Jump to content
Not connected, Your IP: 3.145.56.150
Laelly

browser configuration to be anonymous

Recommended Posts

hello!

 

I was wondering, is there any configuration to run a browser anonymously? such as firefox extensions etc?

Share this post


Link to post

You can consider the following extensions:
Adblock Plus

Ghostery (with Ghostrank DISABLED)

HTTPS-Everywhere

HTTPS Finder

NoScript

RefControl

Ultimately, your privacy will probably be broken by your own actions. You must ensure that you keep yourself anonymous - no personal information to be sent, do not share accounts between VPN IP and non-VPN IP, etc.

Share this post


Link to post

Fingerprint tracking: https://panopticlick.eff.org

Cookieless cache tracking:  http://lucb1e.com/rp/cookielesscookies/

 

One more Firefox addon suggestion: 

"Secret Agent", constantly rotates user agent string and spoofs several other headers

https://www.dephormation.org.uk/index.php?page=81

 

It is very difficult to stay anonymous / untrackable with a regular browser. If you are really serious about this topic, there is no way around using Tor Browser, in my opinion.


all of my content is released under CC-BY-SA 2.0

Share this post


Link to post

Agreed with above,  you may also want to try whonix

 

It runs through the tor network. 

 

Most will add those extensions/addons for firefox and make do with that,  if you do want to be extra anonymous and private as possible then whonix is a step further,  this way you kinda have a firefox browser with addons/extensions for most of daily and low to medium anonymous levels,  then when you want high anonymous then whonix or tor.

 

Check here for more info on browsers and addons etc ( near top of page where it says browsers/addons etc)

http://prism-break.org/

Share this post


Link to post

I was wondering, is there any configuration to run a browser anonymously? such as firefox extensions etc?

JonDoFox is the most thorough way of browsing the web anonymously. You do not have to use their recommended JonDo proxy cascade. Instead you can switch to "No Proxy" and use it with a VPN provider of your choice.

 

"JonDoFox is a profile for the Mozilla Firefox web browser particularly optimized for anonymous and secure web surfing."

https://anonymous-proxy-servers.net/en/jondofox.html

Share this post


Link to post

Considering the way networks technically work, nothing is truly anonymous, however you can make it more difficult to be tracked/spied on. If youre going to use tor make sure you configure it with bridges to make it a bit more difficult for your ISP to see youre using it, and use airvpn with it.

 

Use https://startpage.com search engine, Google is a privacy nightmare.

DuckDuckGo.com does well too.

 

 

Type in Firefox/Iceweasel/etc web address bar:

about:config

Change settings to these:
browser.safebrowsing.enabled= false
browser.privatebrowsing.autostart=true
browser.safebrowsing.malware.enabled=false
datareporting.healthreport.uploadEnabled=false
dom.event.clipboardevents.enabled=false
dom.storage.enabled=false
geo.wifi.uri=127.0.0.1
network.cookie.cookieBehavior=1
network.cookie.lifetimePolicy=2
network.dns.disablePrefetch=false
network.http.sendSecureXSiteReferrer=false
network.prefetch-next=false
privacy.donottrackheader.enabled=true
privacy.donottrackheader.value=1
toolkit.telemetry.enabled=false
media.peerconnection.enabled=false
network.proxy.socks_remote_dns = true

browser.search.suggest.enabled = false
layout.css.visited_links_enabled = false
network.http.sendRefererHeader = 0
geo.enabled = false
browser.display.use_document_fonts = 0

 

Try to have a common fingerprint for your browser:
http://panopticlick.eff.org

 

Add ons:

 

HTTPS everywhere

NoScript

Cookieculler

RequestPolicy

Modify Headers

AdBlock Plus

Certificate Patrol
User Agent switcher

Mafiaa redirector

Better privacy

 

Peerblock controls who you talk to on the web, and filters crap you don't want.
www.peerblock.com

 

Human error will easily bypass all this. Don't forget.

