Q&A Tutorial: how to increase your security and privacy ON DEMAND

Lenny_Fox

Level 22
Thread author
Verified
Top poster
Well-known
Oct 1, 2019
1,126
:) I made this thread for my younger brother, so mods please make it a sticky so he can find it more easy


What does this tutorial explain?

Privacy extensions not always apply the right restrictions. Content blockers like Noscript, uBlockOrigin in advanced mode apply restrictions which you don't always need (or become a hassle to configure for daily use). This tutorial shows how you can increase your privacy and security ON-DEMAND in an easy way with most settings pre-defined.



1607860500268.png

Step 1 configure Extensioner to add increased security and privacy on-demand.

The advantage with on-demand usage is that you can increase protection levels, because these higher protection levels are only switched on when you think you need it (e.g. for use with VPN or for risky browsing).

1607860917727.png


1607861225744.png

Step 2 Configuring Policy Control

1607861579147.png

1607861628256.png

1607861748465.png

Step 3 Configuring Trace

1607861904092.png

Now you need to fine tune your anti-fingerprinting settings to make the fake values as realistic as possible

1607868417024.png

1607862695209.png

1607895944633.png
 

Attachments

  • policy-control-settings.txt
    564 bytes · Views: 181
  • TraceSettings-baseline.txt
    17.5 KB · Views: 191
  • 1607868760511.png
    1607868760511.png
    162.3 KB · Views: 258
Last edited by a moderator:
F

ForgottenSeer 85179

Is this realy a good idea?

- a extension to manage extensions... and modify them!
- blocking flash isn't needed as it's disabled by default, EoL and get removed next month
- blocking Javascript isn't something a normal user want. For security it doesn't matter as Chromium (also Chrome) is secured

What exactly does Trace?
 

Lenny_Fox

Level 22
Thread author
Verified
Top poster
Well-known
Oct 1, 2019
1,126
Is this realy a good idea?

- a extension to manage extensions... and modify them!
- blocking flash isn't needed as it's disabled by default, EoL and get removed next month
- blocking Javascript isn't something a normal user want. For security it doesn't matter as Chromium (also Chrome) is secured

What exactly does Trace?
Nope I usually post bad ideas :ROFLMAO::ROFLMAO::ROFLMAO:

a) Extensioner - only enables and disables them, does not change them

b) Policy control is for enhanced security, blocking risky third-party stuff
ScriptSafe, uMatric, Noscript's and uBO's medium mode are great enhancements, only to much of a hassle to use all the time, that is why you can enable them ON-DEMAND (and Policy Control is using a different mechanism which makes its medium mode stronger than uBo's).

c) Trace is for privacy and anti-fingerprinting.


Let me explain again with some real life examples (for my brother that is :) )


CLICK ON THE MENU DROP DOWN (which is green now to indicate protection is ON)

1607863577456.png

Icons of Polciy Control and Trace have disappeared and clicking on Extensioner-icon shows a red drop down menu indicating protection is OFF
 
Last edited by a moderator:

Lenny_Fox

Level 22
Thread author
Verified
Top poster
Well-known
Oct 1, 2019
1,126
TBH, I don't even feel like checking all these options out. Too much work. I prefer simple solution nowadays.
You don't need to. I have provided pre-defined settings for Policy Control and Trace with an extra extension to switch them off or on in an easy way. The tutorial is made like a comic strip with visuals, can't be made any easier.

I am a digital marketer so in terms of user tracking and advertising I have inside knowledge. I just pre-configured two strong extensions, so people can use them correctly. I am not going to explain everything, most people don't know how a Mobile Phone works technically and have no problem using one. It is up to you to try it out.
 
Last edited:

plat1098

Level 27
Verified
Top poster
Well-known
Sep 13, 2018
1,635
Lenny_Fox: For GPU-spoofing, Trace says it uses its own list, plus it already applied fake memory and cpu-core specs under Hardware Fingerprinting Protection. But should you build your own "spoofed" computer or would this be overkill? Not sure any spying mechanism would get to that level of detail or would it?

