[clug] Private Browsing?

jhock at iinet.net.au jhock at iinet.net.au
Mon Jun 24 04:17:56 UTC 2019

I wonder how many of these tools are replaced by using ToR browser? 

On 24 June 2019 13:58:59 GMT+10:00, Mike Carden via linux <linux at lists.samba.org> wrote:
>> "How we are tracked over the Internet" would be a great topic for
>> CLUG, if anyone had the knowledge.
>Well, those who attended LCA2019 would have had the opportunity to see
>talk on this subject from Martin Krafft. Here is his follow-up email
>the talk:
>Dear conferencers,
>Thanks to those who attended (or will watch the video about) my talk
>on fighting Web trackers, and reducing your footprint while browsing
>the Web.
>Here are the browser extensions I introduced, so that you can check
>them out at your leisure. I am using Firefox, but most of these
>should be available for Chrome as well. Most importantly, however,
>these are all maintained and Free, so you can consider this list as
>bootstrapping your due diligence towards a more private browsing
>Please let me know if you have any comments or additions.
> 1. https://github.com/gorhill/uMatrix, comprehensive
>    resource/sub-request blocker, which eclipses your standard
>    ad-blocker, and can do a whole lot more. By the author of uBlock
>    Origin (https://github.com/gorhill/uBlock), but more bare
>    bones.
> 2. https://decentraleyes.org/, serve commonly used Web 2.0 fabric
>    (e.g. jQuery) from localhost to avoid pinging 3rd parties/CDNs
>    helpfully hosting that stuff.¹
> 3. https://github.com/Cookie-AutoDelete/Cookie-AutoDelete/,
>    flexible white-/greylisting, and removes cookies on blacklist
>    after a configurable amount of time.
> 4. https://github.com/kkapsner/CanvasBlocker/, fuzz two
>   commonly used fingerprinting methods to make it harder for the
>   remote to profile you.
> 5. https://www.eff.org/https-everywhere, ensure you don't leak
>    plain text information to snoops on your way.
> 6. https://addons.mozilla.org/en-US/firefox/addon/random_user_agent/,
>    https://leotindall.com/randomua/ and
>    https://github.com/ray-lothian/UserAgent-Switcher, three
>    extensions I'm to spoof and fuzz your user-agent. I haven't
>    quite made up my mind as to which one is best, yet.
>    dis-allows those potentially long-running threads that can
>    persist way beyond your web site visit from registering.
>    Complements uMatrix's control of Web Workers.
>    Handy means to control Firefox's built-in containers, which
>    isolate your browsing of certain data-hungry websites from the
>    rest of your activity.
> 9. https://github.com/mozilla/lightbeam-we, visualise 3rd party
>    requests.
>10. https://developer.mozilla.org/en-US/docs/Tools/Network_Monitor,
>    An introduction to using the network monitor to trace what your
>    browser is doing on the wire.
>11. https://browserleaks.com/, a frigthening collection of
>    fingerprinting methods you can use to track your progress.
>12. https://panopticlick.eff.org/, EFF's anti-tracking checker.
>Finally, Ben asked the question what to use for the less
>technically-inclined. EFF's privacy badger
>(https://www.eff.org/privacybadger) uses machine-learning to figure
>out whom you trust, and while I personally want more control and
>transparency of what's going on, this "privacy-by-default" approach
>is great for people who don't want to configure anything. Privacy
>Possum (https://github.com/cowlicks/privacypossum) is a an attempt
>to improve on that by someone who worked on PrivacyBadger.
>Stay safe, keep private,
>¹) There are people who use transparent proxies for this, but SSL
>makes that harder and harder. So what about the browser cache.
>It's true that your browser should be able to just indefinitely
>cache these immutable resources. However, I don't trust that, nor
>the companies to set the expiry headers correctly, and apart,
>I believe that caching really only prevents re-transfer, but still
>pings the HTTP host to find out what the current timestamp/eTag is.
>For instance, I picked a random static piece of content from
>about:cache: https://assets-cdn.github.com/favicon.ico, which is set
>to expire a year from now. When I load it, there's a genuine
>connection with Github.com/Fastly, including Referer and User-Agent
>and several other bits about me that the other side could use to
>correlate their requests:
>  >Host: assets-cdn.github.com
>  >User-Agent: browza
>  >Accept-Language: en-US,en;q=0.5
>  >Accept-Encoding: gzip, deflate, br
>  >Cookie: logged_in=no
>  >Connection: keep-alive
>  >Upgrade-Insecure-Requests: 1
>  >Referer: https://github.com
>  >If-Modified-Since: Sat, 01 Jan 2000 00:00:00 GMT
>  >Cache-Control: max-age=0
>  <HTTP/1.1 304 Not Modified
>  <Date: Tue, 21 Jan 2019 09:22:55 GMT
>  <Via: 1.1 varnish
>  <Cache-Control: max-age=31536000, public
>  <Expires: Tue, 20 Jan 2020 19:16:02 GMT
>  <Age: 50813
>  <Connection: keep-alive
>  <X-Served-By: cache-akl1421-AKL
>  <X-Cache: HIT
>  <X-Cache-Hits: 3353
>  <X-Timer: S1534843376.566037,VS0,VE0
>  <Vary: Accept-Encoding
>  <X-Fastly-Request-ID: 09998a7735d76f5a11507ddde252094145d15ed3
>  <timing-allow-origin: https://github.com
>I've had the idea now that we could have an extension that simply
>auto-answers such outbound requests for resources that we determine
>to be valid if present in local cache. For all that matters, this
>could be a list of hashes of those resources, which would be one
>step closer to simply asking your peers around your whether they
>have a certain hash in their caches, so that you can procure it
>completely offline. How awesome would that be??

More information about the linux mailing list