Share this post


Link to post

Noobie question: I've disabled geolocation on my browser, and media.peerconnection to deal with WebRTC...... Just wondering though what things are gonna break if all these other changes to the browser are made....

Share this post


Link to post

Noobie question: I've disabled geolocation on my browser, and media.peerconnection to deal with WebRTC...... Just wondering though what things are gonna break if all these other changes to the browser are made....

 

These can cause issues on 'some' sites. - not many but some. If you have issues these 3 are the ones I would look at first.

 

network.http.sendRefererHeader 0

network.http.sendSecureXSiteReferrer false

dom.storage.enabled false   -> I would never leave this on, but there are a handful of what I consider safe sites that use it. So I'll enable it for a bit then dsable it again.

 

I use the above settings but it took some trial and error to figure out what settings were hosing the sites I was having issues with.

 

 

These are pretty much worthless because 99% of the worlds websites don't give a crap about these settings.

privacy.donottrackheader.enabled

privacy.donottrackheader.value

 

I haven't tested this but it seems to start you in private browsing mode.

browser.privatebrowsing.autostart=true

Interesting concept. Might have unseen drawbacks, I don't know tbh.

Anyone worried about storing cache/cookies ect on disk should really look into using a ramdisk or tmpfs as the cache folder for firefox. -Or disable cookies and caching completely - which is safer.

 

Share this post


Link to post

i agree with tor broser, but unfortunately, is often blocked in many forums/websites.

 

BUT - the really cool thing is that you can still use the TOR browser bundle with TOR turned off.  This means the IP will be the same as your VPN or normal IP if you don't cloak.  However; all the special security configurations are still fully in place.  Items must don't think about like canvas fingerprinting, no script, etc.. are all conveniently assembled in the TBB package for your use.

Share this post


Link to post

I've used the suggested configuration in about:config, below, but whenever a plugin, or some update occurs in firefox, all revert back to default settings.

 

How do I prevent Firefox from resetting, or updating and changing these settings?

 

 

Type in Firefox/Iceweasel/etc web address bar:

about:config

Change settings to these:
browser.safebrowsing.enabled= false
browser.privatebrowsing.autostart=true
browser.safebrowsing.malware.enabled=false
datareporting.healthreport.uploadEnabled=false
dom.event.clipboardevents.enabled=false
dom.storage.enabled=false
geo.wifi.uri=127.0.0.1
network.cookie.cookieBehavior=1
network.cookie.lifetimePolicy=2
network.dns.disablePrefetch=false
network.http.sendSecureXSiteReferrer=false
network.prefetch-next=false
privacy.donottrackheader.enabled=true
privacy.donottrackheader.value=1
toolkit.telemetry.enabled=false
media.peerconnection.enabled=false
network.proxy.socks_remote_dns = true

browser.search.suggest.enabled = false
layout.css.visited_links_enabled = false
network.http.sendRefererHeader = 0
geo.enabled = false
browser.display.use_document_fonts = 0

 

Try to have a common fingerprint for your browser:
http://panopticlick.eff.org

 

Add ons:

 

HTTPS everywhere

NoScript

Cookieculler

RequestPolicy

Modify Headers

AdBlock Plus

Certificate Patrol
User Agent switcher

Mafiaa redirector

Better privacy

 

We do NOT use cookies to profile or track users.I understandMore information

Share this post


Link to post

hello!

 

I was wondering, is there any configuration to run a browser anonymously? such as firefox extensions etc?

 

​FIREFOX ABOUT:CONFIG

For all Firefox users out there, here is a collection of some useful about:config adjustments. For those who don't know what about:config is: it's like the heart of Firefox in which you
can change a lot of settings which are not reachable through the normal preferences. To access it just type about:config in you address bar and read the notification which might pop up. It
says that you should be careful, which is true because you can easily fuck up your whole Firefox if you don't know what you're doing.

