8:52 a.m.
Hello,
Perhaps this will help someone in their quest for greater online privacy
and enhance their computer security. I'm simply trying to give back to
the list for all the help I've received over the years. This is what I
do...
I use Firefox simply because it allows me to stay in control of my
browser. If you didn't know... "about:config" in the address bar allows
control of any available setting. While private browsing seems to work
well I like to keep everything in a single window to permit more
flexibility and take the tab-specific route to essentially equivalent
security that private browsing provides. So these are my plugins:
1. NoScript - virtually every exploit/tracking out there starts with the
scripting approach. This kills javacript & the others while providing
real-time total control of the tool.
2. Better Privacy - this tool deals with LSO tracking. This is just in
case since I don't use flash since I don't need it anymore. I'll get to
that later.
3. Privacy Badger - this blocks trackers websites use; it's sponsored by
eff.org. This is my Ghostery replacement since I don't like the recent
developments with that tool.
4. uBlock Origin - this is a FOSS ad blocker. I use this to replace
AdBlock Plus since I don't like recent developments with that tool
either. Then in preferences I enable the 3rd party filters: Fanboy
privacy, Fanboy social media, and hpHosts multipurpose list.
5. Cookie Controller - this deals with general-purpose cookies.
These are my security essential plugins. Here is how I'm able to play
videos on youtube & cnn etc. w/o flash.
1. I use the "Video Without Flash" plugin.
2. Install vlc with vlc extras also.
3. Install all the gstreamer & gstreamer1 plugins
I don't watch many video's but this gives me everything I need. Perhaps
there are some this approach won't play but I haven't run across them yet.
Back to Firefox configuration in about:config...
1. search on geo and change geo:enabled to false (double click it)
2. geo.wifi.uri - change to localhost
3. browser.search.geoSpecificDefaults - change to false
4. search for pocket - disable I don't want anything auto-updating my
system
Then in my Firefox preferences I remove all the default search engines
(they all try to track you) except DuckDuckGo and add the Startpage
search engine as my default. This will give you google results privately
and even provides a proxy thru which you may visit a site.
FWIW I do the same geo stuff in Thunderbird in the Config Editor.
I never get geographical-specific ads then and my browser does not
remember anything about me since Firefox is also set to delete all
history when it closes. The only thing sites are ever able to determine
about me is thru my isp provided ip address and then they customize
"stuff" for that location 100 miles away.
Then more generally about security...
I run this config inside a virtualbox vm. Yes that's Fedora running
inside Virtualbox on a Fedora host. Why? To provide a layer of
abstraction in case the worst happens, my primary system is not likely
to be compromised. In reality all of this resides in a single file on
the host which is then deleted or backed up or transferred easily. I run
another separate vm for banking and that is its only function in life.
It only boots once or twice a month so I can log in and pay bills or
transfer $ etc. I still use FF with the above config but simply provide
a permanent exception to NoScript so the bank or credit card site gives
me the best experience. I don't ever visit other sites or check email or
do anything else in my banking vm. Then I turn it off except to keep it
updated. I try not to browse the web on my host and always keep an
original vm "Fedora Master" copy so if I want to start from scratch - to
ensure no trackers are present it's a simple clone / file copy and I
have a brand new Fedora environment. I give it 4 cpu cores & 8gb ram
from the host and get good response & performance. I have plenty more on
the host. I have another vm dedicated solely to use TOR.
Then here are some other plugins I use to make things more convenient.
1. New Tab Override sets specific page for new tabs
2. Mozilla Archive Format
3. Toolbar Buttons adds icons for convenient tasks. It has an icon
for about:config and for noscript exceptions (so you don't have to pull
down a menu) and many others. I like it.
4. Download Flash & Video even when the option is not available on
the site
5. IdentFavIcon & FavIconReloader for when your bookmark loses its icon
This works for me and provides a good experience since I'm able to run
1920x1440 inside a vm since my host is running 2560x1600. However on my
13" laptop it can get frustrating fast since it all get's so small so I
rarely use vm's there. I just use the more general FF configuration.
Perhaps this will provide info you haven't considered before.
