[clug] Private Browsing?

jhock at iinet.net.au jhock at iinet.net.au
Mon Jun 24 04:17:56 UTC 2019


I wonder how many of these tools are replaced by using Tor Browser?

On 24 June 2019 13:58:59 GMT+10:00, Mike Carden via linux <linux at lists.samba.org> wrote:
>> "How we are tracked over the Internet" would be a great topic for
>> CLUG, if anyone had the knowledge.
>>
>Well, those who attended LCA2019 would have had the opportunity to see a
>talk on this subject from Martin Krafft. Here is his follow-up email from
>the talk:
>
>Dear conferencers,
>
>Thanks to those who attended (or will watch the video about) my talk
>on fighting Web trackers, and reducing your footprint while browsing
>the Web.
>
>Here are the browser extensions I introduced, so that you can check
>them out at your leisure. I am using Firefox, but most of these
>should be available for Chrome as well. Most importantly, however,
>these are all maintained and Free, so you can consider this list as
>bootstrapping your due diligence towards a more private browsing
>experience.
>
>Please let me know if you have any comments or additions.
>
> 1. https://github.com/gorhill/uMatrix, comprehensive
>    resource/sub-request blocker, which eclipses your standard
>    ad-blocker, and can do a whole lot more. By the author of uBlock
>    Origin (https://github.com/gorhill/uBlock), but more bare
>    bones.
>
> 2. https://decentraleyes.org/, serve commonly used Web 2.0 fabric
>    (e.g. jQuery) from localhost to avoid pinging 3rd parties/CDNs
>    helpfully hosting that stuff.¹
>
> 3. https://github.com/Cookie-AutoDelete/Cookie-AutoDelete/,
>    flexible white-/greylisting, and removes cookies on blacklist
>    after a configurable amount of time.
>
> 4. https://github.com/kkapsner/CanvasBlocker/, fuzz two
>    commonly used fingerprinting methods to make it harder for the
>    remote to profile you.
>
> 5. https://www.eff.org/https-everywhere, ensure you don't leak
>    plain text information to snoops on your way.
>
> 6. https://addons.mozilla.org/en-US/firefox/addon/random_user_agent/,
>    https://leotindall.com/randomua/ and
>    https://github.com/ray-lothian/UserAgent-Switcher, three
>    extensions I'm to spoof and fuzz your user-agent. I haven't
>    quite made up my mind as to which one is best, yet.
>
> 7. https://addons.mozilla.org/en-US/firefox/addon/block-service-workers/,
>    dis-allows those potentially long-running threads that can
>    persist way beyond your web site visit from registering.
>    Complements uMatrix's control of Web Workers.
>
> 8. https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/,
>    Handy means to control Firefox's built-in containers, which
>    isolate your browsing of certain data-hungry websites from the
>    rest of your activity.
>
> 9. https://github.com/mozilla/lightbeam-we, visualise 3rd party
>    requests.
>
>10. https://developer.mozilla.org/en-US/docs/Tools/Network_Monitor,
>    An introduction to using the network monitor to trace what your
>    browser is doing on the wire.
>
>11. https://browserleaks.com/, a frightening collection of
>    fingerprinting methods you can use to track your progress.
>
>12. https://panopticlick.eff.org/, EFF's anti-tracking checker.
>
>Finally, Ben asked the question what to use for the less
>technically-inclined. EFF's privacy badger
>(https://www.eff.org/privacybadger) uses machine-learning to figure
>out whom you trust, and while I personally want more control and
>transparency of what's going on, this "privacy-by-default" approach
>is great for people who don't want to configure anything. Privacy
>Possum (https://github.com/cowlicks/privacypossum) is an attempt
>to improve on that by someone who worked on PrivacyBadger.
>
>Stay safe, keep private,
>Martin
>
>Footnote:
>
>¹) There are people who use transparent proxies for this, but SSL
>makes that harder and harder. So what about the browser cache?
>It's true that your browser should be able to just indefinitely
>cache these immutable resources. However, I don't trust that, nor
>the companies to set the expiry headers correctly, and apart,
>I believe that caching really only prevents re-transfer, but still
>pings the HTTP host to find out what the current timestamp/eTag is.
>
>For instance, I picked a random static piece of content from
>about:cache: https://assets-cdn.github.com/favicon.ico, which is set
>to expire a year from now. When I load it, there's a genuine
>connection with Github.com/Fastly, including Referer and User-Agent
>and several other bits about me that the other side could use to
>correlate their requests:
>
>  >Host: assets-cdn.github.com
>  >User-Agent: browza
>  >Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>  >Accept-Language: en-US,en;q=0.5
>  >Accept-Encoding: gzip, deflate, br
>  >Cookie: logged_in=no
>  >Connection: keep-alive
>  >Upgrade-Insecure-Requests: 1
>  >Referer: https://github.com
>  >If-Modified-Since: Sat, 01 Jan 2000 00:00:00 GMT
>  >Cache-Control: max-age=0
>
>  <HTTP/1.1 304 Not Modified
>  <Date: Tue, 21 Jan 2019 09:22:55 GMT
>  <Via: 1.1 varnish
>  <Cache-Control: max-age=31536000, public
>  <Expires: Tue, 20 Jan 2020 19:16:02 GMT
>  <Age: 50813
>  <Connection: keep-alive
>  <X-Served-By: cache-akl1421-AKL
>  <X-Cache: HIT
>  <X-Cache-Hits: 3353
>  <X-Timer: S1534843376.566037,VS0,VE0
>  <Vary: Accept-Encoding
>  <X-Fastly-Request-ID: 09998a7735d76f5a11507ddde252094145d15ed3
>  <timing-allow-origin: https://github.com
>
>I've had the idea now that we could have an extension that simply
>auto-answers such outbound requests for resources that we determine
>to be valid if present in local cache. For all that matters, this
>could be a list of hashes of those resources, which would be one
>step closer to simply asking your peers around you whether they
>have a certain hash in their caches, so that you can procure it
>completely offline. How awesome would that be??
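
The capture in the footnote, read by code, as an added example that is not part of the original message or of any extension it mentions. It reports which identifying headers went out on the conditional request and how much freshness the stored copy still had; header values are copied from the capture, while the function names, the `pinned` map and the digest strings are assumptions made for illustration.

```javascript
// Added example. Header values are copied from the capture in the message;
// the pinned-digest policy and all function names are hypothetical.
const REQUEST = [
  'Host: assets-cdn.github.com',
  'User-Agent: browza',
  'Accept-Language: en-US,en;q=0.5',
  'Cookie: logged_in=no',
  'Referer: https://github.com',
  'If-Modified-Since: Sat, 01 Jan 2000 00:00:00 GMT',
  'Cache-Control: max-age=0',
].join('\n');
const RESPONSE = [
  'HTTP/1.1 304 Not Modified',
  'Cache-Control: max-age=31536000, public',
  'Age: 50813',
].join('\n');

// Parse "Name: value" lines into a map keyed by lower-cased header name.
function parseHeaders(text) {
  const headers = {};
  for (const line of text.split('\n')) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Extract max-age (seconds) from a Cache-Control value, or null if absent.
function maxAge(cacheControl = '') {
  const m = /(?:^|,)\s*max-age=(\d+)/i.exec(cacheControl);
  return m ? Number(m[1]) : null;
}

// Summarise what one request/response pair cost in privacy terms.
function analyse(requestText, responseText) {
  const req = parseHeaders(requestText);
  const res = parseHeaders(responseText);
  const lifetime = maxAge(res['cache-control']) ?? 0;
  return {
    conditional: 'if-modified-since' in req || 'if-none-match' in req,
    clientForcedRevalidation: maxAge(req['cache-control']) === 0,
    bodyTransferred: Number(responseText.split(' ')[1]) !== 304,
    freshSecondsLeft: Math.max(0, lifetime - Number(res.age ?? 0)),
    leaked: ['user-agent', 'referer', 'cookie', 'accept-language'].filter((h) => h in req),
  };
}

// Hypothetical extension policy: answer from cache, with no request on the
// wire, only if the cached body's digest is pinned for exactly this URL.
function answerLocally(url, cachedDigest, pinned) {
  return Boolean(cachedDigest) && pinned.get(url) === cachedDigest;
}
```

On this capture no body was transferred and roughly 364 days of freshness remained, yet four identifying headers still reached the CDN; the request's own `Cache-Control: max-age=0` is a directive that asks caches to revalidate regardless of stored freshness.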


