If you’re still reading, it means that old Silverback wasn’t too boring in his last post. For most of these INFOSEC posts, I’m relying on information shared by some former aviary and marine animal friends. Nothing “secret squirrel,” but they know the current environment better me. As always, take what’s useful and ignore the rest.
Your browser in your computer’s “doorman” to the internet. It determines how websites and third parties will behave. More importantly, your browser will determine how much information your computer stores and what information third parties can access and store. Setting up your browser is a critical step in controlling your virtual security perimeter and protecting personal privacy.
This substack will be set up in two parts. The first will focus on “mainstream” browsers such as Firefox, Chrome, and Safari. We’ll cover how to “harden” these browsers to limit the amount of information that may be collected by the sites you visit. We’ll also work on making the browser itself more secure. The second part will focus on browsers that are designed around privacy and security. Because these browsers can be inconvenient and can break websites (also you may not always have a choice which browser to use), Silverback acknowledges the need for both types. Before getting into to specific tactics, techniques, and procedures (TTP), we’ll cover some of the general things we’re trying to avoid.
Threats
Most animals have at least some awareness that “Google is tracking me.” Knowledge about how users are actually tracked online is perhaps less common; especially among us older apes. These threats include tracking, malware installation, and hardware exploitation.
Cookies are the most common means through which your browser sessions are tracked. Cookies are small pieces of data placed on your computer by the websites you visit. They can be helpful. They remember links you clicked, products you have looked at, and sometimes your login information. Accepting cookies is often required to complete a purchase or other transactions. For example, if you don’t accept a cookie, the site you are visiting cannot remember what items are in your cart.
Unfortunately, cookies are capable of doing much more than remembering which videos you previously viewed. Cookies can also be used to spy on you. Third-party cookies are especially nefarious. Third-parties partner with “host” sites to place cookies for analytical purposes. These include tracking your browsing from site to site. Each one of these can record your username, account name, IP address (which can reveal your physical location), and each site you visit. All of these data points can create a very comprehensive picture of your online activity. Silverback recommends clearing cookies frequently and never accepting third party cookies.
Malicious websites will attempt to lure you into downloading and installing viruses and other malware. While the best practices discussed in part 1 will prevent almost all applications from installing without your explicit permission, you still need a sound first line of defense. The browser is your first line.
Malvertising is a “relatively” new and dangerous threat. Malicious advertising is the insertion of malicious code into seemingly legitimate ads. Many well-known sites have inadvertently served malware ridden ads. Once a malicious ad is clicked, the host computer becomes infected.
Your computer stores a vast amount of information about your browsing sessions, such as what sites you visit. These sites reveal your interests, dating and relationship history, sexual “proclivities”, items you purchase, places you visit, usernames, email and social media accounts. All of this data can be a huge PERSEC risk. This data can be stolen physically if your device is lost or stolen, or accessed remotely with malware.
Later substacks will deal with securely removing this data, however proper browser setup will prevent such information from ever being saved. It’s way easier to avoid saving such data in the first place. It’s also much more secure.
Firefox
To be clear, Firefox is the only mainstream browser that Silverback recommends. If you wish to set up a commercial browser for maximum security, Firefox is the best choice. This does not mean that off the shelf Firefox is the most secure browser; or that it is an inherently security and privacy focused commercial browser. The reason Silverback likes Firefox is that it offers the most control over security and privacy settings.
The first and most basic step you should take is to ensure that your browser is up to date. Outdated browsers with security holes are an extremely common attack vector. Browser updates are issued frequently to patch vulnerabilities as they are discovered. You can check your version by clicking the Menu button. The menu button appears as three stacked horizontal lines the upper left corner of your browser. Go all the way to bottom of the menu and click the Help button, then choose the very last option labeled About Firefox. If your version is out of date, update it immediately.