Drew
10 a.m.
Allegedly, on or about 23 August 2016, Drew Samson sent:
Perhaps this will help someone in their quest for greater online
privacy and enhance their computer security.
If *only* safer browsing didn't have to venture into tinfoil hat
territory... But the moment you start shutting off the hazardous parts
of browsing, which are numerous, most websites fail to work, or fail to
work well. Yes, I'll go as far as saying *most* websites.
Just about every site I look at, doesn't work (at all, or usefully)
without scripting. And usually it's not just scripting from the site,
but it's scripting from half a dozen or more different services, some of
which will chainload more crap from yet another set of services. Even
if security wasn't the concern for denying scripts, it becomes almost
necessary to deny scripts so that my PC doesn't bog down from all the
scripting from one page, never mind trying to open multiple tabs.
Can't read the on-line tv guide, or read the news. It's just ordinary
stuff, not websites about doing dodgy things. Even simple things are
ruined by this recursive-scripting crap that designers go through. Go
to a musician's website, he offers some free samples to listen to, but
they're not on his site, where you could simply download/listen to a
MP3/Ogg/whatever, it's a link to soundcloud, dropbox, or any one of a
number of bulk file handling sites that require you to allow a plethora
of scripts to run.
--
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
Boilerplate: All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.
I reserve the right to be as hypocritical as the next person.
10:48 a.m.
Just about every site I look at, doesn't work (at all, or
usefully)
without scripting. And usually it's not just scripting from the site,
but it's scripting from half a dozen or more different services, some of
which will chainload more crap from yet another set of services. Even
if security wasn't the concern for denying scripts, it becomes almost
necessary to deny scripts so that my PC doesn't bog down from all the
scripting from one page, never mind trying to open multiple tabs.
I too have found browsing doesn't work without scripting yet still find
NoScript essential. Here is my typical usage - like 5 minutes ago on
cnn.com:
Full protection of noscript = page doesn't load. 23 scripts blocked.
1 click on icon - temporariliy allow all this page.
Page loads and 5 of 17 scripts are allowed to load. NS blocks the
others. Now I can load pages from links, see the pics, and the videos
play normally as one would hope. Thankfully NoScript loads subsets of
scripts in stages so typically I'd have to click "temp allow all" 3
times before all scripts on any page loads. Point is: I can "get by"
with just one additional mouse click for a typical page like cnn to get
"acceptable" usage" and perhaps another click to get almost everything.
I find this acceptable for blocking the other 17 sites trying to do
"whatever" on my system.
FWIW:
turner.com
cnn.com
chartbeat.com
optimizely.com
postrelease.com
These are the 5 sites running scripts with the first click giving me the
aforementioned functionality. Now cnn makes $ from my visit.
Clicking the 2nd time on "temp allow all" gives me 14 more scripts from
sites like:
amazon-adsystem.com & googletagservices.com along with 12 others. Now
cnn makes more $ off me visiting their site. This is the stuff I don't
want and don't need so I usually click only a single time...
Should I click 1 more time cnn.com and all it's friends can load
anything they please and cnn is making the most $ they can from my
visit. Thankfully firefox will delete everything after I close it.
Summary: A little bit of privacy is going to cost me 1 extra mouse click
to visit a site. Otherwise I'm going to see ads for Preparation H on
amazon if I happened to search WebMD for hemorrhoid 3 weeks ago!
This is what the web has become; another tool for making $ and this is
how I make my experience there tolerable.
Drew
8:14 p.m.
Allegedly, on or about 23 August 2016, Drew Samson sent:
I too have found browsing doesn't work without scripting yet
still
find NoScript essential. Here is my typical usage - like 5 minutes ago
on cnn.com:
Full protection of noscript = page doesn't load. 23 scripts blocked.
1 click on icon - temporariliy allow all this page.
At which point, you may as well have not bothered with using NoScript,
in the first place. Sure, this half measure has stopped some of the
nonsense (the other things that would also have loaded), but you're
still exposed to the risk that many people are trying to mitigate
(whether that be privacy, hacking, or simply having your computer grind
to a halt under the burden of many badly programmed scripts).
