The purpose of this "howto" is to document how browsing can be done in a privacy and security conscious manner. This information is compiled from a number of sources, which are referenced throughout the document, as well as my own experiences with the described technologies.
I welcome contributions and comments on the information contained. Please see the "How to Contribute" section for information on contributing your own knowledge.
Table of Contents
- Technologies that Effect Security and Privacy
- Browser Choice
- Browser Settings
- Required Browser Plugins
- Required Browser Plugins - Chrome
- Required Browser Plugins - Firefox
- Browsing Strategies
- Changing Your Search Engine
- General Security Best Practices
- Checking Your Setup
- Closing Thoughts
- How to Contribute
- How to Contact the Author
This guide was written in response to the continually growing creep of advertising companies and the constant threat of compromise and data loss that all users of the internet face.
For those unfamiliar with these threats, please familiarize yourself with tactics of advertising companies, such as "undeleting" cookies, scraping your browser history and here, building personal profiles of your activity without your consent, and more.
Recent articles, such as 20 Home Pages, 500 Trackers Loaded is a well done look into just how far advertising companies go in tracking you. The article Looking Up Symptoms Online? These Companies Are Tracking You, shows how much data is transmitted to tracking companies as you search health care related information.
When using browsers in their default mode, one wrong click in a search engine or one malicious advertisement loading on your favorite website is all that it takes to fully compromise your system.
By following the steps in this guide, you will severely reduce your exposure to such tactics.
This guide is written for computer users, both technical and non-technical, who wish to acheive privacy and security when performing a variety of web-based tasks. This document takes an "all out" approach, meaning that no shortcuts are taken and no technologies are spared. If it tracks you online or exposes you to risk then mitigations are needed.
This document is meant to be accessible to users of all technical levels. If you feel that a section is too technically difficult and not clear to non-technical users then please let me know. You can also contribute your own changes. See the "How to Contribute" section for how to do so.
If you do not wish to the read the whole document, but want to get value out of it, then read the sections on per-browser settings and required plugins. This guide recommends and provides guidance for Firefox and Chrome.
This document will be updated as new technologies emerge and as browsers and their plugins evolve. The bottom of this document will contain a changelog for major updates. Otherwise, you can check the git history log in order to see changes over time and who contributed them.
This section lists several technologies that prevent or effect efforts to perform secure and private browsing. These technologies and their issues are listed in this section while mitigations are described in the following sections.
HTTP (Non-SSL) Browsing
Rule 1: The internet is not a safe or friendly place.
By default, communication between your web browser and web servers that you contact are not encrypted (HTTP). This exposes all of your web traffic to:
- Your ISP
- Anyone at the cafe/library/university providing your internet access
- Anyone that can monitor traffic between your provider and your destination server
It also allows anyone between you and your destination to modify your traffic, including injecting malicious content that can compromise your privacy and security.
HTTP is such a security issue that Mozilla is deprecating HTTP in favor of HTTPS.
To mitigate this issue and to enable secure, encrypted communication, HTTPS must be used. This encrypts communication between your web browser and the web servers that you contact.
Cookies are used by websites to track users for both legitimate and non-legitimate purposes. Legitimate uses include keep track of logged-in users, storing user preferences, and so on.
Non-legitimate uses include tracking users across the web by use of uniquely identifying cookie values. For large advertising networks, such as Google Analytics, which have tracking code installed on many websites, this unique cookie value allows for tracking and targeting you across nearly every website you visit.
A popular and effective method to tame advertisers that track you through cookies is to block 3rd-party cookies. 3rd-party in this context means websites that are loaded outside of the direct website you visit. For example, if you visit https://www.cnn.com, then CNN comes the first party. Advertisers that CNN dynamically loads will load from their own infrastrucutre (e.g., static.chartbeat.com). This seperate infrastructure is considered "3rd party", and by setting your browser to block 3rd-party cookies, you can greatly reduce advertisers' effectiveness. Guides exist on how to do this for Internet Explorer, Firefox, and Chrome.
Rule 2: Adobe Flash is a security nightmare that should be avoided at all costs.
Adobe Flash is a popular technology installed on nearly every non-secure browser in the world. It is used to display Flash movies that websites use to display interactive media content. Flash is quickly being replaced by HTML5, but like most technologies, will be used long after its successor is available.
