitely doable :)
My mindset is that, if they make me work so hard to be private, I’m gonna do all in my power to make sure they work even harder to get my data.
Privacy is a personal thing. Everyone does it for their own reasons. For me, I’m just sick of wading through adverts, targeted outrage and my details being sold to every company under the sun for profit so I cut down on every opportunity for those companies to harvest that stuff.
As far as governments go, I’m not sure anything I say or do is remotely of interest to them so it matters less to me on a personal level, but I also appreciate that people like whistle-blowers, activists, abuse survivors and journalists do care about those things so I fully support any measures that help support them.
From pixel tracking, to WebRTC leaking your real ip, fonts fingreprinting, canvas fingreprinting, audio fingerprinting, android default keyboard sending samples, ssl certificate with known vulnerabilities
All those things have ways of being tackled to some degree or other. Depending on your browser, WebRTC leakage for example is either a setting or an extension away.
Don’t lose sleep over privacy. Just set goals and try to meet them.
I’ve kind of come full circle on all this to where I no longer care. The slippery slope arguments are largely hypothetical imo…Google knows some stuff about me and attempts to show me ads, the vast majority of which I block, so what?
I pay taxes, have a social security number, my bank and credit card companies know my purchase history, the credit bureaus know my mortgage payment and lender, etc…
The myth of an off the grid life is exactly that, a myth. And what does it achieve for you other than some vague sense of idealistic pride?
Google provides tremendous utility to the world essentially for free; its search engine, maps, mail client apps, browser, etc. are tools billions of people use every day. How do they maintain a global network of data centers and localize their products to hundreds of languages…none of that is free. If big companies want to give them money in an attempt at to get me to pay attention to them then so be it, let them finance it. Imagine if only those who could afford to pay could use these tools.
It doesn’t have to be black and white. As many comments have already mentioned, it all depends on your threat model. Sure, it’s literally impossible to be completely private or anonymous unless you never go online and live like a hermit, but that doesn’t mean you can’t take steps to minimize what personal information companies get from you. You can still care about your private data while at the same time not sacrificing convenience.
I’ve kind of come full circle on all this to where I no longer care.
I’m at a similar point. I saw how people who don’t think about privacy handle the world and realized its not so bad.
In the end its all datamining for targeted ads, which only works if I can see the ads they’re trying to target me with.
It also helped that I had a job directly working with the kind of data I worked so hard to block and saw both how unreliable the data was, and how much companies struggle to actually put that data to use
Haha yes! People assume data brokers “know” a lot about a person, but really it’s fuzzy signals. It is far from a crystal ball or a perfect record of every website you’ve ever visited, etc…
Kind of agree. Trying to get total privacy is exhausting. I used to be so deep into getting extensions, sorting out my browser profile, getting private email blah blah the list goes on. I now do the bare minimum I possibly can because I just can’t be arsed with it all. I have more important shit going on than to constantly worry about some one looking at my data. Yes, there’s definitely things I want to be private, and I do limit using stuff like cloud storage etc, but the rest just seems overkill right now.
Google provides tremendous utility to the world essentially for free; its search engine, maps, mail client apps, browser, etc. are tools billions of people use every day. How do they maintain a global network of data centers and localize their products to hundreds of languages…none of that is free.
👢👅
🙄
Yeah, so what ?
Do you know how Gnu / Linux makes money ?
At some point it is not about individuals but big corporations that need their services, and they buy them.
They should have built their business model as per their financial requirements from the outset then, if that was the problem for them.
But that should not justify or excuse them for doing things that are immoral and unethical.
Sounds more like a greedy approach than anything.
If I was an ethical and moral CEO of Google, and sought it costly to maintain such a huge infrastructure for millions of people around the world that are using their services freely, I would have made measures to shut them down or close them, instead of maliciously inserting things and harvesting stuff from them.
Then if they have such data, then they should be held accountable and responsible in the future for any damages as a result of their work processes, and that happened many times historically speaking. And any crime that happens, they either offer evidence or be complicit to hiding fugitives. Which alone is a process that will cost them alot, just having to do it, and cooperate w them any governmental party.
If I get in trouble in the future, I sure would love to have Google assist me in proving that I was innocent, by providing evidence through data that it has. But would they be willing to do so?
This is very interesting in a way to think about, as it shows where their weakness lies in their business model, and where they are strong.
