Privacy and security on the modern web

The modern web is fantastic — it offers super advanced functionality and APIs to the point where Progressive Web Apps are actually plausible replacements for full-blown native programs (although I personally am against them, it’s clear that they satisfy the use cases for the vast majority of users, given their popularity).

But the modern web is also a privacy nightmare. Trackers, analytics, you name it, it’s there. JavaScript APIs to sniff location, Bluetooth state, battery state — it’s ludicrous. Browser fingerprinting, where the interested party uses attributes of your browser (such as screen size, color depth, operating system, and so on) to track you (possibly without cookies), is more of a concern than ever. All of this on top of the fact that browser makers themselves have access to a wealth of information about the user, something that doesn’t escape the notice of e.g. Google or Microsoft.

So what can we do? What can we, the humble users of these products, do to protect ourselves from all this tracking? Well…as someone who’s been trying to fight this stuff since I learned about it, I’ve come up with a couple of tricks, which seem to work fairly well.

Of course, standard disclaimer: Please take this with a grain of salt! There may be things I’m missing and haven’t thought about. If you’re in a situation where a slip-up may cost you your life, please seek out solutions built for your specific situation — this is more for the general user who cares about privacy but doesn’t face dire consequences should they be unmasked.

  1. Use Firefox. Of the mainstream browsers, it’s by far the most privacy-respecting, and they’ve been integrating some awesome stuff from Tor (via the “Tor Uplift”) that we’ll cover in later points. Some of the later mitigation techniques rely on Firefox (or a fork which implements those points). See my note about Chromium-based privacy browsers at the end for more information.
  2. Use a VPN. I won’t go into it here (maybe I’ll do that in a future post), but one of the biggest identifiers you will always send is your IP address — it’s how your browser is able to get any websites at all. The problem is that your IP address can easily be tied to a general vicinity (so doing things like disabling the Geolocation API as we do below won’t really help, since they can just look up your IP address). Using a VPN (look for a no-logging VPN) can help by effectively disguising your location. As a bonus, using one that is fairly popular means that your IP address becomes mostly worthless, at least on its own. And since that’s largely the one identifier you have to send, masking it effectively is crucial to a proper privacy routine.
  3. Disable various JavaScript APIs. In Firefox, you can disable the following APIs by going to about:config:

    • Beacon API (Set beacon.enabled to false)
    • Battery API (Set dom.battery.enabled to false)
    • Performance API (Set dom.enable_performance to false)
    • Resource Timing API (Set dom.enable_resource_timing to false)
    • Clipboard events API (Set dom.event.clipboardevents.enabled to false)
    • Context menu event (Set dom.event.contextmenu.enabled to false)
    • High resolution timestamp (Set dom.event.hirestimestamp.enabled to false)
    • Asynchronous Clipboard API (Set dom.event.asyncClipboard.enabled to false)
    • FileHandle API (Set dom.event.filehandle.enabled to false)
    • Gamepad API (Set dom.gamepad.enabled, dom.gamepad.extensions.enabled, and dom.gamepad.haptic_feedback.enabled to false)
    • IndexedDB API (Set dom.indexedDB.enabled to false)
    • Pointer Lock API (Set dom.pointer-lock.enabled to false)
    • Service Worker API (Set dom.serviceWorkers.enabled to false)
    • Storage API (dom.storage.enabled): Leave this one enabled! Disabling it tends to break many websites.
    • Vibration API (Set dom.vibrator.enabled to false)
    • Oculus VR API (Set dom.vr.oculus.enabled and dom.vr.oculus.invisible.enabled to false)
    • WebAudio API (Set dom.webaudio.enabled to false)
    • Notifications API (Set dom.webnotifications.enabled to false)
    • Window.event API (Set dom.window.event.enabled to false)
    • Geolocation API (Set geo.enabled to false)
    • Web Speech API (Set media.webspeech.synth.enabled to false)
    • WebGL (Set webgl.disabled and webl.disable-webgl to true)

    There are more preferences for other APIs which I did not include as they are disabled by default, and some of these may break some websites or your particular workflow, so play around with enabling and disabling these APIs until you reach a state that works for you.

  4. Enable Contextual Identities (Containers). In order to prevent various methods of client-side tracking (think: cookies, local storage, etc), enable and use Firefox Containers. It is basically a generalization of Private Browsing mode, where each container has its own set of cookies, local storage, and so on. Containers are built into more recent versions of Firefox, but to enable them and use them effectively, you should install Multi-Account Containers. Using that extension, you can create new containers, open a tab in a specific container, and so on. A great companion extension is Temporary Containers, which can be set up to automatically create and delete containers based on certain rules. For maximum privacy, enable “Deletes History” Temporary Containers (in “Advanced”) and tell the extension to isolate subdomains. Warning: This will break logins on several webpages, so either be prepared to create exceptions for certain websites or have a separate profile for logging into sites.
  5. Enable First-Party Isolation. First-Party isolation automates (to some extent) the segregation provided by Containers and can act as another layer of defense, especially in the case that you don’t use Temporary Containers or another extension like it to automate the segregation. Imagine that sites A and B both have a Facebook tracker embedded. When Facebook stores a cookie through site A, the cookie will be called A.facebook.com. When Facebook stores a cookie through site B, the cookie will be called B.facebook.com. This is a very simplistic explanation, but it hopefully helps get the point across of the value of First-Party Isolation — it helps ensure that common third parties (read: Facebook, Google, Amazon) cannot easily track you across sites — even if they’re all loaded in the same container. To enable First-Party Isolation, go to about:config and set privacy.firstparty.isolate to true.
  6. Enable fingerprinting resistance. This preference helps ensure that your computer looks “the same” as any other computer using this preference. That is, it tries to help foil the browser fingerprinting techniques discussed in the opening of this post. Keep in mind that this may cause issues with certain websites, and unfortunately there is no easy way to disable the preference on a specific site. That being said, I personally have not run into too many issues when browsing with this preference enabled. To enable fingerprinting resistance, go to about:config and set privacy.resistFingerprinting to true. If you want to be notified of websites attempting to read your canvas data (the HTML5 Canvas is yet another fingerprinting mechanism, so fingerprinting resistance obfuscates your canvas data), you should also set privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts to false — this can help if something like WhatsApp Web (which generates a QR code) silently fails.

    Note: This preference can break some things. Most notably, it may prevent you from installing certain extensions the usual way (e.g. by clicking on the “Add to Firefox” button on addons.mozilla.org). You can get around this in two ways:

    • Temporarily disable the preference, install the extension, and toggle it back.
    • Right click on the “Add to Firefox” button and click “Inspect Element”. Copy the href attribute and paste it — this will bypass the user agent check that addons.mozilla.org does and allow you to install the extension.

    That being said, most extensions (in my experience) install just fine even when fingerprinting resistance is enabled.

  7. Enable built-in tracking protection. It’s useful to have a decent content blocker enabled as a fallback for when you need to disable some of the extensions below (e.g. uBlock Origin or uMatrix) because they’re too aggressive (it happens rarely, but it does happen). To enable this, go to about:preferences and select the Privacy tab. You should enable Firefox’s built-in tracking protection using the strict list in all windows (select “Custom” and tick the appropriate boxes). You can also tell Firefox to reject all third-party cookies to at least get some additional privacy if you’re not going to use Cookie AutoDelete. If you’re using Cookie AutoDelete, you can go ahead and uncheck the Cookie box entirely, since having multiple places cookies are handled can get a bit confusing and hard to manage.
  8. Change your search engine. All of this is useless if you’re still using Google as your search engine! I recommend either Startpage or DuckDuckGo. In Firefox, you can do this by going to about:preferences and clicking on the Search tab.
  9. Install privacy-enhancing extensions. While the last few tricks only worked on Firefox (now you can see why I recommend it), this tip should work on both Chromium-based and Firefox-based browsers. The list of extensions I use as well as what they do is given below:

    • Cookie AutoDelete: Automatically delete cookies once they’re no longer needed. (Firefox)
    • Decentraleyes: Intercept and serve scripts and stylesheets from popular content delivery networks (CDNs), thereby ensuring you never connect to them. (Firefox)
    • firewall: Allow editing of user agent, headers, etc. (Firefox)
    • HTTPS Everywhere: Easily disable all unencrypted connections (prevents eavesdropping, man-in-the-middle-style attacks). (Firefox)
    • Privacy Possum: Obfuscates data commonly used by trackers (mainly a fallback mechanism if everything else fails). (Firefox)
    • Request Control: Remove tracking parameters from URLs, disable certain classes of resources from loading. (Firefox)
    • Skip Redirect: Automatically skip to the final request (useful when you have a tracking URL that redirects to the actual website after logging that you’re visiting it — see: Google Search). (Firefox)
    • uBlock Origin: Flexible content blocker (blocks ads, malware, etc). (Firefox)
    • uMatrix: More advanced content blocker (you can block or allow certain requests from certain domains on certain domains — for example, you can allow facebook to load, but only on facebook.com (and block it everywhere else)). (Firefox)
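
To check which of the about:config settings from steps 3, 5 and 6 a profile actually carries, the sketch below (an added example for Node.js, not part of the original post) parses the text of a profile's prefs.js or user.js and compares it with a subset of the values listed above. Firefox only writes prefs that differ from their defaults to prefs.js, so a missing entry is reported as unset rather than wrong; the sample file content is constructed.

```javascript
const RECOMMENDED = {
  "beacon.enabled": false,
  "dom.battery.enabled": false,
  "dom.enable_performance": false,
  "dom.enable_resource_timing": false,
  "dom.serviceWorkers.enabled": false,
  "dom.webaudio.enabled": false,
  "geo.enabled": false,
  "webgl.disabled": true,
  "privacy.firstparty.isolate": true,
  "privacy.resistFingerprinting": true,
  "dom.storage.enabled": true, // the post says to leave this one enabled
};

// Parse user_pref("name", value); lines. A later line overrides an earlier one.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue; // comments, blank lines, anything else
    try { prefs.set(m[1], JSON.parse(m[2])); } catch { /* skip odd values */ }
  }
  return prefs;
}

// Sort each recommended pref into ok / mismatch / unset. "unset" means the
// file does not override the pref, so the browser's built-in default applies.
function audit(text) {
  const prefs = parsePrefs(text);
  const report = { ok: [], mismatch: [], unset: [] };
  for (const [name, want] of Object.entries(RECOMMENDED)) {
    if (!prefs.has(name)) report.unset.push(name);
    else if (prefs.get(name) === want) report.ok.push(name);
    else report.mismatch.push(name);
  }
  return report;
}

// Constructed sample, not taken from a real profile.
const SAMPLE = `
user_pref("geo.enabled", false);
user_pref("webgl.disabled", true);
user_pref("dom.storage.enabled", false);
user_pref("privacy.resistFingerprinting", false);
user_pref("privacy.resistFingerprinting", true);
user_pref("browser.startup.homepage", "about:blank");
`;
console.log(audit(SAMPLE));
```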

There are probably things I missed — stuff I did long ago that I set once and completely forgot about. Let me know if I missed something — if there are additional APIs I should be disabling or additional extensions I should be using.

I’ll also try to keep this updated as additional APIs (and methods to disable them) crop up or as additional privacy-enhancing extensions appear.

Note: Many of the mitigation techniques I describe here (for example, First-Party Isolation, fingerprinting resistance, and containers) are only available on Firefox. While you can obtain some measure of protection through the extensions listed at the end (which exist on Firefox-based and Chromium-based browsers) and while there are some fingerprinting mitigations available in e.g. ungoogled-chromium, I have come to the conclusion that if you want privacy, you need to use something Firefox-based (whether Firefox or a fork/derivative that keeps up with the latest features privacy-wise). There is simply no match for the depth and breadth of features and options available to Firefox users to lock down the browser.
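
The First-Party Isolation idea from step 5 can be modelled in a few lines. This is an added example, not code from the original post or from Firefox: a deliberately simplified cookie jar whose storage key includes the top-level site when isolation is on, with hypothetical host names (tracker.example, site-a.example, site-b.example).

```javascript
// Simplified model of a cookie jar; real browsers key on more attributes.
class CookieJar {
  constructor(firstPartyIsolation) {
    this.fpi = firstPartyIsolation;
    this.store = new Map();
  }
  // With isolation on, the top-level site becomes part of the storage key.
  key(topLevelSite, cookieHost, name) {
    return (this.fpi ? topLevelSite : "") + "|" + cookieHost + "|" + name;
  }
  get(topLevelSite, cookieHost, name) {
    return this.store.get(this.key(topLevelSite, cookieHost, name));
  }
  set(topLevelSite, cookieHost, name, value) {
    this.store.set(this.key(topLevelSite, cookieHost, name), value);
  }
}

// A third-party tracker embedded in a page: reuse its "uid" cookie if the
// browser sends one, otherwise mint a new one. Returns the uid it logs.
function trackerSeen(jar, topLevelSite) {
  const host = "tracker.example"; // hypothetical third party
  let uid = jar.get(topLevelSite, host, "uid");
  if (uid === undefined) {
    uid = "u" + (jar.store.size + 1);
    jar.set(topLevelSite, host, "uid", uid);
  }
  return uid;
}

// Visit site A, site B, then site A again; return the uids the tracker logged.
function browse(firstPartyIsolation) {
  const jar = new CookieJar(firstPartyIsolation);
  return ["site-a.example", "site-b.example", "site-a.example"]
    .map((site) => trackerSeen(jar, site));
}

console.log("isolation off:", browse(false)); // one uid across both sites
console.log("isolation on: ", browse(true));  // a separate uid per top-level site
```

With isolation on, the tracker still recognises a return visit to the same site; what it loses is the ability to join the two sites' visits under one identifier.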

7 thoughts on “Privacy and security on the modern web”

  1. Hi, Chiraag. Thanks for this article!

    It’s also important to use private search. Two possibilities are Startpage.com and DuckDuckGo.

    Startpage delivers mainly Google search results in privacy, DuckDuckGo mainly Yahoo/Bing results in privacy.

    You might want to try the Startpage.com Anonymous View feature when you want to protect against fingerprinting. Many people find the fingerprint protection strategies you recommend to be very helpful, but your info may still leak. You may test this at EFF’s Panopticlick: https://panopticlick.eff.org/

    1. How could I forget?! Of course! I added a note about changing your search engine, thanks for that!

        1. Interesting stuff! It does bother me that they keep treating “proxy” and “VPN” as interchangeable terms, when they’re very clearly not (the main way a VPN bypass happens is if there’s a DNS leak, and that’s usually a misconfiguration that can easily be fixed, whereas proxies are incredibly easy to bypass, for example).

          What I presume happens (correct me if I’m wrong) is that they effectively have a server (or multiple?) running whose only job is to request pages for the proxy and the website injects the downloaded page into an iframe. Because the source is another startpage domain, it effectively protects against your ISP snooping. Clever! But I wonder why they wouldn’t just say that…they make it sound a lot more complicated than it actually is, technically speaking, right?

    2. I think the key thing about fingerprinting is that proactive measures are better than reactive measures, right? So, for example, it’s better to block JavaScript from executing at all than to try to spoof the values it will read. Indeed, the people behind Panopticlick make the same point:

      Browser fingerprinting is quite a powerful method of tracking users around the Internet. There are some defensive measures that can be taken with existing browsers, but none of them are ideal. In practice, the most realistic protection is using the Tor Browser, which has put a lot of effort into reducing browser fingerprintability. For day-to-day use, the best options are to run tools like Privacy Badger or Disconnect that will block some (but unfortunately not all) of the domains that try to perform fingerprinting, and/or to use a tool like NoScript for Firefox, which greatly reduces the amount of data available to fingerprinters.

      For example, after all of these mitigation techniques, the biggest identification vector (in my personal setup) is the font list. For most people (i.e. before these techniques), it will be their canvas hash or their user agent or something else like that, which provides far more data (especially canvas hash, resolution + color depth, etc).

      I guess my point is that these mitigation techniques, employed properly, can help cut down on the number of domains even able to fingerprint you while also increasing the amount of uncertainty in the fingerprint.

      One thing I forgot to mention (which I will add now) is that a VPN is extremely helpful in this effort, if properly chosen.

      1. A VPN is very helpful, and I agree that proactive mitigation is better if it works and the user is savvy, like you. Stringent restrictions 24/7 can break sites and make surfing a chore.

        1. I guess it’s all about finding that balance! For sites I visit frequently, I take the time to figure out the exact uMatrix rules that won’t break it and save them, which means going back afterwards is painless.

          But you’re right that sometimes, things can break (especially with my stringent Temporary Containers configuration), in which case I have a failsafe profile with no extensions but most of the config options here and on permanent private browsing mode. Not perfect, but better than a stock profile as a fallback!