Unfortunately, Adobe Flash is also one of the most insecure pieces of technology in widespread use, and is very often targeted by malicious actors to remotely compromise users.
Flash "Cookies" (LSOs)
Flash local stored objects (LSOs), also known as "Flash Cookies", are a feature of Adobe Flash that allows for Flash applications to store data on the user's local system.
LSOs are an issue as many advertisers have abused Flash Cookies to track users, even if the users attempted to clean their information by deleting their HTTP cookies. Several (1, 2) lawsuits have been successfully won against advertising companies abusing LSOs in this manner.
LSOs are also a privacy concern as Flash places LSOs for every browser into the same location. This means that a Flash cookie set by an application in Internet Explorer can later be read by that application even if it is later loaded in Firefox or Chrome. Abuse of this cross-browser tracking has been the subject of privacy-related lawsuits as well.
HTML5 Local Storage
HTML5 is the latest version of the HTML specification. One of its features that has drawn privacy concerns, is the ability for websites to create "HTML5 Databases". These databases are similar to HTTP cookies, but they are not kept in the same data stores and allow for much larger and more flexible amounts of data to be stored.
HTML5 also poses a risk to due the Canvas Fingerprinting issue. As will be discussed later, this is something that the Tor Browser Bundle specifically defends against that other browsers provide no defense for.
WebRTC is another new technology that allows for browser-to-browser interactions not previously possible with other standards.
Like other technologies, a serious privacy issue has been found in WebRTC. This issue allows for websites to enumerate the local IP address of a user. This has been observed in the wild and is a part of the Browser Exploitation Framework.
The ability for websites to determine the local IP address of a user is a major concern as that allows for unique identification of users behind NATs, VPN, and potentially Tor.
In non-technical terms, this means that instead of every member of a family appearing as coming from the same network (e.g., the in-home wireless router), advertisers can determine a very specific property of each user's system in order to more uniquely track them.
You can check if your current browser is vulnerable by visitng this website. If you see your local IP or your VPN IP then you need to follow the advice in this guide.
In this section, we will begin to describe how you can protect yourself from advertisers, attackers, and other malicious actors on the internet. To start, we will discuss the choice of which browser(s) to use and when they may be applicable.
Unless you are on a corporate system with no other choice, you should never use Internet Explorer.
It is a security and privacy nightmare, and its lack of a plugin/extensions API and community means that you cannot easily modify the browser to meet these needs. Its long history of having vulnerabilities is also a major concern.
Safari should also be avoided unless necessary to be used. It is built on a notoriously insecure code base, meaning that many vulnerabilities have been discovered, and it also does not provide a robust plugin/extension API. As will be discussed with the following browsers, plugins and extensions are necessary to fully modify the browser to be as secure and privacy conscious as possible.
While Chrome provides the best security, Firefox is a much better choice for security and privacy than IE or Safari.
Be aware that Mozilla's has recently embraced advertisers though, which has troubled many privacy-conscious people.
Firefox also has a much weaker security model than Chrome, but much of this can be tamed through extensions as we will see.
For general purpose browsing, Chrome is the most ideal browser after being configured correctly (see the following sections on "Browser Settings" and "Required Browser Plugins").
Chrome has a very mature security model (see here, here, and here), which often requires advanced exploitation and multiple vulnerabilities to fully compromise. No other browser comes close to this model.
This security models helps to protect both privacy and security of its users.
The Tor Browser Bundle
The Tor Browser Bundle (TBB) is the recommended browser to use when utilizing the Tor network. A full discussion of Tor is outside the scope of this document, but compared to connecting directly to the internet through your ISP, Tor provides substantial privacy for users. Before using TBB, I highly recommend reading the Tor documentation and FAQ. While Tor does provide anonymity in most situations, depending on your adversary and geolocation, there may be a higher chance of deanonymization while using it. If you are going to use Tor and/or TBB for anything besides the reasons listed in this document's "Audience" section, then you MUST consult further Tor documentation before proceeding.