Despite the screenshots, I'm still not sure how to import one GPU model into the Trace list, or if this is even necessary. I use Trace plus AdGuard for Windows. Some settings enabled by default in both do overlap but it seems OK, just disable one of the duplicates here and there when discovered.

Edit: thank you for this tutorial. Backing up the settings is a great recommendation! Done.
 

Lenny_Fox

Level 22
Thread author
Verified
Top poster
Well-known
Oct 1, 2019
1,126
Half of the tutorial makes the process much more complicated than it is. I prefer just blocking 3rd party scripts and adding 'global' noop rules for common CDNs. Fingerprint spoofing is a snake oil.
Blocking third-party with a global noop for common cdn's still breaks the majority of the websites, try CNN, foxnews, ESPN, etc for starters.

Fingerprint spoofing applied correctly is no snake oil. Pleas provide details (it is relatively easy to show it does not work with the right tools, so I challenge you to put your money where you mouth is)
 

Lenny_Fox

Level 22
Thread author
Verified
Top poster
Well-known
Oct 1, 2019
1,126
Lenny_Fox: For GPU-spoofing, Trace says it uses its own list, plus it already applied fake memory and cpu-core specs under Hardware Fingerprinting Protection. But should you build your own "spoofed" computer or would this be overkill? Not sure any spying mechanism would get to that level of detail or would it?

Despite the screenshots, I'm still not sure how to import one GPU model into the Trace list, or if this is even necessary. I use Trace plus AdGuard for Windows. Some settings enabled by default in both do overlap but it seems OK, just disable one of the duplicates here and there when discovered.

Edit: thank you for this tutorial. Backing up the settings is a great recommendation! Done.
Thanks plat1098 for the useful feedback. I have changed the pictures, could you check whether it is clear now?

You can also import the Trace GPU default list and remove all GPU's not from the same series as your GPU (by just clicking on them).

Conflicting values provide more data than well crafted noise (slightly different but credible values). I did not use the cores and ram values, because it is a shifting median. Also this value only has value in relation to other data points, so blurring the other fingerptint metrics, also reduces the value of providing the real value for CPU and RAM (unless you got a 12 core CPU with 64 GB ram, than I would fill in a more common value).
 
Last edited:

Nagisa

Level 7
Verified
Jul 19, 2018
341
Blocking third-party with a global noop for common cdn's still breaks the majority of the websites, try CNN, foxnews, ESPN, etc for starters.

Fingerprint spoofing applied correctly is no snake oil. Pleas provide details (it is relatively easy to show it does not work with the right tools, so I challenge you to put your money where you mouth is)

For sites you trust and that use uncommon CDNs you could easily allow all 3rd-party scripts by adding local noop rule. It's still as easy as using the Extensioner, and you get benefit of not adding additional attack surface by keeping extension count as minimum.

On a browser with javascript enabled you expose too much information you can be tracked on. On top of that, selectively spoofing some parameters makes you more unique paradoxically. You're the one has to prove that such extensions really work for effectively reducing online tracking and fingerprinting.
 

Lenny_Fox

Level 22
Thread author
Verified
Top poster
Well-known
Oct 1, 2019
1,126
For sites you trust and that use uncommon CDNs you could easily allow all 3rd-party scripts by adding local noop rule. It's still as easy as using the Extensioner, and you get benefit of not adding additional attack surface by keeping extension count as minimum.

On a browser with javascript enabled you expose too much information you can be tracked on. On top of that, selectively spoofing some parameters makes you more unique paradoxically. You're the one has to prove that such extensions really work for effectively reducing online tracking and fingerprinting.
Policy control in the setting I provided blocks more dynamic third-party than uBO. Medium mode of uMatrix is good, uBlock is half baked because it only blocks frames and scripts.

You can't use uBO in an on demand mode. You are using it in a block by default, allow by exception mode, that is something different, because it requires constant fiddling.

There are many data points one can acquire with javascript, plugins and API's. So there are even more fingerprinting opportunities than you mentioned.

