How to obscure your Web Browser and keep a comfy experience

[Update 2018]

This guide still holds up. Read it after having read the browser stuff on https://www.privacytools.io/, and then test with https://panopticlick.eff.org.

The only news is that we now have the Brave browser (which I love because it (auto) pays content creators you visit with your BAT crypto wallet) and Firefox Quantum.

But these browsers trim ad fat; they don’t help you with privacy to any useful extent. Use them only if you can install the extensions and tweaks I wrote about below.


TL;DR: “Just use a VPN, HTTPS, and adblock. That should do it!” - Except it doesn’t. At all. Here are proper resources on tracking, fingerprinting, and convenience, and what it takes to actually pass tests on not being 100% insecure in your browsing.

[Edit] You can just use Tor Browser as shu_kaze said, but that is “safe” mainly because it turns off javascript. If you want a comfy experience, whichever browser you use, read through this guide; the changes here should include everything Tor browser has + a lot of extras to deal with js and html5 etc…

Step 0. USE A VPN

Always. Unless you can’t score headshots, in which case turn it off, but also turn off your browsers.

IMPORTANT: If you ever browse without a VPN on that same browser, and your browser can be fingerprinted + your real location is known (and the fact that you’re not using a VPN is also known (which it will be)), then all you’ve ever done or will do with that browser (fingerprint) through the VPN can/will also be known.
This also applies to Tor Browser or VPN + Tor: if you’re fingerprinted, it doesn’t matter that they (probably) don’t know where you are (now).

IMPORTANT#2: (thanks Meggerman) Sometimes when using a VPN, the browser-based (video) chat protocol WebRTC is going to divulge your actual local IP. Use Disable WebRTC (firefox/palemoon) or WebRTC Leak Prevent (chrome/opera).

IMPORTANT#3: Make sure your VPN client helps protect you from DNS leaks, and that it turns off your network adapter if/when/while you lose connection to the VPN.

If you’re not using a VPN, at least use a custom DNS server (OpenDNS, Google DNS) or https://dnscrypt.org/ .


Step 1a. PICK A BROWSER

One that isn’t already caressing your buttocks and licking your ear:

  • Palemoon. (a privacy-oriented Firefox) (which you can customize to look better than anything)
  • Opera (chromium based but safer; chromium is still chrome, still has an advertising id).
  • wget.

Step 1b. Try a Portable version

I don’t really notice drawbacks and the benefit is that you can use them like virtual machine sandboxes: configure your portable browser and then save it to an archive. When you must use websites that don’t work unless you allow them and their 3rd parties to track you (e.g. glassdoor), extract a new browser for it.
Also, malware will typically only find your browsers if they are installed and in the registry.

Step 1c. ALWAYS use multiple browsers

Seriously. Do step 1b… Here’s why.

  • Have one browser for authenticated browsing (e.g. gmail, facebook).
  • Have another browser for non-authenticated stuff, google / search, youtube, reddit. - this can be Tor Browser. Tor can also handle authenticated pages, as long as they are https - so that eventual malicious exit nodes don’t get your passwords (they will still see which https site you visit).
  • Have a Chromium only for secure official stuff like banking, and only log in to one bank site at a time.
  • Have another one for p0rn.
  • Have another one for the real pr0n - the first was just a decoy in case your gf/bf wants to see or finds it.
    Needless to say never log in to fb on your p0rn browser or vice versa. And for ex don’t log in to Google on one browser and Alphabet on another browser (cross-browser scripting and tracker merging). Etc.

Step 2. BROWSER SETTINGS

Set them. E.g. set Do Not Track, disable third party cookies, clear all data on exit, you know the drill.
Remember you can set firefox/palemoon and opera to disable or delay loading of background tabs.

Disable browser plugins and plugin enumeration:
You don’t want the (built-in) Flash plugin or the Java plugin to list all your system fonts, and your browser to list your plugins.
You can also play with the config flags in order to enable or disable some (privacy) features.

Clear all types of cache regularly or prevent local data from being set. According to ip-check.info “Websites may mark arbitrary pages on page load. Thereby, so-called e-tags are used. As long as the respective site remains in your browser cache, the mark is sent on any new request to the website again.” - so they know it’s you even if you’ve changed your user agent string.
Try something like ClearCache (chrome/opera). In firefox/palemoon you can go to about:config and set browser.cache.offline.enable = false.


Step 3. SEARCH ENGINES

  • Use search.disconnect.me - You can choose between Duckduckgo, Bing, and Yahoo. It used to support Google, but google blocked them this year (they are working on a solution). It works securely for images, and tells you if/when something won’t be secure, like Bing Maps.

  • Alternative: use Startpage. It is an anonymous search engine wrapper just like search.disconnect.me. This one works for Google but has slightly outdated results.

If you can’t set them as default searches in your browser, you can either get the search engine’s extension that does it, or do something like assign a character like “/” as a search-switcher shortcut for the address bar.


Step 4. EXTENSIONS

This is the juicy part.

Install Chrome extensions in Opera.
List of helpful links for Palemoon-compatible extensions (e.g. privacy badger v1.1).

  • uBlock Origin - best adblocker, can also fix WebRTC ip leak.
  • Privacy Badger. (learns what’s tracking you and throws badgers at it until it’s badgered away permanently)
  • Disconnect (firefox/palemoon), Disconnect (chrome/opera) - a better, open source, Ghostery. Strips a lot of known trackers from visited pages, speeds up loading.
  • Decentraleyes (firefox/palemoon). [TODO: Find chrome/opera alternative!]. - replaces web-hosted resources (like google scripts) with locally cached versions so you don’t get tracked through others seeing which external resources you’re loading when visiting a page.
  • Self Destructing Cookies (firefox/palemoon). [TODO: Find chrome/opera alternative].
  • Random Agent Spoofer (firefox/palemoon) or Random (Hide) User-Agent (chrome/opera). Use to disable or randomize your browser’s features.
  • RubberGlove (chrome/opera) and a Violent Monkey (chrome/opera) or Greasemonkey (firefox/palemoon) script. This is to prevent fingerprinting with fonts, plugins, other mime types.
  • NoScript or ScriptSafe or Just Disable Stuff. - will disable some of the js, which is always good, but this guide aims to pass panopticlick (almost as well) even without disabling js.
  • HTTPS Everywhere (chrome/opera), HTTP Nowhere (firefox/palemoon).
  • CanvasFingerprintBlock (chrome/opera), CanvasDefender (firefox), CanvasBlocker (palemoon) - replaces, randomizes, or removes the Hash of Canvas and Hash of WebGL fingerprinting while keeping WebGL / HTML5 Canvas functionality.
  • WOT: Web of Trust

Nice to have extensions:

  • Certificate Patrol (firefox/palemoon). [TODO: find chrome/opera alternative] - shows you when SSL (HTTPS) certificates change while browsing, to figure out if anybody’s slipping you a bogus certificate.
  • Terms of Service; Didn’t Read
  • Omnibar for firefox/palemoon.
  • Tabs Outliner (sorts your windows and tabs in groups and trees)
  • The Great Suspender (suspends inactive tabs)
  • Greasemonkey, ViolentMonkey, Firebug etc (inject or change scripts)
  • Stylebot or Stylish (set custom css for webpages, share with others)
  • Enable Right Click
  • vGet Extension (Video Downloader, DLNA caster)
  • WhatFont
  • FB Purity
  • Katamari Everywhere (naaa nanana nana na na)

Obviously go ahead and whitelist Teksyndicate, because they’re not evil/idiots.


Step 5. FINGERPRINTING

Most of the extensions above block or manage domains, the locally set data, and cross-domain tracking. So now, for example, Facebook doesn’t know what you visit on your favourite news site.

But you can still be identified with your browser’s User Agent string data, and based on its available (or unavailable) features / plugins, and if js is on, even tiny things like how it renders a specific font on an HTML5 canvas will contribute to ID-ing you.

So let’s test your browser for how hard it is to identify you:

HAHAHAHA, YOU FAILED. In the results page, expand the “fingerprinting” table. The way panopticlick works is that if the column of “bits of identifying information” sums up to around or greater than 32.6, then you are ~100% fingerprinted.

Or did you?
If you used a NoScript extension and if you used a RandomAgentSpoofer extension and configured it to randomize enough things, then it will show as identified, but check the Values - it’s not you.

If javascript is on then plugins will be on (or plugin availability querying will be on) and the System Fonts section and Browser Plugin Details sections will get filled up good. But if you used this guide your plugins should show “undefined”. And the fonts will be limited to the default OS fonts (will exclude your own fonts but will “prove” that you are on your actual OS family and that you’re somehow definitely lying (by using RAS)).

YOU ARE WELCOME. Now you’re reasonably safe from everything other than resourceful and very targeted attacks (e.g. good old fashioned digital police work). And remember kids, just because you’re paranoid, it doesn’t mean they’re not behind you trying to lick your ear.

Say if you have anything to add or change and I’ll probably update this post.

For Android I recommend always-on Orbot, running as a system-wide VPN (root required) - but remember that a malicious exit node will see your password if what you used didn’t have SSL. Using any chat app other than Signal will get you located. Use XPrivacy and McAfee’s Devasive. Generally, apps will know your phone’s IMEI and/or Serial and/or Android ID and/or Advertising ID. You can spoof the latter 2 but not the first 2 unless you’re really good (if at all possible). And if they have these it won’t matter what other attempts you make to stay private. You can try AFWall+ to force all apps to go through the VPN, but if it cocks up once, all you’ve ever done in the cockup location will be revealed. Also remember the mass StingRays. But this is for a different post altogether.


Additional reading:


Do you guys know of any extensions that prevent fingerprinting via your keypresses and mouse movement? (press rate and press patterns, move patterns)

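How the “bits of identifying information” column in Step 5 comes out, as an added example (not code from the original post or from any of the extensions it names): a Panopticlick-style surprisal calculation over a constructed browser population, comparing a stock browser with one set up per this guide. All counts, labels and hashes are made up.

```javascript
// Added example, not code from the original post; every count, label and hash below is constructed.
// Per attribute: observed value -> browsers in the sample showing it. Each attribute sums to 1023
// so that, with the tested browser added, the population is 1024 and bit counts are whole numbers.
const POPULATION = {
  userAgent:  { "Firefox 45 / Windows": 511, "Chrome 48 / Windows": 255, "Chrome 48 / Mac": 127,
                "Safari 9 / Mac": 63, "Firefox 45 / Linux": 31, "(other)": 36 },
  plugins:    { "Flash, Java": 511, "undefined": 255, "Flash": 127, "Java": 63,
                "Flash, Java, Silverlight": 31, "(other)": 36 },
  fonts:      { "default OS fonts": 511, "default + Office": 255, "default + Adobe": 127, "(other)": 130 },
  canvasHash: { "c0ffee01": 511, "c0ffee02": 255, "c0ffee03": 127, "c0ffee04": 63, "(other)": 67 },
};

// "One in N browsers share this value", as log2(N) bits. The browser under test is counted in
// the population, so a value never seen before scores 1 in (total + 1), the attribute's maximum.
function surprisalBits(counts, value) {
  const total = Object.values(counts).reduce((a, b) => a + b, 0);
  const seen = Object.prototype.hasOwnProperty.call(counts, value) ? counts[value] : 0;
  return Math.log2((total + 1) / (seen + 1));
}

// Sum the bits over all attributes. 32.6 bits is log2 of roughly 6.6 billion: enough to single
// out one browser per person on Earth, which is the bar Panopticlick uses.
function fingerprintReport(fingerprint, population = POPULATION, threshold = 32.6) {
  const rows = Object.entries(fingerprint).map(([attr, value]) =>
    ({ attr, value, bits: surprisalBits(population[attr], value) }));
  const totalBits = rows.reduce((sum, r) => sum + r.bits, 0);
  return { rows, totalBits, identifying: totalBits >= threshold };
}

// Two visits can be linked by fingerprint alone only if every attribute matches.
function linkable(visitA, visitB) {
  return Object.keys(visitA).every((k) => visitA[k] === visitB[k]);
}

// Stock browser: exact UA build, rare plugin set, personal fonts, stable canvas hash.
const STOCK = { userAgent: "Chrome 48.0.2564.109 / Windows 10", plugins: "Flash, Java, Silverlight",
                fonts: "default OS fonts + 212 personal fonts", canvasHash: "deadbeef" };

// Browser set up as in the guide: spoofed common UA, plugins hidden, default fonts only, and a
// canvas hash that a CanvasBlocker-style extension randomizes per page load (passed in per visit).
const hardenedVisit = (canvasHash) =>
  ({ userAgent: "Firefox 45 / Windows", plugins: "undefined", fonts: "default OS fonts", canvasHash });

console.log(fingerprintReport(STOCK).totalBits);                     // 35 bits: identifying
console.log(fingerprintReport(hardenedVisit("7b1e90aa")).totalBits); // 14 bits, 10 from the random canvas
console.log(linkable(STOCK, STOCK), linkable(hardenedVisit("7b1e90aa"), hardenedVisit("e4c27d03"))); // true false
```

The randomized canvas hash still scores the maximum bits on every visit, which is the “it will show as identified, but check the Values - it’s not you” effect: the number is high, but the value differs per visit, so the visits don’t link.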

Maybe the title should say how to obscure instead of how to secure, other than that nice post


You're right, there's not such a thing yet as "secure your browser". And thanks.

There's two ways to actually secure your browser (and avoid fingerprinting):

  • Do what John McAfee was trying to do with D-Central.
  • Or gather a lot of benevolent talented devs to write a new mega chameleon browser that complies to all standards of all browsers and is capable of constantly randomizing any and all parameters and tests that contribute to uniquely identifying you.

[Edit] Actually, I verified that you can already do #2 (somewhat) with the extensions I listed.


Just felt picky since security and privacy are two different things lol

Idk. These days I'd say one includes the other.

I don't know if you're either joking or making it harder than it needs to be for an average joe to secure their browsing habits with moderate security, but I'll humour you and provide a much easier solution compared to your own provided:

  1. Get VPN
  2. Run Tor Browser (This includes backend settings and plugins already optimized)

You're welcome.

How to obscure a browser in 15 seconds.

1: Download DOSBOX
2: Configure networking
3: Download IE 3
4: ?????
5: Profi--- Obscurity!

.......That was really stupid and I apologize.


@FaunCB - you made me choke on my coffee I lol'd so hard


Quick update: I ran some SCIENCE, and found that you're pretty much untracked and obscured with the extensions I listed. (tested in palemoon (firefox))

Your behaviour will still be tracked within the website you're currently on (e.g. google) for the session (or user), but they can't fingerprint your user agent, and if you have a vpn they can't know where you are either.

That's the basic version.

Didn't mention VPN because just like the name 'PIA' it can be a 'Pain In the Ass' and it costs money and that goes on your transactions list at your bank, so it may only stop ISP snooping.

If you do use a VPN don't forget WebRTC.

I use adblock plus and privacy badger in chrome or chromium and that's it. Both extensions are open source and seem to work well.