While you can use Tor with any modern browser, TBB is built and configured with both security and privacy in mind. Every concerning technology listed in "Technologies that Effect Security and Privacy" is accounted for in TBB as well as other privacy effecting technology. A full list of these protections and TBB's design goals can be found in it's design documents. This document is also the best available on current threats to browsing privacy, and is a must read for technical users.
In the "Browsing Strategies" section is extensive discussion on when TBB is best used for this document's purposes.
By default, Chrome sends a substantial amount of data to Google. This includes URLs visited, "suspicious" files downloaded, misspelled words, and more. Luckily, Google documents all of this information on the Chrome Privacy Page, and describes how to opt-out of the "features". To do so, simply follow the "Turn off a privacy setting" instructions on the privacy page.
To be fully safe, you should uncheck everything under "Privacy", and then only check the "Send a ‘Do Not Track’ request with your browsing traffic" option. 'Do Not Track' is an option that tells websites not to track you. Unfortunately, major advertisers decided to ignore this feature, but some websites do honor it. By unchecking everything else under privacy you will ensure that Google is not collecting data on your every browser action.
In order to achieve the maximum amount of privacy and security reasonably possible, browser extensions (often also called plugins), must be used. These extensions have substantial control over the browser and can provide layers of security not otherwise obtainable.
To start, we will discuss plugins for Chrome. We will then discuss how to achieve the same goals in Firefox. Many of the plugins mentioned support both browsers, but some require different plugins with similar or equivalent capability.
To install extensions in Chrome, please follow this guide.
Even if you install nothing else recommended by this guide, you should install HTTPS Everywhere.
Also, whether you use HTTPS Everywhere or not, before sending any sensitive or private data to a website you should verify that a secure SSL connection is established. Instructions for how to check an SSL connection are available for Internet Explorer, Chrome, and FireFox.
Privacy Badger is another project by the EFF that monitors websites' behaviors in order to dynamically identify those that collect tracking information. You can then use the extension button in order to block offending websites. The button UI is very well done, and after visiting a few sites with heavy advertising (e.g., major news websites), you will have effectively blacklisted a majority of advertisers.
An Ad Blocker
From a security perspective, malicious advertising is one of the biggest threats to ordinary end users. From a privacy perspective, advertisers are the biggest threat to web-based privacy. They track every move you make across nearly every website and then correlate all your data in the background to build very personal profiles of your behavior and actions.
To prevent the security and privacy hazards that online ads present, you need to install an ad blocker.
The most popular of these is Ad Block Plus (ABP), but recent behavior by the company has caused concern among many web users. To make Ad Block Plus most effective, you must go into its 'Options' and uncheck "Allow some non-intrusive advertising". Otherwise, Ad Block Plus will apply a filter that allows companies, such as Google and Taboola, to still serve ads. Such ads break the overall security model due to the tracking they enable.
Instead of ABP, many users are now moving to uBlock. It provides the same benefits as Ad Block Plus without the potentially questionable business practices -- and also without allowing paid advertisers to bypass the filters.
As mentioned previously, Adobe Flash is one of the biggest threats to internet security. If you need to have it installed in your browser, then you MUST install a plugin, such as Flash Control, that will prevent Flash from auto-playing. Instead, these plugins make Flash "click to play", meaning that the Flash object will not load unless you click to explicitly enable it.
By making Flash click-to-play, you significantly reduce the ability for malicious advertisers or websites to compromise your system with Flash exploits. Similarly, this prevents Flash-based ads from loading.
As a general security precaution, you can make all Chrome plugins click-to-play by following the instructions here. This prevents the need for an extension, but can be less flexible depending on your use case.
As discussed above, WebRTC has a major privacy issue in that it can be abused to leak the internal IP address of users. This is very useful for advertisers who wish to develop very unique identifiers for users. It can also be abused to deanonymize users that whom utilized VPNs and/or Tor (1, 2, 3) in order to hide their true identity.
To block WebRTC in Chrome you must install this plugin. The Chrome "official" fix is rather insane and requires manually editing a huge JSON file (bug tracker). Also, Chrome enables WebRTC by default, leaving users vulnerable to this issue. Hopefully this issue is treated better by the default Chrome in the future. This document will be updated if that occurs.
To test if the plugin is operating correctly, visit this website and make sure that your local IP address does not appear.
