Locking Down a Leaky Browser (read: Google Chrome)

Everyone has their browser of choice. Myself, I prefer Safari as it functions closest to how I expect a Mac application to function. However, I do find myself using Chrome more and more. There are a couple of things that I do prefer Chrome for. In particular, containing the dumpster fire that is Adobe Flash, but also because Chrome has a rich extension ecosystem. Apple should be jealous. Hardly anyone makes extensions/add-ons for Safari.

This post is intended to take Google Chrome’s default options and modify them so that the browser leaks less information to Google. After all, with Google you are the product. There is nothing altruistic about Google. They are an advertising company first, a tech company second. Your data is how they make money. That being said, there are good technologies that Google creates, and their security team hunts bugs at a voracious pace, so I can totally respect that. With that out of the way, let’s lock down Chrome as it comes out of the box.

Upon first launch, Google asks you to log in. HELL NO. This is the #1 step to prevent Google from tracking all that you do in your browser. No thanks is the option to select here.

Next, run on over to DuckDuckGo – the search engine that won’t track you. When you go there with Chrome, it will ask if you’d like to install the DuckDuckGo Chrome extension. Absolutely do this.

DuckDuckGo’s Chrome extension does a few things:

First, it will change your default search engine within Chrome from Google to DuckDuckGo.

Second, it will stop sites from running tracking scripts and will actually rate sites on their privacy. For instance, here’s CNN:

DuckDuckGo takes CNN’s D rating to a B by blocking 19 unique trackers. It’s incredible just how pervasive tracking is across the internet.

Lastly, DuckDuckGo’s Chrome extension will force HTTPS connections.

Don’t worry, you can still do Google searches with DuckDuckGo, and you can do it very easily. Have a look at all their bang shortcuts for quickly searching various sites. The ones I use all the time are !w, !a and !yt.

If you do nothing else in this post, you’ve already greatly increased your level of online privacy. Continue on for additional tightening up of your shit. I realize that we’re now going to get into functions that you may find convenient. Some of these you may want to keep enabled, and that’s fine. Privacy and security are always a tradeoff with convenience.

Next, let’s look at Chrome’s default privacy settings. Open up Chrome’s settings. (If you’re using Chrome, that settings link will work. Otherwise go to the … menu at the top right of the browser window and click it, then Settings.)

Scroll to the bottom of the settings window and click Advanced. Next find the section called Privacy and security.

The first three options are the ones you want to disable: Use a web service to help resolve navigation errors, Use a prediction service to help complete searches and URLs typed in the address bar, and Use a prediction service to load pages more quickly.

The “service” that they’re referring to is Google. What you type is sent to Google, it’s analyzed, and they return something that may be helpful (depending on each of these options). I don’t like this kind of help. I don’t need this kind of help. Just let me use my web browser.

Like I said, you may like this help, and that’s fine. Just be aware of what Google’s hoovering up by default. Next select Content settings and you’ll see this window:

Open up the Cookies section.

The third option, Block third-party cookies, is the one you want to enable here. So just what is a “third-party cookie?” Let’s say you go to CNN.com. It may set a cookie such as which edition of CNN you prefer, US vs. International for instance. A third-party cookie could, for example, be a cookie that CNN’s ad agency lays on your browser so that it can track your activity as you travel to different websites. “Third party” refers to websites or services that you didn’t explicitly navigate to, but that may be embedded into the site you did navigate to. The reason Google doesn’t block these by default is that, like I said previously, Google is an advertising company, and by turning this setting on by default they’d effectively be blocking their own products from functioning.

For the record, Apple’s Safari and Mozilla’s Firefox enable this setting right out of the box. Mozilla and Apple’s privacy stories are miles better than Google’s.
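As an added example (not part of the original post), here is a small audit script that reads a Chrome profile’s Preferences file and reports which of the settings discussed above (the three “service” options and third-party cookie blocking) are still at their leaky value. The preference key names are my assumptions from inspecting Chrome’s Preferences JSON, the path is the macOS default profile, and the fallback sample profile is constructed; verify the keys against your own profile before relying on the output.

```python
import json
import os
import sys

# Hardened value for each setting the post turns off or on.
# Key paths are assumptions (dotted paths into Chrome's Preferences JSON).
# net.network_prediction_options: 0 = always, 1 = Wi-Fi only, 2 = never.
HARDENED = {
    "alternate_error_pages.enabled": False,     # web service for navigation errors
    "search.suggest_enabled": False,            # prediction service for the address bar
    "net.network_prediction_options": 2,        # prediction service to load pages quickly
    "profile.block_third_party_cookies": True,  # Block third-party cookies
}

# macOS default profile location (assumption; adjust for other profiles/OSes).
DEFAULT_PATH = os.path.expanduser(
    "~/Library/Application Support/Google/Chrome/Default/Preferences")

# Constructed sample: a profile where only third-party cookies were blocked.
SAMPLE = {"alternate_error_pages": {"enabled": True},
          "profile": {"block_third_party_cookies": True}}


def lookup(prefs, dotted):
    """Walk a dotted key path; None when any segment is missing."""
    node = prefs
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def audit(prefs):
    """Return {key: (current, wanted)} for every setting still leaky.

    A missing key means Chrome is using its built-in default, which for
    all of these settings is the leaky one, so it is reported as None."""
    findings = {}
    for key, wanted in HARDENED.items():
        current = lookup(prefs, key)
        if current != wanted:
            findings[key] = (current, wanted)
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    try:
        with open(path, encoding="utf-8") as fh:
            prefs = json.load(fh)
    except OSError:
        prefs = SAMPLE  # no profile found: run against the constructed sample
    for key, (cur, want) in audit(prefs).items():
        print(f"LEAKY {key}: is {cur!r} (None = Chrome default), want {want!r}")
```

Run it with Chrome closed, or pass the path of a copy of the Preferences file, since Chrome rewrites the file while it is open.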

Next click See all cookies and site data:

WOAH. Look at what comes right out the box with Chrome. REMOVE ALL. In the words of Strongbad, BA-LETED.

Next, open up the Extensions area from the … menu -> More Tools -> Extensions:


Note all of the Google extensions. If you have no need for Google Docs, Sheets, Slides, etc., remove them all (or at the least disable them). I don’t know for certain, but I suspect that they report information back to Google. It’s on my to-do list of things to investigate.

Now, if you’ve gone this far and go no farther, you’re even better off than those quitters up above who stopped after installing the DuckDuckGo extension. I have a question for you, however. Are you ready to go all in on this?

In this case, we’re going to.

Open up this link. (“chrome://flags” if you prefer to type it in on your own.) You’ll get a big, giant long list of options like this:


I’ll be the first to admit that you’re probably not going to know what a lot of these things do. I don’t either. But, have a look through the list and what I’d suggest is that if any leap out at you as, “Hey, I wonder if that needs to send information about me or my computer somewhere…” you may want to throw that setting’s name through your search engine of choice to find out. That search engine is DuckDuckGo, right… RIGHT!?!? (Full disclosure: I am not compensated in any way by DuckDuckGo. I just really like them is all. There are plenty of non-Google search engines.)

Here’s what I’ve modified within chrome://flags:

  • Hyperlink auditing – Disabled
  • Mark non-secure origins as non-secure – Always mark HTTP as actively dangerous. (As an aside, Google will be treating HTTP this way within Chrome by default beginning in July 2018. May as well get a jump on it.)
  • Show in-form warnings for sensitive fields when the top-level page is not HTTPS – Enabled
  • Enable tabs for the Clear Browsing Data dialog – Enabled
  • No-State Prefetch – Disabled
  • Speculative Prefetch – Disabled
  • Enable new preconnect predictor – Disabled

So, there you have it. If you’ve got other tips for locking up the information sieve that is Google Chrome, let me know via Twitter.

Why I must walk away from football

We New Englanders have it good when it comes to football. We have Tom Brady and Bill Belichick. They are among the greatest ever on their own, but together (and with a cast of supporting characters) they have built a dynasty that modern football has never seen. The Belichick system is so good that any player can be plugged in and it’s just going to all work out.

  • 4 game ban for Tom Brady? No problem. 3-1 through those first 4 games.
  • Go 5-1 in the division and 11-1 in the conference? Sure, we’ll trot our way to yet another Super Bowl appearance.
  • Down 28-3 with 2 minutes left in the 3rd quarter at the Super Bowl? Time to humiliate Atlanta right into the record books.

Football is a spectacularly entertaining sport – especially with emotional roller coasters like Super Bowl 51. However, the medical evidence, in combination with the NFL actively avoiding any acknowledgement of or responsibility for CTE, means that I cannot in good conscience be a fan.

The NFL and team owners making millions upon millions of dollars on the backs of players whose lives are irrevocably changed for the worse is barbaric and morally abhorrent.

I will not watch any longer.

Why your event shouldn’t rely on hotel Wi-Fi

I work for a company that does mobile content delivery, typically to field sales teams. We ensure your folks are using content that’s current, pushed to them so they’re not hunting and pecking for it, and that it’s relevant to their role.

Frequently, when we have a large company doing a kick-off of our app with their employees, they’ll want to get them all in one place for an initial training session. I’m here to tell you that this isn’t always the best idea, because hotel Wi-Fi networks are poor if you’re lucky – downright hostile if you’re not.

I have personally witnessed hotels from Hilton, Hyatt, Marriott, and Starwood all exhibiting horrendous Wi-Fi during events, even though they charge a crazy amount of money for event services. Frankly, it just makes your brand look awful when your Wi-Fi is atrocious.

Recently we did a deployment for a customer at a kick-off/training session. While it went better than other customer kick-offs, it still had issues that were squarely laid at the feet of awful hotel Wi-Fi networks.

We’re somewhat at the mercy of the underlying OS, iOS, for network services provided to our app. iOS is generally pretty good about gracefully degrading network service to apps, however there are situations when a combination of packet loss, re-transmission, being in a high-collision domain (such as hotel Wi-Fi), downloading data, and trying to utilize a lot of memory to display files combines into a Perfect Storm™ situation where the app bombs.

I’d like to give a bit of a Wi-Fi explainer, as it’s the largest contributor to this problem. The easiest (and most simplified) way to explain how Wi-Fi works is that it’s one giant game of musical chairs, except there’s only one chair no matter how many people are playing. Only a single device (Access Point or client) can talk at a time. Coupled with that, devices do not need to be on the same Wi-Fi network in order to be part of this game of Musical Chairs. They simply need to be on the same or overlapping operating frequencies in order to be forced to take part in this wretched game.

Have a look at a “Good Wi-Fi” example:

This is the Wi-Fi situation at my house. I run two 2.4 GHz SSIDs: Durmstrang for legacy Wi-Fi devices that cannot speak 5 GHz, and Beauxbatons, my guest network with a route straight to the internet and no peer discovery. (Beauxbatons is in a separate IP space from everything else.) Over on the 5 GHz side of things, I run one SSID, Hogwarts. It’s on the same IP space as Durmstrang. Hogwarts is my production Wi-Fi SSID. Notice that in each frequency range I have three “humps.” This is because I have three Wi-Fi Access Points in my house. Each is set to service a separate channel within the 2.4 and 5 GHz ranges. This way, devices that are on each Access Point only have to play Musical Chairs with the other devices on that single channel. I’ve also tuned my radios down so that a device isn’t trying to roam to an Access Point that’s further away than a closer Access Point.

Over on the 2.4 GHz range, note that there is a Netgear device and a Compex device, on channel 11 and channel 1 respectively. They’re from my neighbors across the street. I’ve told them many times to tune them down – they don’t listen. Though the devices are on totally separate networks, the air is a collision domain. My devices on Durmstrang/Beauxbatons on channels 1 or 11 must wait their turn for devices that are across the street on the Netgear and Compex networks. Only my 2.4 GHz devices on Durmstrang/Beauxbatons channel 6 (the Access Point in my living room) aren’t part of those games of Musical Chairs.

So, that’s what good Wi-Fi looks like. A client device should see one Access Point on each channel within a frequency range at a time, with Access Point radio power turned down so that devices roam properly from one Access Point to the next. Turning down Access Point radio power also prevents my networks from interfering with others beyond the area I wish to cover. I swear, if everyone would just turn their radio power down, everyone’s Wi-Fi experience would improve greatly.

Now have a look at this “Bad Wi-Fi” example:

With our “Bad Wi-Fi” example, you can see the 2.4 GHz range is totally saturated. Lots of Access Points. There’s even someone on channel 2 on 2.4 GHz, which means that due to the limited frequency spread of 2.4 GHz, he’s interfering with the channel 1 and channel 6 devices, making everyone on both of those channels wait for him and the devices connected to him to get their turns. Jerk. Over on the 5 GHz range, there are a few standing on top of each other at channel 36 and then a HUGE SWATH of unused frequencies until someone is on 165.
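To make the channel-overlap rule concrete, here is an added example (not from the original post) that models the post’s “Good” and “Bad” scans as constructed lists of access points and works out which ones must wait on each other. It assumes 22 MHz wide 2.4 GHz channels centred at 2407 + 5 × channel MHz (channel 14 at 2484) and 20 MHz wide 5 GHz channels centred at 5000 + 5 × channel MHz; the AP labels and the Durmstrang channel assignments are mine.

```python
from collections import namedtuple

AP = namedtuple("AP", "name band channel")   # band is "2.4" or "5"

WIDTH_MHZ = {"2.4": 22, "5": 20}   # assumed channel widths (see lead-in)


def centre_mhz(band, channel):
    """Centre frequency for a channel number (assumed numbering, see lead-in)."""
    if band == "2.4":
        return 2484 if channel == 14 else 2407 + 5 * channel
    return 5000 + 5 * channel


def contend(a, b):
    """True when a and b must wait for each other's transmissions: same band
    and centre frequencies closer than one channel width (co-channel or
    overlapping adjacent channel, e.g. channel 2 against 1 and 6)."""
    if a.band != b.band:
        return False
    gap = abs(centre_mhz(a.band, a.channel) - centre_mhz(b.band, b.channel))
    return gap < WIDTH_MHZ[a.band]


def contention_map(scan):
    """AP name -> set of other AP names it shares the air with."""
    return {ap.name: {o.name for o in scan if o is not ap and contend(ap, o)}
            for ap in scan}


def plan_is_clean(scan):
    """The post's rule: a client sees one AP per channel and no overlaps."""
    return all(not peers for peers in contention_map(scan).values())


# Constructed scans modelled on the post's two screenshots.
GOOD = [AP("Durmstrang ch1", "2.4", 1), AP("Durmstrang ch6", "2.4", 6),
        AP("Durmstrang ch11", "2.4", 11),
        AP("Compex (neighbour)", "2.4", 1), AP("Netgear (neighbour)", "2.4", 11)]
BAD = [AP("hotel-A", "2.4", 1), AP("hotel-B", "2.4", 2), AP("hotel-C", "2.4", 6),
       AP("hotel-D", "2.4", 11), AP("hotel-E", "5", 36), AP("hotel-F", "5", 36),
       AP("hotel-G", "5", 36), AP("hotel-H", "5", 165)]

if __name__ == "__main__":
    for label, scan in (("good", GOOD), ("bad", BAD)):
        print(f"{label}: clean plan = {plan_is_clean(scan)}")
        for name, peers in contention_map(scan).items():
            print(f"  {name:20} waits on {sorted(peers) or 'nobody'}")
```

The output matches the post’s reading of both screenshots: only the channel 6 Access Point at home is free of the neighbours, and in the hotel scan the channel 2 AP drags both the channel 1 and channel 6 APs into its game while channel 165 sits alone.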

This is exactly what the Wi-Fi situation at the hotel looked like (in this particular case a Hyatt Regency), and unfortunately, it’s completely common. You’ll have a crowded 2.4 GHz range and a completely unmanaged and underutilized 5 GHz range. Basically, for training, we had a lot of devices on 2.4 GHz tripping all over themselves waiting for their turn to talk while being forced to listen to every Access Point in their frequency range, because the hotel likely thought that “best Wi-Fi” equals “crank up the power.” Right? WRONG. By cranking up the radios to maximum, they’re creating interference and crowded airspace.

Thus, we see a lot of dropped packets, re-transmissions, and a network situation that is difficult to navigate, even for iOS. We’ve seen rollouts on Windows devices and it’s been even worse, believe it or not.

So, the moral of this tale: If customers really want to do a group rollout, beg and plead with them to do it in a Wi-Fi environment that they control. The only well engineered Wi-Fi that I have ever seen in a hotel is one that Apple built themselves specifically for the event they were hosting. (Apple does this as a matter of course because event space Wi-Fi is god awful.)

iOS is typically graceful in poor network conditions, but when an app is trying to really bang on the network stack, it’s downright hostile. Something has to give at that point, unfortunately.

With each iOS release, Apple’s network stack does improve. However what really should happen is that hotels need to get with the program and engineer Wi-Fi networks for when they’re under load. I’m guessing they didn’t plan their channel layout so that clients only saw one Access Point on a given channel at any time. I’m also guessing they never walked their hotel with a spectrum analyzer to see which Access Points should have their radios turned down so they’d prevent interference. These are fairly simple things to do, yet hotels don’t care about it. They’re doing themselves a disservice.

If I find a hotel with decent Wi-Fi under load, I’ll be sure to always recommend them for events if given the opportunity.