It’s now common knowledge that we’re being watched online, by a thick mix of nation-states, private companies, and criminals. They sometimes do worse than watch. What do we do? Should we care?

It’s not very clear what the probability is of having your password leaked in a breach / having your email read / having your laptop remotely disabled and wiped (unless you pay the creator Bitcoin). But something like this will probably happen to you in your lifetime, so I would take 10 mins to mitigate them now.

There is no absolute security; it’s always partial and relative to a goal. This guide is aimed at “not losing control of your accounts, not being surveilled by companies or criminals, not having your online banking subverted, not getting infected by trojans or ransomware or whatever”. It’s strictly for people with average risks: not that much money, not much tech cred, not much sensitive information to protect.

Most of this article assumes you’re using Firefox, because Chrome is itself an attack. That is, it protects you very well against everyone except Google. Firefox is also significantly faster than Chrome in Private mode. It’s not a big deal compared to the other parts of this list, you’ll just need to find alternatives to the add-ons I recommend.

First: password hygiene

Attack: password cracking

If people hack a website you’re registered on, they can easily get the ‘hash’ (a scrambled, one-way form) of your password even if the site owners do everything right. These can eventually be brute-forced by guessing candidates offline, and then they have your password. To prevent this common occurrence, we need our passwords to be very long (16 characters +) and have no English words. You also want a different password for each site, so that one brute-force doesn’t open up all of your accounts at once. So, easy!: We want passwords that are too hard to remember, and we need to never reuse any of them.

Mitigation: A ‘password manager’, for instance the free, open-source, cross-platform KeePassX. Keep the database file on several devices, on a thumb drive, and in an offsite copy. You can put it in the cloud if you think you’re likely to lose those. LastPass and 1Password seem fine, maybe a bit slicker and more friendly, but they cost.
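To make the length advice concrete, here is an added example (mine, not from the post or from KeePassX) that generates a manager-style random password from the OS random source, computes its entropy, and estimates how long an offline brute force would take at an assumed guess rate; the guess rate and the little word list are constructed figures, not measurements.

```python
import math
import secrets
import string

# Alphabet a password manager draws from: upper, lower, digits, punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed mini word list standing in for a real cracking dictionary.
SAMPLE_WORDS = ["password", "summer", "dragon", "london", "welcome"]


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG, as a manager would generate it."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case years for an offline attacker to try every candidate of this entropy.
    The caller supplies the guess rate; 1e10/s below is an assumed, not measured, figure."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def contains_dictionary_word(password: str, words=SAMPLE_WORDS) -> bool:
    """True if any listed word of 4+ letters appears in the password (case-insensitive),
    which is what the post's 'no English words' rule is guarding against."""
    low = password.lower()
    return any(w.lower() in low for w in words if len(w) >= 4)


if __name__ == "__main__":
    for n in (8, 12, 16, 20):
        bits = entropy_bits(n, len(ALPHABET))
        print(f"{n:2d} chars: {bits:6.1f} bits, "
              f"{years_to_exhaust(bits, 1e10):.3g} years to exhaust at 1e10 guesses/s")
    print("sample:", generate_password(16))
```

At 94 symbols, 8 characters is exhausted in days while 16 characters takes on the order of 1e14 years at the same rate, which is why the post's 16+ rule matters far more than clever substitutions.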

Attack: password phishing

People can create convincing clones of websites just so you give them your password freely. (This isn’t just about human inattention: attackers can register URLs which look exactly like the real one.)

Mitigation: Password manager / no password reuse.

Real mitigation: 2FA everywhere you can, YubiKey. If the site doesn’t ask you for the access code from your phone, you should immediately change your password (from the top search result for that site).

Cognitive burden: once you have the Master passphrase memorised (not hard, give it a couple days): much less than remembering 40 different passwords.

Then: Browser

Attacks: IP tracking, unencrypted traffic, ISP logs, public wifi spoofing

Partial mitigation: VPN. This is highly imperfect but not as useless as this guy thinks. I use PrivateInternetAccess; you can check the technical and legal specs of dozens of VPNs here. $30 a year. Do not use free ones.

The other problem a VPN solves, and solves optimally, is internet requests sent by non-browser apps on your machine. If you use e.g. Linux’s built-in VPN client, everything goes through it.

(NB: Modern browsers have a useful thing called WebRTC. It leaks your IP though, so if you really want to hide that you’ll need to go into about:config and set media.peerconnection.enabled to false. uBlock seems to fix this too.)

Attack: Man-in-the-Middle

Even when the URL is real, vulnerabilities in the original internet protocol mean people can sometimes insert themselves in between your data and the receiving site. This is lethal (think online shopping, online banking). This add-on prevents this where it can.

Attack: Tracking and fingerprinting

Here are some reputable add-ons for Firefox:

  • NoScript. Disables all Javascript by default; this stops 90% of attacks and trackers. It is the most important, but also the most costly in time by far. After about two weeks of use this burden decreases to negligible though.
  • Privacy Badger. Overlaps a bit with AdNauseam. Seems to cover the use case for Disconnect and Ghostery.
  • DuckDuckGo. The zero-tracking search engine. Not as good as Google, but it includes a built-in “use Google safely” command.
  • Cookie Autodelete. Deletes cookies (files placed on your computer to identify you) when the tab is closed. Good compromise.

Attack: Ads

This one is arguable: after all, the current web economy couldn’t exist without ads. My response is that I precommit to using any micropayment solution that people can get to work. Also to actually buy things from creators I like. In the meantime no-one gets to spam me with gigabytes of unwanted content and follow me around.

But besides being ugly, besides following you without your consent, they take your time. Two-thirds of all script execution time is due to third-party scripts, mostly ads and trackers. My own network analytics say that 12% of all my requests are to ad servers. This is hours of your life per year. 1

Everyone knows this solution, but a better solution takes a bit of work.

The best thing to do against ads at present is a Pi-hole, a tiny DNS server in your house. This stops ads at the source, for every device in your house at once. You can get a Raspberry Pi for $30, and it takes about 30 mins to set up as a Pi-hole. (Note that Chrome and Edge users need DNS-level blocking, since Google is/was going to block uBlock.)

Because the internet is a Red Queen hellscape, we should expect this to gradually stop working over the next few years. Ads can avoid your DNS block in a variety of ways, up to and including implementing their own custom DNS-over-HTTPS protocol. La lotta continua.
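An added example (mine, not Pi-hole’s code) of what the DNS-level block above actually does: it parses a hosts-format blocklist, sinkholes a name if it or any parent domain is listed, and measures the blocked share per client over a constructed query log in the style of dnsmasq’s “query[A] name from client” lines. The blocklist and log are made up for the example; note that a client resolving over its own DNS-over-HTTPS never sends a query to the resolver, so it never appears in such a log at all.

```python
from __future__ import annotations
import re
from collections import Counter

# Constructed blocklist in hosts format (the format Pi-hole ingests); not a real list.
BLOCKLIST_TEXT = """
# comment line
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org
127.0.0.1 metrics.example.com
"""

# Constructed query log lines, dnsmasq style: query[TYPE] name from client.
QUERY_LOG = """\
query[A] www.example.com from 192.168.1.10
query[A] ads.example.net from 192.168.1.10
query[AAAA] cdn.ads.example.net from 192.168.1.11
query[A] tracker.example.org from 192.168.1.11
query[A] mail.example.com from 192.168.1.12
"""

QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")


def load_blocklist(text: str) -> set[str]:
    """Second column of each non-comment hosts line is the blocked domain."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2:
            domains.add(parts[1].lower().rstrip("."))
    return domains


def is_blocked(name: str, blocklist: set[str]) -> bool:
    """Sinkholed if the name or any parent domain (not the bare TLD) is listed."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


def blocked_share(log: str, blocklist: set[str]) -> tuple[float, Counter]:
    """Fraction of logged queries the sinkhole answers with 0.0.0.0, plus blocked count per client."""
    total, per_client = 0, Counter()
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        total += 1
        _, name, client = m.groups()
        if is_blocked(name, blocklist):
            per_client[client] += 1
    return (sum(per_client.values()) / total if total else 0.0), per_client
```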

Attack: email surveillance

Not a lot you can do, short of undertaking the 100-hour hell of running your own mail server. Try a Swiss company, e.g. Protonmail (they have no public data-sharing agreement with the Five Eyes, and there are constitutional protections for foreigners).

Attack: deanonymisation

No whois entry on your sites. People will try and charge you $10 for this but it is mandated by GDPR so shop around.

Attack: tracking over CDNs

A new clever attack: identifying you by your repeat requests to a public Content Delivery Network. The add-on Decentraleyes foils this by keeping a copy of commonly used files in your cache, so those requests never leave your machine.

Total annual cost: $40 ($40 VPN, $2 USB drive for your password DB)

Daily time cost: 10 seconds adding particular NoScripted scripts. Once you get the KeePass keyboard shortcuts in your muscle memory it is faster than typing.

Add-on risk

Whenever you install a browser add-on, you’re allowing unknown code to execute on your machine, behind NoScript. Processes are “sandboxed” in modern browsers - that is, browser malware is unlikely to break into your main OS account - but this is still a risk.

However, you can be very confident in EFF products - HTTPS Everywhere, Privacy Badger - and relatively confident in popular open-source add-ons like NoScript, Cookie-Autodelete, uBlock, and RandomUserAgent, especially if you built from source.

More things you could do:

  • Turn off these Firefox configs.
  • Get Linux (99%+ of malware doesn’t work on it, and there’s strong prevention of state backdoors and ‘security through obscurity’ zero-days).
  • Add an additional keyfile for Keepass, on a USB. This is too far for me. You’d want it attached to your body.
  • Tor. Slow!
  • Faraday wallet for phone and contactless card. Obviously this prevents all incoming calls too.
  • Airgapping one of your computers.
  • Consider not using Chinese hardware.
  • Consider not using American hardware.
  • Consider not using Kaspersky (involuntary aid).
  • Two-factor authenticated bank.
  • CanvasBlocker: people can get a wee bit of identifying info from spying on your GPU and screen specs.
  • RandomUserAgent: changes the device and browser you’re reporting, at random. Sometimes breaks things.
  • Store a PGP key somewhere public (e.g. Keybase): makes it possible to authenticate yourself without identifying documents. (Softening the blow of identity theft, preventing chronic lulz).
  • Life / work separation. Never shop at work, never work on your home computers. This makes two of you, with two different attacks (and sets of attacks) needed.
  • Against reward hacking (that is, being distracted with push notifications and infinite feeds): Just don’t have a smartphone, or keep it in your bag and use a dumbphone for interpersonal alerts. Also ImpulseBlocker.

Here’s a good tool for seeing if this does the trick.

Note that you’re not going to stop any nation-states except via perfect paranoia, the kind which makes the above look sloppy and carefree. Luckily, that effort is not worthwhile for almost anyone.

  1. Fermi estimate: 10,000 requests per person per day (like 300 actual page visits); say 0.1 sec delay from ad loading and tracker execution, per request; ~= 1000 secs ~= 17 mins per day. 12% blocked by the normal Pi-hole blacklist, the rest blocked by NoScript.