But it goes to show how monopolistic they are, and, if anything, neglectful to basic human rights. Where I’m from, privacy is a human right. So there are many dimensions to take into consideration here - but ultimately they are only a small aspect of this whole complex dimension to boot.
Ultimately, it is their fault for not setting up their business model to meet up with their own financial requirements. And not ours.
Pretty much this. I get the “you don’t know what the bad guys will criminalize next” argument, but I have a hard time seeing it, when it comes to my browsing patterns.
My model is more about the ability to surf the web without SPAM coming at me from all possible sides and avoiding services like Google Drive, iCloud etc not much because of the data privacy aspect but more because I don’t to become hostage of one of those companies because they’ll decide to charge more and/or lock me out of my account without any way to get back to it.
Doing things like self-hosting, using ungoogled chromium, LibreWolf and a bunch of the extensions listed by others fixes the “SPAM and hostage issue” with the added bonus of some privacy.
Don’t get stuck into https://en.wikipedia.org/wiki/Learned_helplessness or perfectionism! So :
- every step counts
- even if you are not entirely private in anything you do, you can still be more or less exposed
- you are not alone in that struggle, we ALL are, from CEOs to politicians to random folks, we are all threatened and must help each other
- alternatives DO exist (as a personal example, I don’t use Google, WhatsApp, TikTok, etc) and enjoyable
- it’s not just technical but also psychological. If you focus on the technology it can be daunting, if you focus on usage it gets easier, ideally you combine both while insuring you don’t burn out.
You can do it, WE can do it! :D
Glad you asked.
South Carolina is offering free genetic profiling that does a full sequence and gives you health information and ancestry. My wife shared it to me and waited for me to go off about handing that information over to the government.
I didn’t even blink before saying let’s do it. Privacy is an illusion. Anyone that wants my DNA can get it by grabbing a discarded cigarette butt. The police do need warrants because they can just buy whatever information they want on you.
In the open source software movement “information wants to be free”. That applies to personal private information too.
Does that mean that in general you don’t try to protect your privacy because you feel it’s pointless?
That’s kind of how I interpreted your reply, and if that’s true what are you getting out of your participation in this community?
You’re psychotic and have quire possibly screwed any children you have out of health insurance in the near future. Congratulations.
When I went to the doctor about getting vasectomy they asked “Are you sure you don’t want to have any children?” “I decided at 13 that I should never have children. I knew that a 18 no doctor would touch me. I’m now 40 and you can’t argue with me.”
My wife made the same choice when she was 24. There will be no children. We have covered that on both ends.
Well, you pretty much screwed your siblings and their children, too.
Well thats good at least.
That applies to personal private information too.
And that’s where you and I disagree. Just like there’s a difference between public and private property, there’s a difference between public and private information.
Anyone that wants my DNA can get it by grabbing a discarded cigarette butt.
Stop smoking, that is bad for your health no matter what your DNA profile says
If you don’t protect yourself they will easily find you because of the information you leave everywhere, if you go full privacy mode you will stick out like a sore thumb and they will find you too but at least they don’t have much info.
- Use DoT
- Use Librewolf
- TOR has been compromised, use it sparingly.
Understand the fight. We have three major pipelines for leakage of inferences/data on the internet:
- IP
- Metadata
- Content we produce
How has tor been compromised? I know windows defender was throwing a false-positive for a trojan after an update back in September but that’s all I’ve heard
The NSA has always had multiple 0-days for TOR, but that’s beside the point. The current rumour is that the NSA controls more than half of the traffic on the TOR network, courtesy of them owning a massive number of high-performance nodes.
I’m going to read more on how i2p works, but if I see more NSA involvement I’m bucking out of that too
deleted by creator
whats DoT?
DNS over TLS
The more widespread variant is DoH which is DNS over HTTPS. e.g. the Android “Private DNS” feature is DoH or firefox has this also bultin as a feature.
But currently both are relatively useless, as there is no encrypted client hello in TLS. https://blog.cloudflare.com/announcing-encrypted-client-hello
The only benefit of using DoH/DoT is, it’s more unlikely that the Network Operator will serve you different DNS records.
Meh, IP is overrated. You have to pay extra to get a static IP. Just reset your router frequently, automate it if possible and you’re set. Doesn’t do anything about the ISP, of course.
deleted by creator
Here is a well-written summary of why it is important to keep things about you hidden to other entities.
No, you have something to hide
The text ist written is in Dutch. You can translate the website via Firefox to English.
It’s important to care, it’s important to make other people aware of it, it’s important to fight unnecessary data collection.
