With all the recent brouhaha surrounding Cambridge Analytica, Facebook, internet profiling, and the advent of GDPR, the debate around security online shows no signs of abating.
Out-of-the-box browser configurations can leave you open to scrutiny by a wide range of tracking scripts, cookies and beacons. And that’s before the risk of remote code executions using vulnerabilities in the browser itself. But that’s another story.
So with all this additional attention on security, how has the industry responded? We took a look at the big hitters as well as some of the more niche browsers out there to review what your privacy options are.
Being a ‘secure browser’ is obviously something of a sine qua non. It’s not a new thing and accordingly, every browser has a certain level of security features built in.
Almost every browser will take some proactive steps to warn you if a website is a known attack vector, is fake, or has an SSL certificate that is not valid. There is also a raft of user-configurable settings that give you options to control what data you share.
Here’s a checklist of the main ones you should be aware of:
Delete cookies, block third party cookies, block cookies entirely, or blacklist certain sites. If you are concerned about the effects of remarketing and retargeting, where your browsing history on one site is used to display related ads on others, then third party cookies are the ones to block.
In reality, it takes a lot of effort to block cookies on a per site basis using browser settings. There are many plugins and cookie blocking browser extensions available to help minimize the effort of this.
Choose whether you want to allow sites to run JS or not. If you are very security conscious, this is a good way of stopping sites using tracking scripts when you visit them.
The downside is that JS is so entrenched in web development that it may render many sites unusable.
Do not track setting
This is a web standard that allows you to specify in the headers of your web request that you do not want the website to track your browsing.
It’s available in most browsers to use, but the level to which it will be respected depends on the website you are visiting. The ones you need to be worrying about are probably unlikely to support it.
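As an added illustration (not code from the original article), here is what respecting the setting looks like on the website's side: the browser sends the request header `DNT: 1`, and a cooperating server skips its tracking cookie and analytics script. The function names, the `visitor_id` cookie and `/analytics.js` are hypothetical; `Tk` is the tracking-status response header from the W3C Tracking Preference Expression draft.

```javascript
// Added example: honouring the Do Not Track request header server-side.
// DNT: "1" = user opts out of tracking, "0" = user consents,
// header absent = no preference expressed.
function trackingPreference(headers) {
  // Header names are case-insensitive, so normalise before matching.
  const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === 'dnt');
  if (!entry) return 'unset';
  const value = String(entry[1]).trim();
  if (value === '1') return 'opt-out';
  if (value === '0') return 'consent';
  return 'unset'; // malformed values are treated as "no preference"
}

// Build a response for a page view. visitorId is supplied by the caller
// (hypothetical: a random identifier generated per new visitor).
function buildResponse(headers, visitorId) {
  const res = { headers: {}, body: '<h1>Hello</h1>' };
  if (trackingPreference(headers) === 'opt-out') {
    // Respect the signal: no identifier cookie, no analytics script,
    // and tell the client so with Tk: N ("not tracking").
    res.headers['Tk'] = 'N';
    return res;
  }
  // No opt-out received: this (hypothetical) site sets a long-lived
  // identifier and loads its analytics script.
  res.headers['Set-Cookie'] =
    `visitor_id=${visitorId}; Max-Age=31536000; Secure; HttpOnly; SameSite=Lax`;
  res.body += '<script src="/analytics.js"></script>';
  return res;
}
```

Nothing in the browser enforces the first branch: a site that ignores the header simply never checks it, which is why the setting only helps with websites that choose to cooperate.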
Perhaps something of a hygiene factor at this stage, blocking pop ups certainly helps the web to be a less annoying place, particularly for a certain class of website where you’ll be enticed to click through to claim a free iPad for being the millionth visitor that day.
Many browsers come with built-in password managers. Whether or not you trust these is another question. A level of risk will always exist. Check out this hair-raising post on hacking password managers to decide your level of comfort with this.
Use the browser without your viewing history being recorded! Google’s Incognito mode (or ‘porn mode’ as it was euphemistically dubbed on release) is 10 years old this year. Widely welcomed at the time, Google purposefully avoided using the word ‘privacy’ when naming the feature.
It was originally intended to temporarily pause a browser from recording search history on a shared computer; it won’t stop your ISP, your employer or your mobile operator from tracking your behaviour.
Websites will still be able to track you for that session, so it’s only really useful to hide your browsing history from people you might share a computer with.
Dodgy Chrome extensions have regularly featured as a route for security vulnerabilities and risks to privacy. Chrome has recently announced that Extensions will no longer support inline installations, meaning you will need to head to the Chrome store to install the extension.
For many users this may not seem much of a change, but it should help reduce casual downloads of extensions from links which are free from user reviews and feedback. This follows the banning of cryptocurrency mining extensions back in Spring.
Firefox has prided itself on its ready extensibility and open source street cred. And it’s no slacker in the security stakes either. Being open source, there is less potential for conflicts of interest since it isn’t developed by a company with a vested interest in tracking your browsing.
As well as the usual brace of user configurable controls mentioned above, Firefox’s Tracking Protection feature identifies sites that track you across multiple domains using a list maintained by disconnect.me. The browser also includes ad and tracker blockers even when you are using Firefox’s private browsing feature.
Of the mainstream browsers out there, it is probably the best choice. On mobile, Firefox Focus offers a privacy first option in addition to the regular mobile version.
“We believe that your private data should remain private, not because you’ve done something wrong or you have something to hide, but because there can be a lot of sensitive data on your devices and we think you should be in control of who sees it.” Craig Federighi, Apple
So sayeth Craig Federighi, Apple’s SVP of software engineering, at their Worldwide Developers Conference earlier this month. Apple’s Intelligent Tracking Prevention enables users of the browser to block social media widgets that can track users without user interaction. The example used in Federighi’s presentation? A Facebook comment thread.
This provoked a response from Facebook’s CSO who, interestingly enough, took exception to what he saw as the singling out of Facebook, rather than the idea of blocking third party includes.
If this is about protecting privacy, and not just cute virtue signaling, then they should block all 3rd party JS and pixels.
— Alex Stamos (@alexstamos) June 4, 2018
Apple launched Intelligent Tracking Prevention as part of iOS 11 to control the period of time that third-party cookies could stay active, deleting them if the user had not visited the third-party site in the last 30 days.
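The 30-day rule as described above can be modelled in a few lines. This is an added example, not Apple's implementation: it applies only the rule as this article states it, and the `CookieStore` class and the `.example` domains are constructed for illustration.

```javascript
// Added example: a toy cookie store applying the 30-day rule described above.
const DAY_MS = 24 * 60 * 60 * 1000;
const THIRTY_DAYS_MS = 30 * DAY_MS;

class CookieStore {
  constructor() {
    this.cookies = new Map();             // domain -> Map(name -> value)
    this.lastFirstPartyVisit = new Map(); // domain -> time of last top-level visit
  }
  // The user opened `domain` directly (it was the site in the address bar).
  visit(domain, now) { this.lastFirstPartyVisit.set(domain, now); }
  // A response from `domain` set a cookie, whether embedded or top-level.
  setCookie(domain, name, value) {
    if (!this.cookies.has(domain)) this.cookies.set(domain, new Map());
    this.cookies.get(domain).set(name, value);
  }
  // Drop cookies for every domain the user has not visited directly
  // within the last 30 days; returns the purged domains.
  purge(now) {
    const purged = [];
    for (const domain of [...this.cookies.keys()]) {
      const last = this.lastFirstPartyVisit.get(domain);
      if (last === undefined || now - last > THIRTY_DAYS_MS) {
        this.cookies.delete(domain);
        purged.push(domain);
      }
    }
    return purged.sort();
  }
}

// Constructed scenario: 35 days of browsing, then a purge.
function demo() {
  const t0 = Date.UTC(2018, 5, 1);
  const store = new CookieStore();
  store.visit('news.example', t0);
  store.setCookie('news.example', 'session', 's1');
  store.setCookie('tracker.example', 'uid', 'u1');   // embedded only, never visited
  store.visit('old-widget.example', t0);             // visited once, 35 days ago
  store.setCookie('old-widget.example', 'uid', 'u2');
  store.visit('social.example', t0 + 10 * DAY_MS);   // visited 25 days ago
  store.setCookie('social.example', 'login', 'l1');
  store.visit('news.example', t0 + 34 * DAY_MS);
  const purged = store.purge(t0 + 35 * DAY_MS);
  return { purged, remaining: [...store.cookies.keys()].sort() };
}
```

In this scenario the embedded-only tracker and the lapsed widget lose their cookies, while `social.example` keeps its cookie because the user visited it directly within the window, so a service you use regularly can still recognise you when embedded elsewhere.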
Earlier this year Opera improved their ad blocking technology first introduced in 2016. It builds on added security against cryptojacking with the NoCoin Cryptocurrency Mining Protection feature, an issue we covered on mobiForge late last year.
Opera claim their ad blocker is faster than Google Chrome thanks to its string matching algorithms, which has the knock-on effect of delivering faster page loads. Also noteworthy is Opera’s domain highlighting feature, which makes it easy to see if you are on a real site or one masquerading as the real thing.
A range of mobile apps is available, including Opera Mini and Opera Touch.
Niche Security browsers
Tor is the big daddy of the non-mainstream built-for-security browsers. Its biggest advantage is that it runs on a distributed system of nodes to bounce your request around before it lands at the resource you are trying to access, making your IP address harder to track.
That also means that it’s slower. It’s not bulletproof of course.
Originally developed by the US military, some fear there may be some backdoor surveillance built in. If you are looking into Tor you are really serious about being anonymous on the web, not just avoiding ad tracking. Nevertheless it does provide an option. An Android version is available.
Epic is another privacy specialist browser that promises to block techniques like fingerprinting scripts and image canvas data access that can be used to track and identify you even if your IP address is blocked.
Based on a stripped back version of Chromium, it has a built-in encrypted proxy and deletes all local browsing history on close so that an IP address cannot be linked to a search. On the flip side, the proxy means sluggish browsing. Desktop only.
Brave offers an open source browser that has advanced ad and script blocking shields which are easily accessible when browsing a site.
As well as offering a pretty slick UX, it has native support for HTTPS Everywhere – another EFF initiative which will rewrite your browsing to ensure that you are using HTTPS. It works by being fed data from TOR and other sources.
Brave also announced a beta version of “Private Tabs with TOR” on June 28th.
Available for mobile.
This list is by no means exhaustive and offers just a flavour of the browser options that are available out there to take control of where your data goes on the internet. The choice of options may seem bewildering but there are certainly options if you don’t want to be tracked.
Of course, once you start using services which you log in to such as Facebook or Google, all bets are off.
If you are really serious about privacy on the Internet you’ll want to look into VPNs as well as educating yourself on the do’s and don’ts of browsing in a secure way.
“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” Edward Snowden
Image by David Lofink