I tend to go through the annoying route, of temporarily allowing likely
looking scripts, one by one, until either the page works, or I'm so
annoyed with it that I abandon it.
If there are sites that I want to regularly use, I consider permanently
allowing the scripts that were needed to make them work. But don't
always do so. It's slightly less of a risk if they're self-hosted than
coming from a third party. But that could be faked, they could be
proxying a third-party script through their own domain.
--
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
Boilerplate: All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.
ZNQR LBH YBBX!
7:41 a.m.
On 25 August 2016 at 03:14, Tim <ignored_mailbox(a)yahoo.com.au> wrote:
[...]
At which point, you may as well have not bothered with using NoScript,
in the first place. Sure, this half measure has stopped some of the
nonsense (the other things that would also have loaded), but you're
still exposed to the risk that many people are trying to mitigate
(whether that be privacy, hacking, or simply having your computer grind
to a halt under the burden of many badly programmed scripts).
I tend to go through the annoying route, of temporarily allowing likely
looking scripts, one by one, until either the page works, or I'm so
annoyed with it that I abandon it.
If there are sites that I want to regularly use, I consider permanently
allowing the scripts that were needed to make them work. But don't
always do so. It's slightly less of a risk if they're self-hosted than
coming from a third party. But that could be faked, they could be
proxying a third-party script through their own domain.
I used to use NoScript up until a couple of years ago when loading
pages took extra time *because of* NoScript which is just irritating.
So I ditched NoScript (which over the years became *too much*) and
switched to other methods to block troublesome javascripts, to cut the
story short, nowadays I use uMatrix[1], it's much lighter on resources
and more intuitive to use IMHO. I've seen various reports of others
using uBlock Origin (developed by the same author of uMatrix), but
personally I settled for just using uMatrix.
[1]https://addons.mozilla.org/en-GB/firefox/addon/umatrix/
1:21 a.m.
On 25/08/16 06:41, Ahmad Samir wrote:
On 25 August 2016 at 03:14, Tim <ignored_mailbox(a)yahoo.com.au>
wrote:
[...]
>
I used to use NoScript up until a couple of years ago when loading
pages took extra time *because of* NoScript which is just irritating.
So I ditched NoScript (which over the years became *too much*) and
switched to other methods to block troublesome javascripts, to cut the
story short, nowadays I use uMatrix[1], it's much lighter on resources
and more intuitive to use IMHO. I've seen various reports of others
using uBlock Origin (developed by the same author of uMatrix), but
personally I settled for just using uMatrix.
[1]https://addons.mozilla.org/en-GB/firefox/addon/umatrix/
--
users mailing list
uMatrix looks interesting. Need to give it a try.
Robin
3:09 a.m.
On 08/25/16 08:41, Ahmad Samir wrote:
I used to use NoScript up until a couple of years ago when loading
pages took extra time*because of* NoScript which is just irritating.
So I ditched NoScript (which over the years became*too much*) and
switched to other methods to block troublesome javascripts, to cut the
story short, nowadays I use uMatrix[1], it's much lighter on resources
and more intuitive to use IMHO. I've seen various reports of others
using uBlock Origin (developed by the same author of uMatrix), but
personally I settled for just using uMatrix.
[1]https://addons.mozilla.org/en-GB/firefox/addon/umatrix/
--
+
After reading this I installed uMatrix and it apparently works well but
for a few sites. the only way I can get any idea of what it is doint is
in Firefox > Tools > Extensions > uMatfix > Logs which can display a lot
of data for the page I can't display, but fome ther I am stuck, dunno
what to do?
I never get any other display or see an icon in the browser as is mentioned.
This is with Redora 24 and xfce upcated this morning.
any suggestions?
Bob
--
Bob Goodwin - Zuni, Virginia, USA
http://www.qrz.com/db/W2BOD
box10 FEDORA-24/64bit LINUX XFCE POP3
10:58 a.m.
