The browser privacy handbook
Last updated: September 18, 2017
This document is intended to help users configure their computers to protect their privacy while browsing the web. Easy stuff is at the beginning, and harder stuff is toward the end. This howto guide is intended for a general audience, so wording is necessarily simplified.
For the greatest benefit, use as many tools/methods as you can, in combination.
Table of contents
- Ad Blocking
- Cookie management
- Private browsing mode
- Do Not Track
- Pro-privacy search engines
- BetterPrivacy addon
- HTTPS Everywhere
- Disable the Java browser plugin
- Compartmentation: Different browsers for different functions
- Useragent spoofing
- Encrypted DNS
- Google services tightening
- Social Networking
- MVPS hosts file
- Additional hosts entries
- SSH Tunnels
For IE there is Adblock Plus.
In addition to giving users a cleaner and faster browsing experience, ad blocking reduces malware infections since advertising networks are infested with malware.
Cookies are just the tip of the iceberg, but still pose a real privacy danger. The "sweet spot" between privacy and functionality is to:
- Enable cookies, but
- Disable 3rd-party cookies, and
- Delete all cookies when the browser closes
In Firefox: Preferences, Privacy. Select options to match above behavior.
In Chrome: Preferences, Privacy, Content Settings, Cookies:
- "Keep local data only until you quit your browser"
- "Block third-party cookies and site data"
Alternatively, with compartmentation, use a browser with all cookies disabled for normal browsing, and a different browser for sites that require cookies.
Private browsing mode is misleading — it mostly applies to privacy when using shared computers and provides minimal protection against web tracking.
In Firefox: Edit, Preferences, Privacy.
In Chrome: Menu bar, New Incognito Window
Benefit: probably harmful to you, if anything
Do Not Track is a stupid idea. If you wanted to protect your home from robbers, would you:
- Put a note on your front door asking people not to rob you, or
- Install a solid hard wood or metal front door with long screws in the door frame and good locks
Best policy for Do Not Track: keep your web browser's default setting.
The kind of people you have to worry about don't care if you don't want to be tracked, and there's no legal incentive not to track you even if you say pretty please. Numerous companies have announced publicly that they won't respect Do Not Track, and again, the worst ones won't bother letting you know.
Sending a non-default Do Not Track request only makes your browser more unique and therefore more identifiable/trackable. Furthermore, the false sense of security can limit your motivation to implement real privacy controls.
Bottom line: don't ask your attackers for protection.
Two come to mind: DuckDuckGo and ixquick. Privacy-respecting search is crucial when some companies, such as Google, offer search, webmail, and ubiquitous web tracking via Google Analytics and doubleclick.net. Tie it all together and you have just about everything. A privacy service once asked: Who knows more about its citizens: Google, or North Korea?
Flash cookies are super creepy, and are not the same as normal cookies. Fortunately there's a Firefox addon called BetterPrivacy which deletes Flash cookies from your computer.
The Internet's most loved freedom & privacy organization, The Electronic Frontier Foundation (EFF), has an addon for Firefox and Chrome called HTTPS Everywhere. Its goal is to automatically encrypt communication with websites known to support TLS. Once installed, it requires no configuration or upkeep. It works quietly in the background to protect you. In addition to the privacy benefit of increased encryption, it can also protect against some browser history attacks. It's a great tool!
(Security benefit: high)
Java can be used to compromise your privacy, and it isn't used by legitimate websites anymore. Disable it in the browser, and if you don't use it at all, uninstall it from your computer.
Using multiple browsers is helpful because each one has its own "fingerprint." The idea is to use one browser (e.g. Firefox) for general browsing, and another (e.g. Chrome) for any sites that strongly identify you (webmail, social networking, merchant sites). From a privacy standpoint, Chrome is best for sites you identify yourself to because it's the hardest to make privacy-aware. The point is to disassociate your general browsing from your identity (compartmentalization).
Your web browser tells every website you visit unique details about it that can be used for tracking purposes. Here are some real useragents from my webserver logs:
- Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)'
- Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html
- Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3
- Mozilla/5.0 (Linux; Android 4.4.2; LG-D802 Build/KOT49I.D80220b) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.76 Mobile Safari/537.36
- Mozilla/5.0 (Maemo; Linux; U; Jolla; Sailfish; like Android 4.3) AppleWebKit/538.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/538.1
- Wget/1.16.3 (openbsd5.8)
- Mozilla/5.0 (compatible; pycurl)
Which useragent tells trackers the least about itself? Clearly the second to last, as it gives no operating system, browser, or other software version information.
Trackers can combine the useragent with other connection details to strengthen tracking. Some people promote useragent spoofing (i.e. pretending Firefox is Chrome), while IANIX promotes sending an empty useragent. This reduces the number of identifying bits as seen in the Panopticlick tool at the bottom of this page.
