How I (try to) Maintain Privacy on the Web
Apr 10, 2017 12:00
Introduction
Maintaining your privacy on the internet is a lot like trying to hit a moving target; there are new threats against it each day.
Let’s look at some of the privacy threats that I care most about and the tools I use and/or measures I take to address them.
JavaScript
JavaScript is pretty fancy stuff. It enables your browser to do some really neat things. It’s also a scary S.O.B. JavaScript can make your browser do things you may not desire and/or give away information you didn’t intend to. The thing that scares me most though is JavaScript sent in plaintext. This might allow my ISP, for example, to rewrite a JavaScript payload sent by my favorite site for watching cat videos. Perhaps in place of code which causes a video to load, my ISP inserts a snippet to load an advertisement, or worse, take a screenshot of my desktop.
JavaScript can also be used to un-mask VPN users thanks to WebRTC.
I deal with the JavaScript problem using two Firefox addons: NoScript, which lets me pick and choose which sources (if any) I want to load JavaScript from, and "Disable WebRTC" which, as the name implies, disables the WebRTC protocol. Many people rag on NoScript for different reasons. Some say it’s useless because it breaks the functionality or usability of some sites on the web. In my opinion, this says more about the major dependence on JavaScript than it says about the NoScript addon. In many instances, the same task can be accomplished equally well in CSS but everyone uses JavaScript anyway.
It’s worth mentioning here that there’s no known solution to the WebRTC problem in Chrome. You’re probably better off switching to an open source browser such as Firefox.
Analytics, tracking & finger-printing
If you start using the NoScript addon (and don’t trust JS from places like analytics.google.com in the addon) you get a reasonable level of protection from these threats as a freebie.
Another interesting solution is the usage of the hosts file to prevent your browser from talking to analytics services. A DNS lookup is one of the first things a browser does when it wants to go somewhere on the web. It can’t get there if the IP address is 0.0.0.0. Some kind citizen on the web maintains a list of analytics services in easy to consume formats (hosts file, iptables, unbound, etc.). Pro tip: use 0.0.0.0, it’s faster than using 127.0.0.1.
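An added example, not from the original post: a hosts-format list downloaded from a third party is worth checking before it goes into your hosts file, because a line that maps a name to anything other than a sink address redirects that name instead of blocking it. This Python script rewrites every accepted entry to 0.0.0.0, de-duplicates, and rejects suspicious lines; the sample list and its example.* domains are constructed.

```python
import re

# Constructed sample of a downloaded hosts-format blocklist (hypothetical domains).
SAMPLE_BLOCKLIST = """\
# analytics blocklist (constructed sample)
127.0.0.1 localhost
127.0.0.1 tracker.example.com
0.0.0.0 metrics.example.net  # inline comment
0.0.0.0 Tracker.Example.com
0.0.0.0 stats.example.org cdn-stats.example.org
10.1.2.3 redirect.example.com
0.0.0.0 bad_host!.example.com
"""

SINK_ADDRS = {"0.0.0.0", "127.0.0.1"}   # the only addresses a pure blocklist needs
KEEP_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost", "local", "0.0.0.0"}
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def valid_hostname(name):
    """Accept only dotted names made of plain DNS labels."""
    return len(name) <= 253 and "." in name and all(LABEL.match(p) for p in name.split("."))

def normalize_blocklist(text):
    """Return (sorted hostnames to block, raw lines that were rejected)."""
    blocked, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr not in SINK_ADDRS:               # maps a name to a real IP: a redirect
            rejected.append(raw)
            continue
        for name in (n.lower() for n in names):
            if name in KEEP_LOCAL:               # leave the system's own entries alone
                continue
            if valid_hostname(name):
                blocked.add(name)
            else:
                rejected.append(raw)
    return sorted(blocked), rejected

def render_hosts(blocked):
    """Emit hosts-file lines that all point at 0.0.0.0."""
    return "".join(f"0.0.0.0 {name}\n" for name in blocked)

if __name__ == "__main__":
    hosts, bad = normalize_blocklist(SAMPLE_BLOCKLIST)
    print(render_hosts(hosts), end="")
    for line in bad:
        print("rejected:", line)
```

Review the rejected lines by hand before appending the rendered output to your hosts file.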
You may also want to look into the "Random Agent Spoofer" addon for Firefox which, with some minor tweaks, can modify your User-Agent at random (or regular) time intervals to disguise information about your OS, OS version, browser and browser version. One small piece of advice with this addon is that you should probably avoid telling sites that you’re using Chrome when you’re actually on Firefox. In my experience, when I must enable JavaScript on a site, it almost never works out well if I masquerade as a Chrome user. Luckily, the User Agents that the addon switches between are configurable.
In addition to the aforementioned, it would be wise to use a VPN service to mask your true location on the planet. I won’t go so far as to recommend any particular provider. Instead I’ll point you to this site which will let you compare many different providers side-by-side.
Other Thoughts
Taking all of the measures above on a desktop running inside of a VM can be a real differentiator as far as privacy is concerned.
I know that most all of the tools I mentioned here are Firefox specific. With the exception of the "Disable WebRTC" addon, I’m pretty sure there are analogs for Chrome if that’s your browser of choice.