On Sat, 27 Aug 2016 04:09:26 -0400
Bob Goodwin <bobgoodwin(a)fastmail.us> wrote:
After reading this I installed uMatrix and it apparently works well
but for a few sites. the only way I can get any idea of what it is
doint is in Firefox > Tools > Extensions > uMatfix > Logs which can
display a lot of data for the page I can't display, but fome ther I
am stuck, dunno what to do?
I never get any other display or see an icon in the browser as is
mentioned.
This is with Redora 24 and xfce upcated this morning.
any suggestions?
I've been running umatrix for a whole two days, so no expert. And I
get the icon in the tool bar. That's the key to being able to enable
and disable things. I can't find it now, but I remember there was a
preference selection for putting an icon in the toolbar.
Once you have the icon, clicking it brings up a grid / matrix, and you
just click on the grid square with the feature you want to enable, click
the enable / disable at the top left, then click the page refresh.
Done!
Found the preferences, they are reached by clicking on the asterisk
like icon in the upper left of the dialog opened by the toolbar icon.
Are you sure it isn't there? A green or gray square? Try removing and
re-installing it.
12:09 p.m.
On 08/27/16 11:58, stan wrote:
On Sat, 27 Aug 2016 04:09:26 -0400
Bob Goodwin <bobgoodwin(a)fastmail.us> wrote:
> After reading this I installed uMatrix and it apparently works well
> but for a few sites. the only way I can get any idea of what it is
> doint is in Firefox > Tools > Extensions > uMatfix > Logs which can
> display a lot of data for the page I can't display, but from ther I
> am stuck, dunno what to do?
>
> I never get any other display or see an icon in the browser as is
> mentioned.
>
> This is with Fedora 24 and xfce updated this morning.
>
> Any suggestions?
I've been running umatrix for a whole two days, so no expert. And I
get the icon in the tool bar. That's the key to being able to enable
and disable things. I can't find it now, but I remember there was a
preference selection for putting an icon in the toolbar.
Once you have the icon, clicking it brings up a grid / matrix, and you
just click on the grid square with the feature you want to enable, click
the enable / disable at the top left, then click the page refresh.
Done!
Found the preferences, they are reached by clicking on the asterisk
like icon in the upper left of the dialog opened by the toolbar icon.
Are you sure it isn't there? A green or gray square? Try removing and
re-installing it.
+
I don't display the icons , normally text only, and use a color blind
extension for Firefox.
I changed temporarily to icons and found the uMatrix icon and now have
it visible as text in my usual preferred display. You provided the bit
of information I've been looking for for two days, dumb?
Now I can play with it and see if it will let me view the
Weatherunderground radar image for Norfolk, actually Wakefield, Va. I
also had trouble viewing my ISP data usage numbers since I have to stay
under 25 GB per month I track that daily. Now I'll play with it and see
what else it blocks that I need. For the most part it shows what I want.
Thanks for the help,
Bob
--
Bob Goodwin - Zuni, Virginia, USA
http://www.qrz.com/db/W2BOD
box10 FEDORA-24/64bit LINUX XFCE POP3
5:32 p.m.
On Sat, 27 Aug 2016 13:09:53 -0400
Bob Goodwin <bobgoodwin(a)fastmail.us> wrote:
Now I can play with it and see if it will let me view the
Weatherunderground radar image for Norfolk, actually Wakefield, Va. I
also had trouble viewing my ISP data usage numbers since I have to
stay under 25 GB per month I track that daily. Now I'll play with it
and see what else it blocks that I need. For the most part it shows
what I want.
I think I gave you some bad advice. Further experience with umatrix
has shown me that the on off button to the left of the vertical line
at the top, completely turns umatrix on or off for a site.
To turn on or off individual cells, it is enough to click in the cell,
and then the result shows under the lock symbol, as either a larger or
smaller number. Refreshing the page then uses the changes. I *think*
that clicking on a name to the left allows everything from that domain,
and clicking on a header name, allows all of that type.
My original technique was turning umatrix on or off each cell
change. :-\
In your case, that means that if those two sites are important to you,
you could temporarily turn umatrix off to see them while you experiment
to see the minimum permissions they need to function for your purposes.
4:51 a.m.
