[LCA2019 Chat] Resources from my "Fighting Web Trackers" talk

martin f krafft madduck at madduck.net
Tue Jan 22 12:07:14 AEDT 2019


Dear conferencers,

Thanks to those who attended (or will watch the video about) my talk 
on fighting Web trackers, and reducing your footprint while browsing 
the Web.

Here are the browser extensions I introduced, so that you can check 
them out at your leisure. I am using Firefox, but most of these 
should be available for Chrome as well. Most importantly, however, 
these are all maintained and Free, so you can consider this list as 
bootstrapping your due diligence towards a more private browsing 
experience.

Please let me know if you have any comments or additions.

 1. https://github.com/gorhill/uMatrix, comprehensive 
    resource/sub-request blocker, which eclipses your standard 
    ad-blocker, and can do a whole lot more. By the author of uBlock 
    Origin (https://github.com/gorhill/uBlock), but more bare 
    bones.

 2. https://decentraleyes.org/, serve commonly used Web 2.0 fabric 
    (e.g. jQuery) from localhost to avoid pinging 3rd parties/CDNs 
    helpfully hosting that stuff.¹

 3. https://github.com/Cookie-AutoDelete/Cookie-AutoDelete/, 
    flexible white-/greylisting, and removes cookies on blacklist 
    after a configurable amount of time.

 4. https://github.com/kkapsner/CanvasBlocker/, fuzz two 
    commonly used fingerprinting methods to make it harder for the 
    remote to profile you.

 5. https://www.eff.org/https-everywhere, ensure you don't leak 
    plain text information to snoops on your way.

 6. https://addons.mozilla.org/en-US/firefox/addon/random_user_agent/, 
    https://leotindall.com/randomua/ and 
    https://github.com/ray-lothian/UserAgent-Switcher, three 
    extensions to spoof and fuzz your user-agent. I haven't 
    quite made up my mind as to which one is best, yet.

 7. https://addons.mozilla.org/en-US/firefox/addon/block-service-workers/, 
    dis-allows those potentially long-running threads that can 
    persist way beyond your web site visit from registering. 
    Complements uMatrix's control of Web Workers.

 8. https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/, 
    handy means to control Firefox's built-in containers, which 
    isolate your browsing of certain data-hungry websites from the 
    rest of your activity.

 9. https://github.com/mozilla/lightbeam-we, visualise 3rd party 
    requests.

10. https://developer.mozilla.org/en-US/docs/Tools/Network_Monitor, 
    an introduction to using the network monitor to trace what your 
    browser is doing on the wire.

11. https://browserleaks.com/, a frightening collection of 
    fingerprinting methods you can use to track your progress.

12. https://panopticlick.eff.org/, EFF's anti-tracking checker.

Finally, Ben asked the question what to use for the less 
technically-inclined. EFF's privacy badger 
(https://www.eff.org/privacybadger) uses machine-learning to figure 
out whom you trust, and while I personally want more control and 
transparency of what's going on, this "privacy-by-default" approach 
is great for people who don't want to configure anything. Privacy 
Possum (https://github.com/cowlicks/privacypossum) is an attempt 
to improve on that by someone who worked on Privacy Badger.

Stay safe, keep private,
Martin

Footnote:

¹) There are people who use transparent proxies for this, but SSL 
makes that harder and harder. So what about the browser cache? 
It's true that your browser should be able to just indefinitely 
cache these immutable resources. However, I don't trust that, nor 
the companies to set the expiry headers correctly, and apart from 
that, I believe that caching really only prevents re-transfer, but 
still pings the HTTP host to find out what the current timestamp/eTag is.

For instance, I picked a random static piece of content from 
about:cache: https://assets-cdn.github.com/favicon.ico, which is set 
to expire a year from now. When I load it, there's a genuine 
connection with Github.com/Fastly, including Referer and User-Agent 
and several other bits about me that the other side could use to 
correlate their requests:

  >Host: assets-cdn.github.com
  >User-Agent: browza
  >Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  >Accept-Language: en-US,en;q=0.5
  >Accept-Encoding: gzip, deflate, br
  >Cookie: logged_in=no
  >Connection: keep-alive
  >Upgrade-Insecure-Requests: 1
  >Referer: https://github.com
  >If-Modified-Since: Sat, 01 Jan 2000 00:00:00 GMT
  >Cache-Control: max-age=0

  <HTTP/1.1 304 Not Modified
  <Date: Tue, 21 Jan 2019 09:22:55 GMT
  <Via: 1.1 varnish
  <Cache-Control: max-age=31536000, public
  <Expires: Tue, 20 Jan 2020 19:16:02 GMT
  <Age: 50813
  <Connection: keep-alive
  <X-Served-By: cache-akl1421-AKL
  <X-Cache: HIT
  <X-Cache-Hits: 3353
  <X-Timer: S1534843376.566037,VS0,VE0
  <Vary: Accept-Encoding
  <X-Fastly-Request-ID: 09998a7735d76f5a11507ddde252094145d15ed3
  <timing-allow-origin: https://github.com
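As an added example (my own, not part of Martin's mail), here is a small Python check over the headers quoted above: it computes the 304 response's freshness lifetime under RFC 7234 (max-age takes precedence over Expires), flags that the request's own Cache-Control: max-age=0 tells a conforming cache to revalidate even a fresh entry, and lists the request headers that still let the CDN correlate the conditional fetch. The REQUEST and RESPONSE dicts are constructed copies of the capture; nothing is fetched.

```python
# Constructed copies of the request and 304 response quoted in the footnote above.
REQUEST = {
    "Host": "assets-cdn.github.com",
    "User-Agent": "browza",
    "Accept-Language": "en-US,en;q=0.5",
    "Cookie": "logged_in=no",
    "Referer": "https://github.com",
    "If-Modified-Since": "Sat, 01 Jan 2000 00:00:00 GMT",
    "Cache-Control": "max-age=0",
}
RESPONSE = {
    "Date": "Tue, 21 Jan 2019 09:22:55 GMT",
    "Cache-Control": "max-age=31536000, public",
    "Expires": "Tue, 20 Jan 2020 19:16:02 GMT",
    "Age": "50813",
}


def parse_cache_control(value):
    """Split a Cache-Control field into a dict of lowercase directives."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"')
    return directives


def freshness_lifetime(resp):
    """Seconds a cache may serve the response without asking the origin
    (RFC 7234 section 4.2.1); max-age takes precedence over Expires."""
    cc = parse_cache_control(resp.get("Cache-Control", ""))
    return int(cc["max-age"]) if cc.get("max-age", "").isdigit() else 0


def remaining_freshness(resp):
    """Freshness left on receipt: lifetime minus the Age the caches report."""
    return freshness_lifetime(resp) - int(resp.get("Age", "0"))


def client_forces_revalidation(req):
    """True if the request's own Cache-Control (max-age=0 or no-cache) tells a
    conforming cache to revalidate even a fresh entry (RFC 7234 section 5.2.1)."""
    cc = parse_cache_control(req.get("Cache-Control", ""))
    return "no-cache" in cc or cc.get("max-age") == "0"


def identifying_headers(req):
    """Request headers that still let the CDN correlate this conditional fetch."""
    return sorted(h for h in ("User-Agent", "Referer", "Cookie", "Accept-Language") if h in req)
```

For the captured exchange the entry still has 31485187 seconds of freshness, so the network round trip is caused by the request-side max-age=0, not by the cache entry having expired.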

I've had the idea now that we could have an extension that simply 
auto-answers such outbound requests for resources that we determine 
to be valid if present in local cache. For all that matters, this 
could be a list of hashes of those resources, which would be one 
step closer to simply asking your peers around you whether they 
have a certain hash in their caches, so that you can procure it 
completely offline. How awesome would that be??

-- 
@martinkrafft | https://riot.im/app/#/room/#madduck:madduck.net
 
"as if you could kill time without injuring eternity."
                                              -- henry david thoreau
 
spamtraps: madduck.bogus at madduck.net