[clug] Private Browsing?
Mike Carden
mike.carden at gmail.com
Mon Jun 24 04:02:36 UTC 2019
Also, the link to Martin's presentation summary:
https://lca2019.linux.org.au/schedule/presentation/248/
And the YouTube video of his talk:
https://www.youtube.com/watch?v=Zbrg46I4kOA
--
MC
On Mon, Jun 24, 2019 at 1:58 PM Mike Carden <mike.carden at gmail.com> wrote:
>
>>
>>
>> "How we are tracked over the Internet" would be a great topic for
>> CLUG, if anyone had the knowledge.
>>
>>
>>
> Well, those who attended LCA2019 would have had the opportunity to see a
> talk on this subject from Martin Krafft. Here is his follow-up email from
> the talk:
>
> Dear conferencers,
>
> Thanks to those who attended (or will watch the video about) my talk
> on fighting Web trackers, and reducing your footprint while browsing
> the Web.
>
> Here are the browser extensions I introduced, so that you can check
> them out at your leisure. I am using Firefox, but most of these
> should be available for Chrome as well. Most importantly, however,
> these are all maintained and Free, so you can consider this list as
> bootstrapping your due diligence towards a more private browsing
> experience.
>
> Please let me know if you have any comments or additions.
>
> 1. https://github.com/gorhill/uMatrix, comprehensive
> resource/sub-request blocker, which eclipses your standard
> ad-blocker, and can do a whole lot more. By the author of uBlock
> Origin (https://github.com/gorhill/uBlock), but more bare
> bones.
>
> 2. https://decentraleyes.org/, serve commonly used Web 2.0 fabric
> (e.g. jQuery) from localhost to avoid pinging 3rd parties/CDNs
> helpfully hosting that stuff.¹
>
> 3. https://github.com/Cookie-AutoDelete/Cookie-AutoDelete/,
> flexible white-/greylisting, and removes cookies on blacklist
> after a configurable amount of time.
>
> 4. https://github.com/kkapsner/CanvasBlocker/, fuzz two
> commonly used fingerprinting methods to make it harder for the
> remote to profile you.
>
> 5. https://www.eff.org/https-everywhere, ensure you don't leak
> plain text information to snoops on your way.
>
> 6. https://addons.mozilla.org/en-US/firefox/addon/random_user_agent/,
> https://leotindall.com/randomua/ and
> https://github.com/ray-lothian/UserAgent-Switcher, three
> extensions I'm to spoof and fuzz your user-agent. I haven't
> quite made up my mind as to which one is best, yet.
>
> 7. https://addons.mozilla.org/en-US/firefox/addon/block-service-workers/,
> dis-allows those potentially long-running threads that can
> persist way beyond your web site visit from registering.
> Complements uMatrix's control of Web Workers.
>
> 8. https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/,
> Handy means to control Firefox's built-in containers, which
> isolate your browsing of certain data-hungry websites from the
> rest of your activity.
>
> 9. https://github.com/mozilla/lightbeam-we, visualise 3rd party
> requests.
>
> 10. https://developer.mozilla.org/en-US/docs/Tools/Network_Monitor,
> An introduction to using the network monitor to trace what your
> browser is doing on the wire.
>
> 11. https://browserleaks.com/, a frightening collection of
> fingerprinting methods you can use to track your progress.
>
> 12. https://panopticlick.eff.org/, EFF's anti-tracking checker.
>
> Finally, Ben asked the question what to use for the less
> technically-inclined. EFF's privacy badger
> (https://www.eff.org/privacybadger) uses machine-learning to figure
> out whom you trust, and while I personally want more control and
> transparency of what's going on, this "privacy-by-default" approach
> is great for people who don't want to configure anything. Privacy
> Possum (https://github.com/cowlicks/privacypossum) is an attempt
> to improve on that by someone who worked on PrivacyBadger.
>
> Stay safe, keep private,
> Martin
>
> Footnote:
>
> ¹) There are people who use transparent proxies for this, but SSL
> makes that harder and harder. So what about the browser cache?
> It's true that your browser should be able to just indefinitely
> cache these immutable resources. However, I don't trust that, nor
> the companies to set the expiry headers correctly, and apart,
> I believe that caching really only prevents re-transfer, but still
> pings the HTTP host to find out what the current timestamp/eTag is.
>
> For instance, I picked a random static piece of content from
> about:cache: https://assets-cdn.github.com/favicon.ico, which is set
> to expire a year from now. When I load it, there's a genuine
> connection with Github.com/Fastly, including Referer and User-Agent
> and several other bits about me that the other side could use to
> correlate their requests:
>
> >Host: assets-cdn.github.com
> >User-Agent: browza
> >Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> >Accept-Language: en-US,en;q=0.5
> >Accept-Encoding: gzip, deflate, br
> >Cookie: logged_in=no
> >Connection: keep-alive
> >Upgrade-Insecure-Requests: 1
> >Referer: https://github.com
> >If-Modified-Since: Sat, 01 Jan 2000 00:00:00 GMT
> >Cache-Control: max-age=0
>
> <HTTP/1.1 304 Not Modified
> <Date: Tue, 21 Jan 2019 09:22:55 GMT
> <Via: 1.1 varnish
> <Cache-Control: max-age=31536000, public
> <Expires: Tue, 20 Jan 2020 19:16:02 GMT
> <Age: 50813
> <Connection: keep-alive
> <X-Served-By: cache-akl1421-AKL
> <X-Cache: HIT
> <X-Cache-Hits: 3353
> <X-Timer: S1534843376.566037,VS0,VE0
> <Vary: Accept-Encoding
> <X-Fastly-Request-ID: 09998a7735d76f5a11507ddde252094145d15ed3
> <timing-allow-origin: https://github.com
>
> I've had the idea now that we could have an extension that simply
> auto-answers such outbound requests for resources that we determine
> to be valid if present in local cache. For all that matters, this
> could be a list of hashes of those resources, which would be one
> step closer to simply asking your peers around you whether they
> have a certain hash in their caches, so that you can procure it
> completely offline. How awesome would that be??
>
>
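
Added example (not part of the original message): it evaluates the header exchange quoted in the footnote against HTTP cache freshness rules (RFC 7234) and lists the request headers that a revalidation hands to the CDN. The header subset is copied from the quoted exchange; the function names, the `resident_seconds` parameter and the choice of which headers count as identifying are assumptions of this example.

```python
# Subset of the request/response headers quoted in the footnote above.
REQUEST = """\
Host: assets-cdn.github.com
User-Agent: browza
Accept-Language: en-US,en;q=0.5
Cookie: logged_in=no
Referer: https://github.com
If-Modified-Since: Sat, 01 Jan 2000 00:00:00 GMT
Cache-Control: max-age=0
"""
RESPONSE = """\
Cache-Control: max-age=31536000, public
Age: 50813
"""
# Assumption: this example's own list of headers usable for correlation.
IDENTIFYING = ("user-agent", "referer", "cookie", "accept-language")

def parse_headers(text):
    """Turn 'Name: value' lines into a dict keyed by lower-cased name."""
    headers = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def directives(value):
    """Split a Cache-Control value into {directive: argument}."""
    out = {}
    for part in value.split(","):
        key, _, arg = part.strip().partition("=")
        if key:
            out[key.lower()] = arg.strip('"')
    return out

def cache_decision(request, response, resident_seconds=0):
    """Decide whether a stored response may be reused without network contact."""
    req_cc = directives(request.get("cache-control", ""))
    resp_cc = directives(response.get("cache-control", ""))
    age = int(response.get("age", 0)) + resident_seconds  # current age
    lifetime = int(resp_cc.get("max-age", 0))             # freshness lifetime
    if "no-cache" in req_cc or "no-cache" in resp_cc:
        return "revalidate: no-cache"
    if "max-age" in req_cc and age > int(req_cc["max-age"]):
        return "revalidate: request max-age"
    if age >= lifetime:
        return "revalidate: stale"
    return "serve-from-cache"

def disclosed(request):
    """Identifying headers a conditional request sends to the remote host."""
    return [h for h in IDENTIFYING if h in request]

if __name__ == "__main__":
    req, resp = parse_headers(REQUEST), parse_headers(RESPONSE)
    print(cache_decision(req, resp), disclosed(req))
```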