Is firefox really private?

Photosynthesisdog · March 1, 2016, 8:12am

Firefox is a good platform for privacy-conscious browsing, but it's not geared for privacy out of the box.

The "do not track" setting is a farce, you're probably better off not setting it.

Without going into the details of each extension, I use NoScript, Cookie Monster, Request Policy, uBlock Origin, HTTPS Everywhere and Random Agent Spoofer to reel in the browser's behaviour. By using the former three in a whitelist configuration, you can explicitly manage permission to execute scripts, store cookies and send HTTP requests, much in the same way you explicitly give permission to contact a server when typing a URL into the address bar.

Encryption serves to guarantee that nobody but the intended recipient can decode your traffic, but HTTPS Everywhere is not really an encryption tool as it does not guarantee encryption. Also, Firefox uses your system's DNS settings so your DNS has to be secured separately. Therefore, beware what, and to whom, you send.

It shouldn't have to be said, but none of this protects you from explicitly sending personal information to parties wishing to exploit it. For example, it doesn't prevent you from explicitly supplying Google with your life story through their search engine.

If you want anonymity, it must also be provided separately. Servers you contact know your IP address, which can be used to either build a profile on you (marketers like Google do this) or uncover your identity through legal action. If this is an issue for you, a VPN or Tor can be used to provide anonymity if used carefully.

The FOSS nature of Firefox and its active ecosystem probably makes it the best choice for private browsing, but the same could be possible for other browsers. Just make sure to use a FOSS browser as your base platform.

HK-47 · March 2, 2016, 2:19am

Nope, but what it provides is plausible deniability.

Photosynthesisdog · March 2, 2016, 3:10am

It clearly does not. There's a variety of VPN protocol configurations in use but none of them pretend to be anything but encrypted traffic.

Screamapillar · March 3, 2016, 2:07am

Let me put it this way, I don't care because I have better things to worry about than someone snooping in on my stuff. I also don't yet possess the capacity to understand all there is to know about Security. So until then, I'm going to worry less. Now if I had actual confidential stuff coming from a company and I was actively developing something, or giving input into a secret project of sorts, then I would be more apt. You can't plug every hole in a sinking ship.

As for your question, nope. I don't want to have the government sniffing up all data, and same goes for would be criminals digging into my accounts. However, all this argument is about balancing convenience and security. I prefer to be more lax in my home environment.

Cameron69 · March 3, 2016, 7:25am

i don't think so. Don't trust on it.

HK-47 · March 3, 2016, 9:54pm

I'll just leave this here

Over the last 16 months, as I've debated this issue around the world, every single time somebody has said to me, "I don't really worry about invasions of privacy because I don't have anything to hide." I always say the same thing to them. I get out a pen, I write down my email address. I say, "Here's my email address. What I want you to do when you get home is email me the passwords to all of your email accounts, not just the nice, respectable work one in your name, but all of them, because I want to be able to just troll through what it is you're doing online, read what I want to read and publish whatever I find interesting. After all, if you're not a bad person, if you're doing nothing wrong, you should have nothing to hide." Not a single person has taken me up on that offer.
- Glenn Greenwald, Why privacy matters

Walter · March 3, 2016, 10:00pm

I could not have said this any better.
Now give me your password.(kidding)

Screamapillar · March 4, 2016, 5:17am

Honestly, I wouldn't give a damn if Glenn went through and published my stuff. I do not have enough going on in my life to care. All you guys talk is prevention, when security/privacy itself is a revolving door. What we really should be focusing on is crafting laws for our government that punishes ad agencies from targeting, and keeps the NSA off our networks. Including foreign state agencies. I've looked through all the steps taken, it is not worth to hassle to have a second job monitoring your own network. If someone really wants in, they'll find a way. You can all keep your tin foil hats and beards.

Walter · March 4, 2016, 5:24am

Then can I have all your passwords?

Screamapillar · March 4, 2016, 5:27am

No, I rather it be Glenn.

Walter · March 4, 2016, 5:29am

So then you do care about your privacy...

Screamapillar · March 4, 2016, 5:32am

Oh my christ dude. You are using an all or nothing argument. If I don't use your special tools, I'm fucked. That's what all of your are saying. I'm done arguing. Everyone has their own set of security measures to take. I'm not going to go above and beyond, because you don't think it is enough.

HK-47 · March 4, 2016, 11:58pm

OK, send them to Glenn then. Please screenshot the email and post the pic here.

cam.bankord · March 5, 2016, 12:42am

I never ever ever ever use firefox. I find it very slow and buggy.

Chrome with a vpn and tor running is more than enough privacy.

You don't need all those crappy addons cluttering your screen.

Walter · March 5, 2016, 2:13am

Even while using a VPN your Public and Private IP address can be seen.
WebRTC is a new communication protocol that relies on JavaScript that can leak your actual IP address from behind your VPN.

WebRTC IP Leak Test - Is your IP address leaking?
Test your browser and let me know your resultings while using your VPN.

How to fix the WebRTC Leak in Google Chrome?
From my understanding there isn't a fix.

cam.bankord · March 5, 2016, 2:36am

TOR encrypts your communication further. It has no idea who I am and doesn't have my IP address. WebRTC only has my vpn ip address and the local IP address is totally wrong.

Sudo service tor start

sudo service tor status

Walter · March 5, 2016, 2:40am

You did not mention that you use TOR as well.

cam.bankord · March 5, 2016, 2:47am

Yeah I wasn't so sure at first that it was working. So I disconnected my VPN and TOR and then went to the web rtc. I got the correct info.

I then shut down my browser, connected to my VPN and then connected to TOR. The information on both were totally different afterwards. So it works.

I'm using PIA as my vpn.

There's also proxychains that can be added onto this which will even further anonymize yourself, although professionals say that if you use a limited set of proxies, it can harm your security. Proxychains are expensive because you want to use good ones and they cost $, so it can cost upwards for $40 - $60 / month for unlimited bandwidth and something like 10,000 IPs SOCS5.

It's also worth noting that you should be connecting to VPN first and then TOR because if you do it the other way around, it will flag your ISP that you're using TOR. You should also shutdown tor before you disconnect your VPN. Just little rules you have to remember when you use this method.

It's not that using TOR is illegal, it just looks suspicious and your ISP will scrutinize your traffic more.

Photosynthesisdog · March 5, 2016, 9:16am

This is simply not true. There's a reason governments are so fervently anti-cryptography - strong cryptography is a force of nature that even the most powerful entities in the world cannot break. It is mathematically proven. Security/privacy is not a "revolving door" and it's no longer a cat-and-mouse game as software implementations have caught up with the theory.

If everyone used cryptography (and with the wide adoption of HTTPS during the last decade, despite its flaws as deployed today, everyone already is) then it puts less pressure on those who really need it, such as journalists and political activists. Others, who simply wish to protect their privacy without walking the path of the luddites, can also employ strong cryptography. Nobody is forcing you to use it, but it is a new power waiting to be harnessed by anyone who is willing.

Yes, others may still compel you to reveal critical information like passphrases using the threat of violence. But the threat of violence is a giant leap from eavesdropping or simply reading your digital storage without your permission; it shifts the power balance significantly in your favour.