Threats to your personal privacy are everywhere. From satellite imaging and street cameras to advertisers and governments, the world we live in is becoming more Orwellian at every turn. The internet is no exception, but with just a little bit of knowledge and effort you can easily implement some basic security and privacy enhancements to deter those with less than ethical motives. This guide will focus primarily on how to harden the Mozilla Firefox version 3 web browser against basic security and privacy threats, but information contained here may be of use to other browsers as well.
Cookies, which are nothing more than small text files, are often beneficial. For instance when you join a forum a cookie is usually set (downloaded by your browser) that identifies you and keeps track of what topics you have and haven’t read, your custom settings for the forum, such as the display theme you chose to use, and perhaps some other beneficial information. Whether there is any personal information such as your name stored in the cookie may be up to you. If you didn’t use your real name to join the forum (and why would you), then your name shouldn’t be contained in the cookie. Even if you did use your real name it still may not be stored in the cookie. Often it will be a string of letters and numbers that are unique that will be used to identify you when you return. Such a cookie can be used to log you on automatically the next time you visit the forum instead of having to enter your credentials every time, or to mark which topics have been created or updated since your last visit. On the other side of the fence are cookies set by advertisers and profilers, such as Google, DoubleClick and many others, that may be used to track where you go, where you’ve been, what you’ve been searching for and what kind of ads to display based on your browsing habits. It is these kinds of cookies that you may want to concern yourself with.
Assuming you want to allow the benign cookies but disallow the ones which track you, it’s simply a question of finding an easy way to control cookie behavior. Almost every browser has preferences for handling cookies whereby you can usually disallow all cookies, disallow 3rd party cookies only, allow all cookies, or allow cookies only from sites you trust. It is the latter we are interested in, and there are various ways to achieve the control we desire. In the case of Firefox, we could always go to: tools > options > privacy and set our preferences from there, choosing to disallow all cookies except for the web sites we make exceptions for. This can quickly become a rather annoying method though, since we’d have to invoke this lengthy process for every site we wish to allow. An easier method is to install CS Lite, which is a lighter version of Cookie Safe (a few others are available if you want to search the Mozilla add-ons site).
Before or after installation we’ll go back to: tools > options > privacy and uncheck “Accept cookies from sites” which will set a policy that will disallow all cookies. We’ll white list the sites we want to accept cookies from as we visit them instead. You should also look at the next section with the heading “Private Data” and consider removing any cookies that may already be stored, but be aware that doing so may cause you to have to re-enter your logon credentials when you revisit sites you’ve joined in the past (you did save that information, yes?). You can use the “Settings” and “Clear Now” buttons to clear all your cookies.
With CS Lite installed, open the Firefox add-ons manager (tools > add-ons), find CS Lite and we’ll configure it. There are 3 tabs to be concerned with as far as cookie handling and the first is the “Behavior” tab, where I suggest checking the “Disable cookies globally on startup” option. Next is the “Global” tab where I suggest selecting “Deny cookies globally” in the “Global cookie behavior” drop-down. Last is the “Blocklist” tab and you can disable the updates and uncheck the “Block untrusted hosts” option because the list is no longer maintained.
Depending on what options you set in the appearance tab you’ll have access to the extension from your context menu and/or a status bar icon whereby you can easily allow, allow for session, allow temporarily, block or remove cookies on a per-domain basis. A word about “domains”: a web site may have the address “http://www.my-exciting-website.freewebs.com” but the domain is “freewebs.com”. The “my-exciting-website” part is actually a subdomain of “freewebs.com”. The permissions available can be a bit confusing, so I’ll explain in a bit more detail:
- Allow – allows the domain you are visiting to set cookies. When they expire, if ever, is determined by information contained in the cookie. Some may expire when you close your browser (session cookies), some not.
- Allow for session – allows the domain you are visiting to set cookies, but only per browsing session, which lasts until you exit your browser. In other words, when you exit your browser, session cookies will be removed but will be allowed again during your next browsing session if you visit the same domain.
- Allow temporarily – works the same as session cookies above, except that the cookies will not be allowed again the next time you start your browser and visit that domain.
- Block – if you set the preferences for CS Lite according to my suggestions, this will be the default policy and all cookies will be blocked for every domain you visit except for those you have specifically allowed. You can also use this option to temporarily block cookies from a domain you previously allowed without deleting the cookie (maybe you want to see how a web site acts if it cannot access your cookie).
- Remove – available for domains that you’ve already allowed to set cookies, this simply deletes them.
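The following is an added JavaScript model of the five permissions above, written for this guide and not taken from CS Lite. It assumes a permission set on a domain also covers its subdomains, and the class name, method names and example hosts are made up for illustration.

```javascript
// Model of the five per-domain permissions; default policy is "block".
class CookiePolicy {
  constructor() {
    this.saved = new Map();     // domain -> "allow" | "session" | "block" (kept across restarts)
    this.temporary = new Set(); // domains allowed only until the browser exits
    this.jar = [];              // stored cookies: { host, name, sessionOnly }
  }
  setPermission(domain, perm) {
    if (perm === "temporary") this.temporary.add(domain);
    else { this.temporary.delete(domain); this.saved.set(domain, perm); }
  }
  // Check the host, then each parent domain, so a rule for "freewebs.com"
  // also covers "www.my-exciting-website.freewebs.com" (assumed behaviour).
  lookup(host) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length - 1; i++) {
      const d = labels.slice(i).join(".");
      if (this.temporary.has(d)) return "temporary";
      if (this.saved.has(d)) return this.saved.get(d);
    }
    return "block";
  }
  // Returns true if the cookie was stored. Only a plain "allow" lets the
  // cookie's own expiry decide; the other grants force a session lifetime.
  setCookie(host, name, expiresAtExit) {
    const perm = this.lookup(host);
    if (perm === "block") return false;
    this.jar.push({ host, name, sessionOnly: expiresAtExit || perm !== "allow" });
    return true;
  }
  // Cookies the site can read back; a blocked domain gets none, even if
  // cookies from an earlier "allow" are still in the jar.
  cookiesFor(host) {
    if (this.lookup(host) === "block") return [];
    return this.jar.filter((c) => c.host === host).map((c) => c.name);
  }
  // "Remove": delete stored cookies for the domain and its subdomains.
  remove(domain) {
    this.jar = this.jar.filter((c) => c.host !== domain && !c.host.endsWith("." + domain));
  }
  // Browser exit: drop session cookies and temporary permissions.
  restart() {
    this.jar = this.jar.filter((c) => !c.sessionOnly);
    this.temporary.clear();
  }
}
```

After `restart()`, a domain granted “session” is still allowed on the next visit, while a domain granted “temporary” falls back to the default block.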
LOCAL SHARED OBJECTS:
A Local Shared Object, or LSO, is a lesser-known method that a web site may use to store data on your computer. This technology may be more controversial than cookies but is only available to web sites that utilize Flash and you have to have installed the Adobe Flash plugin for your browser (which almost everyone does, knowingly or not). You can read more about LSO’s on the Wikipedia page, but as far as we’re concerned LSO’s are a potential threat to our privacy, just as some cookies are, and therefore we need an easy way to handle them.
Firefox does not provide an easy method of controlling what is stored, for how long, or by whom. Adobe does allow some control of Flash preferences through their Global Storage Settings panel but having to visit their web site every time you want to change preferences or delete stored data is not very convenient. Furthermore, if you configure the settings incorrectly, you can suffer side effects and lose desired functionality (such as no audio when viewing videos). Enter BetterPrivacy, a Firefox extension that auto-deletes Flash “super cookies” when Firefox starts, exits, or at timed intervals – your choice. You can also protect the LSO’s you want to keep, though I have yet to run into a problem by letting BetterPrivacy delete them all automatically when Firefox exits.
Once installed, there isn’t a lot to fiddle around with in the settings for BetterPrivacy. Just open its options and, if you have Flash installed, it should’ve auto-detected the directory where Flash data is stored. On the “Options” tab you can configure when you want to delete LSO’s as well as disabling DOM storage and ping tracking, both of which I’d suggest sticking a checkmark next to. After that you can probably forget about it as it will happily go about its business while you go about yours.
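To see which sites have left LSO’s behind before BetterPrivacy clears them, the Flash data directory it detected can be inventoried with a short Node.js script. This is an added example, not part of BetterPrivacy; the directory layout (a random id folder, then one folder per site host) is an assumption, and the sample tree is constructed so the script runs without Flash installed.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");

// Group every *.sol file under `root` by the site that stored it.
// Assumed layout: <root>/<random id>/<site host>/<optional path>/<name>.sol
function listLsos(root) {
  const bySite = new Map();
  const walk = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isDirectory()) {
        walk(full); // symlinks report isDirectory() === false, so they are not followed
      } else if (entry.isFile() && entry.name.toLowerCase().endsWith(".sol")) {
        const parts = path.relative(root, full).split(path.sep);
        // parts[0] is the random id, parts[1] the site host
        const site = parts.length >= 3 ? parts[1] : "(unknown)";
        if (!bySite.has(site)) bySite.set(site, []);
        const file = parts.slice(2).join("/") || entry.name;
        bySite.get(site).push({ file, bytes: fs.statSync(full).size });
      }
    }
  };
  walk(root);
  return bySite;
}

// Constructed sample tree (hypothetical hosts and contents).
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "lso-"));
  const files = {
    "AB12CD34/video.example/player/settings.sol": "volume=80",
    "AB12CD34/ads.example/track.sol": "uid=constructed-0001",
    "AB12CD34/ads.example/notes.txt": "not an LSO",
  };
  for (const [rel, body] of Object.entries(files)) {
    const full = path.join(root, ...rel.split("/"));
    fs.mkdirSync(path.dirname(full), { recursive: true });
    fs.writeFileSync(full, body);
  }
  return root;
}

// One summary line per site: how many LSO files and how many bytes.
function report(root) {
  return [...listLsos(root)]
    .map(([site, f]) => `${site}: ${f.length} file(s), ${f.reduce((n, x) => n + x.bytes, 0)} bytes`)
    .sort();
}
console.log(report(buildSampleTree()).join("\n"));
```

Pass the directory shown in BetterPrivacy’s options to `report()` instead of the sample tree to list your own stored objects.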
CustomizeGoogle offers a ton of preferences that affect not only how Google search results are displayed, but also how to handle Google’s cookies and click tracking. It is also a set-it-and-forget-it extension so once you’ve configured the options, you’re done with it.
When you open its options you’ll see a list of Google services including Web, Images, Groups and many more. I’d suggest going through each one and disabling click tracking. In the “Privacy” section I’d suggest placing a check next to “Don’t send any cookies to Google Analytics” and “Anonymize the Google cookie UID” (unique identifier).
Another issue that some may see as a threat to their privacy is the fact that most browsers will tell the web site you visit where you came from. For instance, if you were shopping for a new rifle over at Sig Sauer and then decide to visit the Department of Homeland Security, their server will probably know where you came from. Is it really any of their business? If you don’t think so, check out RefControl, a little extension that can alter the referrer that your browser sends to the site you’re visiting.
Once installed you’ll need to configure RefControl because by default it does nothing. Make sure it’s enabled and then click the “Edit” button next to where it says “Default for sites not listed” and select “Forge – send the root of this site”. In my opinion this is the best option as it won’t break very many sites yet still offers a privacy boost. Now when you visit Sig Sauer and then go to Department of Homeland Security, the DHS server log will see you as having come from the root of their own site, which is dhs.gov. And while we’re on the subject, maybe this extension will interest you.
- If you still have trouble, try disabling RefControl or white listing the domain.
Also check out all the other privacy and security related extensions at Mozilla.
article by atomMan