To install plugins in Firefox, please use this guide.
The following plugins from Chrome are cross-compatible with Firefox and provide the same benefits:
- HTTPS Everywhere
- Privacy Badger
- Ad Block Plus & uBlock
The following require Firefox specific plugins:
Flashblock for Firefox provides the same functionality as "Flash Control" for Chrome. It will block Flash by default, but with a click you can view the content.
To disable WebRTC in Firefox:
- Enter "about:config" in the URL bar
- Find the key of "media.peerconnection.enabled"
- Set the value to "false"
To mitigate the threat in a different manner, along with mitigating other threats, please read the next section "Browsing Strategies".
Many users, including technical ones, perform all of their browser-based activity (web mail, banking, Facebook, "Bing searching", reading the news, etc.) in one browser. While convenient, this is a HORRIBLE security practice, and should be avoided at all costs. In this section, we detail the issues with this approach and provide more secure and privacy conscious alternatives.
Problems with Using only One Browser
The problems with using only one browser for "everything" are numerous.
Any scripting vulnerability in authenticated websites can lead to compromise of all data related to authenticated sessions. When using one browser for all activities, users will generally be logged into many services at once - greatly amplifying the effects of such vulnerabilities.
XSS, which is short hand for "Cross Site Scripting", is an web-based attack technique that allows an attacker to control a victim's browser's actions on a particular website. In less technical terms, XSS allows for a malicious actor to perform actions in a user's browser as if the attacker were controlling the user's mouse.
Common malicious uses of XSS include forcing victims to perform banking actions (withdraw, transfer, etc.), resetting passwords to email accounts, or disabling security protections associated with online accounts. All of these can lead to loss of control of accounts as well as loss of very personal information. XSS is also a threat to businesses as attackers can leverage employees' legitimate access to systems in order to steal data or backdoor corporate systems.
UXSS or Universal XSS is a more dangerous form of XSS in that the attacker can force the user's browser to perform actions on any website, and not just a vulnerable one.
CSRF is another attack technique wherein an attacker can control actions of a user's browser, including forging requests to online banking, social media, medical, and other authenticated sessions.
Preventing All Tracking is Nearly Impossible
By being logged into a number of services at once, it becomes nearly impossible to filter out data associated with trackers. Take for example a user that is logged into:
- Gmail (email)
- Facebook (social media)
By being logged into Gmail, you cannot effectively block Google analytics, Double Click (Google owned), as well as several other major advertising networks. This occurs as Google controls the entire ecosystem - search, YouTube, Maps, email, etc. This means every time you search a term, Google immediately knows who you are, what search term you entered, and any search results link(s) you may click. Similarly, if you plan your vacation route through Google Maps, Google then knows exactly where you are going. Besides, Google services, through DC and GA, Google tracks you throughout the entire web. Now they not only know everything about your search, email, and travel plans, they also know essentially every website you visit, how you got there, and where you will be going next.
Similarly, through Facebook's Like Button, you are tracked throughout the web. Every time you visit a website (or individual page) with a "Like" button, Facebook sends the URL back to itself. If you are logged into Facebook at the time, then it also has your authentication information, which allows to it tie many of your browsing habits directly to your very personal user account. More info: 1, 2, 3
In this example, if we tried to block Facebook and Google properties, then we would certainly stop the tracking - but at the same time we would be breaking the sessions we have open to Facebook and Gmail.
While Google and Facebook were used in this example as they are two of the most popular services on the web, the same issues are faced when utilizing any service that combines ads with other features.
As we will see, using multiple browsers effectively alleviates this issue and provides the opportunity for true privacy.
Compromise Affects all of your Data
As you can likely deduce, using one browser is a major vulnerability as a compromise of the browser compromises all of your web data - and potentially all of your data in total. Using one of the following strategies will effectively fix this issue as well.
Using Multiple Browsers
To fix the previously described issues, one approach you can take it to use multiple web browsers on a single computer. This will greatly reduce the attack surface related to XSS, UXSS, etc., as well as allow true filtering of ad networks. This step is also much more achievable for less technical users than the virtual machine approached described in the next section.
Using multiple browsers allows for compartmentalization of data. We will use this setup to limit tracking as well as the risk of XSS & its friends.