However I tested the following changes and my Firefox 38 is still working. But I'd recommend to back up you firefox folder because in case anything goes wrong you don't lose any data. If you
have more about:config tips, list them here. It seems to include most of those outlined above.



SAFE FIREFOX 38 CHANGES i.e. won't cause major breaks in your system for those valuing privacy over security:

breakpad.reportURL;"" // default=https://crash-stats.mozilla.com/report/index/ We stop crashes being reported back to the mothership

browser.cache.disk.enable;false // disables caching on hardrive

browser.cache.disk_cache_ssl;false // same with ssl connections

browser.cache.memory.enable;false // same with cache in memory

browser.cache.offline.enable;false // same with offline cache

browser.fixup.alternate.enabled;false // disable URL keyword guessing

browser.formfill.enable;false // disables saving of form data

browser.menu.showCharacterEndcoding;false // hide encoding

browser.newtab.url;about:newtab // new tabs default to this string

browser.safebrowsing.enabled;false // disable Google Safe Browsing and phishing protection. Security risk, but privacy improvement

browser.safebrowsing. // change variables to another database to avoid google (.enabled to true)

browser.safebrowsing.malware.enabled;false // disables malware checking with Google service on downloded files. Security risk, but privacy improvement

browser.safebrowsing.malware. // change variable to another database in order to avoid google

browser.search.defaultenginename;"%" // name of default searchengine (must be installed; use Startpage SSL, Disconnect or other privacy conscious engine)

browser.search.region;"US" // remove home country and use most generic value available

browser.search.countryCode;"US" // ditto

browser.send_pings;false // stop websites from tracking visitors’ clicks

browser.send_pings.require_same_host; true // disable sending pings to 3rd party content hosts
    
browser.sessionhistory.max_entries;5 // history of each tab (back/forward buttons)

browser.sessionstore.resume_from_crash;false // prevent Firefox resuming a previous session before a crash

browser.shell.shortcutFavicons;false // prevent shortcuts being placed on desktop

browser.startup.homepage;about:newtab // homepage of browser (you could change to startpage.com etc)

browser.startup.page;1 // start up page of browser (1 = blank)

browser.urlbar.clickSelectsAll;true // to select the whole URL with a click on it

browser.urlbar.trimURL; false // don't trim "http://" prefix in location bar - you want all parts of url to show.

browser.zoom.siteSpecific;false // doesn't save zoom settings for specific sites

camera.control.face_detection.enabled;false // disable camera settings

content.notify.backoffcount;5 // limits page reloads while reciving data; speeds up the download time

device.sensors.enabled;false // disable any sensors

device.storage.enabled;false // disable sensor storage

dom.allow_scripts_to_close_windows;false //scripts cant close windows

dom.battery.enabled;false // fingerprinting due to differing OS implementations

dom.disable_image_src_set;false // disables image manipulation by scripts (note this can screw with various web games etc)

dom.disable_open_during_load;true // enables firefox built in popup blocker

dom.disablewindow* // different possibilities of scripts to modify the window

dom.event.clipboardevents.enabled;false // disable that websites can get notifications if you copy, paste, or cut something from a web page, and which part of the page had been selected

dom.event.contextmenu.enabled;false // disables website control over rightclick context menu

dom.popup_allowed_events // defines javascript events that are allowed to create popups

dom.storage.enabled;false  // can store per-session or domain-specific data as name/value pairs
on the client using DOM Storage.

