Saturday, May 3, 2014

Enough Privacy?

I'm trying to debug why Candy Crush is slow to load in the latest Firefox. It seems to go faster in Safe Mode, so that's good. The next step, of course, is disabling all add-ons. If I didn't know better, then I'd be asking why "Restart with add-ons disabled" isn't the same. For those of you that don't know, it is because that invokes Safe Mode, which also eases up on some other restrictions.

But that is something for another post. As I was reinstating my add-ons, I realized that while I care about my privacy, I don't know the best way to achieve that. I have at least 5 add-ons related to it. I know I'll keep NoScript, but which of the others do I also need? The Add-Ons website lists more than 1100 extensions to choose from. How is someone supposed to choose?

3 comments:

ssokolow said...

Here's the combination I use and why:

- Beef Taco (for opt-out cookies for the various ad networks)
- BetterPrivacy (to delete flash LSOs on restart and after 2 days)
- CookieMonster (NoScript-like toolbar icon UI for "all cookies are session-only unless whitelisted")
- Cookie Time (force upper limits on expiry of unused whitelisted cookies)
- NoScript (see below list)
- RefControl (forge the referrer header unless whitelisted to prevent things like Google-hosted jQuery from tracking)

I use NoScript for several reasons:
1. Firefox is one giant cooperative multitasking loop. NoScript is a major performance booster.
2. Killing Javascript is a great way to kill annoyances and, once things like YouTube are whitelisted, most sites Just Work™.
3. Killing JS and Flash is the easiest way to kill most cross-site tracking mechanisms.
4. NoScript can substitute for extensions like Disconnect via rules in the Application Boundaries Enforcer component.

Here are a couple of example ABE rules:

# facebook.com containment rule
# This rule allows Facebook scripts objects and frames to be included only
# from Facebook pages
Site .facebook.com .fbcdn.net
Accept from .facebook.com .fbcdn.net
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)

# twitter.com containment rule
# Like the Facebook rule, but for twitter
Site twitter.com .twitter.com twimg.com .twimg.com
Accept from twitter.com .twitter.com twimg.com .twimg.com
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)
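To see what the two containment rules above actually decide for a given request, here is a small evaluator for the subset of ABE syntax they use (Site, Accept from, Deny INCLUSION). This is an added example, not code from the post, the commenter or NoScript itself; the semantics are simplified (the first Site block whose patterns match the destination is used, its actions are tried in order, and a request no action matches is accepted), and the page hosts in the sample requests are constructed.

```javascript
// Added example: a minimal evaluator for the ABE rules quoted in the comment.
// Not NoScript code; it models only Site / Accept from / Deny INCLUSION(...).

// The two rules from the comment, verbatim (comments are allowed, as in ABE).
const RULES = `
# facebook.com containment rule
Site .facebook.com .fbcdn.net
Accept from .facebook.com .fbcdn.net
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)

# twitter.com containment rule
Site twitter.com .twitter.com twimg.com .twimg.com
Accept from twitter.com .twitter.com twimg.com .twimg.com
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)
`;

// ".example.com" matches the domain and every subdomain; a bare
// "example.com" matches that exact host only.
function hostMatches(pattern, host) {
  if (pattern.startsWith('.')) {
    return host === pattern.slice(1) || host.endsWith(pattern);
  }
  return host === pattern;
}

// Parse the ruleset into [{ sites: [...], actions: [{ verb, origins, inclusions }] }].
function parseRules(text) {
  const rules = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*/, '').trim();   // strip comments and blanks
    if (!line) continue;
    const [keyword, ...rest] = line.split(/\s+/);
    if (keyword === 'Site') {
      current = { sites: rest, actions: [] };
      rules.push(current);
      continue;
    }
    if (!current) throw new Error(`action before any Site line: ${line}`);
    const action = { verb: keyword, origins: null, inclusions: null };
    if (rest[0] === 'from') {
      action.origins = rest.slice(1);              // "Accept from <origins>"
    } else if (rest.length) {
      const m = rest.join(' ').match(/^(?:INCLUSION|INC)\(([^)]*)\)$/);
      if (!m) throw new Error(`unsupported predicate: ${line}`);
      action.inclusions = m[1].split(',').map(s => s.trim());
    }
    current.actions.push(action);
  }
  return rules;
}

// request = { origin: host of the page issuing the request,
//             dest:   host being requested,
//             inclusion: 'SCRIPT' | 'OBJ' | 'SUBDOC' | 'IMAGE' | ... ,
//                        or null for a top-level navigation }
function decide(rules, request) {
  for (const rule of rules) {
    if (!rule.sites.some(p => hostMatches(p, request.dest))) continue;
    for (const a of rule.actions) {
      if (a.origins && !a.origins.some(p => hostMatches(p, request.origin))) continue;
      if (a.inclusions && !a.inclusions.includes(request.inclusion)) continue;
      return a.verb;                               // 'Accept' or 'Deny'
    }
  }
  return 'Accept';                                 // nothing matched: let it through
}

// Constructed sample requests (news.example / blog.example are made-up third-party pages).
const ABE_RULES = parseRules(RULES);
const SAMPLE_REQUESTS = [
  { origin: 'news.example',      dest: 'www.facebook.com',    inclusion: 'SUBDOC' }, // Like-button iframe
  { origin: 'news.example',      dest: 'static.ak.fbcdn.net', inclusion: 'SCRIPT' }, // FB SDK on a third-party page
  { origin: 'www.facebook.com',  dest: 'static.ak.fbcdn.net', inclusion: 'SCRIPT' }, // same script, from Facebook itself
  { origin: 'news.example',      dest: 'www.facebook.com',    inclusion: null },     // user clicks a link to Facebook
  { origin: 'blog.example',      dest: 'platform.twitter.com', inclusion: 'SCRIPT' }, // Tweet-button widget
  { origin: 'blog.example',      dest: 'pbs.twimg.com',       inclusion: 'IMAGE' },  // plain hot-linked image
];

function evaluateSamples() {
  return SAMPLE_REQUESTS.map(r => ({ ...r, verdict: decide(ABE_RULES, r) }));
}

for (const r of evaluateSamples()) {
  console.log(`${r.verdict.padEnd(6)} ${r.inclusion || 'TOP-LEVEL'} ${r.dest} from ${r.origin}`);
}
```

The point the rules make in code: third-party script, object and frame inclusions of Facebook or Twitter resources are denied, the same inclusions are accepted when the page itself is Facebook or Twitter, and anything the Deny line does not name (a top-level navigation, an image) still falls through and is accepted.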

ssokolow said...

Oh, I forgot to mention the non-extension tweaks I make specifically to counter tracking mechanisms implemented by evercookie.

1. Set Firefox to clear cache and active logins on restart
2. Set browser.sessionstore.privacy_level=2 in about:config so that "session cookie" means "until restart" rather than "until a restart when no tab in the saved session is pointed at that domain".

Together, the extensions I listed plus the tweaks I gave do an excellent job of not only defeating evercookie but crunching down Panopticlick's uniqueness score to the point where the main thing making me distinctive is my user agent string.

(Very few people run Aurora channel on Linux and even fewer via the Ubuntu Mozilla PPA which patches "Ubuntu;" into the User Agent string. Unfortunately, User Agent Switcher doesn't remember settings across restarts.)

I also added the "Restartless Restart" add-on to make it easy to restart the browser to trigger a cleaning.

geeknik said...

Check out the new Privacy Badger extension from the EFF. Seems pretty good.