In this example, we will use one install of Firefox for authenticated sessions with tracking (Google, Facebook, etc.), one install of Chrome for online banking and other sensitive logins, and TBB for all non-authenticated browsing (reading Reddit, watching memory forensics talks, etc.). The Firefox and Chrome installs need to be configured as discussed above for both settings updates and required plugins.
As a side note - many security professionals use this exact setup.
When browsing, we must be sure to follow our compartmentalized flow. We cannot cross contaminate any browser with data from another one. One way you can train yourself to do this is use a plugin, such as Block Site, that allows you to whitelist and blacklist websites. In the Chrome browser, you would blacklist every site not related to online banking and your other sensitive logins. Likewise, in Firefox you would whitelist Google and Facebook, and blacklist everything else. This prevents data leakage.
Another option you can choose is to change your default browser to a non-browser application, such as Notepad. Then, if you accidently click a link in an email, Twitter client, etc. then it won't load in any browser. Instead, you will need to copy the link and then paste it into the appropriate browser. This prevents accidental data leaks and security breaks.
Security and Privacy Gained
By using this setup you:
- Prevent cross-contamination of data and cross-browser data leakage
- Stops the real power of XSS and UXSS as you aren't logged into sensitive websites in a browser that visits untrusted websites
- Prevents advertising based on your unique habits. TBB provides anonymous browsing, and by confining Google, Facebook, and other trackers only to their own services they cannot gather external data on you or your habits
Note: You need to very careful if you enable Flash as the cross-browser data reading can occur as explained previously in this document.
Use of Virtual Machines
While using multiple browsers provides substantial benefit over using one browser, using virtual machine guests to browse provides the highest level of security and privacy you can achieve on a single physical system.
To use virtual machines for browsing, a virtualization package must be chosen. Popular candidates are VMware Workstation and Fusion, as well as Virtual Box.
A base operating system must then be installed in a secure fashion. A good setup is base Debian install with GrSec/Pax enabled kernel and the Chromium (Chrome) browser with the setup and plugins described previously. For less technical users, a Windows operating system, such as Windows 7, can be virtualized.
Once a virtual machine guest is created with a base operating system and a properly configured browser, a secure, offline copy of it must then be made. It is advisable to use hashing and other file integrity techniques to ensure its security.
For the use of TBB, the TBB browser can also be installed in the image, or Tails, which is a virtual machine configured specifically for anonymous and private browsing, can be utilized. Tails is highly recommended in this scenario.
If you are going to use the virtual machine approach then you should consider and learn about Qubes OS.
To perform browsing, unique copies of the configured virtual machine guest must be created. The copies will mirror the browser setup from the previous section, except that instead of installing multiple browsers directly to the host operating system, each VM will run a browser with a specific purpose.
For example, one VM copy will be used for Facebook and Google, while another will be used for online banking, and another for logging into your hospital's medical system. Installing multiple browsers to an OS can be difficult, but making copies of VMs is very straightforward.
For general browsing and search, Tails should be used.
After each session the Tails VM should be rebooted. Similarly, at least once a week, the VMs used for logging into services should be reverted to the original state. As discussed next, this will greatly time limit the exposure and time frame any potential attackers have in which to be active.
To help you keep browsing sessions into their correct VM, you may want to use visual cues. For example, set a different background for each VM and then associate that with a security level.
Security and Privacy Gained
Using VMs has the same benefit as multiple browsers as well as the added bonus of:
Limit the time your data is exposed. By using VMs and reverting them often, which brings them back to their original state, you are setting a defined time limit on which attackers or malware can be active before you instantly remove them. When revering a virtual machine you are bringing it back to the state it was in when you first installed it. If attackers want to get access to your VM again they then must re-exploit your browser. Similarly, if tracking companies have bypassed your filters, resetting while remove all tracking data.
Protection of browser exploitation. If one VM has a compromised browser, the data on the other VMs are not affected.** Reverting the VMs often can greatly close this time window. No other approach can save you if a browser is fully compromised. This approach saves your other web data as well as the rest of your personal data contained on the system.
** Technical Note: While guest->host escapes exist, they are quite rare compared to other software vulnerabilities, and are generally reserved for very targeted attacks.