experiments.enabled;false // we don't want any Mozilla 'enhancements' that sacrifice security for convenience

extensions.update.enabled;true // defines if extensions are checked for updates daily or not

geo.enabled;false // disables geolocation API to prevent websites from getting the exact location of the computer

geo.wifi.logging.enabled;false // disables firefox logging geolocation requests

geo.wifi.uri;"" // dataprovider of geolocation feature !(default Google service)!, overwrite it with a empty string

keyword.enabled;false // disable URL auto fix up

media.peerconnection.enabled;false // VPN cannot bypassed anymore (https://www.reddit.com/r/VPN/comments/2tva1o/websites_can_now_use_webrtc_to_determine_your/)

media.peerconnection.turn.disable;true // makes sure WebRTC is really disabled

media.peerconnection.use_document_iceservers;false // makes sure WebRTC is really disabled

media.peerconnection.video.enabled;false // makes sure WebRTC is really disabled

media.peerconnection.identity.timeout;1 // makes sure WebRTC is really disabled

network.cookie.alwaysAcceptSessionCookies;false // disables acceptance of session cookies

network.cookie.cookieBehavior;1 or 2 // disables cookies (0 = accept all cookies by default, 1 = only accept from the originating site (block third party cookies), 2 = block all cookies by default)

network.cookie.lifetimePolicy;2 // cookies are deleted at the end of the session (0 = Accept cookies normally, 1 = Prompt for each cookie, 2 = Accept for current session only, 3 = Accept for N days)

network.dnsCacheEntries;0 // number of cached DNS entries (lower number = more requests but less data stored)

network.dnsCacheExpiration;0 // time DNS entries are cached in seconds

network.dns.disableIPv6;true // disables IPv6 DNS Lookups (not necessary if your O/S or ISP does not support IPv6)

network.dns.disablePrefetch;true // to disable DNS prefetching

network.dns.disablePrefetchfromHTTPS;true // to disable DNS prefetching

network.http.pipelining;true // speeds up loading of websites; can cause Problems with some websites

network.http.pipelining.ssl;true // enables pipelining only for ssl connections; avoids problems occurring with http

network.http.pipelining.maxrequests;32 // number of requests sent at once

network.http.proxy.pipelining;true // if a proxy is used

network.http.sendRefererHeader = 0 // disable referrer headers.

network.http.sendSecureXSiteReferrer = false // disable referrer headers between https websites (note: this may break functionality when navigating between https websites).

network.http.spdy.enabled;false // we don't want protocols running that form persistent connections across sessions

network.http.spdy.enabled.http2;false // ditto

network.http.spdy.enabled.http2draft;false // ditto

network.http.spdy.enabled.v3-1;false // ditto

network.http.use-cache;false // disables caching of http requests

network.prefetch-next;false // disables automatic download of linked sites which are recommended by the website

permissions.default.image 3 // 3 = loading images from original server only (loss of aesthetics on many websites though, choose your poison), 1 = load all images

places.history.enabled;false // disables recording of visited websites

plugin.sessionPermissionNow.intervalInMinutes;15 (default 60) // you don't want to give the plug-in permissions to a domain for long periods

plugin.persistentPermissionAlways.intervalInDays;1 (default 90) // "allow and remember" for plug-ins on a domain shouldn't be ridiculously long

plugins.click_to_play;true // click-to-play for plugins

plugins.notifyMissingFlash;false // block Flash notifications from appearing in the browser

privacy.trackingprotection.enabled = true // this is Mozilla’s new built in tracking protection.

security.ssl3.dhe_rsa_aes_128_sha;false // cipher is susceptible to the logjam attack and will be disabled/fixed in FF39

​security.ssl3.dhe_rsa_aes_256_sha;false // as above

 

security.tls.version // defines minimum and maximum of allowed SSL/TLS versions (0:SSL3.0; 1:TSL1.0; 2:TSL1.1; 3:TSL1.2)

security.dialog_enable_delay;0 (or to another value in milliseconds) // changes the delay time for the installation dialog of a new addon

toolkit.telemetry.enabled;false //don't send performance profile data to outward bound destination

webgl.disabled;true // WebGL involves running code directly on the video card, and exposing APIs that provide direct access to video card APIs. The browser does attempt to sandbox this code (to a certain extent), and browsers do enforce a number of security restrictions designed to prevent malicious behavior



ADDITONAL KEY ADD-ON AGAINST DIGITAL FINGERPRINTING

The Firefox addon Random Agent Spoofer takes care of a lot of these privacy issues under their (Extras) setting, as well as doing more. https://github.com/dillbyrne/random-agent-spoofer/
Double-click the XML file to install the latest version with even more options.