Fact is that no website uses them all, simply because it takes to much response time which chases away users (no one likes to wait). As an example youporn only looks at IP while xhamster (from the same network) looks at languages implemented in browser.

So I am not guaranteeing your untrackable, what I can promise is that the options I provided beat most of the fingerprinting mechanisms used in practise.

I am not going to respond to your No You kindergarten like response on proof.

PS ubo can be used in combo with this setup using Windows_Security thread on ubo in easy medium mode
 
Last edited:

Lenny_Fox

Level 22
Thread author
Verified
Top poster
Well-known
Oct 1, 2019
1,126
Like you, I use Malwarebytes Browser Guard for regular browsing. For increased security and privacy on demand, I enable my VPN with its extra protection.
Yep, but you could still enable trace as additional extension (simply don't install policy control and only use trace on demand wiith extensioner when you use VPN).

I am using BulletVPN and I am using only trace with extensioner. Just run the browserleaks.com test with and without Trace enabled (on-demand) while using your VPN.

Question do you have your local language added to your browser from which your are using your VPN also?

I use Frankfurt servers from BulletVPN, so I also have enabled German as language in my browser (so as a Dutch guy I am using US-English and German). When you use a VPN from say the US and your langauge is French-Canadian your are an easy to track visitor. :) Remember conflicting data points are easier to pinpoint than congruent data points.
 
Last edited:

Lenny_Fox

Level 22
Thread author
Verified
Top poster
Well-known
Oct 1, 2019
1,126
I tried Trace, I even bought a licence to get the premium blocklist, but it broke way too many pages. Once setup, it might work great, but it takes a lot of time and effort.
:) Hence the on the demand usage I am promoting.

Also the default Trace predefined settings are more from a technical point of view, than real world marketers usage (apologize for sounding over pretentious, but better use trace on demand with my adopted high settings, because there is no practical middle ground when it comes to anti-fingerprinting),

Personally I like Cydec better, but the developer needs to overhaul the predefined settings. I contacted David Heilig and he told me he was heavily redesigning the application, with privacy zones and preset protections.

I liked his idea of applying trusted zones, de-millitarised zones and suspicious zones presets because anti fingerprinting is to complex for most users.
 
Last edited:
F

ForgottenSeer 85179

any other suggestions?
You can't secure a weak browser with extensions.

My recommendation: let your brother use what he want. It doesn't make sense to configure it in your way if he doesn't like it and then install another, non-configured browser anyway.
Let him first get own experience with his config and if he's in trouble, you can give recommendations.
This is my final path with experience from my family :D
 

Lenny_Fox

Level 22
Thread author
Verified
Top poster
Well-known
Oct 1, 2019
1,126
Okay, I added Temporay Containers (json attached, rename txt to json) which keeps tabs when he accidentally clicks on premium links. Also the my_filters file of uBO is attached, blocking downloads of executables and containing two adult websites:

My brother uses Google as primary browser, it seems that he uses Firefox only with his VPN. I also kept Trace (settings files attached in first post with explanation). I have configured uBO with Kees1958/Security123 blocklist because AdGuard Easylist Optimized filters have allows for A-B testing of adult advertising networks This is not the fault of Adguard, but when I checked those A-B testing allow exceptions were already in the Easylist filters (n)(n)(n) What ????? who sneaked in those allows :eek::eek::eek:

Something is seriously wrong with the easylist filters
(I guess that is inevitable when a community is allowed to maintain it).
It is common knowledge that porn funded the internet evolution ,so with the money involved it was only a matter of time before the easylist filters got their "accepted adult ads" included in the filters. When you don't watch adult websites, you can keep using the easylist filters. For others it is better to switch to Adguard filters when you are using a ABP-rules based content blocker, or better switch to Adguard.
 

Attachments

  • temporary_containers_preferences_for_use_as_secondary_browser.txt
    2.2 KB · Views: 180
  • my-ublock-static-filters_restricting_two_adult_websites.txt
    1.6 KB · Views: 170
Last edited by a moderator: