What is the recommended cocktail of extensions to use these days for optimal privacy? I have so much to think about that I haven't had a chance to dig in and learn what's best.
Pihole is great for stopping stuff that’s not in the browser in particular. OS telemetry, in-app ads, phishing sites, etc. In pronciple I suppose it can block cryptoviruses, but it’s probably hard to keep a good blocklist up to date.
Someone correct me if I'm wrong, but ublock breaks almost nothing because it just allows trackers on pages where blocking it would break something.
So if blocking a doubleclick tracker will stop a video from playing on some page/site, an exception will get added to the block list to just allow it on that page/site.
It makes it 'just work', but imo it's not clear enough in the UI that this is happening and I would guess that most users don't even know.
I used noscript before umatrix. Umatrix is def technically superior in my eyes. Also noscript has some pretty shady sht in its history. Exactly what I don’t need from a privacy extension
Adblock Plus itself has trackers in it. They also accept money to whitelist every major ad company and trackers meaning you gain nothing privacy wise and just waste CPU resources.
I went through the pain period of noscript but still couldn't stick with it. I had to be constantly mindful every time I buy something online. The process would half-fail at some stage and then I have to start hunting for which domain is the one that's essential for the checkout to complete.
This is not NoScript's fault of course. Some websites are including 20-30 different domains (check out maperformance.com for example) and picking and choosing to get something to work is a nightmare.
I keep a separate browser profile just for purchases; once I've decided to buy something, I open that profile and copy the URL over. That way, my "browsing" profile remains locked down, and purchases stay easy.
Adblock is run by Wladimir Palant's Eyeo GmbH. It used to be an open source project but was rewritten to what it is now and is tied to "acceptable advertising" policies and is run by a for-profit company. As always, if you aren't paying for it, you should be asking who is.
uBlock Origin is Free. Open source. For users by users. No donations sought.
Without the preset lists of filters, this extension is nothing. So if ever you really do want to contribute something, think about the people working hard to maintain the filter lists you are using, which were made available to use by all for free.
Well someone is still paying for opensource.. the maintainers and developers. The contributors. They're mostly paying with time, but there's some direct cost too.
It's why we want to be good users of open source and contribute back, whether that's donating or helping write documentation, manage issues, etc.
The cost of open source is the direct cost - what it takes to build an adblocker in this case. The cost of a for-profit product is the direct cost and the profit margin - a higher number in every situation. Instead of the for profit company paying that, it's some external party and if that isn't you it's.. well, still somebody. As the saying goes, if you aren't the customer, you're the product.
These tests are sketchy - I have been awarded 17.85 bits on this browser however 13.94 bits come from one line item:
> System Fonts Arial, Bitstream Vera Sans Mono, Bookman Old Style, Century Schoolbook, Courier, Courier New, Helvetica, Monaco, Palatino, Palatino Linotype, Times, Times New Roman (via javascript)
But as a Linux user, those are all mapped by Freetype (some to the same typeface) as many of those are copyright (? encumbered, not freely licensed) fonts:
$ for zzz in Arial "Bitstream Vera Sans Mono" "Bookman Old Style" "Century Schoolbook" Courier "Courier New" Helvetica Monaco "Palatino Palatino" Linotype Times "Times New Roman"; do fc-match "$zzz"; done;
LiberationSans-Regular.ttf: "Liberation Sans" "Regular"
.. 12 more lines of font replacement maps...
This website javascript test is measuring a heuristic, giving it a very high score (almost twice as high as anything else, "Hash of canvas fingerprint" is next) but that measurement is patently false compared to the real data. (it also reports no Ad Blocker used and I have uBlock-O fully enabled).
I am a lifelong EFF fan and supporter, but... well, if everyone (ad / tracker people) is using this code and set of techniques I'm better off not pointing out how wrong it is. :)
It's almost like how Airwolf used to toss out chaff left and right to escape the bad guys, I have Earnest Borgnine in the back going "Why can't we hover like regular helicopter people?" as Firefox tosses out fake font results to Javascript sniffers.
Cookie autodelete is also worthwhile to prevent cookies from lingering unnecessarily.
The Resist fingerprinting and Third party isolation settings is also worth a try, it doesn't stop everything but it does prevent some of it. For usability I usually install the corresponding add-ons so I can toggle them with a button (these settings tends to break stuff).
LocalCDN may also help a bit by using local copies of commonly used resources.
I used to have an add-on that could spoof the font detection by making small random changes to font sizes, but it stopped working and I haven't found a replacement.
