
What is vulnerable in this browser setup to avoid fingerprinting/tracking for general browsing that is still easy to use?

The setup is as follows:

  • Firefox on my personal machine with several profiles (3-5 profiles)--each profile is dedicated to certain aspects of my browsing (i.e. one for social media only, another for banking, another for purely "anonymous" browsing where I don't specify any of my personal info or login to accounts tied to my real identity, etc.).

  • For each of these profiles, I have the following addons: uMatrix with a default-deny policy--I allow images and CSS by default for all sites and everything else is disabled unless I enable certain things like JavaScript or cookies for a specific site. uMatrix also deletes cookies and cache periodically throughout the session to prevent e-tagging or cookie tracking and can spoof header referers as well as disable web fonts. Canvas Defender addon and Random Agent Spoofer addon to give each profile a canvas fingerprint and a user-agent string that does not change for the duration of a session (for the user-agent string, it will be rarely changed, just like your average user that doesn't try to spoof his user-agent). HTTPS-Everywhere addon.

  • As for cookies, they are deleted after every session. If I have profiles that are only dedicated to a single website that requires login (and therefore requires cookies), then that cookie might not even need to be deleted because I don't see how it would provide any more information than what you are providing to the company of the service you're using (i.e. what's the point of deleting the Facebook cookie for a profile if that's the only site you're using on that profile? There's nothing for the cookie to track).

  • All browser plugins such as Java and Flash are not installed because you don't really need them nowadays; however, JavaScript can be enabled on a site-by-site basis if needed (disabled through default-deny policy by uMatrix by default).

  • For evercookies, they apparently can be deleted just by enabling the option to delete cookies at end of session from Firefox (I've tested this)--they only seem to be persistent if you use plugins. As for HSTS fingerprinting, Firefox's implementation currently forces you to choose between privacy and security. I choose security and therefore enabled HSTS so sites can be tracked in a given session. I empty the contents of SiteSecurityServiceState.txt when I initiate system shutdown so at least you get a new fingerprint.

  • a user.js file that disables WebRTC, OpenGL, and geolocation.

  • Finally, for each profile, they will be tunneled through a separate exit node (proxy/VPN) that may or may not be changed frequently.

How effective is this browser setup? There are several things I'm concerned with:

  • Perhaps making so many customizations to the browser, even if their goal is to create a different identity, actually makes you stand out among the crowd if types of fingerprinting are cross-analyzed for consistency (what kinds of information can be tied together?). As a specific example, spoofing user-agent string means JavaScript variables need to be spoofed to match that user-agent. Unfortunately, there doesn't seem to be a way to spoof all JavaScript variables, only some. For companies that check for this and find inconsistencies between your user-agent and JavaScript variables, they know you spoofed and therefore you are unique and most likely in a worse position than if you haven't spoofed at all. The question is: how many sites actually bother checking this? Internet privacy is all about net gains--if there are many sites including popular ones that do not check for this, then it might still be worth spoofing.

  • This setup does not use virtual machines--perhaps there are kinds of fingerprintable information regarding the machine itself I did not account for and it might not match all the information that I attempted to spoof for each profile. For example, how would using virtual machines be an advantage over the setup I've described?

Please remember that this is for general browsing, which means that the goal is to make it usable but still maximize privacy. I realize that many of the issues involve JavaScript, but disabling it for general browsing is not really realistic nowadays when so many sites depend on it for functionality. For any sensitive browsing, of course it is recommended to use Tor.

EDIT: "General browsing" means what an average person's browsing activities would be like. That means not anything illegal and threats are ad companies and companies like Google, Facebook, Microsoft, Amazon, etc. "Usability" means these services are still used, JavaScript is required for certain sites, browsing experience is not significantly hindered (i.e. Tor would not be suitable).

Iteration
  • 8
    Test it on https://panopticlick.eff.org/ and see why this is a heavy lift by reading their documentation... – zedman9991 Jun 14 '16 at 18:57
  • 3
    You probably stand out like a sore thumb. Your logins are a long way from the "normal" range. However, it's unlikely anyone cares enough to pay attention to this. Who are you trying to preserve your privacy from? – Matthew Jun 14 '16 at 19:03
  • 1
    I think you need to clarify your question as `usable but still maximize privacy` doesn't really explain your requirements – Neil Smithline Jun 14 '16 at 19:08
  • 1
    What perceived threat model are you trying to defend against? Are you trying to protect yourself so that Google can't associate your banking activities with your shopping activities, in order to limit targeted advertisements? Are you concerned that the NSA will connect your bank account with the videos you watch, because you hold an unpopular political position? Are you afraid that your ISP will tie your activities together, and make it easier for a warrant-based search of your browsing history? What is your assessment of the probability of these threats being realized? – John Deters Jun 14 '16 at 19:17
  • @JohnDeters Threats that are apparent for the general internet user, so from companies like Google, Microsoft, Facebook, etc., as opposed to the NSA or any government agency. General browsing means you aren't doing anything that would be considered illegal. I'm curious about my particular setup because I don't think it's overkill even for general browsing and I do think we should practice as many measures as we can so long as it doesn't hinder our browsing experience. – Iteration Jun 14 '16 at 20:20
  • @Matthew Threats that are apparent for the general internet user, so from companies like Google, Microsoft, Facebook, etc., as opposed to the NSA or any government agency. General browsing means you aren't doing anything that would be considered illegal. I don't think the setup is overkill for general browsing and there isn't much I'm sacrificing in order to achieve what I think is a decent attempt to be less uniquely identifiable and trackable. – Iteration Jun 14 '16 at 20:26
  • @Iteration `Threats that are apparent for the general internet user, so from companies like Google, Microsoft, Facebook, etc.` What threats would those be? You haven't actually identified a threat here. What are you actually worried about "companies like Google, Microsoft, Facebook, etc." doing? – HopelessN00b Jun 14 '16 at 20:30
  • @NeilSmithline "General browsing" means what an average person's browsing activities would be like. That means not anything illegal and threats are ad companies and companies like Google, Facebook, Microsoft, Amazon, etc. "Usability" means these services are still used, JavaScript is required for certain sites, browsing experience is not significantly hindered (i.e. Tor would not be suitable). Edited the original post to add this clarification. – Iteration Jun 14 '16 at 20:33
  • @HopelessN00b Google does not need to know my browsing activity, yet it does because many things such as its API, fonts, and services it provides such as captcha, google forms, etc. are used by other sites and cookies are used to track users in this way. This is just an example--these companies are profiling users for data in ways outside of the services they provide. – Iteration Jun 14 '16 at 20:38
  • 2
    @Iteration Your browsing and search history impact your search results, for Google specifically. Regardless, it sounds like the threat you've identified is "having information about you"/"profiling you", and would like to eliminate this threat without "significantly hindering" the browsing experience. That's not possible. You'll need to either change your goals, or loosen your restrictions. – HopelessN00b Jun 14 '16 at 20:54
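
The consistency concern raised in the question (a spoofed user-agent that other JavaScript-visible `navigator` properties contradict), as an added example that is not part of the original post: a self-audit that can be pasted into a profile's browser console and called as `findUaInconsistencies(navigator)`. The function names and the two sample profiles are this example's own and are constructed.

```javascript
// Added example: audit a profile for user-agent spoofing that other
// navigator properties contradict. Sample profiles below are constructed.
function parseUa(ua) {
  const os = /Windows NT/.test(ua) ? "windows"
    : /Mac OS X/.test(ua) ? "mac"
    : /Linux|X11/.test(ua) ? "linux" : "unknown";
  const browser = /Firefox\//.test(ua) ? "firefox"
    : /Chrome\//.test(ua) ? "chrome" : "unknown";
  return { os, browser };
}

// OS hinted at by navigator.platform, oscpu or appVersion values.
function osHint(value) {
  if (/Win/.test(value)) return "windows";
  if (/Mac/.test(value)) return "mac";
  if (/Linux|X11/.test(value)) return "linux";
  return "unknown";
}

function findUaInconsistencies(nav) {
  const claimed = parseUa(nav.userAgent);
  const issues = [];
  for (const prop of ["platform", "oscpu", "appVersion"]) {
    if (typeof nav[prop] !== "string") continue; // oscpu is Firefox-only
    const hint = osHint(nav[prop]);
    if (hint !== "unknown" && claimed.os !== "unknown" && hint !== claimed.os)
      issues.push(`${prop} suggests ${hint}, user-agent claims ${claimed.os}`);
  }
  // Firefox: vendor "" and productSub "20100101".
  // Chrome: vendor "Google Inc." and productSub "20030107".
  const engine = nav.vendor === "Google Inc." ? "chrome"
    : nav.productSub === "20100101" ? "firefox" : "unknown";
  if (engine !== "unknown" && claimed.browser !== "unknown" && engine !== claimed.browser)
    issues.push(`vendor/productSub suggest ${engine}, user-agent claims ${claimed.browser}`);
  if (claimed.browser === "chrome" && typeof nav.oscpu === "string")
    issues.push("oscpu is defined, which Chrome does not expose");
  return issues;
}

// Constructed samples: a real Firefox-on-Linux profile, then the same
// profile with only the user-agent string replaced.
const REAL = {
  userAgent: "Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0",
  platform: "Linux x86_64", oscpu: "Linux x86_64", appVersion: "5.0 (X11)",
  vendor: "", productSub: "20100101",
};
const SPOOFED = Object.assign({}, REAL, {
  userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " +
    "(KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36",
});
```

An empty result only means these few properties agree with each other; it says nothing about canvas, fonts or other signals.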

1 Answer

5

Given that you're attempting to defend against a Google "all-seeing-eye" attack, (and not the NSA), this is a good start. I've added a couple suggestions below.

Your search engine activity will be trackable through the generation of unique links. Consider using a privacy-oriented search engine, like DuckDuckGo. You have their word they aren't trying to track you, or they'll be obvious about it if they do.

If Firefox's "AwesomeBar"'s search option is turned on, it will leak your typed URL information back to your default search engine. Firefox can also send your URL info back to their servers for malware analysis; be sure all the phone-home functionality is disabled in each of your profiles.

Any web resource can provide tracking information, not just third party JavaScripts. That "Facebook" logo? Tracker. The "Pinterest" image? Tracker. Consider another add-on tool devoted to privacy, such as Privacy Badger, Ghostery, NoScript, etc., that recognizes and substitutes the "social widgets" with safe, local resources.

Consider downloading and running Burp Suite for a while, (the free edition will be just fine), in order to view all the data being leaked by your browser. Tune your tools until you can see the only data leaving your machine is the data you expect.

The tricky part is ongoing. You will need to carefully maintain your Operational Security while browsing. It sounds like a complex mix of profiles and proxies that would be easy to screw up, and provide an unintentional link for the hypervigilant servers to feast upon. One way to improve OpSec might be to have a dedicated bookmark toolbar for each of your social and banking profiles, and make it a strong habit to never search or type a URL while within those profiles.

Make no mistake: all the customizations you've made will ensure your profiles will be uniquely identifiable. Nobody else is doing exactly what you're doing. The good news is that most private website owners won't profile you themselves; they rely on the third party scripts to do that work. What you want to do is minimize the opportunities the analytic companies have to see that profile; blocking the analytic sites is key.

John Deters
  • Never used Burp Suite (will look into it) and never considered operation security and I'll definitely use your suggestion for the dedicated bookmarks. Do you have any opinion on whether user-agent is worth spoofing for each of my profiles? If I am going to spoof, I will be making sure the OS and the browser matches my actual setup, that they are popular, and that they won't change mid-session. However, I'm not sure if many webpages check for spoofing (such as JavaScript variables that aren't consistent with spoofed user-agent). If so, then spoofing makes one more unique. – Iteration Jun 15 '16 at 02:11
  • With many thousands of Firefox users out there, User-agent likely doesn't reveal too much about you, while a poor choice could result in a poor browsing experience on some sites. I don't know how many sites profile on that tag. If you are concerned, you might want to alter the version numbers slightly so they aren't an exact match. – John Deters Jun 15 '16 at 05:26
  • Late comment: Set your browser search to ddg and get used to typing search queries into the address bar. It helped me to escape the googlism. There are cases when ddg does not return what you want, but 90% of the queries are answered. – antipattern Jun 26 '17 at 22:47
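
The answer's advice to watch what leaves the browser and to limit what analytics hosts see, as an added example that is not part of the original thread: it takes request records noted per profile and lists the sites contacted from more than one profile, which are the parties positioned to compare those profiles. The record layout, the function names and the `.example` hosts are assumptions made for this example; this is not Burp Suite's export format.

```javascript
// Added example. Constructed sample data: one record per observed request,
// with the profile it came from, the page being visited and the host contacted.
const SAMPLE_REQUESTS = [
  { profile: "social", page: "www.social.example", request: "www.social.example" },
  { profile: "social", page: "www.social.example", request: "cdn.metrics.example" },
  { profile: "bank",   page: "www.bank.example",   request: "www.bank.example" },
  { profile: "bank",   page: "www.bank.example",   request: "cdn.metrics.example" },
  { profile: "bank",   page: "www.bank.example",   request: "fonts.cdnhost.example" },
  { profile: "anon",   page: "www.news.example",   request: "www.news.example" },
  { profile: "anon",   page: "www.news.example",   request: "widgets.social.example" },
  { profile: "anon",   page: "www.news.example",   request: "px.metrics.example" },
];

// Naive registrable domain: the last two labels. A real audit should use the
// Public Suffix List so that names like example.co.uk are handled correctly.
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Sites contacted from more than one profile, most widely seen first.
// thirdParty is true when the site was loaded as an embedded resource of a
// different site at least once.
function crossProfileSites(requests) {
  const seen = new Map(); // site -> { profiles: Set, thirdParty: boolean }
  for (const { profile, page, request } of requests) {
    const site = siteOf(request);
    const entry = seen.get(site) || { profiles: new Set(), thirdParty: false };
    entry.profiles.add(profile);
    if (site !== siteOf(page)) entry.thirdParty = true;
    seen.set(site, entry);
  }
  return [...seen]
    .filter(([, e]) => e.profiles.size > 1)
    .map(([site, e]) => ({
      site,
      profiles: [...e.profiles].sort(),
      thirdParty: e.thirdParty,
    }))
    .sort((a, b) =>
      b.profiles.length - a.profiles.length || a.site.localeCompare(b.site));
}
```

Sites flagged with `thirdParty: true` are the candidates to leave blocked in uMatrix for every profile.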