Web Browser Basics
SURFING THE WEB EXPOSES A LOT OF INFORMATION ABOUT YOU. Even before you get a warning about a site wanting to access location information, or anything protected, your web browser is broadcasting a lot more information than you realize. Getting that under control is a step that anyone can do, regardless of how far down the path you want to go to anonymity, and will not take very much effort at all.
Here’s an exercise for you. Go to these websites and see what they say:
- https://whatismyipaddress.com/
- https://www.whatismybrowser.com/detect/what-http-headers-is-my-browser-sending
- https://panopticlick.eff.org/
All of that information is without even allowing location services. And it doesn’t cover what information you’re sending to websites via cookies or tracking bugs. Once you start adding those in, your web browser is just a big, sophisticated way of surveilling you, that you voluntarily downloaded. Oh, and it happens to display cat pictures, too. We can make this a little better, and it’s not going to take very much effort on your part to do it.
The first thing that you should do is install the HTTPS Everywhere Plugin from the Electronic Frontier Foundation. This is a very simple plugin that assures that if a website supports a secure, encrypted connection, that your browser uses it. Once installed, you won’t even know the plugin is there: it works automatically and doesn’t interfere with your normal activity.
Why is HTTPS important? If you’re not familiar with it, HTTP is the HyperText Transfer Protocol. This is how your web browser communicates with websites. The last ‘S’ stands for ‘Secure’. An HTTPS connection, also called SSL or TLS (Secure Sockets Layer or Transport Layer Security – they’re different things, but close enough for our purposes), means that the connection between your browser and the website is encrypted. This means that anyone eavesdropping on the network traffic can’t see what you are doing. They might know that you’re connecting to the website, but they don’t know what the content is.
Now that we’re as secure as possible (without rejecting all non-secure connections), we need to do something about all the tracking bugs. Websites use all kinds of methods for tracking you, and they share that information with a lot of people. Before we fix this, let’s take a crash course in how it works.
When you load a website, like CNN, the first thing that happens is that the structure of the page loads. This structure has some number of commands in it for your browser to load other content. Some of this is other things you see on the page, like images and videos. Then there’s the advertising. There’s also things that load invisibly and send information to systems all over the place. We call these things bugs, beacons, analytics, or tracking. On CNN’s website it tells your browser to make connections to:
- Advertising: Amazon, ChartBeat, Criteo, Google, Krux, NetRatings, Outbrain, Rubicon
- Analytics: ClickTale, Omniture, Optimizely, mPulse
- Comments Systems: LyveFyre
- Interaction Systems: Usabilla
That’s 14 different trackers, and it might have loaded more if I let it load those at all. And they’re all setting their own cookies on your web browser. A cookie is a bit of information that sticks around on your browser and gets sent back to the website every time you visit. So all of these services know you just went to CNN. And they know all the places they’ve seen you from before on other websites. It is said that “If you’re not paying for it, you’re not the customer. You’re the product.” All of these sites sell your information to anyone who wants it. That’s why you get to use so many websites and services for free: they’re selling your information.
OK, let’s get rid of them. My favorite plugin for this is Ghostery. It’s free, it updates automatically, and it’s configurable so you can allow some things (some websites break a little bit if you block everything). Don’t install it just yet, because we need to talk.
Remember what I just said about “you’re the product”? Ghostery is free. Yep, they’re making money off you too, but they’re very open about this: when you install the plugin, you see a configuration screen, and the first page is about providing information back to them to help websites make their sites more secure. Here’s what you need to do on the config screens when you install it:
- On the “Help Keep Ghostery Free” page, click “No thanks”
- On the “Notification” page, it’s your choice. I don’t show the alert bubble anymore because the information is there if I want it
- On the “Blocking” page, click “Select all”. There’s also a popup at the top that says “New trackers will also be blocked”. Click “Sounds good!”
One note here, courtesy of Alison – when you install Ghostery, there’s a feature that’s disabled by default, called GhostRank. If enabled, this sends anonymous information about your browsing to Ghostery so they can improve what they’re doing. Of course, we’re looking for privacy here, so you want to make sure that stays disabled.
Now go back to CNN. Looks a little different, doesn’t it? You can click on the ghost icon that’s up at the top of your web browser now and see all the good that Ghostery is doing for you. One thing to note is that you’re periodically going to have to use that ghost icon to allow some trackers or “whitelist” a website so it doesn’t have any trackers blocked. Do that with care. It might be nice to allow Facebook’s share icons, for example, but that means you’re letting Facebook track you.
Ghostery does a good job, but I like a little backup, so let’s also install AdBlock (NOTE: AdBlock is not the same as “AdBlock Plus” – ABP lets advertisers pay for play). The install here is simple, and it brings up a page where you can donate to them if you want to. The one thing you can consider changing is clicking on the “disable Acceptable Ads” link on that page. They’re trying to work with advertisers a little bit to allow some ads that are straightforward, because we would like these free services we use to remain free.
