Proper use of browsers

24 réponses [Dernière contribution]
GNUbahn
Hors ligne
A rejoint: 02/18/2016

In another thread (https://trisquel.info/en/forum/you-cannot-watch-youtube-libre-software-computer#comment-113441) I ran into the question of how to use browsers properly.

The particular question was about scripts and cookies from youtube.com but is infact a general issue.

There are sites that I recurrently visit, e.g. this page, hence deleting cookies after each session would be rather annoying (on the next visit). But should one actually delete all cookies by the end of session?

One good grey-zone example for me is my bank's site. Would you keep cookies from your bank or would you delete them (I don't use i very often but still).

I believe I have read, that some people use different browsers for different usage. How do you use yours' and do you know of pages with good discussions and/or explanation on this issue?

And what are the really good questions to ask, regarding this issue?

SuperTramp83

I am a translator!

Hors ligne
A rejoint: 10/31/2014

>How do you use yours

Heh, the answer would take at least 5000 characters :)

But to answer your 'cookies' question - I allow only first party cookies and when I close the browser all cookies get deleted (private browsing mode - look for it in the options).

GNUbahn
Hors ligne
A rejoint: 02/18/2016

For any site? Even this forum, which you visit often?

SuperTramp83

I am a translator!

Hors ligne
A rejoint: 10/31/2014

Sure. I see no use of cookies other than the chocolate yummy ones. :P

GNUbahn
Hors ligne
A rejoint: 02/18/2016

I'll try that out to see if I can learn to live with the inconvenience.

It seems like that's one of the major battlefields of everyday privacy:

High level of convenience and low level of privacy
vs
low level of convenience (i.e. inconvenience) and high(er) level of privacy...

GNUbahn
Hors ligne
A rejoint: 02/18/2016

May I ask for an advice?

For instance I am looking at where to spend my summer vacation. I want to check out this rental house:

https://www.homeaway.dk/feriehus/p1819837#summary

But I hate to allow scripts.

How would you check it out?

onpon4
Hors ligne
A rejoint: 05/30/2012

For maximum privacy, use the Tor Browser Bundle in "high" security mode. Do not attempt to set up Tor yourself. Do not use any Web browser other than Tor Browser. Do not add any extensions or change any settings other than the security level slider. All of these things can change your fingerprint, which can easily give you less privacy than a non-Tor browser would have.

For any other browser:

1. Disable JavaScript entirely. LibreJS is not reliable; it would be very easy for someone to either make a malicious script libre, or do just enough to fool LibreJS into thinking that a proprietary script is libre. The only reason no one does that is because of LibreJS's obscurity.
2. Enable cookies, but make the browser keep them only for the session (i.e. delete all cookies when closing the browser). Disabling cookies entirely will break a ton of sites and doesn't really help much.
3. Either set your user agent string to a common one (e.g. the one that the Tor Browser Bundle uses), or use the Random Agent Spoofer extension. This reduces your fingerprint to the point where servers will have a more difficult time tracking you.
4. Install uBlock Origin. The default list blocks common trackers and advertisers.

This will give you pretty decent privacy, but a determined entity will still be able to track you.

Of course, in any case, do not identify yourself unless you must, because that of course negates any privacy protection efforts.

GNUbahn
Hors ligne
A rejoint: 02/18/2016

3. Either set your user agent string to a common one (e.g. the one that the Tor Browser Bundle uses), or use the Random Agent Spoofer extension. This reduces your fingerprint to the point where servers will have a more difficult time tracking you.

How do I set the user agent string? And how so I set it up like the Tor Browser Bundle?

I saw a discussion on whether a common setting like TBB or changing settings like e.g. the Random Agent Spoofer extension is best. What is you opinion, and may I ask why?

onpon4
Hors ligne
A rejoint: 05/30/2012

> How do I set the user agent string?

That depends on the browser.

> And how so I set it up like the Tor Browser Bundle?

