Locking Down a Leaky Browser (read: Google Chrome)

Everyone has their browser of choice. Myself, I prefer Safari as it functions closest to how I expect a Mac application to function. However, I do find myself using Chrome more and more. There are a couple of things that I do prefer Chrome for: in particular, containing the dumpster fire that is Adobe Flash, but also because Chrome has a rich extension ecosystem. Apple should be jealous. Hardly anyone makes extensions/add-ons for Safari.

This post is intended to take Google’s default options and modify them so that they leak less information to Google. After all, with Google you are the product. There is nothing altruistic about Google. They are an advertising company first, a tech company second. Your data is how they make money. That being said, there are good technologies that Google creates, and their security team hunts bugs at a voracious pace, so I can totally respect that. With that out of the way, let’s lock down Chrome as it comes out of the box.

Upon first launch, Google asks you to log in. HELL NO. This is the #1 step to prevent Google from tracking all that you do in your browser. No thanks is the option to select here.

Next, run on over to DuckDuckGo – the search engine that won’t track you. When you go there with Chrome, it will ask if you’d like to install the DuckDuckGo Chrome extension. Absolutely do this.

DuckDuckGo’s Chrome extension does a few things:

First, it will change your search engine within Chrome from Google to DuckDuckGo.

Second, it will stop sites from running tracking scripts and will actually rate sites on their privacy. For instance, here’s CNN:

DuckDuckGo takes CNN’s D rating to a B by blocking 19 unique trackers. It’s incredible just how pervasive tracking is across the internet.

Lastly, DuckDuckGo’s Chrome extension will force HTTPS connections.

Don’t worry, you can still do Google searches with DuckDuckGo, and you can do it very easily. Have a look at all their bang shortcuts for quick searching of various sites. The ones I use all the time are !w, !a and !yt.

If you do nothing else in this post, you’ve already greatly increased your level of online privacy. Continue on for additional tightening up of your shit. I realize that we’re now going to get into functions that you may find convenient. Some of these you may want to keep enabled, and that’s fine. Privacy and security are always a tradeoff with convenience.

Next, let’s look at Chrome’s default privacy settings. Open up Chrome’s settings. (If you’re using Chrome, that settings link will work. Otherwise, go to the … menu at the top right of the browser window, click it, then click Settings.)

Scroll to the bottom of the settings window and click Advanced. Next find the section called Privacy and security.

The first three options are the ones you want to disable: Use a web service to help resolve navigation errors, Use a prediction service to help complete searches and URLs typed in the address bar, and Use a prediction service to load pages more quickly.

The “service” that they’re referring to is Google. What you type is sent to Google, it’s analyzed, and they return something that may be helpful (depending on each of these options). I don’t like this kind of help. I don’t need this kind of help. Just let me use my web browser.

Like I said, you may like this help, and that’s fine. Just be aware of what Google’s hoovering up by default. Next select Content settings and you’ll see this window:

Open up the Cookies section.

The third option, Block third-party cookies, is the one you want to enable here. So just what is a “third-party cookie?” Let’s say you go to CNN.com. It may set a cookie recording which edition of CNN you prefer, US vs. International for instance. A third-party cookie could, for example, be a cookie that CNN’s ad agency places in your browser so that it can track your activity as you travel to different websites. The reason Google doesn’t block these by default is because, like I said previously, Google is an advertising company, and by turning this setting on by default they’d effectively be blocking their own products from functioning. So, “third party” refers to websites or services that you didn’t explicitly navigate to, but which may be embedded into the site you did navigate to.

For the record, Apple’s Safari and Mozilla’s Firefox enable this setting right out of the box. Mozilla and Apple’s privacy stories are miles better than Google’s.

Next click See all cookies and site data:

WOAH. Look at what comes right out the box with Chrome. REMOVE ALL. In the words of Strongbad, BA-LETED.
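The settings covered so far (refusing sign-in, switching search to DuckDuckGo, the three prediction services, and third-party cookies) can also be pinned in place with a Chrome managed-policy file, so they survive profile resets and can’t be quietly flipped back. This is an added example, not part of the original post; the policy key names are Chrome’s documented enterprise policies, while the target directory, file name and the scoring helper are assumptions made for this example (on macOS the same keys go into a managed com.google.Chrome preferences plist instead).

```shell
#!/bin/sh
# Added example: the post's hand-toggled Chrome privacy settings as a managed
# policy file. POLICY_DIR is Chrome's Linux managed-policy directory (assumed
# default for this example); override it to stage the file elsewhere first.
POLICY_DIR="${POLICY_DIR:-/etc/opt/chrome/policies/managed}"
POLICY_FILE="$POLICY_DIR/privacy-lockdown.json"

# Emit the policy JSON. Each key maps to one setting from the post:
#   BrowserSignin 0              -> "No thanks" to signing in to the browser
#   AlternateErrorPagesEnabled   -> Use a web service to help resolve navigation errors
#   SearchSuggestEnabled         -> Use a prediction service to help complete searches and URLs
#   NetworkPredictionOptions 2   -> Use a prediction service to load pages more quickly (2 = never)
#   BlockThirdPartyCookies       -> Block third-party cookies
#   DefaultSearchProvider*       -> make DuckDuckGo the address-bar search engine
chrome_privacy_policy() {
  cat <<'EOF'
{
  "BrowserSignin": 0,
  "AlternateErrorPagesEnabled": false,
  "SearchSuggestEnabled": false,
  "NetworkPredictionOptions": 2,
  "BlockThirdPartyCookies": true,
  "DefaultSearchProviderEnabled": true,
  "DefaultSearchProviderName": "DuckDuckGo",
  "DefaultSearchProviderKeyword": "duckduckgo.com",
  "DefaultSearchProviderSearchURL": "https://duckduckgo.com/?q={searchTerms}"
}
EOF
}

# Count how many of the five leak-related settings a policy file already locks
# down (0..5). Handy for auditing a machine someone else configured.
chrome_policy_score() {
  file="$1"
  n=0
  grep -q '"BrowserSignin": 0' "$file" && n=$((n + 1))
  grep -q '"AlternateErrorPagesEnabled": false' "$file" && n=$((n + 1))
  grep -q '"SearchSuggestEnabled": false' "$file" && n=$((n + 1))
  grep -q '"NetworkPredictionOptions": 2' "$file" && n=$((n + 1))
  grep -q '"BlockThirdPartyCookies": true' "$file" && n=$((n + 1))
  echo "$n"
}

# Write the policy file (root is needed for the default directory) and report
# the resulting score; Chrome picks the file up on its next start.
install_chrome_privacy_policy() {
  mkdir -p "$POLICY_DIR"
  chrome_privacy_policy > "$POLICY_FILE"
  chrome_policy_score "$POLICY_FILE"
}
```

Once installed, chrome://policy shows the keys as active and the corresponding switches in Settings become greyed out.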

Next, open up the Extensions area from the … menu -> More Tools -> Extensions:


Note all of the Google extensions. If you have no need to use Google Docs, Sheets, Slides, etc, remove them all. (Or at the least disable them.) I don’t know for certain, but I suspect that they will report information back to Google. It’s on my to-do list of things to investigate.

Now, if you’ve gone this far and go no farther, you’re even better off than those quitters up above who stopped after installing the DuckDuckGo extension. I have a question for you, however. Are you ready to go all in on this?

In this case, we’re going to.

Open up this link. (“chrome://flags” if you prefer to type it in on your own.) You’ll get a big, long list of options like this:


I’ll be the first to admit that you’re probably not going to know what a lot of these things do. I don’t either. But, have a look through the list and what I’d suggest is that if any leap out at you as, “Hey, I wonder if that needs to send information about me or my computer somewhere…” you may want to throw that setting’s name through your search engine of choice to find out. That search engine is DuckDuckGo, right… RIGHT!?!? (Full disclosure: I am not compensated in any way by DuckDuckGo. I just really like them is all. There are plenty of non-Google search engines.)

Here’s what I’ve modified within chrome://flags:

  • Hyperlink auditing – Disabled
  • Mark non-secure origins as non-secure – Always mark HTTP as actively dangerous. (As an aside, Google will be treating HTTP this way within Chrome by default beginning in July 2018. May as well get a jump on it.)
  • Show in-form warnings for sensitive fields when the top-level page is not HTTPS – Enabled
  • Enable tabs for the Clear Browsing Data dialog – Enabled
  • No-State Prefetch – Disabled
  • Speculative Prefetch – Disabled
  • Enable new preconnect predictor – Disabled

So, there you have it. If you’ve got other tips for locking up the information sieve that is Google Chrome, let me know via Twitter.

Privacy in an ever un-private world

Whatever your politics may be, privacy should be important to you. We’re in a world where we share ever more private things about ourselves with a lot of people – many of whom we don’t even know, and many times without even meaning to. Simply by browsing the web, companies (and even governments, thanks to the revelations made public by Edward Snowden) are building digital dossiers on you. They may not have you pegged by name (if you’re lucky), but they can be extremely accurate. Shopping habits, news sites you frequent, which memes you share – all of these things can be used to build a profile about you to a scary level of detail. Most times, this is simply used to sell to advertisers in order to make money. Other times, however, that information lands in the government’s hands. Often we give up our privacy in the name of convenience. We get free services for giving it up – Facebook is a great example. I’m not saying that there’s no value in these services, I’m just saying that sometimes you need to think about what you’re giving up.

Privacy & security are always a balancing act vs. convenience & usability. I’ll let you decide how far down the privacy & security rabbit hole you want to go, but here are the top things I think you can easily do to improve your privacy.

Install an ad blocker on your desktop and mobile browsers

If there is only one thing you do, install an ad blocker. There are many ad blockers out there (AdBlock Plus, uBlock Origin, EFF’s Privacy Badger), but the general gist of them all is one thing: block websites from tracking you across the web. Advertisers don’t just advertise on one website; rather, they use web technology to track you across various websites. This is how they build a profile on you. Ever notice how perhaps you were browsing Amazon for a hair dryer and then all of a sudden elsewhere you’re seeing ads for hair dryers? Thank advertisers tracking you across the web. I find it incredibly creepy. With an ad blocker, at a minimum you can stop this. What you can also do is stop seeing ads altogether. They can be incredibly intrusive to your browsing experience. If you’re on a laptop or smartphone, simply because your browser is processing more things, ads and trackers can chew into your battery life. There are even well-known cases where malware and viruses are distributed via ad networks on legitimate sites (I’m looking at you, Forbes.com), so having an ad blocker can protect you from more nefarious things as well.

Encrypt all the things

“Power to the people” is a very apt phrase to describe encryption. Encryption is the process whereby math scrambles content such that it’s unreadable unless you have the right key to unscramble the content. Really smart people figured this out, and when it’s done correctly, encryption is absolutely the best way to keep information private. It’s the only method strong enough to resist nation-state-grade brute force supercomputing.

There are two kinds of data that you want to encrypt: data in transit and data at rest.

Data in transit is literally data that is going between one device and another device. A good example is when you check your email. You have your local email application and the remote server that it talks to. You want to make sure the content of your email is safe while it goes over the internet; otherwise it’s like a postcard you’ve dropped in the mail – anyone can read it along the way if they desire. Here we want to secure our data in transit. Thankfully, the technology to make this safe has been around for a long, long time and is common. The easiest way to know if your data is safe is if you’re visiting a site whose address begins with https://. That “s” is for secure. Most browsers will also display a padlock so you know it’s safe. Get in the habit of going to https:// sites; in fact, these days many sites will redirect you to their https:// site by default anyway (like this one does. Go ahead, go to http://nerdily.org and you’ll land at https://nerdily.org). The technology that secures this is called “SSL” (Secure Socket Layer) and/or “TLS” (Transport Layer Security). If you’re really interested, read up on them on Wikipedia. You’ll be there all day.

Data at rest refers to data that sits on a device and isn’t being transmitted. For instance, all your photos on your smartphone. Sure, they may be stored in the cloud somewhere, but local copies exist on your smartphone. When they’re on your smartphone you’d like them protected, right? Thankfully, smartphone manufacturers (such as Apple and Google) have made encrypting this data super easy – often easy enough to unlock with your fingerprint. I highly encourage you to enable these technologies, because they’ve reached the point where you don’t need a degree in physics to use them, and also because so much of our lives now lives in our pockets, easily accessible. Should your device be lost or stolen, your data will be safe without the passcode, and in many cases you cannot be compelled to reveal it. In an even worse scenario, you could be at the mercy of an over-zealous law enforcement officer. I once had a US Customs officer demand my iPhone’s passcode at the US/Canadian border. I politely stated that I would not do that without a warrant, and he decided that would be too much of a pain in the ass apparently, as I was allowed to re-enter the US without further incident. (Obligatory “I am not a lawyer.”) Computers are also equipped with easy-to-use encryption to keep your data safe. Use it!

Read the privacy policy and dive into the settings

Got a shiny new app or service you’ve signed up for? Perhaps when you signed up you agreed (unknowingly) to receive newsletters or have your information shared with third parties for advertising purposes. This is one reason I recommend reading a company or service’s privacy policy before you sign up. Sometimes they’re long and hard to read, but many times they have a human-readable version (i.e. one non-lawyers can figure out) that sums it up nicely. Give it a read so you know what you’re giving up.

If you decide to sign up, once you’ve got any associated software installed or accounts set up go digging into the settings provided. Many times software and services don’t come with the most secure configuration out of the box – and this is intentional. It’s even true for ad blocking software that I mentioned above. Many ad blockers now partner with – you guessed it – advertisers to get their ads past the blockers. Many of them allow this by default but you can change that and button things up. Have a good rummage around the settings and if you run into technobabble you don’t understand, you may have hit gold. Google that word and see if you can learn something.

Speaking of Google…

Don’t use it if you’re serious about digital privacy. Google is the epitome of giving up privacy to advertisers. Google is an advertising company first. Their products exist to sell advertising. I’ll admit, the word “google” has become a verb meaning “web search,” but there are alternative search engines that are frequently just as good. Personally I use DuckDuckGo, whose stated purpose is to search without tracking. They don’t do it. At all. And many browsers already have DDG integration; you just need to flip a setting. Gmail is another good service to get off of if you don’t want a digital dossier built on you. There’s a reason Google doesn’t offer encrypted* email – because then they can’t (easily) comb your email in order to display advertising to you.

*In this case I’m referring to the email itself being encrypted such that only the sender or receiver can read it. Your browsing session with Google is secure, though they can read all of your email. Yes, this is a really complicated rabbit hole.

Stay up to date

The biggest attack vector for malware and other privacy-stealing baddies is out-of-date software. Software is amazing, and it’s powered everything from getting man to the moon to allowing you to chat with friends while taking a dump. But software is made by humans, and humans make mistakes. In software those are called bugs, and that’s frequently how the baddies gain access they shouldn’t have. By updating your software frequently you can hopefully stay one step ahead. This means making sure your operating system (e.g. Windows, macOS, Android, iOS, etc.) is up to date along with the other software (web browsers, email clients, other apps) you use. Updating software isn’t hard, so there’s little excuse to not be running the latest and greatest. Besides, often when you update software you get new shiny features you’ll find useful. Do it!

If you do nothing but the items above you’ll actually be ahead of the curve – it’s not hard! If you want to go further down the privacy road, head on over to the Electronic Frontier Foundation’s Surveillance Self Defense project. The Electronic Frontier Foundation (EFF) is an online privacy advocacy group and I highly encourage you to donate if you find their work useful (I do.)