
Fine-Tuning Firefox for Privacy

When you browse the Web, you're not alone on the wire: advertisers and corporations track you, and maybe someone, or something, is snooping on your connection for passwords or to turn your browser into a zombie.

1. Use HTTPS

The last couple of years saw many attacks on the Secure Sockets Layer (SSL), from obsolete encryption algorithms to full-blown SSL certificate forgery that makes it to the browser's list of trusted Certificate Authorities (CA). [1][2][3]

One recent development in SSL vulnerabilities was a demonstration that a supposedly secure session can be transparently taken over when it is not initiated over HTTPS. You type a hostname in the location bar of your browser, and it defaults to the HTTP protocol, which transmits everything over the Internet in the clear. At this point, an attacker can "upgrade" your insecure session to HTTPS, and from there make you, and your browser, believe that you're safe. The EFF released a protection add-on for that purpose. It translates plain HTTP links to Transport Layer Security (TLS, the name of SSL after version 3) when possible, before the actual connection occurs. Your traffic is thus encrypted by default, which provides another layer of security.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2409
[2] http://www.insideofiran.org/en/categoryblog/536-iranian-hacker-claims-responsibility-for-fake-ssl-certificates.html
[3] http://www.kb.cert.org/vuls/id/120541
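The rewrite step described above (turn an `http://` link into `https://` before any connection is made, and only when the site is known to support it) can be sketched as follows. This is an added example, not code from the EFF add-on; the rule format, the `RULES` list and the function names are assumptions made for illustration.

```javascript
// Hypothetical ruleset (constructed for this example): hosts known to serve
// the same content over TLS, with optional path exclusions that stay on HTTP.
const RULES = [
  { host: "example.org", includeSubdomains: true, exclude: [/^\/legacy\//] },
  { host: "mail.example.net", includeSubdomains: false, exclude: [] },
];

// Match on a label boundary so "notexample.org" never matches "example.org".
function findRule(hostname, rules) {
  return rules.find((r) =>
    hostname === r.host ||
    (r.includeSubdomains && hostname.endsWith("." + r.host)));
}

// Returns the URL to actually request. It runs before the request is sent,
// so the first request never leaves the browser in cleartext.
function upgradeUrl(raw, rules = RULES) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return raw;                            // not an absolute URL: leave untouched
  }
  if (url.protocol !== "http:") return raw; // already https:, or another scheme
  if (url.port !== "") return raw;          // non-default port: no known TLS twin
  const rule = findRule(url.hostname, rules);
  if (!rule) return raw;                    // "when possible": no rule, no rewrite
  if (rule.exclude.some((re) => re.test(url.pathname))) return raw;
  url.protocol = "https:";
  return url.href;
}
```

Hosts without a rule are left on HTTP, which is why the protection is only as good as the ruleset's coverage.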

2. Restrict JavaScript

With Web 2.0, chances are the page you load comes from many different sources: mashups, aggregated feeds, widgets, and of course advertising. While browsers use a "Same Origin Policy" to prevent third parties from injecting arbitrary code into the page you're reading, "social services" multiply the ways to allow it, from their own "trusted" sources, whose trust is usually measured in some national currency. NoScript allows you to restrict who can run JavaScript on the pages you visit, and offers extra protection against cross-site scripting (XSS).

3. Remove Trackers

Local Shared Objects (LSO) provide persistent storage for websites. Unlike cookies, which are limited to 4KB, LSO can store up to 100KB without the user noticing. Another type of tracker comes from social networking sites: when you're logged in, they can track you when they invite you to "Like", "follow", or "+1" content or people. Simply by loading the page, you reveal what you are currently viewing to the service. Not very subtle, and potentially invasive: Priv3 solves this by neutralizing the code unless you interact with the said button.
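A simplified model of that idea, as an added example rather than Priv3's own code: a passive load of a social widget is sent without the headers that tie it to a logged-in person and to the page being read, until the user clicks the widget. The tracker list (reserved example domains), the request shape and the function names are assumptions.

```javascript
// Hypothetical tracker list (constructed; reserved example domains).
const SOCIAL_HOSTS = ["social.example", "widgets.microblog.example"];

// Match on a label boundary: "www.social.example" matches "social.example".
const matches = (host, base) => host === base || host.endsWith("." + base);

// request:    { pageUrl, url, headers } for one outgoing request.
// interacted: Set of tracker hosts whose widget the user clicked on this page.
// Returns the headers that are actually sent.
function filterRequest(request, interacted = new Set()) {
  const page = new URL(request.pageUrl).hostname;
  const target = new URL(request.url).hostname;
  const tracker = SOCIAL_HOSTS.find((h) => matches(target, h));

  // Not a social widget, or a first-party visit to the social site itself:
  // leave the session alone so the user stays logged in there.
  if (!tracker || matches(page, tracker)) return { ...request.headers };

  // The user clicked the button: from now on the widget may identify them.
  if (interacted.has(tracker)) return { ...request.headers };

  // Passive load: drop what identifies the person (Cookie) and what reveals
  // the page being read (Referer); everything else passes through.
  const sent = {};
  for (const [name, value] of Object.entries(request.headers)) {
    const n = name.toLowerCase();
    if (n !== "cookie" && n !== "referer") sent[name] = value;
  }
  return sent;
}
```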

4. Blur Your Identity

The browser identifies itself with a User-Agent (UA) string. It's often used by websites to customize (or fix) the website to work with your browser. Chances are that if you're not an Internet Explorer user running Windows, you're part of a tiny community where your UA can play an important role in identifying your browser uniquely. You can check out what kind of marketing profile you have in your browser.

Note on DO NOT TRACK: "the industry" is currently promoting an opt-out system, dubbed NAI for Network Advertising Initiative, to allow users to choose not to be tracked. Incidentally, opting in to this opt-out will mark your browser as part of the ad-hostile population, which translates into "privacy-concerned citizen" (AKA the enemy.) Privacy advocates warn that the NAI doesn't clearly define what "opt-out" means, and recent research demonstrated that it goes from "delete" to "acquire less data", depending on the company.

The best opt-out is not to participate, and to keep your browser free from third-party cookies, as well as LSO. But as your browsing session lasts longer, your fresh profile sharpens. Some years ago, when cookies were the True Evil(TM), there was a cookie exchange program. Forging an entire marketing profile would be rather helpful, as an empty or thin profile can identify you as wary of advertising, and single your connection out from the masses. That's a two-edged blade.

5. Using Proxies

Proxies are great for accessing regionally restricted content: if you want to watch the latest South Park episode or access a scientific paper on ACM, using a proxy that makes you appear as a genuine American connection, or as originating from an authorized university, is the way to go.

Using proxies in combination with other methods (e.g., blocking cookies) can also confuse some trackers, as your IP may change for every connection you make to the website. As Tor comes with a full proxy stack, I'll skip that one and proceed to it.

6. Using Tor

The Onion Router (TOR, "gate" in German) provides a way to make your connection anonymous by passing it through the Tor network, so that the final destination won't see your own IP address, but that of an "exit node".

But something that is often overlooked by the less technical Tor users is that the Tor network is not a rainbow island with lots of friendly people cooperating for protecting their privacy, but a hostile environment where some nodes actually spy on the traffic to discover gems left by unsuspecting users: that is why the default configurations prevent Flash and other plugins from working, to protect you from common attacks using these vectors. [1][2]

Tor users must be aware that using non-encrypted protocols over the Tor network can lead to information disclosure to hostile third parties. When browsing through Tor, or any third party proxy for that matter, you cannot trust the intermediate nodes, and you should be wary of transmitting anything sensitive that is not properly encrypted.

Please take the time to read the two or three pages of instructions for installing and using Tor; it will save you a lot of trouble.

7. Multiple Profiles, Multiple Browsers

Firefox supports defining different profiles with their own history, add-ons, and their private cookie store. But you cannot run one instance of Firefox with two different profiles at the same time. Instead, you need to run different browsers, or run it with different users, which can be cumbersome. One solution could be to maintain a browser for a specific service, e.g., to access your bank account. In practice, this is hardly ever the case, but it's still worth mentioning.

8. You're never secure

Security is a compromise. It's a trade-off between the cost of protecting your data vs. the cost of stealing it. When the data is worth it, there's no way you can prevent clever people from crafting a successful attack. As I was researching links for this article, I bumped into a new kind of phishing attack, dubbed "tabnabbing". That one even works when you have NoScript loaded with all scripts disabled (this has been fixed in NoScript Go figure.

I don't want to play the pessimist paranoid freak, but I want to draw your attention to the fact that sooner or later, you'll be confronted with that kind of danger. My recommendation: use peer-reviewed free software, keep your system up-to-date, and be vigilant when you're dealing with your credentials.

You can also test your browser's security at Browserscope.org.

9. Conclusion

A lot of effort is made to track users on the Web. Most Web 2.0 companies are selling, and capitalizing on, user data. There is a strong incentive for the "market" to keep your data accessible in one way or another to advertisers: using cookies of course, but also LSO, JavaScript code that's loaded from a central location, as well as patterns that make your browser more unique than you suspect.

In Wonderland, it wouldn't be too much of a problem. But where people's brains are at stake, every bit of information can make your brain more valuable. Guess what: you won't see a dime from your valuable online activity.

The model is simple: if you use a service, you're free to do whatever you want with your data. But the service too, and there's no way for you to prevent it from doing it. So, what's the problem? After all, they use the data to improve the service, right? Well, consider it from another point of view: by using the service, you-and-many-others provide a unique work that you're not paid for. Yes, but you don't pay for the service, do you? That's the catch: the service is provided free, so that many will use it, and it will get better, and its users' marketing profile will become more accurate.

What happens when we're forced to go encrypted, e.g., to counter stupid government policies that want to restrict our freedom or threaten our lives? Isn't the whole "free service" model going to hit a paradoxical wall? As long as encryption remains marginal, the general advertising model will hold. But when encryption tools become the norm, who is going to pay for the "free services"?

I'm eager to hear from you, about this issue, or your own tips and tricks to protect your and others' privacy online. If you think you have nothing to hide, please upload a naked picture of yourself, that might interest someone else.

See also https://www.eff.org/wp/six-tips-protect-your-search-privacy



    • caedes

      nice one! thx a lot for the article.

      • hellekin

        Sweet.  I didn't mention the plethora of add-ons to change the User-Agent, because I didn't review them.  Search AMO for "User Agent" and see for yourself. (And come back with answers :))

        • sem

          Interesting article. I'm getting interested in security topics, and I want to learn more about XSS and Tor.

          • hellekin


            • Added Certificate Patrol, your protection against SSL Man In The Middle attacks, by our good friends at PSYC.  Once considered a paranoid solution, it's now a recommended practice by W3C to check the certificate chain and watch out for fake SSL certificates.  CP is to SSL MITM attacks what SSH keys are to SSH MITM: when something's wrong, it tells you by exposing the certificate chain.  Read the full explanation at http://patrol.psyced.org/.
            • Did you know that social networking sites like Facebook, Google+, and Twitter can track your visits to any web page that uses the familiar "Like", "Follow", or "+1" buttons, even if you do not actually click these buttons?

              The Priv3 Firefox extension lets you remain logged in to the social networking sites you use and still browse the web, knowing that those third-party sites only learn where you go on the web when you want them to. All this happens transparently, without the need to maintain any filters. Priv3 is free to use for anyone.
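The comparison made in the comment above between Certificate Patrol and SSH keys amounts to trust on first use: remember the certificate a host presented, and speak up when a different one appears. The sketch below is an added example, not Certificate Patrol's code; the record fields, the 30-day renewal window and the two warning heuristics are assumptions.

```javascript
const DAY = 24 * 60 * 60 * 1000;

// store: Map of host -> last accepted leaf { fingerprint, issuer, notAfter }.
// leaf:  the certificate just presented; notAfter and now are epoch millis.
function checkCertificate(store, host, leaf, now, renewalWindowDays = 30) {
  const known = store.get(host);
  if (!known) {
    store.set(host, leaf);                 // trust on first use, like SSH
    return { status: "first-seen", warnings: [] };
  }
  if (known.fingerprint === leaf.fingerprint) {
    return { status: "unchanged", warnings: [] };
  }

  // Different certificate: report it and say why it looks unusual. The stored
  // record is NOT overwritten here; that only happens once the user accepts.
  const warnings = [];
  if (known.issuer !== leaf.issuer) {
    warnings.push(`issuer changed: ${known.issuer} -> ${leaf.issuer}`);
  }
  const daysLeft = Math.floor((known.notAfter - now) / DAY);
  if (daysLeft > renewalWindowDays) {
    warnings.push(`previous certificate was still valid for ${daysLeft} days`);
  }
  return { status: "changed", warnings };
}

// Called only after the user has inspected the chain and agreed to the change.
function acceptCertificate(store, host, leaf) {
  store.set(host, leaf);
}
```

A routine renewal (same issuer, old certificate about to expire) still reports "changed" but carries no warnings, while a new issuer long before expiry carries both.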