In Firefox-based browsers, the option controlling the user agent is "general.useragent.override". You can just copy the value of that setting from Tor Browser and paste it into the other browser you want to use it in.

> I saw a discussion on whether a common setting like TBB or changing settings like e.g. the Random Agent Spoofer extension is best. What is you opinion, and may I ask why?

If you're using Tor, then that would easily be the Tor Browser's common user agent string, simply because it's what every Tor user uses. Servers can tell that you're using Tor, so if you identify yourself as a browser that Tor Browser has never identified itself as, then you become incredibly unique.

Otherwise, I don't have an opinion one way or the other. I think the random agent spoofer might be more effective against passive attacks (like routine tracking) since automated systems will have a hard time distinguishing your mixed up fingerprints, but a more determined adversary can probably figure this out.

One thing I will point out is that the random agent spoofer can wreck the functionality of certain websites if you set it to change your user agent string too often. Some websites (especially old forums) depend on your fingerprint to keep you logged in, rather than just using cookies like they're supposed to. In effect, they will log you out any time your user agent string changes.

SuperTramp83

I am a translator!

Hors ligne
A rejoint: 10/31/2014

>In Firefox-based browsers, the option controlling the user agent is "general.useragent.override".

Variable: /// Value:

general.useragent.override /// Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0
general.appname.override /// Netscape
general.appversion.override /// 5.0 (Windows)
general.oscpu.override /// Windows NT 6.1
general.platform.override /// Win32
general.productSub.override /// 20100101
general.buildID.override /// 0
general.useragent.vendor /// [enter variable - but leave value blank]
general.useragent.vendorSub /// [enter variable - but leave value blank]
intl.accept_languages /// en-us,en;q=0.5
network.http.accept.default /// text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
network.http.accept-encoding /// gzip, deflate

-----

Notice however that standard Firefox has become very good at defeating fingerprinting, so you can just keep that one as it is and disable javashit and be good.

GNUbahn
Hors ligne
A rejoint: 02/18/2016

Are you hereby arguing that I should leave the user agent setting of Abrowser and Icecat as they are and just disable java-scripts?

GNUbahn
Hors ligne
A rejoint: 02/18/2016

Some sites are useless without scripts. What could be a prudent way to open those pages - if there is any?

onpon4
Hors ligne
A rejoint: 05/30/2012

I just enable JS when there's no other way, then turn it off when I'm done.

I've argued before that it could be nice to add a button to do this automatically (just run JavaScript on the current page once, but otherwise keep JavaScript off), so that this is easier to do. That would make it feasible to ship a browser to regular users with JavaScript disabled.

GNUbahn
Hors ligne
A rejoint: 02/18/2016

This will give you pretty decent privacy, but a determined entity will still be able to track you.

I don't hope I have anyone running around out there with a specific target at me. I am probably quite easy to strip. But it is and interesting/necessary reflection to do: Where to set the boundaries, i.e. which balance of privacy and efforts to accept and strive for.

Of course, in any case, do not identify yourself unless you must, because that of course negates any privacy protection efforts.

This is an interesting one too. For instance I am using the nick GNUbahn here. It would not take anyone long to learn my real name, nationality and probably email address, should someone want to. And from there it would be pretty easy to find me (e.g. via my work which has a profile of me on their site).

I don't mind most people being able to know who and where I am, but there are people and entities out there, whom I think should not collect and use data about me. Thos I would really like to shut out.

In continuation of this, would it make any sense to log in to this forum via tor browser?

onpon4
Hors ligne
A rejoint: 05/30/2012

Yeah. I have a common username too, but I use it with the understanding that I am not anonymous when I use it. If I really want to be anonymous (and I have on a couple occasions), I pick a new username and log in with that username only through Tor Browser. (And if an email address is required, I get a new email address on a service that does not require me to identify myself.)

GNUbahn
Hors ligne
A rejoint: 02/18/2016

How do you approach e.g. ebay? If I go by Tor browser I will not be able to use the site due to javascript being blocked.