But disabling WebRTC and Canvas makes you easier to be fingerprinted? Most people doesn't block that, so those feature not being available on a modern browser makes you "special" right?
The browser is a complete traitor in this commercial surveillance system.
It doesn't seem possible with any of the mainstream browsers to avoid a "unique" fingerprint. RSS is a good counter-tactic.
In the end, if I have to apply defensive tactics just to read information, I will stop visiting. When I enter a store, I am unique. But I don't let the store cover me with tracers.
Privacy Badger and Catblock might not be the best combo but it is furry mammal themed. I haven't had the urge to upgrade from it. However, sometimes I feel guilty for partaking in content that I have ad blocked as the creators lose out.
Then I think about how it is that adverts might zonk out my brain, thereby rendering me unable to write helpful pleasant comments that are hopefully well received by the content creators. So being an advert blocking person isn't all that bad if you contribute with engaged comments.
I don’t think that is true. See the other sibling comment. Also LocalCDN, whilst it has some nice extras, isn’t a recommended extension - decentraleyes is.
It makes sure that when you type www.somewebsite.com and press enter you go directly to https instead of going through a http-https redirection that could be intercepted. This is only useful for websites that support https but are not in the HSTS preload list. Alternatively you can enable that Firefox setting someone mentioned but once you do that you stop being able to visit websites that don't support https so HTTPS Everywhere is a good middle ground.
I like the idea of Skip Redirects and Smart Referer, but I feel they aren't worth the risk.
They're not popular extensions (11K and 6K users respectively) and aren't being reviewed by Mozilla. I'm certainly not going to review them myself, and I see no reason to trust their developers and their personal security practices.
'almost'? Do you have examples of websites breaking? Does it mean for example that you wouldn't be able to log onto YouTube because Google cookies are blocked?
What is the best way to use DDG like Google with minimum friction and good search results (I rarely get relevant answers if I do a pure DDG search)?
Also, what is DDG? It has its own crawlers (DuckDuckBot) like Google and Bing have (assuming Bing has, haven't read on it)? Or DDG (or DuckDuckBot) just filters/parses results from Google et al?
Does anyone have a good example of a site plastered with ads that still renders with privacy badger? I want a go-to screenshot to link to for my rants any time a website tells me to disable my "ad blocker"
Didn't I just read somewhere on slashdot or hacker news that privacy badger logs all of your websites you visit and websites that you enable/disable certain cookies or javascript?
This is quite unfortunate news but not surprising. This effectively turns Privacy Badger for the majority of users into another block list.
Fingerprinting vs ad tracking protection has been an ongoing war. The natural escalation to tracking protection is to fingerprint even harder. I'd expect most power users who like to configure their extensions and blocking lists to be suprised how much information thst provides to differentiate them. Even without that browsers by default share a lot of information with every website (https://panopticlick.eff.org/).
I don't see a good ending to this war. Solutions like Firefox containers requires you to be extremely thoughtful in your site usage and don't protect from more advanced fingerprinting techniques (that for example cloudflare employs). The web is fundimentally a little broken here.
Disagree on DoH though, because it defeats DNS caching and blocking in the subnet. Plus, many people trust their own provider more than yet another US corporation.
That's fascinating, but now you know why people in the US are quick to embrace DoH in its default configurations. And, of course, nothing ties DoH to major US corporations. You can DoH to a NUC in your cousin's bedroom closet.
The "community learning" feature they mention investigating at the bottom of the article sounds like the best of both worlds: automatic learning without fingerprinting and a pre-trained block list.
I'm not a security expert so I may be wrong (if so, someone please educate me). My impression is that if you own several websites and trackers, you can identify users by the specific combination of blocked and non-blocked trackers, plus data about their machine/OS, ISP, screen resolution, and browser languages, as well as checking to see if browser permissions are turned on for notifications, location, and the like. I'm not sure you can prevent that with a javascript-based approach alone.
This is quite unfortunate news but not surprising. This effectively turns Privacy Badger for the majority of users into another block list.
Yes. Privacy Badger was not just an anti-tracker. It's also something of an ad blocker. Since ad sites tend to track, it learns to block them.
Checking "cnn.com" right now, Privacy Badger is blocking 36 sites. These include "static.ads-twitter.com", "c.amazon-adsystem.com", "www.googletagmanager.com", "ad.doubleclick.net", and "amplify.outbrain.com". Blocking those knocks out most of the ads from the big players. Two of those are Google's, and they probably don't like being blocked by a large number of users.