When moving to a posture of security and privacy, one thing you must often rethink is your search engine. Even if you use TBB, major search engines (you know who they are), still track your search terms and attempt to uniquely identify you by setting cookies and other data.
Startpage does not log your IP or search and uses Google's results to "enhance" its own results - meaning you get the power of Google search without the tracking.
Similarly, DuckGoGo does not log your searches in any manner that can be traced back to you.
What about Private Browsing?
"Private Browsing" is a feature provided by all modern browsers in order to enhance privacy by not recording data to your local system (browsing history, cookies, etc.) as well as on the network when the browser is in private mode. Unfortunately, this browsing mode sounds more secure than it really is. For a well done, illustrated guide to these problems, please check the Private Browsing Myths website.
Why not use TBB or TAILs for all Browsing?
As you read this document, you may wonder why you shouldn't use TBB for all of your browsing, including authenicated sessions. There are two problem with this approach.
The first is that malicious exit nodes, which are the last servers your data travels through on the Tor network before it reaches the outside internet, can maliciously sniff and alter your non-HTTPS traffic. Since many websites still allow for authenticated use without strict HTTPS, you are essentially trusting your account security to Tor exit nodes - which is something you shouldn't do. There are a number of references here, here, and here on malicious exit nodes.
The second issue with authenticated Tor browsing is that when using Tor you can appear to be browsing from anywhere in the world. This is a great advantage from a privacy and anonymity perspective, but it will almost certainly cause lockouts on your banking, health, and other websites where sensitive data is stored. Similarly, it is a strong security measure for these websites to know which geographic regions you usually login from in order to detect when your account gets compromised by an attacker on the other side of the world.
Use a Password Manager
Password Managers provide great password security as they generate strong passwords and then save them for all the websites you visit. This not only makes your password uncrackable after database dumps (related: Troy Hunt's iampwned? project here), but it also means you will have a unique password on every website - a strong measure compared to most people's security posture.
When using password managers remember the rules on compartmentalization.
Enable Two Factor Authentication Everywhere
On top of strong passwords, you should also enable two factor authentication (2FA) everywhere possible. Nearly every reputable service provides this option now, and if you have sensitive data in an account where 2FA is not possible then you should switch services and remove your data.
2FA is such a strong security measure as it requires not only your password to log in (one factor), but also a second factor that attacker's cannot easily access - such as a code retrieved from a SMS to your phone or a code generated in a mobile application. This extra step mitigates attacks after your password is stolen or where attackers attempt to force you to log into a service through a scripting vulnerability.
Log only into Websites Currently being Used
When logging into sensitive websites, you must only log into one at a time. If you have multiple bank accounts at different companies, log into one, logout when you finish, and then log into the next. This prevents a scripting vulnerability in one banking website from compromising data or performing actions on your behalf on the other website. Apply the same logic to every other website that you don't want your data stolen from.
After creating your secure and private browsing setup, you then need to test that it works. To test your setup, visit BrowserLeaks, and click every option (leak method) on the sidebar. If you see data that shouldn't be there or if you see data that you are not comfortable leaking in a particular context, then you need to fix it.
As stated in the beginning, this guide is for those who want maximum privacy and security related to their web browsing sessions. Privacy is about preventing leakage of data and minimizing the damage of any future leak. Similarly, security is about reducing the chance of your your system being compromised as well as minimizing data that is accessible to any potential attacker. This guide helps you achieve this through blocking and modifying technologies that allow for web-based tracking and browser exploitation.
If you don't take security and privacy seriously, then you will eventually lose data that is sensitive to you. You can't then go back in time and fix what is already leaked - you need to secure it before catastrophe occurs.
As @thegrugq often says:
OPSEC is prophylactic, not retroactive.
I wrote this as a Gist in order to promote contributions from others, and to spur discussion. If you have a GitHub account, please feel free to use its facilities when commenting or contributing changes. If you are not comfortable using Git or GitHub, then please feel free to email me.
This guide was originally developed by Andrew Case. I can be contacted through the methods described on my website.
This will be updated with people who make contributions or suggestions and who want to be credited for them.
July 22, 2015 - Version 1 released publicly at https://gist.github.com/atcuno/3425484ac5cce5298932