DIY Cyber Audit: #3 Browsers
Continued from part 2
You may be reading this in a browser. As you likely are aware, a web browser is a powerful program that displays & runs web pages and web applications. For many, it’s their primary gateway to the world wide web as well as the internet as a whole. Being complacent about what browser(s) you’re using is a surefire way to put your information in the hands of questionable external forces.
Understanding the Web
A good place to start is to refresh your understanding of what the web actually is. Like many things in our technological landscape, it wasn’t built in a day, or even by a single person. It’s an amalgamation of the work of many different people, institutions, and even governments over time. I’m very passionate about people choosing to take an active role in shaping cyberspace. Collectively, we do have a real impact on the future of the World Wide Web.
To begin, we have to start with the simplest of web pages. These are static web sites that display a set amount of text, images, or media.
Far from being mere hypertext, the web now includes multimedia applications. Web 2.0 was when web sites became dynamic. Forums, Wikis, and even the first social media sites were dynamic because user interaction fed into a database that was used to generate web content. The earliest of these could work without many (if any) scripts at all, and were processed by the web site’s back-end software.
A web page can load real-time data from an online service, and/or stream audio and video. Because of this, the browser is the primary tool in many people’s digital life. Like anything else, this includes a variety of risks and trade-offs. The addition of more content and features to the web has made browsers themselves increase in complexity significantly. In theory, a browser would only need to support downloading the page, and displaying the text on it. As the web has evolved, browsers now support all kinds of multi-media, interactivity, and online gaming.
While this isn’t necessarily news to you, what is worth understanding is that all of these additional features have meaningful trade-offs when it comes to privacy & security. There are those who yearn for a return of the days of just clean pure hypertext. If that sounds like something you’re interested in, gemini is right up your alley. For the rest of us who would like to enjoy a wide variety of modern enhancements to the web, there is much to account for.
This guide is a work in progress.
Any questions, comments, or support you can offer goes a long way!
Surveillance
In many ways, it helps to think of much of the Web as a street filled with surveillance cameras. Without making significant effort, it’s trivial for those watching to keep track of where you go on a regular basis. In addition to this, the places you visit themselves may also be spying on you in exchange for a pithy sum.
Cookies & Storage
It’s pretty useful to be able to log-in to a website. It’s also very handy for the server to save some additional information on your end so when you return you can continue as normal. Using sessions is how servers keep track of who they’re talking to. Naturally, if you divulge more information about yourself to a particular service, the more that information can be corroborated with other data points. Without saving cookies, log-ins and site settings would be lost immediately, but that doesn’t mean you need to hold onto them forever.
Scripts
Either scripts from the site itself, or remote scripts pulled in from other services can do a wide range of things to try to uniquely identify you. On the other hand, many sites will not work at all and refuse to display something as simple as an article. Many tracking blockers will block all external scripts, but others will make exceptions that keep certain mainstream sites working.
The best practice would be to block any unnecessary scripts. There are many add-ons that can make this easier. “Unnecessary” can be a very broad categorization however, in some cases you may consider it worth blocking any and all scripts everywhere. This is the recommended setup when using the Tor Browser, because scripts can do many things to de-anonymize a visitor.
Sadly many of these invasive scripts have been thrust on the public without much alternative. As a web developer, it may be tempting (or even good for your resume) to develop using the latest fancy script frameworks, it’s important to remember that you can maintain all the advantages of dynamic web sites without it. When security and privacy of your users is paramount, it’s something worth considering.
Fingerprinting
Now that you’ve put in the effort to properly mitigate unwanted data leakage. There’s still another nasty problem. If you require perfect anonymity online, it’s worth understanding that your browser fingerprint can be used to uniquely identify you online. This is a problem, but it’s one not worth working on at the expense of protecting important information.
Choosing a Browser
DigDeeper.club has an excellent if troubling post on browsers. Unfortunately the major take-away is that the situation is very dire:
The only reasonable choice is Pale Moon. Or, just try wean yourself off the modern web by sticking to websites such as the ones on Neocities, wiby.me, etc. which are functional in NetSurf or terminal browsers. I hate to kill the positivity of yet another summary, but if reality forces me to - what can I do?
