privacygirl.com Tips & Tricks for maintaining
your privacy on the internet


Browser Privacy

This section could have been titled Browser Security and Privacy. Security is vital to your web browsing activities. Most likely, many of the sites you visit are unknown to you and so are their intentions. In this section I'll show how to protect yourself from attack sites while still leaving your browser usable. If you're a Windows user, then you MUST run an Anti-Virus program. Click here to see what I recommend.

Privacy is another matter. In this section I'll show how to delete history and take control of cookies, but keep in mind... every site you visit will have a record of your IP address as well as your OS, browser type and language preference which could be used to profile you. Click on the Browser Info tab at the top of this page to see what I mean. In addition... if you use webmail, your IP address is included in each email you send which could give away your location.

Earlier I talked about Domain Name lookup and geolocation databases. If you missed it... basically an IP address can be used to locate your general physical location. This may not be a concern to you, but if you're being pursued by a resourceful attacker or private eye, then this information could assist in finding you. Later I'll show how to use SSH port-forwarding to obfuscate your actual location.

 

Which browser should I use?

OK here it is, I'm just going to say it... the only browser anyone should use is Firefox + NoScript.

I don't want to hear how great IE or Chrome or Safari or Opera or whatever is... it doesn't matter. The issue here is security and privacy. Currently Firefox along with the NoScript add-on is the most secure and capable browser available.

Why is Firefox + NoScript the only browser anyone should use? Here are just a few reasons...

  1. Web site compatibility: According to W3Schools Month by Month Browser Statistics for June 2010 -- Microsoft's browser market share is 31.0% (15.7% IE8 + 8.1% IE7 + 7.2% IE6) and shrinking while Firefox has a 46.6% browser market share. As stated on the W3Schools website: "W3Schools is a website for people with an interest for web technologies. These people are more interested in using alternative browsers than the average user." Wikipedia, using a cross section of reporting sites for the month of May 2010, puts Microsoft's median browser market share at 50.53% and shrinking while the Firefox market share is at 31.26%. Either way, this translates into overwhelming web page compatibility. It used to be that web developers would only write and test for IE, but not any more. If there's still some old crappy web site out there that can only be seen with IE... well it's not worth looking at.

  2. Platform independence: Unlike IE and Chrome and Safari... Firefox runs on all major platforms; Windows, Mac OS X and Linux. I can set my security and privacy minded settings uniformly across all platforms.

  3. Security: Script and plugin exploitation is a real danger when browsing. Web sites can and do run malicious scripts using scripting languages like Javascript and VBscript. Plus there are much more dangerous exploits using plugins like ActiveX controls, Java, Silverlight and Flash. ActiveX controls are especially dangerous because ActiveX is granted such a high level of control over the Windows operating system. Running Firefox eliminates the VBscript and ActiveX controls threat... and installing NoScript blocks the others.

  4. Privacy: Firefox + NoScript blocks Web Bugs and the <a ping...> (HTML5 Draft) feature that is used to track browsing activities.

  5. Other vulnerabilities: Firefox + NoScript blocks Cross-Site Scripting (XSS), Clickjacking and fixes the JAR protocol exploit found in older versions of Firefox.

What does the future hold? Well... here is an eWeek article that reports on a next-generation browser called OP (Opus Palladianum) from the University of Illinois at Urbana-Champaign. The browser project is based on the belief that "current browsers are fundamentally flawed from a security perspective" and that "the idea behind the OP security browser is to partition the browser into smaller subsystems and make all communication between subsystems simple and explicit". I agree wholeheartedly and I look forward to seeing the fruits of their project.

Google has also developed an open source Windows browser (Mac and Linux beta available) called Chrome that's growing in market share. W3Schools Month by Month Browser Statistics for the month of June 2010 puts Chrome's browser market share at 15.9% while Wikipedia (reporting from multiple sites) puts the median market share for May 2010 at 7.72%. Just like the Google search page, it's uncluttered and very simple to use. I've tried it out from remote locations and I have to say; I do prefer the use-model over other browsers AND it's very fast. BUT... there is no protection from malicious scripts and exploits AND I'm not thrilled having yet another Google app prying into my life. My personal opinion is that Google already knows way too much about me and I don't believe their "don't be evil" motto. Just a side note... if you are naive enough to believe that Google has your best interest, then you should read this article by Benjamin Edelman.

With all that said... I'm sticking with my first choice and ONLY recommending Firefox + NoScript.

 

Browser Installation

Now that the "which browser?" question has been answered... it's on to the installation.

 

Installation Table of Contents
Howto install & setup Firefox
  1. Download Firefox
  2. Verify MD5 checksum
  3. Install Firefox
  4. Setup Firefox
Howto install, setup & use NoScript
  1. Download & Install NoScript
  2. Setup NoScript
  3. Using NoScript
Additional Firefox add-ons
  1. Adobe Flash Player
  2. No-Referer

 

Howto install & setup Firefox

  1. If you already have Firefox 3.6.3 installed, then skip to the Setup Firefox section.

  2. If Firefox 3.6.3 is NOT installed AND you're running a Linux distro that contains a package manager, then install Firefox per the instructions that came with your distro's package manager. When you're done, come back and go to the Setup Firefox section.

  3. Otherwise... proceed with downloading Firefox.

 

I. Download Firefox:

For the purpose of these instructions, it's assumed that all files will be downloaded to the Desktop. If that is not the case, then you will need to adjust the instructions to account for the actual file path.

First, go to the Firefox requirements page and check that you meet the minimum requirements. If you meet the minimum requirements, then download one of the builds below, based on your OS.

Linux right-click on the link below and select "Save Link As..."
Firefox 3.6.3 ftp://releases.mozilla.org/pub/mozilla.org/firefox/releases/latest-3.6/linux-i686/en-US/firefox-3.6.8.tar.bz2
MD5 checksum 689232baf90592cf237817c34ac29bb2
  verify MD5 checksum click here when done
 
Mac OS X control-click or right-click on the link below and select "Download Linked File"
Firefox 3.6.3 ftp://releases.mozilla.org/pub/mozilla.org/firefox/releases/latest-3.6/mac/en-US/Firefox 3.6.8.dmg
MD5 checksum aed53bd5ccd99a74cb48b94a8988773f
  verify MD5 checksum click here when done
 
Windows right-click on the link below and select "Save Target As..."
Firefox 3.6.3 ftp://releases.mozilla.org/pub/mozilla.org/firefox/releases/latest-3.6/win32/en-US/Firefox Setup 3.6.8.exe
MD5 checksum e22b1d55b4d450a18bd7b9ddc8b395b7
  verify MD5 checksum click here when done

 

II. Verify MD5 checksum:

Verifying the MD5 checksum will check that the file has not been damaged or tampered with while downloading. You should always check the validity of any downloaded file before running or installing it. MD5 checksum, while not infallible, is commonly used to check file integrity. Here are the instructions for each operating system.

Linux - Verify MD5 Checksum
  1. Create a text file containing the checksum and filename on a single line. It doesn't matter what you call the text file, but convention is to name it filename.md5 (ex. firefox-3.6.8.tar.bz2.md5). Use copy-paste when adding the checksum to the file so you don't make a typo.

    IMPORTANT: There MUST be exactly (2) spaces between the checksum and filename.

    Example: firefox-3.6.8.tar.bz2.md5
      689232baf90592cf237817c34ac29bb2  firefox-3.6.8.tar.bz2  
  2. Now open a terminal and run the md5sum program: "md5sum --check filename.md5" (without the quotes).

    Example: md5sum --check firefox-3.6.8.tar.bz2.md5

    If the checksum passed, you should get a message like this:

    firefox-3.6.8.tar.bz2: OK
  3. Install Firefox click here if checksum passes

 
Mac OS X - Verify MD5 Checksum

There are (2) ways to verify MD5 checksum in Mac OS X.

  1. Go to Apple Downloads and download MD5 Checksum 1.0. Follow the instructions in the README file, then visually verify that the checksums match. Unfortunately, you won't be able to verify the MD5 Checksum 1.0 download file.

  2. Open a terminal (Finder: Applications/Utilities/Terminal) and enter the following commands:

    cd ~/Desktop
    md5 filename

    Replace filename with the actual name of the downloaded file.

    IMPORTANT: You MUST escape any spaces in the filename with a leading backslash.

    Example: Firefox\ 3.6.8.dmg

    Visually verify that the checksums match.

Install Firefox click here if checksum passes
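
The Linux and Mac OS X checks above can be scripted so that the comparison is not done by eye and the same .md5 file works on both systems. This is an added example, not part of the original page: md5_of, verify_md5 and verify_md5_list are hypothetical helper names, the sample file and its checksum are constructed, and filenames in the list are resolved relative to the list file's folder.

```shell
#!/bin/sh
# Added example: check a download against a published MD5 value.
# The expected value must come from a source you trust; helper names
# and the sample data at the bottom are made up for illustration.

# Print the lowercase MD5 digest of a file with whichever tool exists:
# md5sum (Linux) or md5 (Mac OS X). Reading from stdin avoids any
# trouble with spaces or odd characters in the filename.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 < "$1"
    else
        echo "no md5 tool found" >&2
        return 2
    fi
}

# verify_md5 EXPECTED FILE
# Returns 0 on match, 1 on mismatch, 2 if the input is unusable.
verify_md5() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ' \t\r\n')
    file=$2
    # An MD5 digest is exactly 32 hex characters. Reject anything else
    # so a truncated copy-paste is reported instead of "not matching".
    case $expected in
        *[!0-9a-f]*|'') echo "malformed checksum" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 32 ] || { echo "malformed checksum" >&2; return 2; }
    [ -f "$file" ] || { echo "$file: no such file" >&2; return 2; }
    actual=$(md5_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "$file: OK"
    else
        echo "$file: FAILED (got $actual)" >&2
        return 1
    fi
}

# verify_md5_list LISTFILE
# Check every "checksum<2 spaces>filename" line of a .md5 file.
# Trailing blanks and Windows line endings are tolerated; filenames are
# looked up in the list file's folder (md5sum --check uses the current
# directory instead). Returns non-zero if any line fails.
verify_md5_list() {
    list=$1
    dir=$(dirname "$list")
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | sed 's/[[:space:]]*$//')
        [ -n "$line" ] || continue
        case $line in
            *"  "*) ;;
            *) echo "bad line: $line" >&2; status=2; continue ;;
        esac
        digest=${line%%  *}   # text before the first two-space gap
        name=${line#*  }      # text after it (may contain spaces)
        verify_md5 "$digest" "$dir/$name" || status=$?
    done < "$list"
    return "$status"
}

# Constructed sample: a file containing the text "hello" and a .md5
# list written with an uppercase checksum, trailing spaces and CR-LF.
demo() {
    tmp=$(mktemp -d) || return 2
    printf 'hello' > "$tmp/Sample File.bin"
    printf '5D41402ABC4B2A76B9719D911017C592  Sample File.bin  \r\n' \
        > "$tmp/Sample File.bin.md5"
    rc=0
    verify_md5_list "$tmp/Sample File.bin.md5" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}
demo
```

With the functions loaded, verify_md5_list ~/Desktop/firefox-3.6.8.tar.bz2.md5 checks the .md5 file created in the Linux instructions above.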

 
Windows - Verify MD5 Checksum

There are several programs available that will verify MD5 checksum in Windows. Here are instructions for (2) of them. One is from Microsoft and runs in a command window. The other is open source and runs in a GUI.

  1. Instructions for Microsoft's command line MD5 checksum utility:

    1. Download the File Checksum Integrity Verifier utility from the Microsoft Support site.

    2. Double-click and extract it to your desktop.

    3. Move the file fciv.exe to the C:\WINDOWS directory.

    4. Open a command window by clicking on the Start button then select Run...

    5. Enter cmd and click OK

    6. From the command window, enter the following (2) commands:

      cd "c:\documents and settings\username\desktop"
      fciv "filename"

      Replace username with your User Name and filename with the actual name of the downloaded file.

      IMPORTANT: You MUST use double-quotes around any path or filename that contains spaces.

      Example: cd "c:\documents and settings\Owner\desktop"
               fciv "Firefox Setup 3.6.8.exe"
    7. Visually verify that the checksums match.

     

  2. Instructions for GUI based MD5 Sum generator:

    1. Download and install the latest (self extracting) version of Windows MD5 Sum generator from MD5summer.

      Alternatively you could download source and compile it yourself. Source is released under the terms of the GPL and is available from the same location. The topic of compilation is beyond the scope of this web site and is not covered.

    2. Create a text file containing the checksum and filename on a single line. It doesn't matter what you call the text file as long as it ends in .md5; convention is to name it filename.md5 (ex. Firefox Setup 3.6.8.exe.md5). Use copy-paste when adding the checksum to the file so you don't make a typo. Save the file to the desktop.

      IMPORTANT: There MUST be exactly (2) spaces between the checksum and filename.

      Example: Firefox Setup 3.6.8.exe.md5
        e22b1d55b4d450a18bd7b9ddc8b395b7  Firefox Setup 3.6.8.exe  
    3. Start MD5summer by double-clicking the application on the desktop.

    4. At the top of the program window it will say Please select the root folder: select Desktop and click Verify sums.

    5. Select the newly created .md5 file (.md5 extension may not show) and click Open.

    6. You will get a message about one or more ASCII generated sums. This is normal... click OK

      If the checksum passed, you should get a green "OK / Done" indicator.

Install Firefox click here if checksum passes

 

III. Install Firefox:

If Firefox 3.6.3 is NOT installed AND you're running a Linux distro that contains a package manager, then install Firefox per the instructions that came with your distro. When you're done, come back and go to the Setup Firefox section.

Otherwise... follow the installation instructions specific to your Operating System:

Linux - Install Firefox

Go to Installing outside of a package manager and follow the instructions for installing Firefox. Since you have already downloaded Firefox and verified the MD5 checksum, you should start with the extract contents of the download step.

Setup Firefox click here when done

 
Mac OS X - Install Firefox

Go to Installing Firefox on Mac and follow the instructions. Since you have already downloaded Firefox and verified the MD5 checksum, you should start with the Once the download has completed step.

Setup Firefox click here when done

 
Windows - Install Firefox

Go to Installing Firefox on Windows and follow the instructions for installing Firefox. Since you have already downloaded Firefox and verified the MD5 checksum, you should start with the Double-click the file to start the Firefox install wizard step.

Setup Firefox click here when done

 

IV. Setup Firefox:

All Operating Systems

These settings are designed to maximize your security and privacy while still allowing the browser to be usable. Please note... the Firefox setup is identical for all operating systems. The only difference is how you bring up the menu.

  1. Start by opening the Preferences/Options menu for your OS:

    Linux: Invoke Firefox and select the Edit / Preferences menu.

    Mac OS X: Invoke Firefox and select the Firefox / Preferences... menu.

    Windows: Invoke Firefox and select the Tools / Options... menu.

     

  2. Select the Content tab...

    1. Check Block pop-up windows. This should be the default.

    2. Check Load images automatically. This should be the default.

    3. Check Enable JavaScript. NoScript will automatically disable JavaScript. But by checking this, you'll still have the option to enable JavaScript for sites you trust.

    4. Enable Java. For some unknown reason Firefox 3.6.3 buried enable/disable Java under Tools / Add-ons / Plugins. Either way, Java should be enabled in Firefox so that NoScript can automatically disable Java. Sounds confusing, but by enabling Java in Firefox, you allow NoScript to automatically disable it while still having the option to enable it for sites you trust.

     
  3. Select the Privacy tab...

    1. Uncheck ALL History settings. This is to prevent anyone who has access to your computer from spying on your browser activity.

    2. Check Accept cookies from sites.
      Uncheck Accept third-party cookies.

      Third-party cookies are tracking cookies used to gather marketing data and target advertising based on your browsing habits.

    3. Select Keep until: I close Firefox. This will allow cookies while (for example) you're visiting a shopping site, but delete them once you close Firefox.

    4. Check Clear history when Firefox closes.

      You can optionally check Automatically start Firefox in a private browsing session. This will effectively do all of the above with the caveat that site cookies are deleted when closing a tab. So if you're logged into a site that pops open a new tab, closing that tab will automatically log you out.

     
  4. Select the Security tab...

    1. Check Warn me when sites try to install add-ons. This should be the default.

    2. Check Block reported attack sites. This should be the default.

    3. Check Block reported web forgeries. This should be the default.

    4. Uncheck ALL Password settings. Don't rely on any application to store your passwords. Memorize the passwords you use the most and store all passwords on a USB flash that's been encrypted with Truecrypt.

     
  5. Save and close your settings...

    Linux: Click the Close button.

    Mac OS X: Click the Red X close icon.

    Windows: Click the OK button.

     

  6. Before you do anything else... download and install NoScript.

 

Howto install, setup & use NoScript

There are two legitimate sites for downloading NoScript. One is the originating site (noscript.net) and the other is the official Firefox Add-ons site (addons.mozilla.org). While noscript.net is probably a day or two ahead in providing updates, it doesn't offer either encryption or a checksum to verify the validity of the download. Although the chances of a Man-In-The-Middle exploit are EXTREMELY small... I do offer a safe, alternate method that uses MD5 checksum.

I. Download & Install NoScript:

All Operating Systems
  1. First method... download and install NoScript from the originating site:

    1. Launch Firefox.

    2. Go to the NoScript download site.

    3. Drag-and-drop direct download link for NoScript x.x.x up to the address bar.

    4. A Software Installation window will automatically open. Click the Install Now button.

    5. Click the Restart Firefox button when the installation is done.

     

  2. Alternate method... download and install NoScript from Firefox Add-ons site:

    1. Download the NoScript add-on to your Desktop.

      Linux: right-click on the link below and select "Save Link As...".

      Mac OS X: control-click or right-click on the link below and select "Download Linked File".

      Windows: right-click on the link below and select "Save Target As...".

      NoScript ftp://releases.mozilla.org/pub/mozilla.org/addons/722/noscript-2.0.2.3-fx+sm+fn.xpi
      MD5 checksum f97dcf46f9180996fe7efa7d3bba2a92
    2. Verify the MD5 checksum. Go to Verify MD5 checksum section if you need help.

    3. Invoke Firefox and go to the File / Open File... menu.

    4. Select the .xpi file from the Desktop and click Open. You may have to view All Files in order to see it.

    5. A Software Installation window will automatically open. Click the Install Now button.

    6. Click the Restart Firefox button when the installation is done.

 

II. Setup NoScript:

All Operating Systems

The default NoScript settings are actually very good. There are only a few changes that I would recommend.

  1. Invoke Firefox, click on the NoScript icon (bottom-right of the browser window) and select Options...

  2. Select the General tab...

    1. Uncheck Left clicking on NoScript toolbar toggles permissions for current top-level site. Checking this makes it too easy to accidentally grant permissions.

     
  3. Select the Appearance tab...

    1. Uncheck Allow Scripts Globally. This is a real dangerous option and I don't want to see it in the menu.

     
  4. Select the Notifications tab...

    1. Uncheck Show message about blocked scripts. Checking this displays some extra information that doesn't mean much and takes up valuable screen space.

  5. Click the OK button to save the settings.

 

III. Using NoScript

Using NoScript is real easy... By default, all potentially dangerous scripts are blocked. When you visit a trusted site that uses (for example) JavaScript or Flash, you can... temporarily grant permissions or whitelist the site by clicking on the NoScript icon and selecting the appropriate action.

 

Additional Firefox add-ons

I. Adobe Flash Player

Although the Adobe Flash Player has been shown to be susceptible to exploits, there are many legitimate Flash sites that require Flash Player. My recommendation is to install Flash Player and let NoScript automatically disable it. You can then temporarily enable or whitelist sites you trust.

It's unfortunate that Adobe does not provide a method to check the validity of their downloads. However... there is a way to safely download and install Flash Player using SSL (https://). By using SSL, you ensure that the download has not been tampered with since a MITM attack would also have to fake Adobe's SSL Certificate... which is highly unlikely.

If this is too much for you to worry about... then when you get to the step where you enter https://, just click the Agree and install now button...

Linux - Install Adobe Flash
  1. Go to Install Adobe Flash Player

  2. Click on the NoScript icon (bottom-right of the browser window) and select Temporarily allow adobe.com

  3. Click on Select version to download... and choose .tar.gz for Linux.

  4. Place the cursor over the Agree and install now button. Look at the status bar (bottom of the browser window) and enter the path in the address bar, replacing http:// with https://

    Hint: Right-click on the Agree and install now button and go to Properties. You can then copy-paste the URL into the address bar. Don't forget to replace http:// with https://

  5. A dialog box will automatically open... check Save File and click the OK button.

  6. Close Firefox and open a terminal. Now run the following commands:

    cd ~/Desktop
    ls

    Look for the install_flash_player_xxx.tar.gz file and note the exact filename. Now find where the firefox executable is by using the which command.

    which firefox

    Note the path to the firefox executable. In my case, the firefox executable path is /usr/local/bin/firefox. Now grep the file and look for the value of moz_libdir.

    grep moz_libdir /usr/local/bin/firefox

    Note the value of moz_libdir. In my case, the value is /usr/local/lib/firefox-3.6.3. Run the following commands using the values of install_flash_player_xxx and moz_libdir that were previously noted.

    Hint: If you have Firefox 3.5 installed, then grep for LIBDIR instead of moz_libdir.

    tar xzf install_flash_player_xxx.tar.gz
    cd install_flash_player_xxx
    sudo ./flashplayer-installer

    Hint: Use your normal login password when using sudo.

    Enter the moz_libdir value when prompted Please enter the installation path of the Mozilla, Netscape, or Opera browser.

  7. You can launch Firefox after the installation has completed.

 
Mac OS X - Install Adobe Flash
  1. Go to Install Adobe Flash Player

  2. Click on the NoScript icon (bottom-right of the browser window) and select Temporarily allow adobe.com

  3. Click on Select version to download... and choose either Intel-based Macs or PowerPC-based Macs

  4. Place the cursor over the Agree and install now button. Look at the status bar (bottom of the browser window) and enter the path in the address bar, replacing http:// with https://

    Hint: Control-click or right-click on the Agree and install now button and go to Properties. You can then copy-paste the URL into the address bar. Don't forget to replace http:// with https://

  5. A dialog box will automatically open... check Save File and click the OK button.

  6. Close Firefox and double-click install_flash_player icon on the Desktop.

  7. An Install Flash Player application will appear in the Finder. Double-click it to install Flash Player.

  8. You can launch Firefox after the installation has completed.

 
Windows - Install Adobe Flash
  1. Go to Install Adobe Flash Player

  2. Place the cursor over the Agree and install now button. Look at the status bar (bottom of the browser window) and enter the path in the address bar, replacing http:// with https://

    Hint: Right-click on the Agree and install now button and go to Properties. You can then copy-paste the URL into the address bar. Don't forget to replace http:// with https://

  3. A dialog box will automatically open... click the Save File button.

  4. Close Firefox and double-click install_flash_player icon on the Desktop.

  5. You can launch Firefox after the installation has completed.

 

II. No-Referer by Dor

Whenever you click on a link, the URL of the referring page is sent to the new target page. So as an example... if you do a Google search and then click on one of the resulting links, the HTTP referer information containing YOUR search string is sent to the link target. This is a violation of your privacy... No one needs to know what things you are searching for.

Suppose you're doing research about some social disease and the page you're viewing contains an unrelated but interesting link. Do you really want the target site to know where you've been?

No-Referer by Dor is a great little add-on that adds an entry to the right-click context menu, allowing you to open a specific link without sending the HTTP referer information. To the target site, it appears as though you entered the URL directly in the address bar.

 

Install - All Operating Systems
  1. Invoke Firefox and select the Tools / Add-ons menu.

  2. Go to the Get Add-ons tab and click on Browse All Add-ons.

  3. A page will open taking you to the secure (SSL) Mozilla Firefox Add-ons site. Enter no-referer in the search text box and click the arrow to the right.

  4. Scroll down to the No-Referer by Dor add-on and click Download Now.
    Note: The button will say Add to Firefox if you allow NoScript for mozilla.org

  5. A new install window will now appear. Click the Install Now button and then the Restart Firefox button when finished.

 

Important Note:

If you are attempting to install No-Referer on Firefox 3.6.3 -OR- are upgrading to Firefox 3.6.3 and already have No-Referer installed... you may discover that it either doesn't show up when searching Mozilla Add-ons or it won't let you install it due to an "Incompatible Extension" error. This is because many add-on developers have day jobs and can't or don't find the time to keep up with new releases.

You can tell which installed add-ons have failed extension check by going to the Tools / Add-ons menu and looking for a red dot with an exclamation point. These will be the add-ons that fail extension check.

Many add-ons such as No-Referer work just fine with Firefox 3.6.3 if you can get past the extension check. But... Mozilla (for good reason) takes the fail-safe approach and disables any add-on that was not specifically written for the new release.

I've tried No-Referer on Firefox 3.6.3 (Linux, Mac OS X, and Windows) and I'm confident it works. So... if you want to do the same, then here are two ways to load No-Referer.

  1. Download an updated version from the developer (preferred method):

    The developer has changed maxVersion to 3.7 in install.rdf and posted a new .xpi file on his website. This new version will now work with Firefox 3.6.3 (and the yet-to-be-released 3.7).

    1. Click on this link and save the .xpi file to your Desktop.

    2. Invoke Firefox 3.6.3 and go to the File / Open File... menu.

    3. Select the .xpi file from the Desktop and click Open. You may have to view All Files in order to see it.

    4. A Software Installation window will automatically open. Click the Install Now button.

    5. Click the Restart Firefox button when the installation is done.

  2. Disable extension checking (alternate method):

    IMPORTANT If you have any installed add-ons that fail extension check, then it's up to you to test each one and manually disable any that don't work correctly.

    1. Invoke Firefox 3.6.3 and in the address bar type about:config

    2. You'll be greeted with a "This might void your warranty" nag screen. Click I'll be careful, I promise! and continue on.

    3. You should now see a whole bunch of settings. In the Filter bar type extensions.checkCompatibility.3.6 and see if the setting has already been created. If extensions.checkCompatibility.3.6 already exists, then double-clicking on it will toggle the value to false. If extensions.checkCompatibility.3.6 does not exist, then right-click in the main window and select New / Boolean. Enter extensions.checkCompatibility.3.6 and click OK. A new window will pop-up... select false and click OK.

    4. You must restart Firefox for the new setting to take effect. Now you can proceed with installing No-Referer. Be sure to test everything when you're done.

    5. If you want to enable extension checking... just go to about:config and double-click on extensions.checkCompatibility.3.6. This will toggle the value to true. You must restart Firefox for the new setting to take effect. If extension checking is enabled, then any add-on that fails will automatically be disabled.

      NOTE If you are running Firefox 3.5 (or less), the boolean is called extensions.checkCompatibility

 

 

 

The obligatory disclaimer... This web site is for the purpose of disseminating information for educational purposes, free of charge and for the benefit of all visitors. Great care has been taken to provide quality information. However, I do not guarantee and accept no legal liability whatsoever arising from or connected to; the accuracy, reliability, currency or completeness of any material contained on this web site or on any linked site.

 

 

Please direct any questions, comments, rants or raves to:
© 2010 - privacygirl.com

 

 

page last updated: July 12, 2010
 
 