On 08/27/16 18:32, stan wrote:
Further experience with umatrix
has shown me that the on off button to the left of the vertical line
at the top, completely turns umatrix on or off for a site.
To turn on or off individual cells, it is enough to click in the cell,
and then the result shows under the lock symbol, as either a larger or
smaller number. Refreshing the page then uses the changes. I*think*
that clicking on a name to the left allows everything from that domain,
and clicking on a header name, allows all of that type.
n your case, that means that if those two sites are important to you,
you could temporarily turn umatrix off to see them while you experiment
to see the minimum permissions they need to function for your purposes.
+
Things look better now, I had to turn off some Firefox add-on's, did a
few more things largely by accident, "what does this item do?", etc.
Anyway the uMatrix "dashboard" menu is entirely different and seems to
correlate with your comments now ... I normally use an add-on "BYM"
that changes the display to white on black, however I found that it
reduces the uMatrix dashboard to a useless display bearing little
resemblance to what it is with BYM off.
Simply turning off uMatrix for the two sites I mentioned earlier makes
them usable again, e.g:
https://www.wunderground.com/radar/radblast.asp?zostorms=10&map.x=21&...
A reload brings back the blocked radar image and re-enabling Adblock
cleans up other cruft, gets me back to what I want. I don't know that
those uM settings are saved through a restart though, but I guess I can
experiment further.
That's some progress anyway ...
--
Bob Goodwin - Zuni, Virginia, USA
http://www.qrz.com/db/W2BOD
box10 FEDORA-24/64bit LINUX XFCE POP3
12:21 p.m.
Thanks for sharing this!
Some more addons I use:
1. HTTPS Everywhere – force-redirects to HTTPS on a list (whitelist) of known sites.
Doesn't break much stuff. I think this is a must-have.
2. RequestPolicyContinued – can be configured to disable _all_ requests from any server
but the page source host. This preference is pretty safe but breaks _lots_ and *lots* of
pages. In contrast to uBlock Origin (which does blacklisting, same as AdBlock and other ad
blockers) this addon can do whitelisting. Better protection, more sites break.
3. CanvasBlocker – blocks canvas elements used to track you.
More addons, not security-related:
* Config Descriptions – for heavy users of about:config
Video without flash:
I highly recommend you don't use any plugins in firefox, not only for security reasons
but also for safety (crashers!) reasons. You won't need flash on many sites anyway.
You probably should disable search suggestions too, because due to correlations on your
typing frequency you could be tracked even through "anonymizing" search engines
like DuckDuckGo.
The Firefox-inside-VM sounds like [Qubes OS](https://en.wikipedia.org/wiki/Qubes_OS) to
me, maybe that's of interest for you. Since you're not saving any history at all,
why don't you use the tor browser? It has some more very nice anti-tracking features
btw.
8:30 a.m.
Allegedly, on or about 31 August 2016, Christian Stadelmann sent:
1. HTTPS Everywhere – force-redirects to HTTPS on a list (whitelist)
of known sites. Doesn't break much stuff. I think this is a must-have.
Actually, this is one *kind* of thing that I hate, because it causes
breakage all over the place.
If you're on an older system (whatever the OS/device/browser is), having
HTTP forced into HTTPS frequently results in being unable to use the
site because they can't find a mutually acceptable HTTPS scheme.
While I don't use it on the browser, there's quite a few sites which
implement it themselves (you go to http://example.com and *they*
redirect you to https://example.com).
You won't need flash on many sites anyway.
I don't agree with that, either. There's scads of sites that use Flash
for video, YouTube for one (it's only partially HTML5), News websites,
etc. And plenty of sites that provide audio-only (radio, streaming, or
simply "listen to my file" services) use Flash. Just about anything
that wants to control your viewing/listening to only viewing it through
their service, rather than being possible to download it, use Flash as
the method.
--
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
Boilerplate: All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.
less is more when playing with your cat...
2796
days inactive
2805
days old
12 comments
7 participants
participants (7)
-
Ahmad Samir -
Bob Goodwin -
Christian Stadelmann -
Drew Samson -
Robin Laing -
stan -
Tim