(emphasis mine)
If you require using the modern web (ie. most “normal” websites) I recommend reading through the guide carefully and choosing what strikes the right balance for you.
Reading through the browser guide leaves the impression that a serious web & browser renewal is something people from all walks of life should strongly consider.
The root of the problem is two-fold:
Additional features on modern web sites introduce additional privacy risks
To support these features, browsers themselves become more complicated to support, maintain, and validate
I intend to follow-up on this particular section, and I think it’s important to think-through how things should be done. This is one of the many reasons I emphasize more people to getting involved, rather than let governments and corporations dictate it for us.
The More the Merrier
Because browsers are tools, it doesn’t often make sense to entirely limit yourself to a single one. There are some advantages to using different browsers for different “spheres” of your life. Above all, it’s best to understand why you’re using a particular browser for a certain task. If you’re really in love with a particular browser, you may be able to use multiple profiles with different settings in mind for different uses. Even something as simple as having separate bookmarks for each profile would make it easy to stay consistent.
In all cases you’ll likely want to alternate browsers for different tasks, with at least one clearing cookies/logins/history on reload. You may also want to search for a hardening guide for whatever browser you choose, depending on your particular needs. It can help to have a hardened browser for most of your basic web tasks, with exceptions made for sites/services you need/trust and alternate ones for other things. Compartmentalization can go a long way especially with many browsers offering built-in VPNs.
More on VPNs later
Hardening
Here is an excellent firefox hardening guide for firefox.
Hardening is the process of changing settings for particular privacy and security. Sometimes these changes include disabling tracking from the program itself! A good place to start is opt-ing out of any telemetry or analytics reporting. Then I would generally recommend taking the most extreme settings you can bear day-to-day, and consider increasing as you adapt. Some more ‘extreme’ changes would be disabling WebRTC to protect your IP at the cost of some real-time applications breaking.
Many of these changes will either be in your browsers settings panel or additionally about:config on firefox based browsers. On desktop Firefox Arkenfox’s user.js file is a highly-recommended change for getting the most optimal settings. This alone may be a good reason to pick a firefox or its derivatives over google chrome and it’s derivatives.
If you’re using brave shields you have an intuitive interface for being as strict as possible. It also has the advantage of being built into the browser for additional performance gains. On other browsers uMatrix is the go-to add-on for having complete control over what resources sites can access. Learning how to use these tools can do a great deal of good.
Browser Add-ons
A browser can feel very limiting without many essential add-ons. Ad-blocking is de-facto necessary for browsing a great deal of the web to salvage some of your time and attention.
I’ve personally used:
It’s great to have full control over requests on a site-by-site basis. It takes a bit of learning, but is a very powerful tool that I’d love to see built-in to new FOSS browsers. By blocking specific kinds of remote requests across the board, you can disable all third-party ads.
A very useful tool for redirecting all kinds of mainstream social media links to dedicated (somtimes self-hosted!) web proxies.
See Account Security
If you’re going to allow remote scripts, it can be handy to proactively cache them, so that you’re not constantly being tracked by loading them on each visit to separate sites.
Note: You may have noticed this post is entirely focused on desktop browsers. This is deliberate because without much more effort, all mobile browsers are a significant downgrade. They tend to lack support for add-ons which can be a deal-breaker for many. I will be following up to specifically tackle mobile security.
I orignally created this infographic, but I think it was too dense, and split it up into the 4 above.
For those who feel at home in the apple ecosystem and might get the impression that it doesn’t leave them the freedom to choose from the whole palette of the exotic, fancy, “private” browsers that are listed in that link; try Orion to end your search. https://browser.kagi.com
I came across this post rather late, but thanks again for all the great information. I've been using Brave for a year or so, and it was a bit shocking to read the digdeeper assessment. One reason why I liked using Brave was that the bookmark sync worked across desktop and Android versions of the browser.
The digdeeper article did seem to have a positive assessment of ungoogled-chromium, so I'm trying that now. The xBrowserSync project solves the bookmark sync problem, and its Android app actually works fairly well. Now I'm looking at implementing an xBrowserSync API server in Crystal so I can self-host it on my own site (I found the official API server to be a bit overwhelming with its huge pile of Javascript code and dependencies).