InfoSec for TBP Readers – Part 4

Guest Post by aka.attrition

Privacy and security are not easy and especially for those of us who are not very computer literate. Coming from an information technology (IT) background with special interest in information security (infosec) I decided to write an article for the layman (don’t give me no uphill about politically correct words!) to help you increase your security and protect your privacy a little more.  This is a small contribution to this website where I spend far too much time reading the articles and especially the major commentators – you know who you are. Thanks Jim and the heavy hitters.

The full article is broken down into four parts;

Part 1

• The one thing you need to do with your browser
• Ad-blockers and anti-trackers
• Internet search

Part 2

• Email
• DNS servers
• Virtual Private Networks – VPN

Part 3

• Windows 10/11 – the boss tracker and what you can do about it.

Part 4

• Fingerprinting you

I realize that some of these topics can be a hard for the non-IT / computer oriented person and I write this article with those end-users in mind, not an IT professional audience. There are very many options, settings, and tools one can use but in this article I’m going to restrict it to just a few of the biggest-bang-for-your-buck changes, those things we should all be able to implement without too much IT knowledge. After all, we have day jobs.

Fingerprinting You

So you’ve installed a virtual private network, an ad-blocker, and other privacy tools and add-ons like Privacy Badger. And you run a privacy oriented browser like Brave. What else is there to be concerned about? Well it’s called “fingerprinting” and it works like this; when you visit a website your browser actually provides the website with a lot of information about your computer hardware, operating system, browser details, IP address (of course), and so forth. All provided under the defence that it’s all anonymous. But is it?

It’s possible to combine all the various bits of information that your browser so willingly provides to websites (without you actually being asked if that’s OK) into a “fingerprint” of you, or to be more accurate, of your computer. Now how unique this fingerprint is depends on how unique or common you’re configuration is in respect of hardware and software. Probably the most unique bit of information will be your IP address and hopefully using a VPN and/or other public IP address resolves that to a degree.

Side note: obviously if you keep using the same VPN IP address or the same public IP address then it will become associated with your computer (but not exclusively so) and will be more useful to an inquisitive website than a totally random IP address on each visit.

What is the purpose of this fingerprint? If websites can identify the computer that  is visiting them then a profile of the computer user’s  interests and surfing habits can be created and used to improve your website experience and target adverts to you, in the least nefarious case,  or track you and record your surfing habits for possibly more nefarious reasons. The debate should not, however, be about to what purpose your surfing habits or profile might be used; it’s the fact that you are being profiled in the first place and your information taken without your permission and used for profit or who knows what.

Real world example; even if you do not have a Facebook or Twitter or Gulag or similar account they still have a profile about you. How? Well one technique is via all those “Login with Facebook or Twitter or whatever” buttons you see on websites or the “Like with Twitter or Instagram” buttons. You think these are for your convenience? LOL! No, these buttons allow FB, TWTR, GOOG, Instagram, etc. to create cookies/tracking files associated with your computer fingerprint even though you are not on their website and regardless of whether you have an account with them or not. Think about that for a moment; even if you have never visited Facebook’s website (or any of the big tech company’s websites) and have no account with them they still have a profile related to you based on your computer fingerprint disclosed via the browser to 3^rd party websites…

These tracking files, associated with your computer fingerprint, can then be used as you move from website to website to website,  to build a profile and record of your surfing; which sites, how often, how long, activity on the site, what you looked at, what you ignored, what you searched for, etc. Side note: the Firefox Privacy Badger add-on removes these Facebook, Twitter, Gulag, etc. tracking buttons and replaces them with placeholders which you can re-activate on a case by case, personal choice basis. However, Privacy Badger cannot protect you if you chose to directly access the websites of those companies like Google Search.

