[clug] Private Browsing?

Mike Carden mike.carden at gmail.com
Mon Jun 24 04:02:36 UTC 2019

Also, the link to Martin's presentation summary:


And the YouTube video of his talk:



On Mon, Jun 24, 2019 at 1:58 PM Mike Carden <mike.carden at gmail.com> wrote:

>> "How we are tracked over the Internet" would be a great topic for
>> CLUG, if anyone had the knowledge.
> Well, those who attended LCA2019 would have had the opportunity to see a
> talk on this subject from Martin Krafft. Here is his follow-up email from
> the talk:
> Dear conferencers,
> Thanks to those who attended (or will watch the video about) my talk
> on fighting Web trackers, and reducing your footprint while browsing
> the Web.
> Here are the browser extensions I introduced, so that you can check
> them out at your leisure. I am using Firefox, but most of these
> should be available for Chrome as well. Most importantly, however,
> these are all maintained and Free, so you can consider this list as
> bootstrapping your due diligence towards a more private browsing
> experience.
> Please let me know if you have any comments or additions.
>  1. https://github.com/gorhill/uMatrix, comprehensive
>     resource/sub-request blocker, which eclipses your standard
>     ad-blocker, and can do a whole lot more. By the author of uBlock
>     Origin (https://github.com/gorhill/uBlock), but more bare
>     bones.
>  2. https://decentraleyes.org/, serve commonly used Web 2.0 fabric
>     (e.g. jQuery) from localhost to avoid pinging 3rd parties/CDNs
>     helpfully hosting that stuff.¹
>  3. https://github.com/Cookie-AutoDelete/Cookie-AutoDelete/,
>     flexible white-/greylisting, and removes cookies on blacklist
>     after a configurable amount of time.
>  4. https://github.com/kkapsner/CanvasBlocker/, fuzz two
>    commonly used fingerprinting methods to make it harder for the
>    remote to profile you.
>  5. https://www.eff.org/https-everywhere, ensure you don't leak
>     plain text information to snoops on your way.
>  6. https://addons.mozilla.org/en-US/firefox/addon/random_user_agent/,
>     https://leotindall.com/randomua/ and
>     https://github.com/ray-lothian/UserAgent-Switcher, three
>     extensions I'm to spoof and fuzz your user-agent. I haven't
>     quite made up my mind as to which one is best, yet.
>  7. https://addons.mozilla.org/en-US/firefox/addon/block-service-workers/
> ,
>     dis-allows those potentially long-running threads that can
>     persist way beyond your web site visit from registering.
>     Complements uMatrix's control of Web Workers.
>  8.
> https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/,
>     Handy means to control Firefox's built-in containers, which
>     isolate your browsing of certain data-hungry websites from the
>     rest of your activity.
>  9. https://github.com/mozilla/lightbeam-we, visualise 3rd party
>     requests.
> 10. https://developer.mozilla.org/en-US/docs/Tools/Network_Monitor,
>     An introduction to using the network monitor to trace what your
>     browser is doing on the wire.
> 11. https://browserleaks.com/, a frigthening collection of
>     fingerprinting methods you can use to track your progress.
> 12. https://panopticlick.eff.org/, EFF's anti-tracking checker.
> Finally, Ben asked the question what to use for the less
> technically-inclined. EFF's privacy badger
> (https://www.eff.org/privacybadger) uses machine-learning to figure
> out whom you trust, and while I personally want more control and
> transparency of what's going on, this "privacy-by-default" approach
> is great for people who don't want to configure anything. Privacy
> Possum (https://github.com/cowlicks/privacypossum) is a an attempt
> to improve on that by someone who worked on PrivacyBadger.
> Stay safe, keep private,
> Martin
> Footnote:
> ¹) There are people who use transparent proxies for this, but SSL
> makes that harder and harder. So what about the browser cache.
> It's true that your browser should be able to just indefinitely
> cache these immutable resources. However, I don't trust that, nor
> the companies to set the expiry headers correctly, and apart,
> I believe that caching really only prevents re-transfer, but still
> pings the HTTP host to find out what the current timestamp/eTag is.
> For instance, I picked a random static piece of content from
> about:cache: https://assets-cdn.github.com/favicon.ico, which is set
> to expire a year from now. When I load it, there's a genuine
> connection with Github.com/Fastly, including Referer and User-Agent
> and several other bits about me that the other side could use to
> correlate their requests:
>   >Host: assets-cdn.github.com
>   >User-Agent: browza
>   >Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>   >Accept-Language: en-US,en;q=0.5
>   >Accept-Encoding: gzip, deflate, br
>   >Cookie: logged_in=no
>   >Connection: keep-alive
>   >Upgrade-Insecure-Requests: 1
>   >Referer: https://github.com
>   >If-Modified-Since: Sat, 01 Jan 2000 00:00:00 GMT
>   >Cache-Control: max-age=0
>   <HTTP/1.1 304 Not Modified
>   <Date: Tue, 21 Jan 2019 09:22:55 GMT
>   <Via: 1.1 varnish
>   <Cache-Control: max-age=31536000, public
>   <Expires: Tue, 20 Jan 2020 19:16:02 GMT
>   <Age: 50813
>   <Connection: keep-alive
>   <X-Served-By: cache-akl1421-AKL
>   <X-Cache: HIT
>   <X-Cache-Hits: 3353
>   <X-Timer: S1534843376.566037,VS0,VE0
>   <Vary: Accept-Encoding
>   <X-Fastly-Request-ID: 09998a7735d76f5a11507ddde252094145d15ed3
>   <timing-allow-origin: https://github.com
> I've had the idea now that we could have an extension that simply
> auto-answers such outbound requests for resources that we determine
> to be valid if present in local cache. For all that matters, this
> could be a list of hashes of those resources, which would be one
> step closer to simply asking your peers around your whether they
> have a certain hash in their caches, so that you can procure it
> completely offline. How awesome would that be??

More information about the linux mailing list