January 27th, 2018
I'm sorry, this is not a blockchain article. I just thought it might be useful to quickly run through some of the privacy- and security-relevant settings I have twiddled with in my browsers. If you have additional recommendations, please let me know via email or on Twitter.
I have three browsers I use regularly: Firefox for all my private browsing, Chrome primarily for work, and Safari as my "insecure" browser to use when the settings I describe here break a website I need to access. For example, if I want to access my bank's website, or have to endure mandatory company security training, which (sobs) requires pop-ups to be enabled, Flash and Java to run, 'Referer' headers to be sent, etc. etc.
Every now and then, something breaks and won't work in one browser, but will in another. My general chain of trying things is to start in Firefox, then fail over to Chrome, then finally give up and try Safari. I don't have every conceivable security or privacy setting turned on, but just what, over time, has proven to work well enough for me. Here they are:
Firefox
Firefox is set to auto-update. Check in 'Firefox Updates' under about:preferences#general.
I use Tor as my proxy. Under about:preferences#general, scroll down to 'Network Proxy', then select 'Settings'. Enter 'localhost' and your Tor SOCKS port as a SOCKSv5 proxy (Tor Browser's bundled tor listens on 9150 by default; a standalone tor daemon listens on 9050).
To ensure DNS lookups go through Tor as well, toggle network.proxy.socks_remote_dns to true in about:config. Without it, Firefox resolves each hostname locally before handing the connection to the proxy, which tells your local resolver every site you visit, and .onion names cannot be resolved at all.
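What that pref changes is visible on the wire. A SOCKSv5 CONNECT request (RFC 1928) carries the target either as an already-resolved IPv4 address (ATYP 0x01), which is what the browser sends when it does the lookup itself, or as an unresolved hostname (ATYP 0x03), which is what socks_remote_dns = true makes it send so that Tor resolves the name. The following is an added example of my own, not code from the original post: it builds both request forms, classifies them, and decodes the proxy's reply, entirely offline. The hostnames and the 192.0.2.1 address are constructed inputs.

```javascript
'use strict';
// Added example (not from the original post): what network.proxy.socks_remote_dns
// changes in the SOCKSv5 CONNECT request (RFC 1928). Nothing here touches the network.

// Client greeting: version 5, one supported method, 0x00 = no authentication.
function socks5Greeting() {
  return Buffer.from([0x05, 0x01, 0x00]);
}

// Build a CONNECT request. `host` may be a dotted IPv4 literal (what a browser
// sends after resolving the name locally) or a hostname (what it sends with
// remote DNS enabled, leaving resolution to the proxy).
function socks5Connect(host, port) {
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new RangeError(`invalid port ${port}`);
  }
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  let dst;
  if (m) {
    const octets = m.slice(1).map(Number);
    if (octets.some((o) => o > 255)) throw new RangeError(`bad IPv4 literal ${host}`);
    dst = Buffer.from([0x01, ...octets]);                         // ATYP 0x01: IPv4
  } else {
    const name = Buffer.from(host, 'ascii');                      // IDNs must be punycode (xn--) first
    if (name.length === 0 || name.length > 255) throw new RangeError(`bad hostname ${host}`);
    dst = Buffer.concat([Buffer.from([0x03, name.length]), name]); // ATYP 0x03: length-prefixed name
  }
  const dstPort = Buffer.alloc(2);
  dstPort.writeUInt16BE(port);
  // VER=5, CMD=0x01 (CONNECT), RSV=0, then DST.ADDR and DST.PORT
  return Buffer.concat([Buffer.from([0x05, 0x01, 0x00]), dst, dstPort]);
}

// Report who resolved the name, judging only by the address type in the request.
function whoResolves(req) {
  switch (req[3]) {
    case 0x01: return 'browser (local DNS; leaks the hostname, cannot reach .onion)';
    case 0x03: return 'proxy (Tor resolves the name)';
    case 0x04: return 'browser (local DNS, IPv6)';
    default: throw new Error(`unknown ATYP 0x${req[3].toString(16)}`);
  }
}

// Decode the server reply: VER REP RSV ATYP BND.ADDR BND.PORT (RFC 1928 section 6).
const REP = ['succeeded', 'general SOCKS server failure', 'connection not allowed by ruleset',
  'network unreachable', 'host unreachable', 'connection refused', 'TTL expired',
  'command not supported', 'address type not supported'];
function parseSocks5Reply(buf) {
  if (buf.length < 4 || buf[0] !== 0x05) throw new Error('not a SOCKS5 reply');
  const code = buf[1];
  return { ok: code === 0x00, code, reason: REP[code] || `unassigned (0x${code.toString(16)})` };
}

// Constructed demonstration: the same kind of request, both ways a browser could send it.
for (const target of ['duckduckgo.com', '192.0.2.1']) {
  const req = socks5Connect(target, 443);
  console.log(`${target.padEnd(16)} ${req.toString('hex')}  resolved by ${whoResolves(req)}`);
}
console.log('greeting:', socks5Greeting().toString('hex'));
// Tor answers a successful CONNECT with an all-zero bind address.
console.log('reply:', parseSocks5Reply(Buffer.from('05000001000000000000', 'hex')));
```

If you want to see what Firefox actually sends, a packet capture on the loopback interface (port 9150) will show ATYP 0x03 requests once socks_remote_dns is true and ATYP 0x01 requests, preceded by local DNS traffic, when it is false.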
I also have set my default search engine to use DuckDuckGo's hidden service onion address. Unfortunately, getting that enabled wasn't as trivial as you might wish. There are some extensions to add "DuckDuckGo Onion" as a search option, but at least with the latest version of Firefox, those do not seem to work. Instead, you can follow the instructions from here or here to get the onion search as an option. Basically, what I did was go to this site and paste this snippet into the box:
<link rel="search" type="application/opensearchdescription+xml" title="DuckDuckGo Lite Tor" href="https://www.netmeister.org/browser-privacy-settings/ddg-tor.xml">
After that, you can find the little green '+' in the search bar and add the resulting search option:
After all this, you can then change your default search engine under about:preferences#search:
Next, under about:preferences#privacy ("Privacy & Security"), I disable saving logins and passwords (I use a password manager for that), and set Firefox to 'Never remember history'. That is, any time I close Firefox, it deletes all cookies, browser history etc., making my default browsing mode the same as 'private mode'.
(Note: if you never retain any history, Firefox will also not persist any HSTS or HPKP state across restarts, so the first request to a site after each start gets no protection from either.)
'Tracking Protection' is enabled 'always', just as Firefox is set to always send the Do Not Track header:
I tell Firefox to block pop-up windows and to warn when websites try to install add-ons. For privacy reasons, I disable Firefox data collection:
Under 'Security', I do enable block dangerous and deceptive content, although it's important to be aware that this means that Mozilla could, in theory, track a lot of my usage, as it requires the browser to send a fair bit of data to Mozilla to make this determination. (In effect, your browser pings Mozilla every 30 minutes, which could be used to e.g. track your location (unless you use Tor).) Trade-offs.
Under 'Certificates', I enable OCSP querying.
Firefox Add-ons
I try to keep the list of add-ons small, in part to reduce the uniqueness of my browser, and in part to simplify setting up my browser anew when I e.g. switch laptops or whatever. (Random tangent: I similarly only have minimal customizations in my shell startup scripts.) The add-ons I do have installed are:
The 1Password browser extension. This allows me to trivially fill in passwords from my password manager.
DuckDuckGo Privacy Essentials. This is a new extension I just added to try out DuckDuckGo's tracker blocker:
Ghostery. (Possibly broken with Firefox 58?) Even though Ghostery has seen some criticism due to its "Ghost Rank" system, it still seems to be one of the most efficient blockers I've used. Of course I opt out of sharing my data:
The Google Analytics Opt-out Browser Add-on. Just what it says.
uBlock Origin. The original. I enable most block lists that are available and not marked 'experimental'. You could say... ¬_¬ ... it's my blockchain.
Other Firefox Settings
In addition to all of the above, Firefox's about:config allows a myriad of other settings to be adjusted. This page has a good rundown of many security and privacy related settings; I'll just explicitly call out security.cert_pinning.enforcement_level = 3 (because I fiddle around with HPKP), and the disabling of the 'Referer' header and XSiteReferrer settings:
network.http.sendRefererHeader = 0
network.http.sendSecureXSiteReferrer = false
Toggle beacon.enabled to false to disable navigator.sendBeacon(), which sites use to fire off analytics data as you leave a page.
Set network.prefetch-next to false and network.dns.disablePrefetch to true to turn off link prefetching and speculative DNS lookups; both contact hosts for links you never clicked, and the DNS lookups go to your local resolver rather than through the proxy.
Toggle network.IDN_show_punycode to true to avoid falling prey to IDN homograph attacks.
Toggle privacy.firstparty.isolate to true to partition cookies, cache and other site data by the first-party domain shown in the URL bar, so a third party embedded on two different sites gets two separate cookie jars and cannot link the visits.
Toggle privacy.resistFingerprinting to true to avoid or at least reduce browser fingerprinting.
Set network.trr.mode = 5 to explicitly turn off DNS-over-HTTPS (the 'Trusted Recursive Resolver', whose single default resolver is Cloudflare); with Tor as the proxy, name resolution should go through Tor rather than to one DoH provider (see this post for more information).
Chrome
My settings and extensions in Chrome mirror those in Firefox, with the exception that for Chrome, I do not use Tor. Other than that, in chrome://settings, under 'Advanced->Content Settings', I enable 'Keep cookies until quit', 'Block third-party cookies', and 'Block Flash'.
To disable sending the 'Referer' header in Chrome, I long ago had fiddled the Preferences file.
Due to Spectre, I recently enabled site isolation in Chrome via chrome://flags/#enable-site-per-process. Finally, Chrome is the only browser in which I log into a Google account, so I'll quickly add here that in gmail I also disable displaying external images under https://mail.google.com/mail/#settings/general .
Addendum 2018-11-20: Under 'Privacy and security', I toggle off 'Allow Chrome sign-in' so that signing into e.g., Gmail does not also sign me into Chrome.
And that's about it. Something else I've been meaning to do for a long time is to really trim the list of root certs in my browsers' and OS's trust stores, but I just haven't gotten around to that.