Privacy Tool Recommendations

From Martin Krafft's August 2018 talk at WOSSAT

Here's the list of resources/extensions, which I also put at https://twitter.com/martinkrafft/status/1031838014262063104, and if you have Twitter, then I'd appreciate a Retweet (and a Like at your leisure, but only if you also retweet ;).

  1. https://github.com/gorhill/uMatrix — comprehensive resource/sub-request blocker, which eclipses your standard ad-blocker, and can do a whole lot more.
  2. https://decentraleyes.org/ — serve commonly used Web 2.0 fabric (e.g. jQuery) from localhost to avoid pinging 3rd parties/CDNs helpfully hosting that stuff. [1]
  3. https://github.com/Cookie-AutoDelete/Cookie-AutoDelete/ — flexible white-/greylisting, and removes cookies on blacklist after a configurable amount of time.
  4. https://mybrowseraddon.com/audiocontext-defender.html and https://mybrowseraddon.com/canvas-defender.html — fuzz two commonly used fingerprinting methods to make it harder for the remote to profile you.
  5. https://www.eff.org/https-everywhere — ensure you don't leak plain text information to snoops on your way.
  6. https://leotindall.com/randomua/ and https://github.com/ray-lothian/UserAgent-Switcher, two extensions I'm currently evaluating/hacking on to spoof and fuzz your user-agent for every request.
  7. https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/ — Handy means to control Firefox's built-in containers, which isolate your browsing of certain data-hungry websites from the rest of your activity.
  8. https://github.com/mozilla/lightbeam-we — visualise 3rd party requests.
  9. https://developer.mozilla.org/en-US/docs/Tools/Network_Monitor — Introduction to using the network monitor to trace what your browser is doing on the wire.
  10. https://browserleaks.com/ — Frightening collection of fingerprinting methods you can use to track your progress.
  11. https://panopticlick.eff.org/ — EFF's anti-tracking checker.

Feedback and additions welcome!

[1] The question came up post-talk about the browser cache, and it's true that your browser should be able to just indefinitely cache these immutable resources. However, I don't trust that, nor the companies to set the expiry headers correctly, and apart from that, I believe that caching really only prevents re-transfer, but still pings the HTTP host to find out what the current timestamp/eTag is.

For instance, I picked a random static piece of content from about:cache: https://assets-cdn.github.com/favicon.ico, which is set to expire a year from now. When I load it, there's a genuine connection with Github.com/Fastly, including Referer and User-Agent and several other bits about me that the other side could use to correlate their requests:

  >Host: assets-cdn.github.com
  >User-Agent: browza
  >Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  >Accept-Language: en-US,en;q=0.5
  >Accept-Encoding: gzip, deflate, br
  >Cookie: logged_in=no
  >Connection: keep-alive
  >Upgrade-Insecure-Requests: 1
  >Referer: https://github.com
  >If-Modified-Since: Sat, 01 Jan 2000 00:00:00 GMT
  >Cache-Control: max-age=0

  <HTTP/1.1 304 Not Modified
  <Date: Tue, 21 Aug 2018 09:22:55 GMT
  <Via: 1.1 varnish
  <Cache-Control: max-age=31536000, public
  <Expires: Tue, 20 Aug 2019 19:16:02 GMT
  <Age: 50813
  <Connection: keep-alive
  <X-Served-By: cache-akl1421-AKL
  <X-Cache: HIT
  <X-Cache-Hits: 3353
  <X-Timer: S1534843376.566037,VS0,VE0
  <Vary: Accept-Encoding
  <X-Fastly-Request-ID: 09998a7735d76f5a11507ddde252094145d15ed3
  <timing-allow-origin: https://github.com

I've had the idea now that we could have an extension that simply auto-answers such outbound requests for resources that we determine to be valid if present in local cache. For all that matters, this could be a list of hashes of those resources, which would be one step closer to simply asking your peers around you whether they have a certain hash in their caches, so that you can procure it completely offline.