These are the only plugins I make sure are in all the browsers I use. So the next thing I want you to do is take a hard look at what extensions you have installed previously, and evaluate all of them while being paranoid. These instructions are for Mac, but they should be similar for Windows:
- Chrome: From the menu up top, select “Window” and then “Extensions”
- Safari: From the menu, select “Safari” and then “Preferences”. Click on the “Extensions” icon
- Firefox: From the menu, select “Tools” and then “Add-ons”
Do you really need it? If the answer is no, remove the plugin. The fewer things installed, the fewer things we need to worry about tracking us.
Once you’re done going through your plugins, we’re now going to wipe the slate clean. We need to clear all of our browser history, dump all the cookies, and start fresh.
- Chrome: From the menu up top, select “Chrome” and then “Preferences”. Click “Show advanced settings” at the bottom, and click “Clear browsing data”. Select everything and click the button to clear it.
- Safari: From the menu, select “Safari” and then “Clear history”. Select “all history” in the drop-down, and click the button to clear the history.
- Firefox: From the menu, select “Firefox” and then “Preferences”. Click “Privacy”, and click “clear your recent history”. Select “Everything” from the drop-down, click the little down arrow button and select all the checkboxes, then click the button to clear it.
That’s going to be a little annoying for you. You’re going to lose logged in sessions on websites, as well as some settings on those sites here and there. But the only other option is to manually go through every cookie on your browser and make a decision whether or not to delete it. Take the hit once and know that you’re restarting from a much better place with those plugins installed.
The one thing we didn’t cover here is what to do about the information that your IP address (that’s Internet Protocol address – it’s a number just like a street address that identifies your system when you connect) exposes. In a normal web browser there’s not much you can do about that. Coming up next in this series we’re going to talk about two ways where you can hide where you are coming from.
Up Next: Using the Tor Browser
[…] Up Next: Web Browser Basics […]
What are you using now that adblock plus sold out?
It’s very important to note here (and I’m going to edit the post right now to call this out) that “AdBlock” and “AdBlock Plus” are not the same thing. I’ve used ABP in the past, but now I use AdBlock. They do have the “acceptable ads” thing, but you can disable that as well.
Todd I’ll have to go look to see which one I have, and how to turn off acceptable ads. I’ve noticed the past couple of days that I have ads in placed I don’t typically see them.
Please let me know, because if AdBlock is having problems now I’ll have to revise. I will note that I run both Ghostery and AdBlock, and they cover a lot of the same things. So it may be that Ghostery is catching things for me that AdBlock is not.
Also make sure that you have all the blocking enabled in both. I noticed that I didn’t have blocking by default enabled in Ghostery the other day (the setup instructions I gave will result in it being enabled), which meant that new updates were not getting blocked.
i use 1Blocker on my iPad to block trackers, widgets, beacons, etc.
Wish I could find something equivalent for my Android that didn’t drain the battery or extremely slow down surfing.
Thanks, I’m going to take a look at that. I’m going to write a quick post on mobile security tomorrow because I completely ripped through a few secure systems today to remove the activation lock on an iPhone 🙂
Unfortunately, I don’t do Android. Right now. The way Apple’s been headed that’s looking to change
1Blocker has a small cost, but it is capable of blocking most trackers, widgets, and ads (although I supplement with Super Ad Block), it is fully customizable. you can whitelist, or create custom items to block based on the html/css classes used.
It runs on my iPad, so it isn’t routing me through a service or cloud solution in order to display a webpage.
now the only time i see ads are when i click links in the Facebook app and get the embedded browser.
uBlock Origin is one that gets mentioned a lot. Haven’t tried it personally.
I’ve saved the article – apparently you’re too racy for my work firewall to permit.
I checked it, and I had Adblock Plus. I did try to install Adblock, but it won’t download for me. It doesn’t throw me a specific error, so I’m not quite sure what to do. I do run Noscript, but I’ve not updated my addons in quite some time. Do you have any recommendations?
You might want to try disabling noscript while you do it. And you may need to disable ABP first (if you didn’t already). How were you installing Adblock? Via their site, or from whatever extension service your browser has?
Todd Palino I did not disable noscript. I did disable ABP though. Let me try that…
You may also want to let them know about disabling GhostRank. It’s unchecked by default on install, but if it ever gets enabled, you can go to the ghostery settings and uncheck it. (I know you touch on opting out of the sold data stuff, but you may want to mention what it’s called so folks know.
Yeah, I didn’t mention it because it’s off by default. But now that you’ve mentioned it, it will be a comment there (as soon as I approve it)