Taking that away to prevent a theoretical approach to tracking seems like a sell-out by EFF.
Firefox Containers ought to just let do such things:
1. Open every new website (the one which doesn't have a saved container for it) in a new random/untagged container - destroy that container and data/everything when I close the last tab of that site
2. Unless I tag/name that container for that website and then persist it the way you do - and give me one click operation to tag name and (maybe select an icon/colour for that container)
3. What about giving website favicon as an option to the container icon
4. Get rid of those "Oh you are opening this website B (container_B) from a website A (container_A) - do you want us to open it in container_B instead"? "Always"? Yes! Yes! Make it default or give me an easy options to make it default damn it - give me an option the first time where I can mark "always do this"!
5. Do we really need special container for Firefox and then for the rest? Why not ship with a default already set container in the Multi Container add-on that's Fb container?
There's an option "Select a container for each new tab" but it's not very helpful as it lets you just choose either one among all the existing containers, or "No container" and that is blocking pop-up.
Can DuckDuckGo Privacy Essentials be an alternative to Privacy Badger? Once I replaced Privace Badger by it, because Privacy Badger had conflicts with some sites I read often. But I'm not sure if its's an optimal alternative.
I don't know what Privacy Badger's blocklist looks like, but without the learning aspect, if it's inbuilt blocklist is already covered by uBlock then all you're doing is slowing down your browser without any benefit.
As many adblockers as possible is a very bad idea. They interfere with each other. Half of the issues on r/ublockorigin are cause by people using adblock plus with it.
They're saying not only can it still be turned back on, but that the inbuilt list is going to be built on their side using the same learning aspect, not built manually.
Google's original report on Safari's ITP was part of a major FUD campaign about privacy measures. Google went so far as to suggest because fingerprinting was possible, we should just allow third party cookies. Arguably, carrying this forward in limiting the effectiveness of Privacy Badger to block tracking domains is a further extension of that behavior.
Google has finally been pushed to accept that third party cookies are going away, but are now advocating for a "privacy budget" system that essentially gives them a certain amount of allowance to violate your privacy. They are still FUD-ing about the drastically more correct solution: To just protect your privacy outright.
>because fingerprinting was possible, we should just allow third party cookies
Nothing is either/or. Increasing the cost and difficulty of tracking does increase privacy. At the same time, there is some truth to the argument that Google is not losing the arms race between its trackers and the blockers anytime soon. Fundamentally, as long as web pages have this much control over your computer, they will be able to track you. The web is broken and needs to be paired down and reworked so that privacy is part of the protocol.
97 comments
[ 3.9 ms ] story [ 165 ms ] threadPrivacy badger and ublock origin seems to break almost nothing.
Adding umatrix blocks additional stuff but breaks sites. And worth running a pihole too. It seems to catch a lot even with adblockers enabled
So if blocking a doubleclick tracker will stop a video from playing on some page/site, an exception will get added to the block list to just allow it on that page/site.
It makes it 'just work', but imo it's not clear enough in the UI that this is happening and I would guess that most users don't even know.
Don't disagree there.
> Also noscript has some pretty shady sht in its history.
I haven't heard anything about that. Could I get some more info? I use NoScript pretty much everywhere and would like to know if I need to stop.
Edit: Punctuation
https://en.wikipedia.org/wiki/NoScript#Controversies
- uBlock Origin
- Facebook Container
- Decentraleyes, ClearURLs
- HTTPS Everywhere
- Privacy Badger.
- Redirect AMP to HTML
- Terms of Service; Didn’t Read
- Smart Referer
- User-Agent Switcher
Next to that I'm using Bitwarden and Floccus (Nextcloud Bookmarks) for self-hosted decentralised password and bookmarks sync.
No script is a pain to begin with, but you come to find out that google and facebook are everywhere constantly watching. It's incredibly unsettling.
uBlock Origin is many times better (and faster)
This is not NoScript's fault of course. Some websites are including 20-30 different domains (check out maperformance.com for example) and picking and choosing to get something to work is a nightmare.
Another option is to use another web browser for online purchasing.
jomashop for instance...
Here is the source code for ublock: https://github.com/gorhill/uBlock which is GNU GPL v3.0
Adblock is run by Wladimir Palant's Eyeo GmbH. It used to be an open source project but was rewritten to what it is now and is tied to "acceptable advertising" policies and is run by a for-profit company. As always, if you aren't paying for it, you should be asking who is.
Without the preset lists of filters, this extension is nothing. So if ever you really do want to contribute something, think about the people working hard to maintain the filter lists you are using, which were made available to use by all for free.
