Tuesday, April 27, 2010

Plugging privacy leaks with CsFire

In my last post, I detailed a number of firefox add-ons which serve to keep your web activities as private as possible without going through the hassle of using anonymizers. I mentioned that a major hole in the assembly of tools I outlined there was the lack of 3rd-party cookie blockers. That means that, as you browse to example.com, for example, google can track you there if example.com has links to google embedded in its pages. Ad-block plus doesn't help us there because google isn't identified as an advertiser - only its Adsense servers are. This goes for facebook, nytimes, and any other sites not specifically targeted as advertisers, and for whom we have allowed cookies to operate.

This is the new, real threat to privacy - corporations whose services we would like to use to some extent, but whose prying eyes know no limits: I couldn't get by without google these days, but I certainly don't want them tracking me all over the place.

The only answer I've found so far for this issue is Philippe De Ryck's add-on called CsFire [addons.mozilla.org]. CsFire blocks 3rd-party cookies, and more. It's pretty complex, but it will work out of the box, without modification, for most users (though it allows requests to google and facebook by default - you can change that by implementing "local" policies). With CsFire, you can: block 3rd-party cookies; block 3rd-party HTTP authentication (with the newest versions of firefox); block 3rd-party content from loading; customize behavior on an origin-destination site pair basis; and more.

If you're concerned about corporate invasions of your privacy like I am, I highly recommend using this add-on - it goes a long way to protecting what is being put at risk by ubiquitous services such as google, and social networks such as facebook. Unless you configure it to completely block 3rd party content (I'm considering doing this for facebook and google), these corporations may still be able to track you to an extent via your IP address, but it will be hard for them if you're behind a NAT with lots of other computers. Even if you're not behind a NAT, this add-on will still complicate their tracking tasks *greatly*, and will go a long way towards protecting your privacy.

Saturday, April 10, 2010

Evading big brother online

More than security from hackers while browsing the web, I am concerned about being tracked by big brother corporations. These guys put little tracking bugs in various partner websites, and on their own, to keep track of what you’re doing, and where. I’m sharing my setup for firefox below in the hopes that y’all will benefit from my experience, and will help keep privacy a reality in the 21st century. This setup will incidentally help you with hacker security as well (though the main add-on for that is Noscript, mentioned below).

The main rule in setting these applications up is that you want a “Global Deny” policy, with a user-defined “whitelist” of trusted sites. The whitelist gets built up as you move around the web and slowly add sites to your list. That is, you don’t have to spend time creating these lists before you start, or before you’ll be secure. The point is that it’s easy. Having said that, this setup probably ain’t for granny. But if you have just a modicum of savvy, or the desire, this should work for you just fine.

Here are the add-ons I’ve installed in Firefox (and sometimes my email client, Thunderbird, too):

Ad-Block Plus

When you install this, you can also install a number of “filters”. I use EasyList, EasyPrivacy and fanboy-adblock. Don’t install a bunch of filters – it will be redundant, and will slow down your browser.

This add-on is not only good to block tracking sites, but it will block advertisements as well. I didn’t care about the latter initially, but there wasn’t a good way to just block tracking sites, so I installed the full set of filters. And boy – how much nicer the web became! Not only are ads generally annoying and intrusive (and we already see enough of them every day), they take up your bandwidth! For the bandwidth-limited, this add-on will improve your web experience even further by speeding things up.

CS Lite

This add-on controls what sites can put cookies on your browser.
You should set the preferences to “Deny cookies globally”. Whenever you come across a site that you trust, and that doesn’t seem to be working for you, click on the CS Lite icon in the status bar and set the site to either “allow cookies”, “allow cookies for session”, or “temporarily allow cookies”. I set up most of my cookies for the session (which deletes them after a time, so you have to log in again later).


This keeps your browser from telling sites where you came from. This is important because you can be tracked by these referrer strings. Let’s say you’re on your account page for a site, and there’s an ad from doubleclick on that page. Normally, even if you’ve blocked cookies from doubleclick, they will see the site you came from when you see their advertisement. If there is identifiable information in the web address where you are (for example, an account number embedded in the URL), doubleclick could track you even without cookies (theoretically). Regardless, in general, it’s not a great idea to be sending around such information to sites that log your visits.

If you have problems with a site, right-click on the ref-control icon in the status bar, go to options, and add the site to your exceptions list (just like the cookies).

My settings:
Default set to Block


Flash can set cookies also, but they’re different from normal cookies, so you need a different add-on to control them.

My settings:
Set to delete cookies without asking upon shutdown

Other interesting plugins:

Noscript – starting to use this myself. Again, deny globally, with a user-defined whitelist.

Ghostery – show web bugs and other thingys that ad-block doesn’t catch.

Trackmenot – sends random searches to search engines in order to muddy their characterization of your web behavior.

A Note:

One problem with this setup is that I need to allow some sites to track me, such as Google, in order to take advantage of their functionality. Google is the ultimate big brother. What we can do in this case, however, is to block “3rd party cookies”.

What that means is that, if you go see the google advertisements to the right of this blog post, google knows that *you* are browsing my blog (if you have google cookies). But those cookies don’t belong to blogspot.com – they belong to google.com. Hence, they are a “3rd party”. By blocking these 3rd party cookies, google and other sites you’ve allowed cookies for will only be able to track you, for the most part, when you’re on their respective pages (such as google.com), but not when you’re on other pages (such as nytimes.com). Unfortunately, CS Lite doesn’t have an option to block 3rd party cookies yet (I submitted a query about it – we’ll see if it gets addressed).
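The first-party/third-party distinction described above, together with the per-site-pair "local" policies mentioned in the CsFire post, can be modelled in a few lines. This is an added example, not CsFire's own code: the `siteOf` helper, the policy table and the sample headers are constructed for illustration, and the site calculation is a simplification (a real implementation consults the Public Suffix List).

```javascript
// Added example: simplified model of a third-party request policy.
// Assumption: a host's "site" is its last two labels, or three for the few
// multi-label suffixes listed here. Real code must use the Public Suffix List.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);

function siteOf(url) {
  const labels = new URL(url).hostname.toLowerCase().split(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Hypothetical local policy keyed on "origin site -> destination site".
// Actions: "allow" (send credentials), "strip" (default), "block" (no request).
const localPolicy = new Map([
  ["blogspot.com -> google.com", "block"],
  ["nytimes.com -> facebook.com", "block"],
  ["youtube.com -> google.com", "allow"],
]);

const CREDENTIAL_HEADERS = ["cookie", "authorization"];

function applyPolicy(pageUrl, requestUrl, headers, policy = localPolicy) {
  const origin = siteOf(pageUrl);
  const dest = siteOf(requestUrl);
  if (origin === dest) {
    // Same site: the request is first-party and goes out unchanged.
    return { action: "first-party", headers: { ...headers } };
  }
  const action = policy.get(`${origin} -> ${dest}`) || "strip";
  if (action === "block") return { action, headers: null };
  if (action === "allow") return { action, headers: { ...headers } };
  // Default for third-party requests: send it, but without credentials.
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!CREDENTIAL_HEADERS.includes(name.toLowerCase())) kept[name] = value;
  }
  return { action: "strip", headers: kept };
}

// Constructed sample: a page on nytimes.com embedding a google.com resource.
const sample = applyPolicy(
  "https://www.nytimes.com/article",
  "https://www.google.com/widget.js",
  { Cookie: "PREF=constructed", Accept: "*/*" }
);
console.log(sample); // action "strip": Cookie removed, Accept kept
```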

Regardless, even if we manage to block 3rd party cookies at some point, Google will still know the IP address from whence the request is coming. So if they’re smart (and they’re pretty smart), they’ll still probably be able to track you with your IP if you’ve visited google.com recently (which you probably have). One answer to the IP-tracking problem is to block ads in the first place, and that’s where Ad-block Plus comes in. By blocking your browser from getting the ads from google’s (or others’) ad-servers in the first place, google will have no way of knowing you’ve gone to pages where their ads are shown. Another option is to use a TOR (http://www.torproject.org/) proxy setup which changes your apparent IP address every so often, but that’s getting a bit beyond the scope of things here. Feel free to look it up online.