To set an empty useragent in Firefox, go to the URL about:config and create a new string called general.useragent.override without giving it a value.
To instead use a useragent spoofer, there is Random Agent Spoofer for Firefox.
Please note that a small percentage of websites will refuse service if your web browser sends an empty useragent. This is actually a good way to identify either aggressive tracker sites, sites with inexperienced sysadmins, or both. If this is a problem, simply delete the general.useragent.override string in about:config and consider trying the useragent spoofer above instead.
Normally your ISP, and/or anyone nearby (if you're using open wifi), can easily compile your entire browsing history.
Currently, the best way to protect your DNS queries, both in terms of security and privacy, is to use DNSCrypt from OpenDNS.
It's best not to use Google services, if possible. However, if you do, it's best to:
- Log in only via a VPN or SSH tunnel, which is not used for general browsing, while
- using a different browser configured just for that purpose, and
Remember: If you don't pay for the product, YOU are the product.
Social networking may be the single biggest source of tracking on the web. Most of the big sites have one or more "like" or "share" buttons which notify social networking trackers in real time of your browsing activity. For social networking, compartmentalize: Have one web browser (Chrome) that's just used for social networking, webmail, and merchant sites. Use another browser (Firefox) for all other browsing.
When your web browser downloads an image or webpage, it tells the remote webserver where it "heard about" that image or page. This is a big problem for web browsing since the great majority of websites put trackers on their webpages. The result is that tracking companies receive your almost complete browsing history.
Using Firefox as an example, there are generally three options in web browsers for referrals:
- Never send referral information
- Only send referral information to the current site/same FQDN (best)
- Always send referral information (default)
Option 1 (same FQDN) means, only send referral information to a site that hosts both the referral and the webpage or object that instructed your browser to download it. For example, with this setting, if the ianix.com website contains an image that is hosted on the ianix.com website itself, a referral would be sent. But if the ianix.com site contains an image hosted on user-tracking.example.com, your browser would NOT tell user-tracking.example.com what webpage your're currently browsing.
In Firefox, type into the URL bar and hit return:
You may see a joke (and it's only a joke) about voiding the warranty. Hit OK. Type into the search box:
Double-click on that option under "Preference name" and change the value to 1. Close the configuration page. Congratulations, now you're not sending your near-complete browsing history to tracking companies.
A hosts file is just a text file that tells your computer where on the Internet to connect to certain hosts. The most common usage is to redirect unwanted sites to a sort of blackhole, so your computer won't actually talk to them. Kind of like a restraining order.
The best hosts file for such protection is the MVPS hosts file. The organization that hosts it has instructions on how to "install" the file. Use it!
IANIX has a small but potent list for inclusion in your operating system's hosts file. The following items can be added to the same file modified by the MVPS hosts file, described above.
127.0.0.1 connect.facebook.net 127.0.0.1 connect.facebook.com 127.0.0.1 google-analytics.com 127.0.0.1 ssl.google-analytics.com 127.0.0.1 www.google-analytics.com
Tor stands for The Onion Router. It's an anonymity network run by volunteers. The traffic of Tor users is routed through three hosts in addition to their own: an entry node, a relay, and an exit node. The entry node only knows the user (you) and the relay, but not the exit node or site you're connecting to; the relay only knows the entry node and exit node, but not you, or the site you're connecting to; and the exit node only knows the relay node and destination, but not the entry node or the person connecting to the destination site. The Tor website, linked above, has pictures of the network that may make this more clear.
It is recommended to use the Tor browser when browsing the web with Tor. This will help prevent information leakage.
VPN stands for Virtual Private Network. In the case of web browsing anonymity, a VPN is used like an SSH tunnel (below), except that all of the user's network traffic passes over the VPN. Many companies provide VPN access at reasonable rates.
An SSH tunnel can be used to provide security and anonymity, depending on how used. Since SSH is encrypted, it provides secrecy over the local network, and some level of security because its traffic cannot be modified by an attacker without the user's knowledge.
The more common usage, though, is to provide a channel that essentially "hides" the user's IP address from remote web servers. Such servers only see the SSH server, and not the user making the connection. Like VPNs, lots of SSH Tunnel services are available, and are typically cheaper than VPNs.
NB: To prevent DNS leakage you should tunnel your DNS queries, unless you're using DNSCrypt, which will provide DNS security and privacy. Go to about:config and type:
Then change the value from false to true.
Benefit: high, as an educational tool.
Panopticlick is a resource hosted by the EFF. It shows you your browser fingerprint and estimates how easy it is to identify you among all web users. Its function is to educate users, with the intention of helping them make informed decisions that protect their privacy.