Here's the RAS (Extras) list:

Option to limit local dom storage

Option to disable browser cache

Option to limit fonts to a standard set (monospace, serif, times new roman)

Option to limit tab history to two

Option to disable geolocation support

Option to disable dns prefetching

Option to disable link prefetching

Option to disable webGL

Option to disable webRTC

Option to disable canvas element support

Option to set referer header

Option to set do not track header

Options to send spoofed headers including via, x-forwarded-for and if-none-match.

Options to spoof the accept headers: documents, encoding and language (US English) so they match the spoofed profile.

Option to override timezone offset to a random timezone, send nothing, specify one from a list or use the default one.

Option to spoof screen and window sizes to a specific size or set at random

Note: It is advisable to spoof headers, but remove uncommon desktop browsers and mobile browser types from the spoofing list, given Panoptoclick will otherwise give you a very close to unique signature.

Check your score at Panoptoclick, with and without javascript running, to see the danger of javascript and how much more identifiable you can be be. To be really sure, also check using the tools
at Browserleaks, and be sure to block the new threats e.g. canvas image data extraction, supercookies e.g. LSOs, E-tags and so forth. Also run checks at the free JonDoNym website and IPleaks.
Check you are also not leaking Ipv6 anywhere with online checks.

 

Note also that the Eddie client won't prevent IPv6 leaks in Linux, if I understood the guys correctly. ​So, it must be turned off at the operating system level, and specific checks run.
 

 

KEY FIREFOX EXTENSIONS

Also strongly consider as default extensions:

- uBlock (replacing need for Adblock Plus and other derivatives when auto-filter and every category is selected and updated)
- HTTPS Everywhere
- Privacy Badger (EFF) - block invisible trackers, also uses algorithms in preference to blacklist/whitelist approach
- No script (block scripts globally; temporarily allow only trust websites. Also disable i-frame; font@face etc for paranoid users)

Other notables:

- Better Privacy
- Request Policy
- Blur
- Disconnect
- CanvasBlocker
- Calomel
- DNSSEC/TLSA Validator (which reminds me, Airvpn.org could implement this for their website i.e. compliance). I also note that airvpn.org is not susceptible to the logjam attack... ;-)
- Click&Clean
- Self-destructing cookies
 

 

OTHER CONSIDERATIONS

Run Firefox in private browsing mode also. Try to limit the use of Flash (use HTML5 where possible; uninstall Flash if paranoid) and other assorted plug-ins. Use native players where possible. Disable
themes and go with the Firefox default (remove an additional fingerprinting mechanism).

Under preferences in Firefox, you may also want to remove the options for blocking reported web forgeries and attack sites, as these OSCP checks require cross-reference with Google servers. Not good.

Run a linux distro in preference to back-doored, proprietary crap e.g. Mac OS/X and "Windows" (into your home; your life). Encrypt your drives, swap partitions, home folders and key data.

Use open-source everywhere and everytime. Valuable personal/financial information would be stored with strong encryption on an air-gapped drive.

Run Apparmor or SELinux, alongside bleachbit and other key tools e.g Snort, Aide, rootkit hunters. Consider further hardening with recompiled kernels or firejail (kernal restrictions on running programs).

One-hop VPNs are trivial for passive adversaries with global reach (most governments these days) to do end to end correlation given their computing power. Don't be fooled into thinking this is adequate if you are wanting to be truly anonymous.

The paranoid user will also chain VPNs via virtual environments to distribute risk of VPN honeypots.