You can contribute by helping translate uBlock Origin on Crowdin: https://crowdin.net/project/ublock
from https://github.com/gorhill/uBlock#about
It's why we want to be good users of open source and contribute back, whether that's donating or helping write documentation, manage issues, etc.
The cost of open source is the direct cost - what it takes to build an adblocker in this case. The cost of a for-profit product is the direct cost and the profit margin - a higher number in every situation. Instead of the for profit company paying that, it's some external party and if that isn't you it's.. well, still somebody. As the saying goes, if you aren't the customer, you're the product.
At the most extreme using Tor Browser and its defaults maximises privacy for any general loginless browsing.
If you're logging into services with accounts then a mix Firefox containers, uBlockOrigin, ClearUrls and Smart Referer provides pretty decent privacy.
See also: https://panopticlick.eff.org
> System Fonts Arial, Bitstream Vera Sans Mono, Bookman Old Style, Century Schoolbook, Courier, Courier New, Helvetica, Monaco, Palatino, Palatino Linotype, Times, Times New Roman (via javascript)
But as a Linux user, those are all mapped by Freetype (some to the same typeface) as many of those are copyright (? encumbered, not freely licensed) fonts:
This website javascript test is measuring a heuristic, giving it a very high score (almost twice as high as anything else, "Hash of canvas fingerprint" is next) but that measurement is patently false compared to the real data. (it also reports no Ad Blocker used and I have uBlock-O fully enabled).It's almost like how Airwolf used to toss out chaff left and right to escape the bad guys, I have Earnest Borgnine in the back going "Why can't we hover like regular helicopter people?" as Firefox tosses out fake font results to Javascript sniffers.
The Resist fingerprinting and Third party isolation settings is also worth a try, it doesn't stop everything but it does prevent some of it. For usability I usually install the corresponding add-ons so I can toggle them with a button (these settings tends to break stuff).
LocalCDN may also help a bit by using local copies of commonly used resources.
I used to have an add-on that could spoof the font detection by making small random changes to font sizes, but it stopped working and I haven't found a replacement.
Then there is CSS exfiltration and rectangle readout...
I use the following extensions for browsing "security" (ha!):
Disable WebRTC
Canvas Blocker
Firefox Multi-Account Containers
LocalCDN
Privacy Badger
uBlock Origin
Disabling WebRTC isn't as much as an identifier, I imagine.
It doesn't seem possible with any of the mainstream browsers to avoid a "unique" fingerprint. RSS is a good counter-tactic.
In the end, if I have to apply defensive tactics just to read information, I will stop visiting. When I enter a store, I am unique. But I don't let the store cover me with tracers.
Then I think about how it is that adverts might zonk out my brain, thereby rendering me unable to write helpful pleasant comments that are hopefully well received by the content creators. So being an advert blocking person isn't all that bad if you contribute with engaged comments.
Privacy badger
Ublock
Cookie autodelete
HTTPS everywhere
Decentraleyes
DuckDuckGo (extension) (it auto sets DDG as the browser search engine, but you can disable that)
Multi account containers - 1 for every frequently visited site. There’s an extension called temporary containers that’s interesting too
I don’t but should use noscript
Canvas blocker would freeze my browser so I don’t use it.
NextDNS is installed on every device and the router.
For mobile (ios) I use safari with Firefox focus set as the content blocker.
https://git.synz.io/Synzvato/decentraleyes
Is there an official announcement somewhere? The website doesn't indicate anything.
"uBlock Origin" is the original and real deal. The other one is a scam.
https://github.com/gorhill/uBlock (mentioned multiple times in these threads)
Discussion about the two: https://news.ycombinator.com/item?id=14335190
[1] https://privacytools.io/browsers/#addons
[2] https://privacytools.io/browsers/#about_config
Last time I saw plain old http was quite a while ago.
So my setup is:
- uBlock Origin [0]
- Cookie AutoDelete [1]
- Firefox's "Enhanced Tracking Protection" set to "Strict" [2]
- DuckDuckGo as the default search provider
[0]: https://addons.mozilla.org/en-GB/firefox/addon/ublock-origin...
[1]: https://addons.mozilla.org/en-GB/firefox/addon/cookie-autode...
[2]: https://support.mozilla.org/en-US/kb/enhanced-tracking-prote...
Against anti-adblock, Nano Defender is the thing. (There's an uBlock Origin mode in that.)
They're not popular extensions (11K and 6K users respectively) and aren't being reviewed by Mozilla. I'm certainly not going to review them myself, and I see no reason to trust their developers and their personal security practices.