Once you have ensured that your browser is the latest stable version, some settings must be modified to ensure the greatest possible privacy and security. To access the settings, go to the Menu button, open the menu, and select Options (gear icon). The options menu consists of five categories:
· General
· Home
· Search
· Privacy & Security
· Sync
Home: The first item under the Home category that should be changed is the homepage. You may choose any website you like, or you may choose to use a blank page. Silverback likes DuckDuckGo (https://duckduckgo.com) as a homepage. Millions of animals use this as their homepage and it is completely non-alerting.
General: The next setting that should be altered is Files and Applications. By default, Firefox saves downloaded files to a “Download” folder, but this is not ideal because files are not immediately visible to the user. They may be forgotten, unencrypted, in the Download folder. Instead, old ape prefers to have Firefox always ask where to save files and let us make the choice for each file downloaded. If you download many files and prefer to have a default folder, Silverback recommends that you create an encrypted location to which they save.
Privacy & Security: This is where the real work begins. The first section in Privacy & Security is “Enhanced Tracking Protection” which has three options: Standard, Strict, and Custom. Silverback prefers Custom for reasons we’ll get to, but it may cause some sites to break. Under your Custom Enhanced Tracking Protection menu, check “Cookies” and select “All third-party cookies” from the drop-down menu. Remember, we discussed the dangers of third-party cookies earlier in this substack.
The next section to alter in Privacy & Security is History. Under the “Firefox will:” option, select “Use customer settings for History” from the pulldown menu. This will allow you to choose everything that is stored or forgotten when you close the browser. Next, uncheck “Always use private browsing mode”. Even though this likely removes everything; Silverback likes the control of choosing exactly what will be deleted. Uncheck “Remember browsing and download history” and “Remember search and form history”. This will prevent Firefox from remembering any history after your browsing session has closed.
Under “Cookies and Site Data” check the option “Delete cookies and site data when Firefox closes”. This option will ensure that cookies are not saved after your browsing session ends. Next, check the box that says “Clear history when Firefox closes”. This will delete remainders of your session that Firefox has retained.
Under Permissions, check the “Warn you when websites try to install add-ons” box. This will require you to approve or deny a site when and add-on attempts to execute. This affords a degree of protection against annoying add-ons or semi-malicious add-ons.
Finally, under Logins and Passwords deselect the “Ask to save logins and passwords for websites” and “Use a master password” options. When Firefox stores a password, is does not do so in the most secure manner. Store your passwords in a password manager. Old ape likes KeePassXC for desktops (smart phone PERSEC rates its own substack). It’s free and open source. Be sure to remove any previously saved passwords from Firefox once you’ve transferred them to your password manager.
“Private” Browsing modes
Don’t rely on Firefox’s built in “Private Window.” These are never fully effective. By manually configuring your security settings you have way more control over what is stored on your browser and what isn’t. But, remember, any browsing you do in these modes is “private” only on your device. Your traffic is not encrypted or protected. More importantly, your IP address (which can reveal your physical location) is not obscured. To achieve true PERSEC, you must also use a Virtual Private Network (VPN) or Tor. VPN’s may be covered in detail in another substack, but the short answer is that Silverback prefers Avast VPN.
Add-Ons
Silverback only recommends four add-ons for Firefox.
HTTPS Everywhere: Encrypts data in motion between two devices using SSL and TLS encryption protocols. Encrypting your entire browsing session ensures that anyone using a WiFi sniffer will encounter much more unusable, encrypted information.
Cookie Auto-Delete: This add-on deletes cookies automatically as you close tabs. This allows you to control cookie tracking by closing tabs rather than the whole browser. For example, if you’re on Amazon and want to log in to your ProtonMail account, simply closing the Amazon tab will delete its cookies and history, preventing Amazon from knowing you also visit ProtonMail.
NoScript or uBlock Origin: Both block ads and any other type of script that is attempting to run on the page. uBlock is easier to use, but NoScript is more robust for the true privacy autist. Both work.
Other Commercial Browsers
Google Chrome, Internet Explorer, etc. Silverback does not recommend any of these. Chrome and IE are data collection platforms for Google and Microsoft. Opting completely out of this is impossible.