​They would also run a JonDoNym mixer in there, use Tor with an obfuscated bridge, and probably run their
connection via a host Qubes system (using Xen isolation), with Whonix running in VirtualBox. A clean image would be used for each internet connection (what meta-data/browsing history?). And these extreme measures only MAY provide reasonable defence against aggressive passive surveillance, not active surveillance I'm afraid i.e. your screwed.

Know that all standard email is backdoored, leaks a ton of meta-data, and using PGP email will make you instantly interesting to the Stasi, due to low statistical use of it. Also, friends/family
aren't going to use experimental software. Therefore, get them to install opensource VOIP and chat software instead that goes across all platforms.

 

Jitsi is perfect for this - military grade encryption (ZRTP) for VOIP + OTR for chat. Start shifting electronic contact to this medium instead of emails, given we live in a global police state (just remain logged in, ready to chat with friends who have been verified with secret Q&A and verification of their digital fingerprint).

Separate your browsing modes e.g. 'normal' Youtube, reading, and so on versus your 'private sessions' using Tor i.e. don't mix the two sources. Behavioural correlation is a dead give-away otherwise.

Don't use any identifiable information, logins or comments when using Tor. Never keep a same handle across sessions. Change circuits regularly and re-set clickjack protection with No-Script settings (we
can live with false positives). If you must go to HTTP sites, use Startpage's proxy service to retrieve the data for you, or to avoid Cloudflare notices or CAPTCHAS. This will also prevent
Tor-unfriendly websites from blocking you access to content.

New tracking techniques are constantly evolving, so one must be diligent e.g. E-Tags, tracking via screen size & resolution, date/time stamps, TCP/IP stack fingerprinting and so forth.

While none of the above changes to Firefox will come even close to using Tor Browser (digital signature-wise; 2 million+ users with similar fingerprint), its a lot better than a standard install of Firefox
for privacy and security.

 

HOWEVER, if you leave an extremely small digital fingerprint, this also makes you stand out from the sheeple, because they aren't blocking much except cookies and some ads/trackers.

Thus, to the govt, you will appear sometimes more obvious e.g. "There's that guy with an exceptionally small entropy on his digital signature again".

Runnig a christmas tree of extensions & plug-ins also makes you stand out from the crowd.

So choose your poison. Be a corporate bitch or stand out to the spooks. I'll take the latter.


FINAL NOTE

This list is not exhaustive. Privacy 'extremists' would spend time looking at settings for privacy, auto data-reporting, gfx font rendering, other network and plug in settings, security, toolkits and whitelists.

 

However, they would need to be aware that screwing with everything can make your browser both unstable, and not very useable. Back your data up first, and if it all goes bad, re-set the browser to
default settings and start again (just be more careful).

Firefox is also limiting the ability of users to check/change some key settings over time e.g. DRM, Websockets and other session-persistent tools, some experimental features and so on.

If you really need privacy, use Tor, with default settings, no additional add-ons, run security slider in highest position, use HTTPS everywhere, use latest version to protect against keyword typing
tracking and advanced forms. Use bridges if you have a hostile IP. Run an additional SSL/SSH tunnel with the VPN to protect against deep-packet inspection if you must.

However, always know that end to end correlation can identify a host of users, particularly via malicious nodes in the Tor Network; the so-called Sybil attacks.

Further, how disguised you are depends on how much Tor traffic is flowing over AirVPN servers, which we have no statistics on. You must remember if you run VPN -> Tor, then the AirVPN servers provide
a limited subset of entries into the Tor system. If you are the only one running Tor off some obscure server, and they are watching you end to end because they think you are a bad-ass, then you can be identified. Latest studies were identifying a large % of users in this fashion.

Unfortunately, this requires the improved circuiting system planned for Tor, which specifically guards against end-end correlation, and greater Tor traffic in general, along with a big boost in VPN customers to 'hide
in the crowd'.

Keep up the good work guys! The paranoid types hope and trust that you aren't simply a NSA honeypot, although you are doing a wonderful job if you are ;-)
 

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...