- Firefox > Preferences > Privacy & Security > Delete cookies and site data when Firefox is closed
- Firefox > Preferences > Privacy & Security > Delete cookies and site data when Firefox is closed > Manage Exceptions
Also, what is DDG? It has its own crawlers (DuckDuckBot) like Google and Bing have (assuming Bing has, haven't read on it)? Or DDG (or DuckDuckBot) just filters/parses results from Google et al?
- uBlock Origin, most lists enabled, 3rd party iframes blocked
- Privacy Settings
- Multi-Account Containers, Temporary Containers
- Decentraleyes
I do this:
VPN on at all times
Firefox as the main browser
Firefox enhanced tracking protection set to Strict
Firefox containers enabled to isolate specific sites when I do want to log into them (Google...)
Everything set to be deleted (cookies, cache etc) when I close Firefox
Allowed cookies for a handful of sites I want to keep being logged into
DuckDuckGo as the main search
uBlock Origin on with default blocklists. I really love the "element picker" feature which allows me to remove annoying elements
Here are some Austrian examples https://kurier.at/ https://www.diepresse.com/
Fingerprinting vs ad tracking protection has been an ongoing war. The natural escalation to tracking protection is to fingerprint even harder. I'd expect most power users who like to configure their extensions and blocking lists to be suprised how much information thst provides to differentiate them. Even without that browsers by default share a lot of information with every website (https://panopticlick.eff.org/).
I don't see a good ending to this war. Solutions like Firefox containers requires you to be extremely thoughtful in your site usage and don't protect from more advanced fingerprinting techniques (that for example cloudflare employs). The web is fundimentally a little broken here.
a browser with security extensions (although a good browser should be built with security as a design principle, not as an "add-on")
ESNI and DoH (even though Cloudflare can see the aggregate)
DNS caching and blocking in the subnet
iptables/nftables blocking of undesirable IP address ranges by the router
edit: It's safer to leave the dysfunctional WWW alone and use only RSS.
Is their any evidence that Google killed Google Reader because it interfered with their Ad/user-tracking metrics business?
However, local caching on the Pi might yield faster lookup time.
Yes. Privacy Badger was not just an anti-tracker. It's also something of an ad blocker. Since ad sites tend to track, it learns to block them.
Checking "cnn.com" right now, Privacy Badger is blocking 36 sites. These include "static.ads-twitter.com", "c.amazon-adsystem.com", "www.googletagmanager.com", "ad.doubleclick.net", and "amplify.outbrain.com". Blocking those knocks out most of the ads from the big players. Two of those are Google's, and they probably don't like being blocked by a large number of users.
Taking that away to prevent a theoretical approach to tracking seems like a sell-out by EFF.
1. Open every new website (the one which doesn't have a saved container for it) in a new random/untagged container - destroy that container and data/everything when I close the last tab of that site
2. Unless I tag/name that container for that website and then persist it the way you do - and give me one click operation to tag name and (maybe select an icon/colour for that container)
3. What about giving website favicon as an option to the container icon
4. Get rid of those "Oh you are opening this website B (container_B) from a website A (container_A) - do you want us to open it in container_B instead"? "Always"? Yes! Yes! Make it default or give me an easy options to make it default damn it - give me an option the first time where I can mark "always do this"!
5. Do we really need special container for Firefox and then for the rest? Why not ship with a default already set container in the Multi Container add-on that's Fb container?
There's an option "Select a container for each new tab" but it's not very helpful as it lets you just choose either one among all the existing containers, or "No container" and that is blocking pop-up.
Ideally you're using a multi-layered approach, meaning that much of the ugly stuff should be filtered out upstream of your browser extensions anyway.
I recommend uBlock Origin. Remove everything else.
Use only uBlock Origin.
They're saying not only can it still be turned back on, but that the inbuilt list is going to be built on their side using the same learning aspect, not built manually.
Google has finally been pushed to accept that third party cookies are going away, but are now advocating for a "privacy budget" system that essentially gives them a certain amount of allowance to violate your privacy. They are still FUD-ing about the drastically more correct solution: To just protect your privacy outright.
Nothing is either/or. Increasing the cost and difficulty of tracking does increase privacy. At the same time, there is some truth to the argument that Google is not losing the arms race between its trackers and the blockers anytime soon. Fundamentally, as long as web pages have this much control over your computer, they will be able to track you. The web is broken and needs to be paired down and reworked so that privacy is part of the protocol.