Safe And Secure Surfing With Firefox
From Mshiltonj wiki
When surfing on the Web, I'm a little paranoid, and I think that's a good thing. It's surprising and a bit scary to know just how much data web sites can collect about a person, just from tracking their casual surfing habits. I've taken a few steps to protect my privacy, security and safety while online. This article discusses some of them.
Why I am concerned
Many companies have huge databases that collect and store information about people and their surfing patterns, and with enough data crunching, they can build a pretty clear picture of who they are and what their habits and interests are, even down to specific individual users. With all the mergers and acquisitions in the Web space, more and more of these databases can now talk to each other.
For example, Rupert Murdoch can now know who your favorite bands are on MySpace, which video games you play and who your favorite hot babes are over on Underground Online, whether or not you watch The O'Reilly Factor, and what your favorite sports team is. Many different web sites are often owned by the same company, and they have banks of computers that crunch data to find out as much about people as they can.
Newscorp is just one example. All media and Internet companies of any significant size will do this.
With IP Geo-coding, web site owners can track where people are -- physically. Matching a person's physical location with their behavioral habits can be used to create a very clear picture of who they are.
As a demonstration, put your zip code in this ESRI Community Tapestry form and see just how much information they know about you just by knowing your IP address. This is just the publicly available information. For a few extra dollars, internet companies can get reams of detailed information.
If you've ever entered your home address in an online mapping application to get driving directions, they know where you live. That information can be cross-referenced with other public records to find out exactly who you are, especially if you own your own home.
If you've ever entered your email address to get a news alert, they know how to contact you.
And once businesses have a few relevant bits of information, the rest can be filled in by inference, like completing the last few squares on a sudoku puzzle, or the last few pieces of a puzzle.
Warning
I should note that many of these steps require some diligence on my part. I don't get improved privacy and security for nothing. When I first set some of these things up, it took me a few days to a couple weeks of semi-regular configuration, one web site at a time, to get the proper settings and exceptions allowed. For example, I allow cookies to be set and javascript to run on Reddit, Bloglines and Google. But I only let cookies be set on Slashdot; I don't permit javascript. Each time I create one of these exceptions, I need to modify the settings on one more Firefox extension, to override blanket refusal rules that apply more generally.
My approach is to limit a particular web site in my browser as much as I can, while still being able to use the site. I try to keep its leash short, unable to do things unless I want it to -- that is, unless it benefits me in some way.
It required some patience on my part to get through this stage. But once I got the permissions set up for the sites I regularly visit, it got much easier.
I suppose I only use a few dozen sites on a regular basis: A few technology sites, a few shopping sites, a few news sites, a few game sites, a few niche or community sites, etc. The list is very finite. These are sites I trust.
Now that I've set up my browser to trust my core group of regular sites, I have a virtual wall of protection between me and all the other sites on the internet, and I rarely have to modify my configurations. Now, when I do a Google search and click through on some link, I don't have to worry about spyware, adware, marketers, ads, exposing my browsing habits, identifying myself, or any of the other things that used to happen.
For me, the trade-off is worth it. If I come across some random site and see that it's trying to set fifteen cookies from ten different domains, serve up twenty ads, and run half a dozen scripts, I'm a bit annoyed that they would try to take advantage of me that way. Now, I'm protected.
Specific steps to take
Why provide more information to marketers and data analysts than you have to? Why take the chance that this information might fall into the hands of hackers and thieves? I've compiled some steps I've taken to keep my web surfing as safe and private as possible.
Use Firefox
Most importantly, I use the Firefox browser (version 1.5) for surfing the Internet.
Using Internet Explorer, the current dominant browser, is asking for trouble from spyware and adware distributors. Do not use it. Even the United States Computer Emergency Readiness Team (US-CERT) recommends using a different web browser and to stop using Internet Explorer.
The Firefox browser is written by developers who do nothing but write an application that makes browsing better for users, and better for web site developers. They are not trying to promote a proprietary technology, crush a competitor, or push some broader corporate agenda.
Firefox is inherently more secure than MSIE because it doesn't hook into all the operating system internals. It also has a great extension framework that allows others to create many of the extensions I discuss below.
Even if you do nothing else, switching to Firefox from Internet Explorer is the strongest step you can take to improve your online experience. I highly recommend it.
Change the default cookie settings
- In Firefox, go to your Preferences window. (On Linux, it's on the Edit > Preferences menu option)
- Click on the 'Privacy' icon.
- Click on the 'Cookies' tab.
- Here, set the following options:
  - Checked: Allow sites to set cookies
  - Checked: For the originating site only
  - Checked: Unless I have removed cookies set by the site
  - Keep Cookies: until I close Firefox.
This is the strongest cookie restriction setting I've found I could live with without being too irritated, and I admit I've wavered for periods of time. This lets sites create cookies to track various things, but doesn't let third party cookies get created. It also doesn't let cookies live permanently on your computer.
For example, if you go to the famous Drudge Report web site with no cookie restrictions, it will create 10 cookies from 4 separate third parties, one of which is atdmt.com, a company that "provides agencies, marketers, and publishers with the technology and services they need to execute fully integrated online marketing campaigns." Reload the page a couple more times and you get more cookies from more vendors, from places like fastclick.com, doubleclick.com and advertising.com.
Many web sites use the same third party advertising service to handle their ads. These companies can know just as much about people as the web sites themselves, if not more. It is possible for a single advertising company that you've never heard of to have a detailed history of people's web traffic, even if many of the individual web sites they visit have no relationship with each other -- other than the fact that they use the same third-party advertising company.
The advertising company is the common denominator, and even though individuals have no direct relationship with them, they will know a lot about people. To better sell ads.
All because people didn't stop these sites from putting a cookie on their computer.
The above cookie settings put a stop to much of that. The preferences also allow me to create exceptions on a case-by-case basis, putting the control in my hands. Some sites I go to won't work without third-party cookies, and I have to decide (by clicking the "Exceptions..." button on that Preferences window) to let the cookies be set, if I think the site or service is worth it.
This puts a lot of power in my hands. It also puts some responsibility in my hands as well.
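The effect of these settings on a shared advertising company can be modelled in a few lines. This is an added example, not Firefox code or code from the original article: the policy fields, the `AdNetwork` class and all `.example` host names are assumptions, and the model lets the network recognise a visitor only by cookie.

```javascript
// Added illustration: every host name below is a constructed .example name.
// Simplified "site" = last two DNS labels; real browsers use the Public Suffix List.
const siteOf = (host) => host.toLowerCase().split('.').slice(-2).join('.');

// Decide whether a Set-Cookie from requestHost is stored while viewing pageHost.
// policy.firstPartyOnly models "For the originating site only";
// policy.exceptions models the "Exceptions..." list (site -> 'allow' | 'block').
function acceptsCookie(policy, pageHost, requestHost) {
  const site = siteOf(requestHost);
  const rule = policy.exceptions.get(site);
  if (rule) return rule === 'allow';          // an explicit exception wins
  if (!policy.allowCookies) return false;
  const thirdParty = siteOf(pageHost) !== site;
  return !(thirdParty && policy.firstPartyOnly);
}

// A hypothetical ad network embedded on many unrelated sites. It reuses the id
// the browser sends back, or mints a new one, and logs which site showed the ad.
class AdNetwork {
  constructor(host) {
    this.host = host;
    this.nextId = 1;
    this.profiles = new Map();                // cookie id -> [sites seen]
  }
  serveAd(cookieId, pageHost) {
    const id = cookieId || `visitor-${this.nextId++}`;
    if (!this.profiles.has(id)) this.profiles.set(id, []);
    this.profiles.get(id).push(siteOf(pageHost));
    return id;                                // value it asks the browser to store
  }
}

// One browser session: the jar starts empty and is dropped when the function
// returns, modelling "Keep Cookies: until I close Firefox".
function browseSession(policy, network, pages) {
  const jar = new Map();
  const adSite = siteOf(network.host);
  for (const pageHost of pages) {
    const id = network.serveAd(jar.get(adSite), pageHost);
    if (acceptsCookie(policy, pageHost, network.host)) jar.set(adSite, id);
  }
}

// Longest browsing history the network could tie to a single cookie id.
function longestProfile(network) {
  return Math.max(0, ...[...network.profiles.values()].map((p) => p.length));
}

const PAGES = ['www.news.example', 'shop.example', 'forum.hobby.example'];
const OPEN = { allowCookies: true, firstPartyOnly: false, exceptions: new Map() };
const STRICT = { allowCookies: true, firstPartyOnly: true, exceptions: new Map() };

// Run a number of sessions over the same pages and summarise what the network learned.
function demo(policy, sessions) {
  const network = new AdNetwork('ads.tracker.example');
  for (let i = 0; i < sessions; i++) browseSession(policy, network, PAGES);
  return { ids: network.profiles.size, longest: longestProfile(network) };
}

console.log('no restrictions :', demo(OPEN, 1));
console.log('first-party only:', demo(STRICT, 1));
console.log('open, 2 sessions:', demo(OPEN, 2));
```

With no restrictions the network links all three sites to one id; with the originating-site-only rule each ad request looks like a new visitor, and closing the browser breaks the link between sessions even when third-party cookies are accepted.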
Change the Javascript default settings
- Go to your preferences page.
- Click on the "Content" icon.
- Next to the "Enable Javascript" checkbox, click on the "Advanced..." button.
- On the "Advanced Javascript Settings" dialog, make sure all the options are UNchecked.
  - Uncheck: Move or resize existing windows
  - Uncheck: Raise or lower windows
  - Uncheck: Disable or replace context menus
  - Uncheck: Hide the status bar
  - Uncheck: Change the status bar text
I've never seen any of these options be used in a useful way, and I've seen them be used to mislead users many times.
Specifically, malicious web sites can make it look like I'm going to GoodSiteA if I click on a link, but clicking on it will actually take me to BadSiteB.
Without these settings, you cannot trust what your status bar is telling you.
Change the default Clear Private Data rules
- Go to the Preferences window.
- Click the "Settings..." button at the bottom of the tab where it mentions the "Clear Private Data tool"
- On the "Clear Private Data" dialog, check all checkboxes except "Clear private data when closing Firefox"
  - Check: Browsing History
  - Check: Saved Form Information
  - Check: Download History
  - Check: Cookies
  - Check: Cache
  - Check: Authenticated Sessions
  - UNCheck: Clear private data when closing Firefox
  - Grayed: Ask me before clearing private data
By setting the tool like this, all of my private information is completely purged from the computer when I decide to clear it, except my bookmarks. Not changing the default settings will still leave personal data in the browser.
I probably should check the "Clear private data when closing Firefox," but I don't feel that paranoid. Yet.
Clear Private Information Often
Firefox can do a lot of work for me: Saving passwords, auto-filling forms, completing web addresses, etc. It's terribly seductive and convenient, but it also means the browser also stores a lot of information about my browsing habits -- probably more than I would like.
This information is kept locally, meaning it is not transmitted to web sites I visit. However, if my computer is ever compromised by spyware or adware or some computer virus, then this information can be harvested for malicious use. Also, unless I am absolutely the only person who uses the computer, any competent person using the system can get at most of my browser information. Why leave it sitting around for prying eyes, like a roommate?
I make use of these browser conveniences, but I don't depend on them. About once a month, I make sure to clear out all of my private information. I delete my browser history and cache, and delete all my cookies. (Even with all these safeguards, I'm still surprised at how many cookies get set.) On Linux, Firefox will clear all private data through the Tools > Clear Private Data menu option or the Ctrl+Shift+Del keyboard shortcut.
Install the Adblock Plus Firefox extension
Adblock Plus is a Firefox extension that allows me to block ads on web sites. It's very easy to use and is incredibly useful. It works by creating special filters that tell Firefox not to download certain types of files from the internet.
Install the Adblock Filterset.G Updater Firefox extension
The Adblock Plus extension (above), as incredibly powerful as it is, is still meant to be maintained by the user. This means that I would have to create all those ad-blocking filters myself, by right-clicking on ads or the Adblock tabs attached to specific media and setting the filter. It was tough to get used to, but after a while the ads started to go away. There are some tricks you can learn to make better filters.
The Filterset.G Updater removed that work from the picture. It downloads a special set of pre-built, well-crafted ad filters, maintained by folks who really care about blocking ads. This extension keeps my ad blocking filters up to date with the central copy.
When I started using this, I breathed a sigh of relief. Once I surfed for a few days with these two extensions, I was amazed at how I ever used the internet without them. I've gone over to visit a friend that was using Internet Explorer. I would use their computer and be almost offended at how many ads I saw, and how irritating some web sites are. These extensions gave me an entirely different Internet experience.
Install the NoScript Firefox extension
I don't want just any javascript running in my browser. The NoScript extension puts a stop to it. It prevents any javascript from running in my browser unless I let it, on a domain-by-domain basis. I found it best to block all javascript as a rule, and allow javascript only on sites that I visit.
Using this extension, I was surprised by three things.
- The number of sites that used javascript. Almost all sites do now.
- The number of sites that work just fine without javascript enabled. I've blocked javascript on many sites I visit regularly, and my experience is not degraded in any way. If it is, I only have to click a couple times to turn it on for a specific site.
- The number of "behind the scenes" javascripts that are floating around out there. I would go to a page and be notified by the extension that scripts are "partially allowed," meaning that some javascript ran and some didn't. This happens because the page loads javascript from several different sites -- some I have allowed and others I haven't. When I click on the icon to see which scripts on the page have javascript blocked, I'm often amazed at the number of third-party javascripts the page is trying to load, mostly from advertising or tracking sites.
Eventually, I grew to just ignore the noscript notifications (because there will be lots of them, but don't worry, they are easy to ignore) and only allow javascript for a site if I get noticeable errors. Some sites actually tell me, "This site only works with javascript-enabled browsers."
GMail and many other Google tools rely heavily on javascript, so I let google.com run javascript. A few other sites I frequent also will not work with javascript turned off. Fine. I click the NoScript icon in my status bar, select the "Allow " option and continue on with my surfing. For sites I visit infrequently, I will "temporarily" allow the scripts to run -- another NoScript feature.
Install the FlashBlock Firefox extension
As cookie-blocking habits and techniques have become more sophisticated, companies have found a way to step up the arms race, tracking users with Flash. Instead of using cookies to track users, marketers are resorting to using a Flash feature called Local Shared Objects (LSOs) to store data on the user's machine. 98% of the computers on the internet have Flash installed, and very few people know about LSOs.
The FlashBlock extension prevents all Flash from playing by default. Instead, the box is drawn and there's a little play button to start the file. If I go to some site often (like YouTube), I can right click on the play button and select "Allow Flash from this site" and they will automatically play from that point on.
This extension prevents those "behind the scenes" flash files from setting the LSOs without me knowing about it.
As a side benefit, my browsing experience was greatly improved because I wasn't loading up a bunch of useless Flash files, especially ads. I was surprised at how much flash is out there, and how much of a waste it all is. Flash files are very resource intensive, eating up a lot of CPU time. And for what? Most of the time, nothing useful.
Install the CookieSafe Firefox extension
The CookieSafe extension does for cookies what the NoScript extension does for javascripts. It makes managing cookie permissions easier, and more granular. Instead of having to manage cookie permissions by going through the Preferences interface, this extension lets me easily permit or restrict per-domain cookie permissions from the status bar.
It also allows me to temporarily allow cookies from a particular domain, so I don't have to permanently allow the domain to write cookies on my computer even if I only use the particular site once in a while.
Install the RefControl Firefox extension
When I click on a link on a page of SiteOne (let's say) that links to a page on SiteTwo, that information is tracked through what's called a "referer." SiteTwo knows I came to their site from SiteOne. It seems innocent enough, but now a marketer knows two sites I've been to, their own and someone else's. But I don't have to give them this information. According to the specification, this is an optional piece of information. (See Security Considerations - Encoding Sensitive Information in URI's)
The RefControl extension gives me the ability to control the referer information that gets sent when I click on a link. I can suppress referer information entirely, so I won't reveal sites I've been to just by clicking on a link.
Unfortunately, some sites assume the referer information will be sent, and some won't even let you view their pages unless the referring information is sent with the request, or unless the right referring information is sent (See Hot linking). The RefControl extension gives you the ability to create the referring information so that every request for a page on SiteOne will appear to have been from clicking a link on the home page of SiteOne, even though you clicked on a link on a page on SiteTwo.
There may be a bit of controversy over this practice, because hot linking can be abused by nefarious web sites to hog the bandwidth of other web sites. This is one of the reasons web sites started restricting access based on referer information in the first place.
RefControl will completely thwart attempts at blocking hot link abuse by web sites because the browser is no longer sending referring information. But users' privacy will be preserved.
This extension requires a little configuring to get full protection:
- In the status bar, right-click on the RefControl icon. It looks like two small 'document' icons, connected by a line.
- Select 'RefControl Options...'
- At the bottom, where the default behavior is, click the 'Edit' button
- On the RefControl Site Properties dialog
  - Site: <Default>
  - Action: Forge - send the root of this site
  - Check: 3rd Party requests only
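How the default rule configured above changes what a site sees, as an added example that is not RefControl's code or part of the original article. The function names, the rule fields and the `.example` hosts are assumptions made for illustration.

```javascript
// Added illustration: SiteOne and SiteTwo are constructed .example hosts.
// Simplified "site" = last two DNS labels; real browsers use the Public Suffix List.
const siteOf = (host) => host.toLowerCase().split('.').slice(-2).join('.');

// rule.action: 'normal' | 'block' | 'forge-root'
// rule.thirdPartyOnly mirrors the "3rd Party requests only" checkbox.
// Returns the Referer header value to send, or null to send no header.
function refererFor(rule, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // Browsers never put the fragment or embedded credentials in a Referer.
  from.hash = '';
  from.username = '';
  from.password = '';
  const thirdParty = siteOf(from.hostname) !== siteOf(to.hostname);
  if (rule.action === 'normal' || (rule.thirdPartyOnly && !thirdParty)) {
    return from.href;                 // unmodified: the page the link was on
  }
  if (rule.action === 'block') return null;
  return `${to.origin}/`;             // forge: the root of the site being requested
}

// A referer-based hot-link filter as a site might implement it: serve the
// resource only when the Referer names the site itself. requireReferer
// controls whether a request with no Referer at all is refused.
function hotlinkFilterAllows(ownHost, referer, requireReferer) {
  if (referer === null) return !requireReferer;
  return siteOf(new URL(referer).hostname) === siteOf(ownHost);
}

// The default rule from the steps above.
const DEFAULT_RULE = { action: 'forge-root', thirdPartyOnly: true };

// Constructed navigation: a link on SiteOne that points at SiteTwo.
const FROM = 'http://www.siteone.example/articles/private-topic?id=7#notes';
const TO = 'http://www.sitetwo.example/landing';

console.log('unmodified:', refererFor({ action: 'normal' }, FROM, TO));
console.log('forged    :', refererFor(DEFAULT_RULE, FROM, TO));
console.log('blocked   :', refererFor({ action: 'block', thirdPartyOnly: true }, FROM, TO));
```

With the default rule SiteTwo receives only its own root URL, so it learns nothing about the page on SiteOne, while links within SiteOne keep their normal referer. Because the header is chosen by the browser, a filter like `hotlinkFilterAllows` accepts the forged value just as it would a genuine one.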
Install the User Agent Switcher Firefox extension
I haven't really used this for security reasons yet, but I can see it coming.
A User Agent is the piece of information that the browser sends to the web site that identifies itself. For example, my User Agent right now is "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.3) Gecko/20060523 Ubuntu/dapper Firefox/1.5.0.3" This reveals what browser and browser version I'm using, and what operating system and what OS version I'm using. These are very useful pieces of information to marketers.
User Agent Switcher lets me edit my User Agent, or create custom User Agent identifiers of my own.
However, I do not currently block or change my User Agent except in just a few cases. Some web sites will deny me access with a screen that says, "Sorry, this web site does not support your browser." This happens on rich-media (video) sites and financial sites more than others. However, most of the time, it turns out to be completely incorrect and arbitrary. I can change the User Agent and make the site think I'm using MSIE on Windows XP and the site works just fine. They just don't want me to use any browser other than MSIE.
Why? It could be any number of reasons. One of which could be a study showing that Internet Explorer users are at least four times as likely to click on Web ads than Firefox users. Firefox users have such control over their browsing experience that in addition to using these techniques that protect privacy and security, users are also able to suppress most web site ads. (Odd that there is such a strong correlation between the two, eh?)
Marketers may simply decide (or have decided?) that Firefox users can not be 'monetized' and will try to block their access to the site. The time may come when I need to pretend to be using Internet Explorer, just so I can still use web sites while protecting my privacy with Firefox and its extensions.
However, I don't change my user agent (yet) unless I have to. I want web sites to know that I'm using Firefox. I want web sites to know that a significant part of their web traffic is coming from people who aren't using Internet Explorer (or Windows for that matter.) The more Firefox traffic web site operators see coming to their site, the less likely they are to use Windows or Internet Explorer specific technology.
I have to wonder, though, how much of the current Firefox user base is hidden behind a changed user agent? How many Firefox users are pretending to be MSIE users right now? There is probably no way to tell.
Summary
That's it. That's all I do.
- Use Firefox
- Change some default settings
- Install a number of extensions
- Be diligent.
I feel much more confident while surfing the Internet, and my browsing experience is greatly improved. I recommend it to anyone.
Hardcore Browsing Security: Anonymous Proxies
One might point out that I could use an anonymous proxy service like Tor from the Electronic Freedom Foundation. Maybe someday I will. It definitely offers a whole other layer of protection. (See Tor's Overview for a brief discussion). However, there are a few reasons I haven't yet.
- Anonymizing services like Tor are slow.
- They also require additional resources to use. And where they require resources, they also require money.
- If the service is centralized, like many on this List of Free Proxy Servers, then that represents another point of failure that can either be killed by traffic, or targeted by a malicious third-party.
I just haven't been convinced of the sustainability of these services to provide reliable and transparent access, but I look forward to being convinced at some point in the future.
Until then, I'll stick with Firefox and this set of very nice extensions.