Privacy and Security Focused Browsers
The browsers in this section are designed with privacy and security in mind. They are a bit less user friendly but require no customization to be private and secure.
Epic Privacy Browser
If you want a VERY secure browser, but don’t want to take the time or effort to configure Firefox (or if you just like Chrome’s interface system), consider using Epic. Epic is a privacy and security focused browser out of the box and is based on Chrome. Unlike Chrome, Epic doesn’t track or store any information about you.
Epic also blocks third-party trackers and does not allow third-party cookies. In addition, Epic offers a built-in proxy, which masks your IP address. The proxy also encrypts your traffic and routes all searches through the proxy.
Tor
You can’t have a conversation about secure web browsing without discussing Tor. The Tor Browser Bundle is a secure, anonymous web browser. While it’s impossible to be completely anonymous online, Tor is about as close as you can get. Tor prevents your internet service provider, third-party advertisers and trackers, and even some governments from seeing what you’re up to online. Tor is free, open source, heavily audited for security issues, and frequently patched. While Tor is frequently demonized in the media as a tool for criminals and terrorists, it was actually developed by the US Navy.
Anyone can visit the site at https://www.torproject.org and download the Tor browser bundle appropriate for your operating system.
Tor, however, does have some disadvantages. While Silverback believes strongly in personal privacy, he would be remiss if he didn’t point these out. The first disadvantage is that it is, for most animals, inconvenient. By routing all your traffic through multiple intermediate servers prior to sending it, Tor is much slower than commercial browsers. Another major disadvantage is that some sites will simply not allow logins, account creation, or other transactions from the Tor network. Unfortunately, PERSEC and convenience are often inversely proportional. It’s up to the individual animal to determine the level of PERSEC that is right for them.
Finally, Tor creates a very distinctive signature that attracts a great deal of attention from both various three letter agencies and certain bad guys. Silverback believes that this may actually elevate your profile and makes you more “interesting” than non-Tor users. Similar to having a house with a big wall and armed guards, it makes you more secure but can also attract a great deal of unwanted attention. Before using Tor, you should definitely consider your adversary and his capabilities.
Browsing PERSEC Best Practices
Don’t stay logged in: When you are logged in to your email and social media accounts, these services monitor everything you do on the internet. Ever searched for a product online only to immediately see a Facebook ad for the same product? These sites record other sites you go to, accounts you create, things you purchase, and a ton of other information. Many people like to remain logged in to these accounts due to the convenience, but it will comprise your privacy.
While it may be more work, old Silverback recommends the following. If you need to check your Gmail, Twitter, or other accounts that are associated with your name, close your browser and clean it (as described in setting up Firefox). After you’ve done this, open your browser, log in, and conduct your degen business. When your finished, log out of the site, close your browser, and clean your system again.
Close and Clean: Silverback strongly recommends closing your browser between sessions. It’s especially important to close your browser after visiting a site to which you have logged in, such as email or social media. While this won’t delete all data and is not an absolute measure for privacy, it will break your data down into smaller pieces. If you never clear your system you are creating a month or year long record of every site you have visited.
Old ape also recommends cleaning your system between sessions (or at least regularly). Silverback likes Bleachbit (remember Hilary Clinton’s server) or CCleaner. These programs will thoroughly delete all browsing history.
That’s it for this substack. Stay tuned.
"Tor creates a very distinctive signature that attracts a great deal of attention"
The voice of experience. Most of us should strive to be grey men.
Thank you very much for your insights. I learned a lot.
I would be interested in your workflow, what set up do you use for which task?
One example:
1. Tails for BTC, Proton Mail, Sensitive internet searching
2. Windows for Ledger for Altcoins, work in Microsoft office, EPIC browsing
3. Windows and Firefox if EPIC is not possible.
Tails is the best option, but probably not suited for all the tasks. So I will need 2-3 set ups.
How do you operate? How do you spread your tasks among the different set ups?
How careful are you to separate? I would guess it wouldn’t be smart to use the same ledger, same proton mail with Tails and Windows.