What is the extent of the data that your browser reveals about your computer to the websites you visit? Better sit down for this next part – here is an example taken from my test machine:

IP Address:                                                   REDACTED but was correct

Country:                                                        (US) United States

Region:                                                          REDACTED but was correct

City:                                                                REDACTED but was wrong – ISP lookup mistake

ISP Name:                                                      REDACTED but was correct

Your Browser User Agent String:              Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0

Operating System:                                       Microsoft

Platform:                                                       WinNT

Internet Browser:                                        Firefox 104.0

Beta Version:                                                No

Connection Speed:                                      7.79 Mbps

Restrictive Firewall:                                     Yes

Local Date/Time:                                         18/09/2022, 13:20:24

Language:                                                      English

System Language:                                        Not detectable with this browser

User Language:                                            en-us

Popups Blocked:                                          Yes

SSL Support:                                                 Yes

SSL Enabled:                                                 No

Style Sheet Support:                                   Yes

Supports Tables:                                          Yes

Table Cell BG Colors:                                   Supported

Table Cell BG Images:                                 Supported

CDF Support:                                                No (Channel Definition Format)

Color Depth:                                                 16.77 Million Colors (24-bit True Color)

Supports GZip:                                              Yes

Supports Cookies:                                        Yes

Cookies Enabled:                                         Enabled

Supports JavaScript:                                    Yes

JavaScript Enabled:                                     Yes

JavaScript Version:                                      1.5

JavaScript Build:                                           Not detectable with this browser

Supports VBScript:                                       No

Supports ActiveX:                                         No

ActiveX Enabled:                                          No

Supports Java:                                              Yes

Java Enabled:                                               No

Java Vendor:                                                 Java N/A (requires Java plugin, not available)

Java Version:                                                Java N/A (requires Java plugin, not available)

MS JVM Build:                                              Not detectable with this browser

Supports DHTML:                                        Yes

Supports Uploads:                                       Yes

Supports Frames:                                        Yes

Gecko Engine:                                              Yes

Screen Dimensions:                                    REDACTED but was correct

Browser Dimensions:                                  REDACTED but was correct

Supports IFrames:                                       Yes

Images Enabled:                                          No

PNG Support:                                               Yes

XML Support:                                               Yes

MS XML Parser:                                            Not detectable with this browser

Background Sounds:                                   Not Supported

Supports MouseOver:                                Yes

Windows Installer:                                      0

.NET CLR Installed:                                      No

MS Media Player:                                        Not installed

Apple QuickTime:                                        Not installed

RealPlayer:                                                    Not installed

Adobe Acrobat:                                            Not installed

Adobe SVG Viewer:                                     Not installed

Macromedia Flash:                                      Not installed

Macromedia Director:                                Not installed

Macromedia Authorware:                         Not installed

Citrix:                                                             Not installed

iPIX Image Viewer:                                      Not installed

Crystal Reports:                                           Not installed

Viewpoint:                                                    Not installed

Autodesk MapGuide:                                  Not installed

NetMeeting Build:                                       Not detectable with this browser

Using PDA:                                                    No

WAP Support:                                              No

Proxy Connection:                                       No

Font Smoothing:                                          No

Font Sizing:                                                   Yes

IE Text Size:                                                   Not detectable with this browser

Fonts Installed:                                            Not reported

Wow! It should be obvious that the more bits of information that the browser offers up the more device-specific a fingerprint can be created to track you. Some of the information is useful for a website to know simply for providing a better browsing experience, such as whether your browser supports Java or not. A website can alter its operation depending on what your browser and hardware can actually support. But some of the other information … hmm!

If you want to try this for yourself the website link is: https://mybrowserinfo.com and then click the hyperlink for the detailed report.

In a previous article I mentioned the Privacy Badger add-on for Firefox from the Electronic Frontier Foundation. They offer a website which inspects all the information your browser provides and calculates the uniqueness of your signature.

The analysis shows 3 key results which are:

• Whether you are blocking tracking ads
• Whether you are blocking indivisible trackers
• Whether you are protected from fingerprinting.

Below these 3 key results is an analysis of individual bits of information provided by your browser and how useful they are in creating a fingerprint. They do this by assigning a “Bits of Identifying Information” value to each bit of data the browser discloses.

A review of this report shows that some bits of information provided by a browser are obviously more identifying than other bits. For example, many people might use Firefox or Brave but relatively fewer might have a 2560×1440 pixel HD screen. Many people might be using Windows but relatively fewer will be using the Chromium operating system. It’s the combination of these bits of information which creates a fingerprint and the more unusual or rare each bit of information is the more unique the fingerprint becomes and hence the more identifiable the computer you’re using.