Do you allow jacascript for this site? Or do you have a super trick to come about this problem?

Soon.to.be.Free
Hors ligne
A rejoint: 07/03/2016

It depends on exactly what you want to do, but some of it can still be accessed. There are a few tricks though:

1. Whenever a search page comes up with a big "You should have JavaScript enabled" box, right-click on that box, and select "Inspect Element." A box then comes up at the bottom of the screen. A few lines above the highlighted one in there, there should be one starting with "" and/or "&_udlo=" to the URL, and click 'enter'.

Now, that's still not going to solve every problem- if you really need full functionality, you'll have to enable JS. However, it's worth keeping in mind that EBay isn't particularly kind to free software/anonymity, so it might be worth considering whether you really want to use the site. However, if you do, that's all I can give you.

GNUbahn
Hors ligne
A rejoint: 02/18/2016

F*ck! You're probably right about eBay. I haven't checked up upon it, but I have no doubts.

Do you have a suggestion for a better site to search for e.g. batteries, components and accessories for computers?

GNUbahn
Hors ligne
A rejoint: 02/18/2016

I am sorry, this makes no sense to me:

A few lines above the highlighted one in there, there should be one starting with "" and/or "&_udlo=" to the URL, and click 'enter'.

Will you explain again?

Soon.to.be.Free
Hors ligne
A rejoint: 07/03/2016

Sorry for the confusion. As posted below, the step you're referring to randomly switches to a completely different paragraph part way through- a correction has been provided (I hope it works that way). Also, the pop-up you see is indeed the expected object. Next time, it appears including some screenshots may be far better than leaning on sentences (which go astray).

Soon.to.be.Free
Hors ligne
A rejoint: 07/03/2016

Firstly, sorry about it not making sense- that's my fault. It appears two paragraphs got mashed together, and the second half of the sentence has nothing to with the first.

What it should have said was that, in the box which appears after you follow the steps proceeding it, one line will be highlighted. A few lines above that one (you might need to scroll up a bit to find it), there will be a line with "noscript" in it. Select that line, and press delete- the annoying pop-up should disappear. Then press the cross on the little box you've just been working in to get the screen back. It's obviously not terribly convenient, but (for now) it's the best I can give you.

In regards to alternatives, I don't know of any outside of the standard method of scrounging the Internet, local stores, and garage sales for what you want. Comparable sites exist, but they aren't much better- in terms of variety, they're likely worse. I do hope one emerges, although it isn't clear how it would build a sufficient market base to serve its intended purpose.

GNUbahn
Hors ligne
A rejoint: 02/18/2016

I got it to work as well. Thanks a lot.

gnulux
Hors ligne
A rejoint: 06/17/2015

Well, if you browse ebay with Tor Browser, you don’t need javascript (just close the annoying popup) but if you need to see somebody’s ebay-shop, or if you want to buy something you need javascript.

I use TB just to browse but I guess I’ll need to use Abrowser to register or login in order to buy something.

Using Firefox, I block all cookies and use Self-Destructing Cookies to allow them on a very few websites, I don’t bother about User Agent because I see no point in servers registering billions of Windows NT desktops or laptops.
Instead I use uMatrix to block scripts and frames by default.

As for fingerprinting, don’t forget CSS Canvas (Apple be cursed for this CSS element) can spy on you as well. You can use CanvasBlocker or forbid CSS on websites you don’t trust. Actually, blocking images, CSS and scripts makes websites lighter but sometimes totally blank.

I’m at a loss how to preserve some shades of privacy on ebay. I suppose you need to tell them your real name and address if you want to buy something, and then you need to do the same thing again if you need to pay through Paypal.

The only workaround I thought of, which is rarely possible, is to spot a vendor you can trust, go to their actual website and order from there, even phone them, order and send a check.

Ebay and AlixExpress are difficult to avoid, especially for computer or electronic stuff.