Using CloudNS For DNS Resolution – Integrity, Authenticity, Confidentiality

CloudNS is a DNS host that supports a few cool security features. I’ve set it up, and it’s working for me on Linux Ubuntu 13.04. I think its security features give it the potential to be the preferred choice for those looking for that higher level of security and privacy.

* DNSCrypt Support
We only allow connections to our service using DNSCrypt, this provides confidentiality and message integrity to our DNS resolver, and makes it harder for an adversary watching the traffic of our resolver to identify the origin of a DNS query as all the traffic is mixed together.

* DNSSEC Validation
Our server does complete trust validation of DNSSEC enabled names, protecting you from upstream DNS poisoning attacks or other DNS tampering.

* Namecoin resolution
Namecoin is an alternative, decentralized DNS system, that is able to prevent domain name censorship. Our DNS server does local Namecoin resolution of .bit domain names making it an easy way to start exploring Namecoin websites.

* Hosted in Australia
Our DNS Server is hosted in Australia, making it a faster alternative to other open public DNS resolvers for Australian residents.

* No domain manipulation or logging
We will not tamper with any domain queries, unlike some public providers who hijack domain resolution for domains that fail to resolve. Our servers do not log any data from connecting users including DNS queries and IP addresses that make connections.

I think those are some really interesting features. For one thing, it forces DNSCrypt and validates with DNSSEC, and it appears to be the only resolver to do both of these things. And it’s also hosted outside of the US, which has its own implications for security.

So I went ahead and set up CloudNS using the following command (and setting this in rc.local) after configuring DNSCrypt from this guide. You can check Cloudns.com.au for the updated information, but as of today (Aug 8th, 2013) this command works for me.

dnscrypt-proxy --user=dnscrypt --daemonize --resolver-address=113.20.6.2:443 --provider-name=2.dnscrypt-cert.cloudns.com.au --provider-key=1971:7C1A:C550:6C09:F09B:ACB1:1AF7:C349:6425:2676:247F:B738:1C5A:243A:C1CC:89F4

To use the secondary server as well the command is:

dnscrypt-proxy --user=dnscrypt --daemonize --resolver-address=113.20.8.17:443 --provider-name=2.dnscrypt-cert-2.cloudns.com.au --provider-key=67A4:323E:581F:79B9:BC54:825F:54FE:1025:8B4F:37EB:0D07:0BCE:4010:6195:D94F:E330

So the three big improvements for me are DNSSEC, DNSCrypt, and Australia hosting.

DNSSEC

DNSSEC is an extension of DNS that aims to provide authentication and integrity of DNS results; it ensures that you know who the result is from and that no one else has tampered with it. DNS responses are authenticated but they are not encrypted, so DNSSEC does not prevent someone between you and the resolver from viewing the request.

DNSCrypt

DNSCrypt encrypts DNS requests, which provides confidentiality: an attacker between you and the resolver cannot view the traffic between you and your DNS resolver.

Stacking DNSSEC and DNSCrypt works out very well, as you end up covering your bases and achieving confidentiality, integrity, and authentication.
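A quick way to see the DNSSEC half of this in practice, as an added example (not from the original post or from CloudNS): build a query that asks for DNSSEC data, then read the AD (Authenticated Data) flag and the response code in the reply. The replies below are constructed samples, and the 127.0.0.1:53 address in ask() is an assumption about where your local dnscrypt-proxy listens; the AD flag is only worth trusting when the hop to the resolver is itself authenticated, which is the part DNSCrypt covers.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, RFC 4035).
QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
OPT_LEN = 11  # size of the EDNS0 OPT record appended by build_query()


def encode_name(name):
    """Encode a host name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid, qtype=1):
    """A query with RD and AD set, plus an EDNS0 OPT record carrying DO=1."""
    header = struct.pack("!HHHHHH", txid, RD | AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-record: root name, type 41, UDP size 1232,
    # extended rcode 0, version 0, flags 0x8000 (DO), empty rdata.
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt


def ask(query, server=("127.0.0.1", 53), timeout=3.0):
    """Send the query over UDP. The default address is an assumption:
    point it at wherever your local dnscrypt-proxy is bound."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, server)
        return sock.recvfrom(4096)[0]


def classify(response, txid):
    """Return (verdict, rcode name) for a raw DNS response."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & QR:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    name = RCODES.get(rcode, "RCODE%d" % rcode)
    if rcode == 2:
        # A validating resolver answers SERVFAIL when signatures do not
        # verify; an upstream outage looks the same from here.
        return "servfail", name
    if flags & AD:
        return "validated", name   # resolver vouches for the answer
    return "insecure", name        # unsigned zone or non-validating resolver


def constructed_reply(query, ad, rcode):
    """Constructed sample reply: echo the question, rewrite the flags."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = QR | RD | RA | (AD if ad else 0) | rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + query[12:-OPT_LEN]


if __name__ == "__main__":
    q = build_query("example.com", 0x1234)
    samples = (("signed and validated", constructed_reply(q, True, 0)),
               ("unsigned zone", constructed_reply(q, False, 0)),
               ("broken signatures", constructed_reply(q, False, 2)))
    for label, reply in samples:
        print(label, classify(reply, 0x1234))
    # Live check against your own proxy: classify(ask(q), 0x1234)
```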

Hosting In Australia

While I’m not particularly familiar with Australia’s laws, hosting outside of the US definitely provides a bit more peace of mind. Just yesterday we learned that Lavabit (the email provider chosen by Edward Snowden) has shut down due to the US government trying to compromise their ability to protect their users. The truth is that hosting in the US just makes a service less trustworthy at this point, and hosting outside is a big plus. This, combined with Namecoin and their pledge to not log, is really somewhat comforting.

So, while I can’t absolutely recommend it at this point (I haven’t been using it long enough) I think there’s a lot of potential here.

Encrypted Call And Text From WhisperSystems

Whispersystems has released two Android apps that allow for encryption of all calls and texts with any other device running the apps.

RedPhone allows for encrypted calls using SRTP and ZRTP between you and other phones running RedPhone. Setup is simple and use of the app is seamless. All calls are VOIP, and the encryption documentation can be found here:

https://github.com/WhisperSystems/RedPhone/wiki/Encryption-Protocols

The other app, TextSecure, allows for both asymmetric encryption between you and those who also run the app as well as local encryption of text messages. You can even set a timeout so that your messages are locked after X minutes/ hours – a very handy feature.

In light of recent disclosures about US wiretapping, PRISM and otherwise, you may want to seriously consider trying these out.

https://github.com/WhisperSystems/TextSecure/wiki/Protocol

You can download both of these apps off of the play store:
https://play.google.com/store/apps/details?id=org.thoughtcrime.redphone

https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms

Wikipedia Discussion On Iron Browser

For my original Iron Browser blog – see here.

So I got two referral hits from the discussion page for Iron Browser. It seems that someone there wants a “conflict” section explaining that Iron doesn’t actually provide anything that Chromium doesn’t, and nothing of substance compared to Chrome. A really great endeavor.

I’m not optimistic it will be let through. Why? The discussion page is clearly biased.

UPDATE: I posted on the discussion page. I talked to someone there about getting proper sources up. I’m obviously not reputable but my sources are – the issue is that because none of my sources explicitly mention the Iron browser they can’t be used to discredit the browser. Essentially Iron says X and the reputable source says ‘X is false’ but because the reputable source doesn’t say ‘X is false and therefore Iron is making a false claim’ it can’t be linked – Wikipedia doesn’t allow that type of connection, which they refer to as ‘synthesis’. I think that’s idiotic but I don’t really care – I’ve had thousands of hits on my Iron page so even though users who go to Wikipedia are essentially getting lied to via proxy there are many who have come to my blog and gotten the facts.

To quote:

“Scam” is not accurate

I’ll be reverting some of User:98.207.42.24’s edits that basically littered this article with the same statement over and over, about how a self-published source compared Chrome’s and Iron’s source code and concluded that Iron is a “scam” because of the fashion in which Iron sets privacy values (hard-coded instead of through a user interface).

I have several problems with this:

  • For someone that doesn’t want to do research about Google Chrome’s privacy faults before starting up the browser (even for the first time), Iron is helpful. And according to Iron’s website, that is what it was created for.
  • The source is not a reliable source.
  • The source is not timestamped so we have no idea when it was created and what has changed since then on Iron and Chrome.
  • Iron disables RLZ, Chrome doesn’t.

As far as I can tell Iron was made for comfort and it’s not meant to fool anyone into thinking otherwise.

That’s from user Bitbit. Taking a look at user Bitbit’s page we see he’s obviously anti-Google (there’s a banner dedicated to disliking Google). His bias is obvious because his post is a bit silly, I checked his page because reading his post it seemed clear. I’ll explain why in this post! I want it clear that, unlike my post about the Iron developer, I’m not trying to be insulting here. The Iron developer is throwing out crapware/ scareware whereas this is just one user with his opinions. I’m not going to attack him or his opinions, only explain why his post on the matter is invalid. So many people have fallen for the Iron browser, I don’t blame any of them, and I’ve seen so many users on other forums read the information and immediately state that they’re moving to another browser.

Let’s take this one step at a time.

For someone that doesn’t want to do research about Google Chrome’s privacy faults before starting up the browser (even for the first time), Iron is helpful. And according to Iron’s website, that is what it was created for.

For someone who doesn’t want to do research? Well… if you’re a user who winds up on Iron’s page it should be obvious that you were looking for a more private alternative to Chromium or Chrome. So the defense that Iron isn’t purporting itself as a more private alternative, only one with a more private default configuration, is fairly weak. Furthermore, the Iron developer’s claims are disingenuous – one really clear example is the “URL Tracker” feature, a poor choice of name, but the Iron developer makes it out to be a privacy issue when it is obviously not (you can read about this all in my original post). Therefore it is far more than a claim of “default configuration” because the developer has made claims that features removed are privacy violations when they are not.

  • The source is not a reliable source.
  • The source is not timestamped so we have no idea when it was created and what has changed since then on Iron and Chrome.

There are multiple sources available. I found many in my original blog post on Iron. Bitbit didn’t look for any, so naturally he didn’t find them. The information is out there, and I’ve put it all in one place to make things simpler.

Iron disables RLZ, Chrome doesn’t.

As I explained in my original post, RLZ is not a privacy issue. It also does not exist in Chromium.

As far as I can tell Iron was made for comfort and it’s not meant to fool anyone into thinking otherwise.

If you look at the facts from my first post it should be clear that Iron was made for money. It is absolutely designed to fool people – the page is filled with lies.

[…], these are flat-out dry facts, not an opinion

Here are some absolute sourced facts that can be externally verified, and I didn’t go into in my original post. I suggest reading the first post for a full tear down of Iron.

The default installation of Iron contains a bookmark to the Iron forum. On this forum? Ads.

Image

And the default home page? Ads as well!

Image

On its own this is hardly damning. Ad-based software is perfectly fine. Where the issue lies is that this is software designed to make a profit and it does so by playing on users fears. Adware, Scareware, Scamware, all can easily be seen as fitting. In every case it’s a matter of a user being tricked, or scared, into using a software that makes money off of them while providing no actual benefit to that user.

So it’s my hope that Wikipedia does include a section that puts all of the information available in their article. I’ve made use of many sources and they’re free to verify it all. When you search “Iron Browser” on DuckDuckGo Wikipedia is in the result box and it’s the first thing many users will see – providing those users with all of this information is important, it’s what Wikipedia is for. I’ve sourced my original post thoroughly and redundantly. I hope the information in that post is put to good use.

Thanks to whoever said the nice words about the post on that Wikipedia article (no username). I appreciate that.

You can find my original post here: https://insanitybit.wordpress.com/2012/06/23/srware-iron-browser-a-real-private-alternative-to-chrome-21/

Chrome Gets New “Script Bubble” Feature

Chrome now includes a “Script Bubble” feature that shows you how many scripts are running on a specific page and which ones. The feature could potentially allow users to spot a malicious extension more easily.

There’s no way to stop the extension from running on the page through the Script Bubble, which is something I’d really like to see. Further, I’d like to see scripts on pages on a whitelist as well and options similar to the other content settings.

You can enable the feature under chrome://flags.

Image

SRWare Iron Browser – A Private Alternative To Chrome?

Iron Browser claims to eliminate “critical points that the privacy concern”, in other words it’s trying to solve Chrome privacy issues.

A noble endeavor. Or at least it would be if there were any credible aspect to the program. The labels “scamware” and “scareware” are fitting here.

Iron v Chrome

The SRWare Iron Browser website has a page called “Iron Vs Chrome” that ‘matches up’ the privacy features. This is actually the easiest thing to point to to say “wow, this browser really is bullshit.” The Iron Vs Chrome page is riddled with misinformation and false implications – it’s incredibly blatant that the iron developer is using scare tactics here.

1) Installation-ID

This is the only privacy ‘concern’ that isn’t optional. Some facts:

  • The installation ID only runs once and then it’s removed.
  • The installation ID contains no personal information, it’s gibberish.

2) Suggest

Suggest is referring to the omnibox suggestions. In order to predict what you’re searching for, Chrome sends the text in the URL bar to the default search engine (Chrome has no default search engine; you choose on installation). You are then subject to that search engine’s privacy restrictions; I use DuckDuckGo so it’s really them logging me.

This is entirely configurable. You can disable it with absolute ease. All the Iron browser has done is disable the option by default and removed the ability to enable it. To disable it check the Chrome Privacy Settings.

3) Alternate Error Pages

The Iron browser developer is really reaching with this one. When Chrome hits a page that can’t be reached it replaces the error message.

A few facts:

  • Navigation errors are first checked locally.
  • Only a hash is sent to google.
  • All GET parameters are removed.

And, of course, it can be easily disabled. Again, all Iron has done is disable a feature and not give you the option to add it back.

4) RLZ-Tracking

The RLZ string is an encoded string that contains no identifying information. It’s used purely to gauge how well promotional campaigns did, i.e. if an ad runs on Monday they want to know how many people downloaded it Tuesday. That’s the kind of information in the RLZ string, and the source code is provided to decode the RLZ and look inside.

It couldn’t really be less malicious unless you have a problem with Google knowing that someone out in the wide world downloaded their browser on a Tuesday.

You can disable this on Linux. Not Windows. It also doesn’t even exist in typical builds downloaded from Google’s website, only for builds having to do with marketing campaigns.

The RLZ String doesn’t actually exist in Chromium, the browser Iron is based on.

5) Google Updater

Another big reach. Iron is now claiming that this is a privacy failure. I literally have absolutely no idea what the hell this guy’s point is for this one so it’s incredibly difficult to refute. The updater is open source. At this point it should be clear that the developer has 0 credibility and is just pulling things out of his ass.

6) URL-Tracker

Google stupidly named this feature “URL-Tracker” which sounds really awful. It’s really not, and they just picked a horrible name.

Basically the URL Tracker connects to three random sites. It does this to check your DNS configuration in order to tell whether your DNS tries to resolve error pages or if Chrome should. Nothing scary here and it’s handled in a very nice way.
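The probe described above can be reproduced as a check on your own resolver. This is an added example, not Chrome's code and not from the original post: it looks up a few random names that should not exist and flags the resolver if they all come back with a shared address. The ".com" suffix, the name lengths and the two stub resolvers (constructed, so the check runs offline) are assumptions.

```python
import random
import socket
import string


def random_probe_names(count=3, rng=None, suffix=".com"):
    """Random hostnames that are overwhelmingly unlikely to be registered."""
    rng = rng or random.SystemRandom()
    names = []
    for _ in range(count):
        length = rng.randint(8, 15)
        label = "".join(rng.choice(string.ascii_lowercase) for _ in range(length))
        names.append(label + suffix)
    return names


def system_resolve(hostname):
    """Resolve through the OS resolver. [] means 'no such name'; any other
    failure is re-raised because it is not evidence either way."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        no_name = (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None))
        if exc.errno in no_name:
            return []
        raise
    return sorted({info[4][0] for info in infos})


def detect_nxdomain_hijack(resolve=system_resolve, probes=3, rng=None):
    """Classify the resolver as 'clean', 'hijacked' or 'inconclusive'."""
    answers, failed = {}, []
    for name in random_probe_names(probes, rng):
        try:
            answers[name] = resolve(name)
        except OSError:            # timeout, SERVFAIL, no network
            failed.append(name)
    resolved = [set(addrs) for addrs in answers.values() if addrs]
    shared = set.intersection(*resolved) if resolved else set()
    if failed:
        verdict = "inconclusive"   # cannot tell a hijack from an outage
    elif not resolved:
        verdict = "clean"          # every made-up name got 'no such name'
    elif len(resolved) >= 2 and shared:
        verdict = "hijacked"       # unrelated made-up names share an address
    else:
        verdict = "inconclusive"   # e.g. one probe happened to be a real host
    return {
        "verdict": verdict,
        "landing_addresses": sorted(shared) if verdict == "hijacked" else [],
        "answers": answers,
        "failed": failed,
    }


# Constructed stub resolvers so the logic can be exercised offline.
def honest_resolver(hostname):
    return []                      # behaves like NXDOMAIN for unknown names


def hijacking_resolver(hostname):
    return ["203.0.113.10"]        # every unknown name lands on one server


def flaky_resolver(hostname):
    raise OSError("resolver timed out")


if __name__ == "__main__":
    for stub in (honest_resolver, hijacking_resolver, flaky_resolver):
        print(stub.__name__, detect_nxdomain_hijack(stub)["verdict"])
```

Calling detect_nxdomain_hijack() with no arguments runs the same probe through the operating system's resolver.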

So, we’ve now discredited the Iron browser in terms of its use. Obviously it offers absolutely nothing to the user in terms of privacy – the only thing it adds is a slightly modified UI, the ability to block ads from a file, and the ability to change your user agent (something you can do from the command line with Chrome already); basically it adds absolutely nothing an extension wouldn’t. I personally think it’s time to discredit the developer on a more personal level, because, honestly, the project just really annoys me.

Why Does Iron Exist?

Since the Iron browser provides nothing to the user you have to ask yourself, why does it exist? Very simple, and a bit obvious – money. The Iron developer plays off of users’ fear, creating ‘privacy issues’ where none exist in order to turn a profit. And how does he get money? Very ironically he uses Google Adsense.

In a conversation with Chromium devs the Iron developer essentially states that he has no interest in making commits to Chromium to improve privacy and is only after the ad revenue.

<mgreenblatt> Iron.. why not propose a patch based on preprocessor defines that disables the sections you dislike without forking the code?
<Iron> because a fork will bring a lot of publicity to my person and my homepage 
<Iron> that means: a lot of money too ;)
<Iron> i dont take money for my fork 
<Iron> but i have adsense on my page ;) 
<Iron> a lot of visitor -> a lot of clicka > a lot of money ;)
<Iron> we are here in germany 
<Iron> the press will love my fork 
<Iron> i talked to much journalists already 
<DrPizza> Why are you forking? 
<DrPizza> to do what? 
<Iron> to remove all things in source talking to google ;) 
<jamessan> to get fame and fortune 
<Iron> nobody here trusts google 
<Iron> the german people say: google is very evil 
<jamessan> yet you use google's adsense

Sure seems trustworthy! Yes, that’s the Iron developer outright saying that he’s playing off of fears rampant in Germany and he’s in it for the adsense money. If you’re supporting the Iron browser you are supporting a product that provides a false sense of privacy, it outright degrades what privacy is about – disclosure and integrity.

I’m a pretty crappy programmer and I could probably do what Iron’s done. It’s just deleting a few snippets of code, adding in a bit of Iron code (like automatically bookmarking his webpage with ads), and the few features added that could easily be replicated by extensions. Of course, the developer hasn’t really released the source code in forever so… yeah… that also brings me to my point of it not exactly being open source. I think the last I checked I couldn’t find source code for any recent version of Iron.

Chrome and Chromium are pretty privacy oriented. At least to a fair extent. There’s a Chromium privacy team and they are very responsible. I’ve personally bugged Mike West with my questions on multiple occasions and he’s been nothing but quick to respond and helpful, which has led to a bug fix or two. Recently I dealt with another member of the Chromium privacy team and got another feature request for privacy, which they took seriously instead of simply saying “no go away.”

The Iron browser is a scam and the developer is using you. It’s snake oil and it’s dangerous. You’re going to be slower to patch and you’re going to think you’re ‘more private’ when you aren’t.

The defense for Iron is that it has a “privacy by default” configuration, that users may not want to “research” to find out how to make Chrome meet Iron’s configuration. It should be plainly obvious that if a user has taken the time to look for Iron it’s a very short step to find guides that explain how to uncheck the boxes clearly marked in Chrome’s settings. The Iron developer is blatantly disingenuous with the claims made, quite a few of which (as you can read above) are just ridiculous.

Don’t support scamware. If you see someone recommending the Iron browser simply link them to some information.

I’ve seen a lot of referrer info from this post on websites and I’m very pleased to say that users are consistently dropping Iron when presented with the facts. PCLinuxOS has dropped the Iron browser from their repositories after reading this post.

For updates and other articles follow me on Twitter: @Insanitybit

Sources

https://static.googleusercontent.com/external_content/untrusted_dlcp/www.google.com/en/us/intl/en/landing/chrome/google-chrome-privacy-whitepaper.pdf

http://neugierig.org/software/chromium/notes/2009/12/iron.html

http://echelog.com/logs/browse/chromium/1262127600 (IRC log)

mikewest.org/2011/09/chrome-privacy

mattcutts.com/blog/google-chrome-communication/

http://blog.chromium.org/2010/06/in-open-for-rlz.html

Fixing A Broken CA System – Perspectives And Convergence

Image

Certificate Authorities (CAs) hand out digital signatures that websites can use to do two things. They can provide encryption and verification – the connection between you and the server is encrypted and the Certificate Authority has verified that the website is ‘legitimate.’ Encrypting the connection attempts to stop Man In The Middle Attacks (MITM.)

Man In The Middle

A Man In The Middle attack is when an attacker gets between you and the server and reads or interferes with the data. This means that the attacker can read passwords sent to a website, read an email, read anything. They can also redirect you to an exploit page or change the information in other ways.

If the information is encrypted, as it is with SSL, then MITM attacks are more difficult (more on cracking and bypassing SSL in another post.)

Why The CA System Is Broken

If the entire web were encrypted and verification were a perfect process and CAs couldn’t be hacked or tricked it would all work beautifully. Obviously all of this is impossible, so the system has to change.

Comodo and VeriSign make up the vast majority of certificates used for websites. Between the two of them they hold the majority of the CA market share but neither one has a pristine record for security. Comodo was hacked by someone who is most likely a novice hacker and VeriSign has accidentally issued certificates to malware in the past. They aren’t the only ones to have been hacked: DigiNotar brought a lot of press to the situation when they were hacked, and for all we know this has happened without users finding out.

There’s also the problem of trust – we can’t really trust every single CA. Some CAs have handed out certs that allow MITM attacks for companies/ government to spy on users.

Servers can sign their own certs but then a user has no way of knowing if the cert is legitimate (hackers can provide one) and browsers will give tons of warnings about it.

The Solution

Convergence essentially works by checking the certificate against notaries. These various notaries all have information on the certificate and if the information doesn’t match you can assume that there’s something wrong. Instead of verification happening on the CA level it’s handled by many different independent notaries.

Users have full control over which notaries they use. Whereas on WordPress I’m forced to take Godaddy.com’s word on this website being legitimate, with Convergence I could choose any notary I like.

CAs could act as notaries as well but the current system has the two segregated. This may not always be the case.
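The notary comparison described above comes down to a small decision procedure. The sketch below is an added example, not Convergence's code or wire protocol: the SHA-256 fingerprints, the policy names, the host name, the certificate bytes and the notary callables are all assumptions constructed for illustration, and a notary that cannot be reached is counted as not agreeing so the check fails closed.

```python
import hashlib
import hmac


def fingerprint(cert_der):
    """Hex SHA-256 of the certificate bytes the client was handed."""
    return hashlib.sha256(cert_der).hexdigest()


def notary_verdict(cert_der, host, notaries, policy="majority"):
    """Compare the certificate we saw with what each chosen notary sees.

    notaries maps a name to a callable(host) that returns the fingerprint
    that notary observes for host, or raises OSError if it is unreachable.
    Thresholds are counted against every configured notary, so a notary
    that is down can never push a certificate over the line.
    """
    seen = fingerprint(cert_der)
    agree, disagree, unreachable = [], [], []
    for name, observe in notaries.items():
        try:
            reported = observe(host)
        except OSError:
            unreachable.append(name)
            continue
        if hmac.compare_digest(reported, seen):
            agree.append(name)
        else:
            disagree.append(name)

    total = len(notaries)
    thresholds = {
        "minority": 1,                # any single notary agreeing is enough
        "majority": total // 2 + 1,   # more than half must agree
        "consensus": total,           # every configured notary must agree
    }
    if policy not in thresholds:
        raise ValueError("unknown policy: %r" % policy)
    needed = max(1, thresholds[policy])   # an empty notary list trusts nothing
    return {
        "trusted": len(agree) >= needed,
        "agree": agree,
        "disagree": disagree,
        "unreachable": unreachable,
    }


# Constructed sample data: two byte strings stand in for DER certificates.
REAL_CERT = b"constructed certificate bytes: the real server"
MITM_CERT = b"constructed certificate bytes: an interceptor"


def sees(cert_der):
    """Constructed notary that always observes the given certificate."""
    return lambda host: fingerprint(cert_der)


def offline(host):
    """Constructed notary that cannot be reached."""
    raise OSError("notary unreachable")


if __name__ == "__main__":
    notaries = {"a": sees(REAL_CERT), "b": sees(REAL_CERT), "c": offline}
    for cert in (REAL_CERT, MITM_CERT):
        for policy in ("majority", "consensus"):
            result = notary_verdict(cert, "example.org", notaries, policy)
            print(policy, result["trusted"], result)
```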

If you’re looking to install Convergence it’s Firefox only and Google (Microsoft, Apple) has not shown interest in supporting it.

The Definitive Guide For Securing Chrome

This is Part 2 in a series where I’ll be detailing various settings for specific programs and operating systems. For Part 1 (Firefox) click here. I won’t get to do the Ubuntu/ Windows guides today as both of those will probably take days on their own – don’t expect them before Monday.

Chrome

Google Chrome is based on the open source Chromium project. It differs in that it includes Adobe Flash Player, a PDF viewer, an auto-updater, as well as support for closed source codecs. Chrome makes use of a sandbox based on OS-provided MAC. On Linux it uses a SUID, PID, and Chroot sandbox with Mode 2 Seccomp filters and on Windows it uses various levels of Integrity Access Control.

Chrome is the browser that I consider to be most secure and in this guide I’ll be showing how to lock it down further.

I am choosing Chrome and not Chromium due to including Flash and handling updates automatically.

Privacy Settings

Chrome enables certain features that users may feel pose a privacy concern. You can enable and disable these features in the Chrome -> Settings -> Advanced Settings page.

Image

Those are my specific settings but you can enable/ disable as you please. See this link by Matt Cutts to understand communications to Google Chrome.

To make Chrome more private click on the Content Settings.

Chrome allows for a fair level of control over what websites can and can not do. You can disable third party cookies from being set entirely and you can blacklist/ whitelist sites from setting cookies at all.

Image

Next you can type about:flags into the URL bar.

Go enable the feature labeled:

Disable sending hyperlink auditing pings.

Enabling this disables hyperlink audit pings, which can be used to track users.

LastPass

Chrome does not include a master password feature so you’ll have to use LastPass for something similar. I’ve posted a guide to setting up LastPass here.

Adblock Plus

As Chrome does not yet implement a Do Not Track feature if you’d like to use it you need to install Adblock Plus, which will block ads and tracking.

I also suggest you use this filter to block tracking.

UPDATE: Chrome now supports Do Not Track in the Privacy settings.

Security Settings

Credit to m00nbl00d here.

We can set Chrome to block Javascript globally and then allow by top level domain (i.e. .com, .org). This means that we can block Javascript on many sites without it bothering us. By blocking Javascript on domains like .ru and .cn we actually block a fair amount of pages that could otherwise be used against us.

Image

Notice that I’ve done the same thing with plugins. Something I personally like to do is set Click To Play, and not whitelist any sites. This is a wonderful way to prevent attacks. My recommendation is Click To Play and no whitelist.

Image

HTTPS-Everywhere

HTTPS-Everywhere is an extension developed by the EFF (Electronic Frontier Foundation) that aims to force HTTPS on all sites that make it available.

Many sites, like WordPress, offer HTTPS but don’t default to it. HTTPS-Everywhere will block and redirect requests so that you end up using the HTTPS version.

HTTPS means that the traffic between you and the server is encrypted. That means that no one besides you and the server gets to read or manipulate the data.

This prevents MITM attacks that can be used to sniff passwords or even compromise the machine by redirecting your request to an exploit page.

HTTPSwitchBoard

HTTPSwitchBoard is another Chrome extension aimed at providing a more private and secure browser. The extension allows you to limit requests that the browser makes for a wide variety of content – you can allow a website to load its CSS/images and nothing else, or add in scripting, plugins, video tags, etc on a per-request basis.

It’s quite easy to use, maintains a great blacklist that makes whitelisting safe and easy, and is much faster than conventional content blockers.

https://github.com/gorhill/httpswitchboard

AppArmor (Linux Only)

Chrome does not have an AppArmor profile by default on any distro that I know of. You’ll have to make one, so have a look at this guide.

Chrome already makes use of a powerful sandbox on Linux but making use of AppArmor is a good idea. There isn’t a ton of up to date documentation on the Linux sandbox so while we can gather that it’s pretty strong we shouldn’t trust it and therefore AppArmor is a very good idea. What we do know is that the Chrome sandbox makes use of Chroot, a call that requires root privilege, so I’m not sure how they’re accomplishing this (I think they use a separate UID for this and then drop from root) but either way I don’t want anything that can Chroot and Chmod having access to more of my system than it needs.

Seccomp (Linux Only)

Chrome now uses Seccomp filters for plugins. Read about seccomp here.

PPAPI Flash Player

UPDATE: Chrome now uses the PPAPI Flash Player by default, which comes in a very powerful sandbox. Make sure you have your Flash using only PPAPI in chrome://plugins.

Remember

Chrome doesn’t update anything other than itself and Flash so make sure to keep your Java, Silverlight, or any other plugins up to date as well as the underlying operating system. And make sure to set your plugins to Click To Play.

And Of Course…

If I’ve missed anything let me know. I don’t think I’ve missed anything worth putting in. I’ve purposefully left ScriptNo (now SafeScript) out as I can’t attest to it actually working correctly 100% of the time and it doesn’t have many important features built into NoScript. I think that m00n’s Javascript trick works fine.

The Definitive Guide For Securing Firefox

This is part 1 in a series where I’ll be detailing various settings for specific programs and operating systems. I’ll be writing a guide for Chrome, Firefox, Windows Vista/7/8, and Ubuntu 12.04 (maybe other things I can think of.) The guide will cover everything I can think of and will cover both system compromise, in-program compromise, and privacy concerns. I won’t cover all subjects today, probably just Firefox and Chrome.

Firefox

Firefox is the free and open source browser developed by Mozilla. It focuses on user-oriented features like a customizable UI and ensuring user satisfaction through an interactive developer community.

By default without any plugins Firefox is fairly secure in that it makes use of modern mitigation techniques and is quick to patch. This guide will go over some Firefox extensions that you can install as well as  settings that you can change to improve security and privacy.

Privacy Settings

First up we’ll change our privacy settings to include the Do Not Track header, which I recently posted about. We’ll also be disabling third party cookies as these are typically only ever used for tracking users (though they can have legitimate uses, like logging into websites via third party logins).

Firefox -> Edit -> Preferences -> Privacy

It should look like this after you’ve changed the settings:

Image

Security Settings

From the privacy tab you can click the next tab – Security.

Here we can set our master password. This password will encrypt all others so that if anyone gains unauthorized access to your system they will not be able to gain access to your information.

See this guide for creating a strong password.

Content Settings

Firefox lets you allow or deny Javascript throughout the browser in the content settings page. Disabling Javascript will break many sites but it will improve security – I recommend NoScript instead.

NoScript

NoScript is an extension developed by Giorgio Maone. NoScript is a default-deny system that blocks a webpage’s ability to run scripts or plugins. It also makes use of a strict XSS filter and clickjacking prevention.

By default NoScript blocks the following:

Image

This renders most attempts at exploiting the browser unsuccessful and will protect even whitelisted pages fairly well.

The problem with NoScript is that there is a ton of user interaction required. You have to whitelist every site you want to visit. It’s a pain. But if you’re after a high level of security that’s what I recommend. If you globally disallow (default) you’ll benefit even when you whitelist a website.

Even if you hate the interaction I highly recommend you install NoScript and turn on the “Allow Scripts Globally” feature because it will still provide further improved security.

With NoScript ‘Allow Scripts Globally’ you miss out on the full extent of its protection but even then you’ll benefit from a few really great protections such as:

The XSS Filter – NoScript’s XSS is kinda the XSS Filter to compare all other XSS Filters to.

ClearClick – Clickjacking is a method used by attackers to trick a user into clicking a hidden or invisible ‘button’ that can lead to an exploit page or even a bank transaction. ClearClick is the only protection for this currently implemented.

CSRF Protection – CSRF is harder to explain. It attacks from the user’s end of the system so it can do things like get into your email account and bypass protections because it all originates from ‘you.’

MITM Protection – Man In The Middle attacks happen when, simply, the attacker is between you and the server. SSL is the typical solution but you can spoof certs and hijack even SSL communications or just attack mixed content transmissions. NoScript implements multiple protections here.

So, there you have it. Even with Scripts Globally Allowed NoScript is going to make your Firefox much more secure.

HTTPS-Everywhere

HTTPS-Everywhere is an extension developed by the EFF (Electronic Frontier Foundation) that aims to force HTTPS on all sites that make it available.

Many sites, like WordPress, offer HTTPS but don’t default to it. HTTPS-Everywhere will block and redirect requests so that you end up using the HTTPS version.

HTTPS means that the traffic between you and the server is encrypted. That means that no one besides you and the server gets to read or manipulate the data.

This prevents MITM attacks that can be used to sniff passwords or even compromise the machine by redirecting your request to an exploit page.

Convergence

Convergence is an extension that aims to solve many of the issues we see today with SSL and MITM attacks.

Check out this explanation on it here.

It hasn’t been updated in ages, and I’m not even sure if it’s supported anymore, so take this tip with a grain of salt – results may vary.

AppArmor (Linux Only)

I’ve written a guide for AppArmor already but I’d like to highlight that Ubuntu comes with a Firefox profile by default. It probably needs a bit of tweaking but if you follow the guide it’s easy to set up.

To set your apparmor profile to enforce simply enter:

# aa-enforce /etc/apparmor.d/usr.bin.firefox

Afterwards your Firefox will be held in a tight sandbox, which will prevent and contain exploits.

Use PDF.JS

Adobe Reader is one of the most commonly exploited applications and although it has improved you may want to check out PDF.JS.

You can use this simple extension to install it and Firefox will handle PDF through Javascript.

You can read more about PDF.js here.

PDF.js is arguably less secure than Adobe Reader as Reader will run within a sandbox. The goal of PDF.js is to reduce attack surface by having PDFs rendered by the Javascript engine already present in Firefox.

Remember

Always make sure to keep Firefox and all of its plugins up to date. This is critical on Windows where out of date plugins consistently lead to compromise.

And Please…

Firefox is not my default browser and hasn’t been for over a year now. If you know of any other methods for securing it please leave me a comment and I’ll try to fit it in. Thanks.

Do Not Track On By Default In IE10

Internet Explorer 10 is the browser shipping with Windows 8 (currently in Release Preview) and it’s got an interesting feature. Do Not Track is a new would-be standard for telling advertisers not to track you online. Microsoft has stated that it will enable DNT for IE10 by default.

The Importance Of Privacy

Every single user should have complete and final control over their data. No one should be able to track you if you don’t want to be tracked – not the government and not corporations. I hold this to be fundamentally true.

Do Not Track does not actually stop anyone from tracking you. It “asks nicely” for them to stop tracking you and they have no legal obligation to care. Still, as DNT is incorporated into modern browsers it will hopefully become the standard and it could be enforced both by browsers (blacklisting ads that don’t comply) and the law.
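To make the “asks nicely” point concrete, here is an added example (not code from the original post) of what the DNT: 1 request header looks like from the server's side, with one site that honours it and one that ignores it. The cookie name visitor_id, the function names and the sample headers are assumptions made up for the illustration.

```javascript
// Constructed example: visitor_id, handleRequest and the sample data are illustrative.

// Node's http module lower-cases header names, so "DNT: 1" arrives as headers.dnt.
function dntRequested(headers) {
  return String(headers.dnt ?? '').trim() === '1';
}

// Parse a Cookie request header into a Map of name -> value.
function parseCookies(cookieHeader = '') {
  const jar = new Map();
  for (const part of cookieHeader.split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Decide what a site does with its visitor-tracking cookie for one request.
// honourDnt models the site's own policy: the browser cannot enforce it.
// newId is an injected ID generator (back it with a CSPRNG in real code).
function handleRequest(headers, { honourDnt, newId }) {
  const existing = parseCookies(headers.cookie).get('visitor_id');
  if (honourDnt && dntRequested(headers)) {
    // Compliant site: issue no ID and expire any ID it set earlier.
    const setCookie = existing ? ['visitor_id=; Max-Age=0; Path=/'] : [];
    return { tracked: false, visitorId: null, setCookie };
  }
  // Site that ignores DNT, or no DNT sent: the header changes nothing.
  const visitorId = existing ?? newId();
  return {
    tracked: true,
    visitorId,
    setCookie: [`visitor_id=${visitorId}; Max-Age=31536000; Path=/; Secure; HttpOnly`],
  };
}

// Constructed request headers, as a browser with DNT enabled would send them.
const sampleHeaders = { host: 'blog.example', dnt: '1', cookie: 'theme=dark; visitor_id=abc123' };
const fixedId = () => 'id-0001'; // stand-in generator for the demo

console.log(handleRequest(sampleHeaders, { honourDnt: true, newId: fixedId }));
console.log(handleRequest(sampleHeaders, { honourDnt: false, newId: fixedId }));
```

The same request produces opposite outcomes, and the only difference is a policy flag on the server.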

The Big Problem

I’m new to blogging, and while I don’t own this domain or use Google Analytics I can see a lot of information. I see where people come from (the majority of users who visit this blog are from Google), which articles are popular, which tags are popular etc. If I were so inclined it would be very easy to make my blog more targeted to take advantage of the information provided to me. Even with a few days of information I can see a ton about how to increase my blog’s popularity.

The same is true for advertisers. This tracking isn’t just about being creepy – it really does help. If I’m getting ads for makeup products I’m not going to click them; if I get an ad for some new book about computers or whatever I’m way more inclined to click that ad.

The sad truth of it all is that ads are what make the internet possible. Everyone has to pay for hosting or come up with some other business model, which means selling you something else. That or you’re paying out of pocket.

So while I commend Microsoft for implementing Do Not Track I’m going to outright say that this is a bad decision for the internet as a whole. It should be a choice but it should be off by default. Put a little box asking users to enable it at first run if you want, explain to them what it means. But turning off tracking for 50% of the internet is not ‘healthy’ for it.

If the entire world turned on DNT and Adblock the internet would have no way to maintain revenue. It’s not that every site would shut down overnight but tons of sites would have to start paying monthly fees and a lot would shut down.  I’m not saying to turn DNT off, just think about that.

Personally, I run Adblock Plus (which sends a DNT header) and I whitelist any website that I want to support. Adblock Plus already whitelists ads that it considers to be unobtrusive and that is a policy that I wholeheartedly support.

I think this is a really weighted subject and there’s a lot to talk about here but for now this will do.

Sources:

https://blogs.technet.com/b/microsoft_on_the_issues/archive/2012/05/31/advancing-consumer-trust-and-privacy-internet-explorer-in-windows-8.aspx

Three Simple Steps To Stay Private Online

Privacy is definitely a big issue lately. People are starting to realize how much information they really put out there, and it can be scary. The thing is, most people also don’t really care enough to do anything about it and trying to attain significant levels of privacy is just a huge pain (TOR, VPN, whatever.) That’s why I’ll just list three incredibly quick and painless ways to help stay a bit more private online.

Block Third Party Cookies

Third party cookies are used to track a user across multiple sites. They really don’t serve too much of a purpose except for tracking.

Chrome:

Wrench -> Settings -> Show Advanced Settings -> Content Settings -> Block Third Party Cookie and Site Data

Firefox:

Edit -> Preferences -> Privacy -> Set “Firefox Will” to “Custom Settings” and uncheck “Accept Third Party Cookies”
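As an added illustration (not part of the original post), the small simulation below shows why this setting matters: one tracker embedded on several unrelated pages can tie the visits together through its cookie, and cannot once the browser refuses third-party cookies. The host names and classes are constructed, and siteOf uses a last-two-labels shortcut where real browsers consult the Public Suffix List.

```javascript
// Constructed simulation: host names, Tracker and Browser are illustrative only.

// Simplified "site" of a hostname: its last two labels. Real browsers use the
// Public Suffix List, so this shortcut is wrong for names like example.co.uk.
function siteOf(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// A tracker embedded on many pages: it hands out an ID cookie and records
// every page on which it sees that ID come back.
class Tracker {
  constructor() { this.nextId = 1; this.profiles = new Map(); } // id -> pages seen
  serve(cookie, embeddingPage) {
    const id = cookie ?? `uid-${this.nextId++}`;
    if (!this.profiles.has(id)) this.profiles.set(id, []);
    this.profiles.get(id).push(embeddingPage);
    return id; // value the tracker sends back in Set-Cookie
  }
}

// A browser's cookie handling, reduced to the third-party decision.
class Browser {
  constructor(blockThirdParty) {
    this.blockThirdParty = blockThirdParty;
    this.jar = new Map(); // cookie host -> cookie value
  }
  // Visit pageHost, which embeds a resource from resourceHost served by `server`.
  visit(pageHost, resourceHost, server) {
    const thirdParty = siteOf(pageHost) !== siteOf(resourceHost);
    const allowed = !(thirdParty && this.blockThirdParty);
    const cookie = allowed ? this.jar.get(resourceHost) : undefined;
    const setCookie = server.serve(cookie, pageHost);
    if (allowed) this.jar.set(resourceHost, setCookie); // blocked: Set-Cookie is dropped
  }
}

// Longest browsing history the tracker can tie to a single ID.
function longestProfile(blockThirdParty, pages) {
  const tracker = new Tracker();
  const browser = new Browser(blockThirdParty);
  for (const page of pages) browser.visit(page, 'pixel.tracker.example', tracker);
  return Math.max(...[...tracker.profiles.values()].map((p) => p.length));
}

const pages = ['news.example', 'shop.example', 'forum.example']; // constructed
console.log('cookies allowed:', longestProfile(false, pages));
console.log('third-party blocked:', longestProfile(true, pages));
```

Blocking removes only the shared identifier: the tracker still receives every request, which is one reason the post calls these steps imperfect.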

Install Adblock Plus With Privacy Filter:

Adblock Plus is available for Chrome and Firefox. It includes Do Not Track and can make use of privacy specific filters.

Get Adblock Plus for: Firefox | Chrome

Then go to: http://adversity.uk.to/ and install the “Antisocial” list.

Use Private Browsing/ Incognito Mode

This may seem obvious to some but many people aren’t aware that there are “private browsing” modes provided by their browsers.

These private sessions won’t store any information on your computer about what sites you’re visiting and are useful for ensuring that your session stays private from anyone else who has access to the computer.

Chrome: Control + Shift + N

Firefox:  Control + Shift + P

These are just three very simple steps to help you maintain privacy while you browse. They aren’t “perfect” and there are still issues to be worried about but for the average user I think the above information will suffice.

So Why Aren’t Third Party Cookies and Ads Blocked By Default?

I think people need to understand that by blocking ads and tracking you are fighting the one thing that keeps the internet alive. Websites are run by ads. The world, really, is run by ads but that’s a bit out of scope.

The point is that if you’re on a website you like go ahead and whitelist it with Adblock Plus. Maybe you’ll see an ad you like and they’ll get a bit of cash so that they can continue providing you with that site.

Sources:

https://www.cdt.org/privacy/20090804_browser_rpt_update.pdf

adblockplus.org