The website can be found using the following link. Click the “Test Your Browser” button to start the analysis: https://coveryourtracks.eff.org

What can be done? There are at least 3 solid steps one can take. They are:

• Use the add-ons I have previously written about, namely uBlock Origiin and Privacy Badger, or an equally good alternative.
• Add the NoScript add-on to prevent scripts running in the web pages you visit. If you are not using Firefox you can use the uMatrix add-on which is cross-platform and will work on most any Chromium based browser. Warning: this may prevent some websites from not working correctly but you will have the option to allow/disallow a website so you can whitelist any website you trust.
• There is another very powerful add-on called Trace, read on …

Hampering the Fingerprinters using the Trace Add-on

Below I copy the text from the Trace add-on page under Firefox:

Trace is an advanced extension that can protect many different types of browser fingerprinting such as Canvas/Audio/WebGL Fingerprinting. Trace also offers URL cleaning and header editing features such as the tracking cookie eater and Google header remover.

Trace is an extension to stop multiple advanced tracking techniques employed by websites all over the web.

Trace provides the following features:

• Canvas Fingerprint Spoofing
• Audio Fingerprinting Protection
• WebGL Fingerprinting Protection
• JS Crypto Currency Mining Domain Blocking
• WebRTC IP Leakage Protection
• WebRTC Device Enumeration Protection
• Client Rects Protection
• Screen Resolution Spoofing
• User-Agent Spoofing
• Battery API Spoofing
• Browser Plugin Fingerprinting Protection
• Hardware Fingerprinting Protection
• Beacon/’Ping’ Request Blocking
• Blocks Malicious Top Level Domains
• Hyperlink Auditing Prevention
• HTTP Referrer Header Controls
• Chrome Header Tracking Controls
• E-Tag Tracking Mitigation
• Removal of URL Tracking Parameters
• Removal of specific Tracking Cookies

It has a 4.3 star rating under Firefox and is used by 34,000+ users. Not bad and quite a good recommendation. However a warning: this may prevent some websites from not working correctly but you will have the option to allow/disallow a website so you can whitelist any website you trust.

This add-on can mask or otherwise provide false information about your set-up, for example, you can tell it to provide a fake and randomized screen resolution. It is very powerful but can break some websites. For example, I like to read articles on Seeking Alpha, the investing research website, but it will not load properly if I use Trace. Fortunately it is quite easy to add a website to Trace’s whitelist and all works fine again. So if you use this add-on (or the NoScript add-on) be sure to familiarize yourself with how to whitelist websites you need or trust. Tip:  I would definitely disable this add-on for all online banking websites and shopping websites which require online payment. You don’t want to prevent those payment systems from working properly and many need scripts to run and/or cookies/tracking files. For these websites it is better to just clear your browser cache whenever you are finished with browsing for the day.

How to apply Whitelist Security

The correct approach to take when dealing with whitelists and blacklists is to default to blocking websites from being able to run scripts and the like. In other words, by default you do not trust a website. Then one by one you whitelist the websites you do trust. The downside is that there will be an initial period during which some websites you visit don’t work until you whitelist them but this is  a more secure approach than defaulting to all whitelist and manually adding the ones you don’t trust to a blacklist.

For those with an interest in reading further this article is quite informative with various links and tests you can do. The website also provides a lot of research and discussion about online privacy and security: https://vpnoverview.com/privacy/anonymous-browsing/browser-leak-test/

Thank you for reading. There might be Part 5 depending on interest. And remember, if you’re using a service for free on the internet then it’s probably you that’s being sold.

-----------------------------------------------------
It is my sincere desire to provide readers of this site with the best unbiased information available, and a forum where it can be discussed openly, as our Founders intended. But it is not easy nor inexpensive to do so, especially when those who wish to prevent us from making the truth known, attack us without mercy on all fronts on a daily basis. So each time you visit the site, I would ask that you consider the value that you receive and have received from The Burning Platform and the community of which you are a vital part. I can't do it all alone, and I need your help and support to keep it alive. Please consider contributing an amount commensurate to the value that you receive from this site and community, or even by becoming a sustaining supporter through periodic contributions. [Burning Platform LLC - PO Box 1520 Kulpsville, PA 19443] or Paypal

-----------------------------------------------------
To donate via Stripe, click here.
-----------------------------------------------------
Use promo code ILMF2, and save up to 66% on all MyPillow purchases. (The Burning Platform benefits when you use this promo code.)

Click to visit the TBP Store for Great TBP Merchandise