Comments

kinda June 6, 2012 10:00 AM

@Stas: hit send too quick… URL-based with wildcards, so it actually blocks the connection to those domains, which is better than simply hiding ads. You can use it to block things like tracking domains such as google-analytics.

Michael_St June 6, 2012 10:01 AM

I use Ghostery and Adblock+ together in Google Chrome. I tried the (built-in) “Incognito” mode for a while, but it had some issues with sites I needed cookies for, so I reverted to the Ghostery/Adblock+ combo.

I also looked at Collusion, an app that visualizes your tracking cookie interaction (by examining all sites that cross-refer through them), very interesting idea, although it just visualizes at the moment.

Sean Rütschi June 6, 2012 10:02 AM

I use both plus NoScript plus Firefox’s built-in Do-Not-Track option. The mix does it for me.

In extreme cases I use Tor in combination with the User Agent Switcher.

Stas June 6, 2012 10:04 AM

Forgot to mention it: I also use Ghostery and AdBlock+. Additionally, I have installed NoScript, although it drives me crazy from time to time and causes unexpected behaviour on, for example, webshops.

Cliff June 6, 2012 10:06 AM

It was mentioned at end of Security Now #288 http://www.grc.com/sn/sn-288.htm

Steve had not heard about it, but Tom (who was covering for Leo) mentioned it and liked it. I have been using it with AdBlock+ & NoScript for a couple of weeks now.

I like it.

lenno June 6, 2012 10:07 AM

I use Firefox with AdBlock, NoScript, RequestPolicy (like NoScript for cross-site requests), CookieMonster (like NoScript but for cookies), BetterPrivacy (Flash cookies, LSO) and User Agent Switcher. Seems I’m fairly paranoid.

Ian McDowall June 6, 2012 10:08 AM

I use NoScript and Ghostery. If you install Ghostery then it does not block trackers by default but it does show you which ones are active (and gives you the option to block them). I found it educational to see how many trackers are in use and which ones – try it and prepare to be surprised.

Scott Cantor June 6, 2012 10:10 AM

I’ve used it along with AdBlock+ for years and I love it. AdBlock really doesn’t address the tracking issue for the most part.

I will say you will find that a good chunk of modern approaches to things like site comments will break. I don’t particularly care much either, it’s a good sign it’s working. It really seems to speed up my browsing as well.

Fabrice Roux June 6, 2012 10:18 AM

I use the following extension for privacy and security reasons:
– NoScript to allow JavaScript on demand.
– AdBlock+ to block intrusive advertisement.
– Ghostery to block trackers.
– Cookie Whitelist with buttons to whitelist the current site’s cookies. The rest is dumped as soon as I shut down Firefox.

Harvey MacDonald June 6, 2012 10:21 AM

I use a laptop running a live Linux CD with no hard drive. Lack of software updates is the major vuln, but the rebuild time is extremely short. This is slightly better than the VM solution as it is not subject to red/blue pill attacks. I reboot in between visiting sites if I visited a site that I consider to hold sensitive information about me or my transaction.

nvg June 6, 2012 10:27 AM

I use 3 browsers as follows:

  1. Firefox for most of my browsing with cookies disabled, adblock and flashblock. Works well for 90% of my browsing.

  2. Chrome for accessing Google services that require cookies (mail, reader, calendar, docs). Every other Google service including search is in Firefox.

  3. Safari for sites that require me to log in like my bank etc. Clear cookies on exit always and never store passwords on the machine (not even in Keychain).

Brerarnold June 6, 2012 10:27 AM

I’ve used AdBlock for years. Recently, I installed Collusion and Ghostery. Collusion not only gives you a visual take on how your web activity is being shared, it can block known tracking sites. Since Ghostery does the same thing, and more, I could do without Collusion. But it is interesting to see the visual representation of what is going on.

David L. June 6, 2012 10:28 AM

If you use Firefox you should consider enabling Do Not Track. I should add that Mozilla’s choice of making users “opt-in” – rather than enabling it by default – has raised debate as to the effectiveness of including such a feature.

Tim Russell June 6, 2012 10:28 AM

Be careful about the “and dump my cookies whenever I close Firefox” part, though, Bruce. I just looked more into the sessionstore part of Firefox and definitely found some things I didn’t like.

With default settings, if you have FF set to restore tabs when you close and open, it appears to also be saving a LOT of stuff to disk, including session cookies, even for SSL sites.

I haven’t delved deep as yet, but I wouldn’t be at all surprised if it’s saving ad tracking cookies in there as well, meaning they’re not really dumped when you close.

Read this and notice the “default before Firefox 4” part.
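As an added check for the concern raised in this comment (not code from the commenter): a small script that reads a Firefox sessionstore.js and reports which cookies session restore has written to disk, flagging secure (HTTPS-only) cookies and cookies for hosts no open tab belongs to. The field names (windows, tabs, entries, cookies with host/name/value/path/secure) are those of the Firefox 4-era sessionstore format; the sample document is constructed.

```python
"""Audit the cookies Firefox session restore has written to sessionstore.js.

Added example, not from the original comment. Firefox stores session-restore
state as a JSON document whose "windows" entries each carry the open "tabs"
and a "cookies" list (host, name, value, path, optional secure) of the
session cookies needed to bring those tabs back. The sample below is a
constructed document, not a real capture.
"""
import json
import sys
from urllib.parse import urlparse

# Constructed sample of a small sessionstore.js (not a real capture).
SAMPLE_SESSIONSTORE = json.dumps({
    "windows": [{
        "tabs": [
            {"entries": [{"url": "https://bank.example/account"}]},
            {"entries": [{"url": "http://news.example/story/1"}]},
        ],
        "cookies": [
            {"host": "bank.example", "name": "SESSIONID", "value": "abc123",
             "path": "/", "secure": True},
            {"host": ".tracker.example", "name": "uid", "value": "42",
             "path": "/"},
            {"host": "news.example", "name": "visited", "value": "1",
             "path": "/"},
        ],
    }],
})


def _host_matches(cookie_host, tab_hosts):
    """True if the cookie's host is an open tab's host or a parent domain of one."""
    return any(h == cookie_host or h.endswith("." + cookie_host)
               for h in tab_hosts)


def audit_sessionstore(text):
    """Return the cookies persisted by session restore, split into the two
    classes the comment worries about: secure (HTTPS-only) cookies that now
    sit in plaintext on disk, and cookies for hosts no open tab belongs to
    (the usual shape of a third-party tracker)."""
    doc = json.loads(text)
    tab_hosts = set()
    cookies = []
    for window in doc.get("windows", []):
        for tab in window.get("tabs", []):
            for entry in tab.get("entries", []):
                host = urlparse(entry.get("url", "")).hostname
                if host:
                    tab_hosts.add(host)
        cookies.extend(window.get("cookies", []))

    report = {"total": len(cookies), "secure_on_disk": [], "third_party": []}
    for cookie in cookies:
        host = cookie["host"].lstrip(".")   # ".tracker.example" is a domain cookie
        if cookie.get("secure"):
            report["secure_on_disk"].append((host, cookie["name"]))
        if not _host_matches(host, tab_hosts):
            report["third_party"].append((host, cookie["name"]))
    return report


def main(argv):
    # Pass the path of your profile's sessionstore.js; otherwise the sample runs.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SESSIONSTORE
    report = audit_sessionstore(text)
    print(f"{report['total']} cookies persisted by session restore")
    for label in ("secure_on_disk", "third_party"):
        for host, name in report[label]:
            print(f"  {label:15} {host}  {name}")


if __name__ == "__main__":
    main(sys.argv)
```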

time flies like a banana June 6, 2012 10:33 AM

I use 3 separate browsers on the www

1) Seamonkey, more or less stock configuration, for trusted sites and sites I have to trust whether I like it or not. It is however set to ask explicit permission for every cookie.

2) Tor browser, mostly for posting blog comments like this. 😉

3) Firefox, with adblock, noscript, requestpolicy, https everywhere, for general surfing. Also cookies off, period. Yes the “experience” is often severely degraded, but I don’t much care about that, I can generally get at what I want.

In addition I have a hosts file that redirects a lot of nuisances to localhost.

I don’t have flash anywhere, but that’s mainly because I dislike animation, video and sound in web pages.

I don’t trust “do not track” – the people who I least want to track me are the kind who will just ignore anything voluntary.

stvs June 6, 2012 10:45 AM

I use a privacy-enhancing proxy chain with both Squid and Privoxy, and send all my traffic through that. Squid denies access to a bunch of HTTP headers and Privoxy does a great job blocking all ads as well as forging HTTP_REFERER [sic] and the User Agent.

I do most of my personal browsing on an iPad with Atomic Web Browser, which has enhanced privacy settings over Mobile Safari, and send all the iPad’s connections through the proxy chain.

I always jailbreak all my iOS devices and install the Cydia tools Firewall iP that controls all outgoing traffic (just like OS X’s Little Snitch) and allows you to block in-app ads as well as turn off in-app spyware if you take the trouble to figure out where all those connections are going, and Mobile Tor, which runs a Tor+Polipo proxy chain on the iPhone/iPad—you just proxy everything through 127.0.0.1:8118, and you have Tor on iOS. I also use VPN and ssh tunnels into my own private cloud server when on open wifi networks, after editing the iPhone/iPad’s file /etc/ssh/sshd_config to disable root logins, turn off password logins, and set up my own 2028 bit passphrase protected RSA key on the iPad using ssh-keygen, equivalent to a secure ssh setup on any desktop.

On a desktop, I use Firefox with the privacy enhancing extensions HTTPS Everywhere (of course!), NoScript, both BetterPrivacy and Beef TACO to delete all Flash Cookies every hour, and the cool tool Collusion, which shows a dynamic, labelled graph of all the sites that are tracking you. If you’re on OS X and have Flash installed, then go to System Preferences>Flash Player>Block all sites from storing information, using your camera, etc. Finally, visit this crazy Adobe Flash Player Global Privacy settings panel and max out your Flash privacy settings.

Two highly relevant links on privacy are the EFF’s panopticlick and the WSJ series on web tracking.

Here are the Squid+Privoxy proxy chain settings, which can be used by any browser:

Squid squid.conf:

# Define Privoxy as parent proxy (without ICP)
cache_peer 127.0.0.1 parent 8118 7 no-query
# Do not add a Via header announcing this proxy
via off
# Strip headers that identify the client or reveal the proxy chain
# (Squid 2.x syntax; Squid 3 renamed header_access to request_header_access)
header_access From deny all
header_access Server deny all
header_access Link deny all
header_access Cache-Control deny all
header_access Proxy-Connection deny all
header_access X-Cache deny all
header_access X-Cache-Lookup deny all
header_access Via deny all
header_access Forwarded-For deny all
header_access X-Forwarded-For deny all
header_access Pragma deny all
header_access Keep-Alive deny all

Privoxy match-all.action:

{ \
+change-x-forwarded-for{block} \
+deanimate-gifs{last} \
+filter{refresh-tags} \
+filter{img-reorder} \
+filter{banners-by-size} \
+filter{webbugs} \
+filter{jumping-windows} \
+filter{ie-exploits} \
+hide-from-header{block} \
+hide-referrer{conditional-block} \
+session-cookies-only \
+set-image-blocker{pattern} \
}
/ # Match all URLs

{ \
+hide-referrer{conditional-forge} \
+hide-user-agent{Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3} \
}
/ # Match all URLs
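To see what the posted chain does to a request without running either proxy, here is an added model of its header policy (example code, not the commenter’s and not part of Squid or Privoxy). DROP_HEADERS are the squid.conf header_access deny lines; the Referer rule is Privoxy’s hide-referrer, where the second block’s {conditional-forge} overrides the first block’s {conditional-block} because both match all URLs and the later one wins; SPOOFED_UA is the hide-user-agent string; strip_cookie_expiry mimics +session-cookies-only on a Set-Cookie header. The request headers and cookie are constructed.

```python
"""Model the header policy of the squid+privoxy chain posted above.

Added example, not part of the original comment or of either proxy: it
applies the same rules to a dict of request headers so the effect can be
checked offline. Host comparison for the Referer rule is exact, matching
the "host part" test Privoxy documents for hide-referrer.
"""
from urllib.parse import urlparse

# Request headers the posted squid.conf denies outright (header_access ... deny all).
DROP_HEADERS = {name.lower() for name in (
    "From", "Server", "Link", "Cache-Control", "Proxy-Connection", "X-Cache",
    "X-Cache-Lookup", "Via", "Forwarded-For", "X-Forwarded-For", "Pragma",
    "Keep-Alive",
)}

# User-Agent substituted by +hide-user-agent{...} in the posted match-all.action.
SPOOFED_UA = ("Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 "
              "(KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3")


def forged_referer(target_url):
    """Privoxy's forged value: the root of the site being requested."""
    u = urlparse(target_url)
    return f"{u.scheme}://{u.netloc}/"


def scrub_request_headers(headers, target_url):
    """Return a new header dict as the proxy chain would forward it.

    hide-referrer{conditional-forge}: keep the Referer when its host equals
    the requested host, otherwise replace it with the target's root URL.
    """
    target_host = urlparse(target_url).hostname
    out = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname in DROP_HEADERS:
            continue                        # squid: header_access ... deny all
        if lname == "referer":
            if urlparse(value).hostname != target_host:
                value = forged_referer(target_url)   # privoxy: conditional-forge
        elif lname == "user-agent":
            value = SPOOFED_UA              # privoxy: +hide-user-agent{...}
        out[name] = value
    return out


def strip_cookie_expiry(set_cookie_value):
    """+session-cookies-only: drop Expires/Max-Age so the browser keeps the
    cookie only until it exits. Every other attribute is left untouched."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    kept = [p for p in parts
            if p.split("=", 1)[0].strip().lower() not in ("expires", "max-age")]
    return "; ".join(kept)


if __name__ == "__main__":
    # Constructed request from a browser that has just followed a search result.
    request = {
        "Host": "shop.example",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0",
        "Referer": "https://search.example/results?q=widgets",
        "Via": "1.1 corp-proxy",
        "X-Forwarded-For": "192.0.2.10",
        "From": "someone@example",
        "Accept": "text/html",
    }
    for k, v in scrub_request_headers(request, "http://shop.example/cart").items():
        print(f"{k}: {v}")
    print(strip_cookie_expiry("uid=42; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/"))
```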

Use the router June 6, 2012 10:49 AM

I use my router to block ads, doubleclick, etc. It’s pretty easy to set up and it’s nice when browsing websites (like YouTube) to see all those black square boxes where an ad would normally be.
Then whenever I do see an ad, I just right click it and get the url and add that to my list of blocked sites.

motiondemon June 6, 2012 10:52 AM

Shocked no one has mentioned RequestPolicy for Firefox. With RequestPolicy, any cross-site requests not specifically allowed are denied. Works great for stopping leaks to other websites about your browsing habits. Downside is you’ll do a lot of allowing sites to talk to their CDN sites, host for their style sheets, etc. But once you set it up for a given site, it works wonderfully.

bitmonger June 6, 2012 11:02 AM

I use dedicated site-specific browsers for some sites that have their claws into everything, and I do browsing separately from ‘apps’ that require logins. On Mac I used fluid.app for site-specific browsers, but I haven’t seen a replacement that is as capable yet for Linux. (Prism is ok).

I’ve been experimenting with xxxterm lately. It has a vim-like command UI. It doesn’t save cookies beyond the length of a session unless you explicitly save them to disk (thus whitelisting that site). I haven’t dug into it deeply enough to see how well it is actually working, but I find the interface nice. It also has a notion of sessions which I haven’t played with, but might ultimately handle my site-specific browser use cases. It’s got some rough edges still, but I think ultimately I may switch 100%.

https://opensource.conformal.com/wiki/xxxterm

same June 6, 2012 11:05 AM

+1 for blocking at the router. That will block ADs regardless of which browser is used.

B-Con June 6, 2012 11:07 AM

Unfortunately, re-logging in every time I open my browser is a bit annoying. I use AdBlock and the “Cookie Whitelist” add-on. It makes whitelisting which domains are allowed to set and retrieve cookies very easy.

Brad June 6, 2012 11:19 AM

I use AdBlock+ and have Firefox delete all cookies when closing as well… but I also use the Permit Cookies extension to manage a whitelist of sites that get to keep cookies around through browser sessions.

It’s basically just an interface to the “Exceptions” dialog from the cookie-saving settings, but it presents a toolbar button that allows you to change the list inclusion status for the currently-viewed page (or all currently-open tabs).

Arclight June 6, 2012 11:22 AM

I use Sandboxie to keep multiple browser windows open that can’t see each other. So Facebook gets its own dedicated browser environment, as does my bank, e-commerce sites and then a couple for general browsing. I empty the sandbox periodically. Doing this ensures that all disk writes, including cookies, flash cookies, plug-ins, etc get nuked.

http://www.sandboxie.com

Arclight

Staudenmaier June 6, 2012 11:26 AM

I’m going to try Ghostery because if I delete my cookies after use, my life becomes a living hell. I constantly have to log in to my favorite sites again and again.

Sherri June 6, 2012 11:27 AM

I use Ghostery on Firefox and love it. It shows me how many trackers are on each web page (I was surprised at the number on some!) along with a pull-down menu specifying what they are. If you turn off all tracking by default, as I do, it will break some things (like comments on sites that use Facebook for comments), but you can pause blocking and reload the page if you really need to see the comments.

Daniel June 6, 2012 11:32 AM

I’ve been using Ghostery for years and it works well. Use it with NS +Adblock.

Sandboxie is a good program but it does cost money unlike the others.

I’ve actually been giving thought to the whole multiple browsers thing recently but it seem like such a hassle. I’m also trying to move away from Google services entirely.

Michael. June 6, 2012 11:33 AM

Like many others I use NoScript, with a number of sites whitelisted. I rarely have to whitelist a site any more, as most sites I visit regularly, which I think I trust, are already whitelisted.

I also use Request Policy, which blocks all (but a few whitelisted sites) external requests by default. This blocks all trackers and similar, as well as a bunch more ads. The biggest thing with Request Policy is that you have to allow a number of requests to some domains which are used to serve static content to a family of sites (like Stack Overflow). Two other problems I have are that I can’t work out how to allow redirects by default, and something that escapes me just now.

I also use CookieMonster. I block all cookies by default, and again, only whitelist sites which I trust.

(With all these, I may occasionally whitelist a site, and all the sites it calls, just to get the darn thing working. But that’s only temporary.)

Blimey, we are a bunch of paranoids aren’t we. (Then again, is it really paranoia when they are out to get you?)

Michael. June 6, 2012 11:36 AM

I also meant to say that I used to use AdBlock+, but I removed it ages ago, when I discovered that I didn’t actually mind the few ads that NoScript let through. So long as the ads are served from the same domain (Request Policy will block ’em otherwise), and do not require JS, I’ll happily view them, and click if they are interesting.
Only trouble is, I can only think of one site I use regularly that actually does that…

BWB June 6, 2012 11:41 AM

Amusing … Tracking on the cited TED page:

Disconnect Me (Facebook);

Do Not Track Plus (Linkedin, Dedicated Networks, Nielsen, AddThis (2), Doubleclick, Netratings, ChartBeat);

Ghostery (AddThis; ChartBeat; Doubleclick; Linkedin; Netratings; Scorecard Research);

AVG Do Not Track (Facebook, Google+, Comscore Beacon, Google Analytics).

It seems each of these tracking blockers has unique elements in their lists.

Ghostery performs differently on different browsers. On some, the database should be refreshed periodically even when automatic update is selected.

Dirk Praet June 6, 2012 11:48 AM

@motiondemon

Shocked no one has mentioned RequestPolicy for Firefox

I dumped it because in practice it proved to be a major PITA. Like most folks here, I’m on AdBlock+, NoScript, HTTPS Everywhere, BetterPrivacy, Certificate Patrol and the like. For even better anonymity, use a VPN combined with the Tor bundle for the OS of your choice and Privoxy. On iPad, Covert Browser supports Tor. When on the road, I mostly use a bootable flash drive with TAILS, which of course you can also use in a VM.

Johnston June 6, 2012 11:48 AM

Just a few which haven’t been mentioned.

MVPS is a great hosts file.

For DNS, dnscache asks the local tinydns about facebook.com, doubleclick.net and various other stalker domains, receiving NXDOMAIN.

Each time FF is loaded, a wrapper script removes ~/.mozilla and replaces it with a clean backup. This effectively prevents both FF-based malware and all possible persistent tracking.
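An added example of the wrapper approach described in this comment (not the commenter’s own script): it replaces the profile tree with a copy of a clean backup, refuses to run while Firefox still holds the profile open, and only then launches the browser. The paths ~/.mozilla and ~/.mozilla.clean and the .parentlock lock-file name are assumptions; the demo runs on temporary directories with constructed files.

```python
"""Restore a clean Firefox profile from a backup before every launch.

Added example, not the commenter's script. Assumed paths: PROFILE is
~/.mozilla (as in the comment) and BACKUP is ~/.mozilla.clean, a copy taken
once after the browser was configured and before it visited anything.
.parentlock is the lock file Firefox leaves inside an open profile on Linux;
wiping a live profile is pointless because Firefox rewrites it on exit.
"""
import os
import shutil
import subprocess
import sys
import tempfile

PROFILE = os.path.expanduser("~/.mozilla")        # assumption, as in the comment
BACKUP = os.path.expanduser("~/.mozilla.clean")   # assumption: your clean copy


def profile_in_use(profile_dir):
    """True if a running Firefox holds a lock anywhere under the profile tree."""
    for _, _, files in os.walk(profile_dir):
        if ".parentlock" in files:
            return True
    return False


def reset_profile(profile_dir, backup_dir):
    """Replace profile_dir with a fresh copy of backup_dir and return the
    sorted list of files now present, relative to the profile root."""
    if not os.path.isdir(backup_dir):
        raise FileNotFoundError(f"clean backup missing: {backup_dir}")
    if os.path.isdir(profile_dir) and profile_in_use(profile_dir):
        raise RuntimeError("Firefox is running; close it before resetting")
    # Delete the used tree wholesale (cookies, cache, sessionstore, extension
    # state) instead of trying to clean individual files.
    if os.path.islink(profile_dir):
        os.unlink(profile_dir)
    elif os.path.exists(profile_dir):
        shutil.rmtree(profile_dir)
    shutil.copytree(backup_dir, profile_dir, symlinks=True)
    present = []
    for root, _, files in os.walk(profile_dir):
        for name in files:
            present.append(os.path.relpath(os.path.join(root, name), profile_dir))
    return sorted(present)


def _write(path, text):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo_reset():
    """Self-contained run on temporary directories: a clean backup holding
    prefs.js/user.js, and a used profile that has grown cookies.sqlite and
    sessionstore.js. Returns the file list after the reset."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "mozilla.clean", "firefox", "abc.default")
        profile = os.path.join(tmp, "mozilla", "firefox", "abc.default")
        os.makedirs(backup)
        os.makedirs(profile)
        for name in ("prefs.js", "user.js"):
            _write(os.path.join(backup, name), "// constructed clean profile\n")
        for name in ("prefs.js", "cookies.sqlite", "sessionstore.js"):
            _write(os.path.join(profile, name), "constructed used profile\n")
        return reset_profile(os.path.join(tmp, "mozilla"),
                             os.path.join(tmp, "mozilla.clean"))


def demo_lock_detection():
    """Show the guard: a profile containing .parentlock counts as in use."""
    with tempfile.TemporaryDirectory() as tmp:
        before = profile_in_use(tmp)
        _write(os.path.join(tmp, ".parentlock"), "")
        return before, profile_in_use(tmp)


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--demo":
        print(demo_reset(), demo_lock_detection())
    else:
        reset_profile(PROFILE, BACKUP)
        sys.exit(subprocess.call(["firefox", *sys.argv[1:]]))
```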

CBM June 6, 2012 11:55 AM

One Firefox add-on I have not seen posted yet is “ShareMeNot.” It blocks cookies sent by Facebook “like” buttons and Google+ “+1” buttons.

Tinfoil 2.0 June 6, 2012 11:58 AM

Aside from the multiple browsers, browser extensions, Tor, VPN-Proxies, hosts file, router blocking, etc. that have already been mentioned, one other option with a defense-in-depth strategy is DNS.

OpenDNS allows 25 domains blocked with a free (easily anonymous) account, more with a paid account (which can still be anonymous). Of course you have to trust OpenDNS with your (dynamic) IP address, but they appear to be quite trustworthy – and it’s certainly better than trusting your ISP in most cases.

There’s also a beta option of encrypted DNS queries to thwart ISP / shared access DNS sniffing.

Or, roll your own DNS.

cipherpunk June 6, 2012 12:25 PM

I think another question to ask is whether these solutions that are being suggested have been thoroughly analyzed. Can it be proven that these plugins are not collecting data on end-users while proclaiming to “safeguard” the end-user? Definitely some serious blind trust is given while installing these plug-ins.

Mark von Übelgarten June 6, 2012 12:36 PM

My privacy policy: FlashBlock, delete all cookies when firefox is closed, block flash cookies (chmod 500 ~/.macromedia), and a very strict custom AdBlock blacklist to which I also added Google Analytics, Google Plus, Facebook CDN, Twitter, and all other major “social buttons” and “Share this” offenders, preventing third-party sites from loading any content from them. This seems to avoid a lot of data exfiltration.

Mark von Übelgarten June 6, 2012 12:45 PM

Also I forgot: no third-party cookies (this breaks these Disqus-like stupid comment systems, but almost all sites using them are not worth a comment, and I use exceptions for the few that are).

For people blocking Flash cookies with filesystem permissions, as I cited in the previous comment, remember to first delete all the content of ~/.macromedia (i.e. rm -rf ~/.macromedia ; mkdir ~/.macromedia; chmod 500 ~/.macromedia).

Dirk Praet June 6, 2012 1:02 PM

@ Cipherpunk

Can it be proven that these plugins are not collecting data on end-users while proclaiming to “safeguard” the end-user?

Probably not, but that’s a matter of trust and reputation. When in doubt, use a vanilla stock browser without any add-ons, and from a vendor who isn’t known for being in bed with the US or other governments. Then sign up for a paid VPN and go through Tor. For the really paranoid: use a nym account to retrieve web pages by email and through a chain of remailers have them sent encrypted to the alt.anonymous.messages newsgroup. Or use wget in combination with proxy chains/tor tunnel. Add an additional level of protection by hijacking the wifi connection of your stepmother’s neighbour.

Martin June 6, 2012 1:09 PM

I use adblock, https everywhere, flash block and ghostery.

Might seem paranoid, but with only deleting cookies upon browser restart the man would still get a day’s worth of tracking data. And I like cookies on pages that I trust.

I would love to be able to have a similar setup for Android, but since there are no (usable) plugin-ready browsers I have to use AdFree-Android, which only works on some devices.

Civil Libertarian June 6, 2012 2:01 PM

Firefox with:
Adblock Plus (with the fanboy lists)
BetterPrivacy
HTTPS-Everywhere
OptimizeGoogle (though by default I use DuckDuckGo)
NoScript
ShareMeNot
User Agent Switcher

Referer disabled via Web Developer Toolbar
Do Not Track enabled
Delete history when closing
Reject 3rd party cookies, prompt to accept 1st party — those are permitted only for the current session
A little DOS script that runs at startup to delete all Flash cookies

Separate browser installation for online banking

KeeFox helps me stay sane while using unique & strong site pws

Router configured to use VPN and OpenDNS

Jann Horn June 6, 2012 2:05 PM

I’m using a little proxy I wrote myself, you can find it at https://github.com/thejh/inceptroxy . It can’t filter HTTPS (obviously) and it’s somewhat unstable, but it works relatively well (blocks requests to blacklisted domains and tags containing certain strings). Also, it displays the requested URLs on the console, with a color depending on whether requests were blocked or not.

@Martin Maybe it’d be worth a try to run it on an android device and use a proxy-forcing app? I have one, too, I think I’ll try that soon.

IcanCu June 6, 2012 2:23 PM

With Firefox I use Greasemonkey to block the Google tracking links, HTTPS Everywhere, and RefControl so when a URL is clicked the site owner only gets itself as the origin of the click. Plus some that probably overlap: ShareMeNot, Ghostery, PrivacyChoiceTracker Blocker.

And click the Do Not Track option and use FF permanently in incognito.

CookieMonster + GoogleSharing

The most help I find to be the Multifox identity profile. So I keep any login to Googlemail in a separate identity from my Google search engine use.

All browsers should isolate any new tab, so logins in one tab cannot be used for related tracking in another tab.

ER June 6, 2012 2:36 PM

Love Ghostery, which I use with
NoScript
AdBlockPlus
BetterPrivacy (deletion set to 1 second, depending on computer)
Request Policy
Flashblock
HTTPS Everywhere
HTTPS Finder
Browser setting(depending computer) cookies not accepted except for “Exceptions” allowed for session
Use proxies/VPN as needed (depending on computer – different computers, different tasks)

Bryan W June 6, 2012 2:49 PM

I’ve installed BeefTaco (provides >100 cookies for many trackers specifying opt-out), NoScript (allowing me to selectively enable javascript), and BetterPrivacy (control Flash cookies, delete on exit).

Then, to start with, and periodically afterwards, I add to my /etc/hosts file any DNS name supplied by BeefTaco. I also periodically review accumulated cookies, and add other DNS names from cookies I determine to be trackers. Then I delete, and allow BeefTaco to repopulate its opt-out cookies. The only drag is that I don’t have an automatic process for removing the BeefTaco/previously-processed cookies from (re)consideration during my periodic cookie audits.

When browsing, NoScript starts off with javascript disabled for ‘most everything IIRC. I selectively turn on NoScript’s javascript permissions as needed. This also has the side effect of reducing the likelihood of infecting my computer.

Lastly, my home page is set to about:blank — no need to notify MSN or google or whoever whenever I start my browser.

All of this has the additional side-effect that many ads are suppressed; not my intention, but I’m not complaining 🙂

hard working web dev June 6, 2012 4:07 PM

So all you folks pay for all that content you consume ad-free all the time? Because certainly security-minded people wouldn’t violate the social contract implied in all the content that people like me give you for free, right?

JRR June 6, 2012 4:15 PM

I use both, AdBlock and Ghostery. I used to use NoScript but it’s too much of a pain to get some sites working.

Tracker Watcher June 6, 2012 4:48 PM

Some research was actually done at Stanford on what is the most effective way to stop tracking, which included Ghostery.

http://cyberlaw.stanford.edu/node/6730

Ghostery is pretty good but the very best seems to be a combination of a few open source lists loaded in AdBlock.

Evidon’s business model is to use Ghostery as a user panel to populate a DB of known trackers and their practices. They then monetize that asset. As for whether they are on the side of angels, well, read their blog post on MSFT’s decision to turn DNT on by default and judge for yourself.

http://blog.evidon.com/2012/06/04/on-ie10/

Daniel June 6, 2012 4:54 PM

@trackerwatcher.

I’m not sure there is a dime’s worth of difference in this discussion.

MS wants do not track on by default.
Ghostery wants it off by default.

Note that on the options page of Ghostery there is an option to select all trackers and turn them off.

So are we really going to fight over the click of a button? As an end-user in this debate I can’t see how five seconds of my time one way or the other is worth having a tizzy fit over.

Ghostery may not be “on the side of the angels” but they aren’t any devil in my book either.

time flies like a banana June 6, 2012 4:59 PM

@hard working web dev: So all you folks pay for all that content you consume ad-free all the time?

What social contract are you talking about? The one where you are so secretive about the price that you extract from us that it is actually impossible for us to calculate it? What kind of contract is that?

Yes, for myself, I have donated to websites that I approve of.

You mention adverts and content as if that was all that need be considered. But it’s the tracking that comes with the ads which is most controversial. Separate the ads from the tracking and you might have a business model with longevity.

I use duckduckgo search engine. I do in fact click their ads, because rightly or wrongly I trust them not to exploit me in sneaky ways behind my back.

Think about it.

Civil Libertarian June 6, 2012 5:01 PM

@hard working web dev
So all you folks pay for all that content you consume ad-free all the time? Because certainly security-minded people wouldn’t violate the social contract implied in all the content that people like me give you for free, right?

You deliver content to me presumably in exchange for the extraction of my online profile and probably personally identifiable information — an arrangement in which I have no opportunity to negotiate the deal. There is no “social contract” here; we only have the fine-print, take-it-or-leave-it contract that you dictate and often don’t even disclose. If you are willing to negotiate reasonable terms, and be transparent about what you do with my information (property), I bet we can meet in the middle. In the meantime, I meet your one-sided business model with a one-sided business-blocking model.

P.S. I’m a hardworking web dev too. One who accepts projects only from responsible clients who respect their customers.

Brandon June 6, 2012 5:21 PM

I guess this is a tangent / rant, and not answering the question posted by the author, but …

While it’s interesting the hoops we’ve chosen to jump through and the diverse, brilliant, complicated solutions we’ve found … it’s frankly rather sad at the same time. In some ways I suspect it frankly doesn’t matter because while we do all this, we’re also not normal. Sure, we’re more secure than our grannies, cousins, and neighbors, but if 99.95% of the world is insecure or doesn’t know what’s going on, that doesn’t leave me hopeful.

It’s not a matter of education, either. You can’t tell me you’re going to educate even 50% of internet users about the finer points of cookies, https, certificates, etc … and that’s just a start. How many VCRs just sat there blinking 12:00 all the time? I know that’s a dated question, but it proves the point all the same.

Dirk Praet June 6, 2012 5:23 PM

@ stvs

Muchas gracias for the Privoxy match-all.action config. Excellent idea to spoof your UA with an iPad passport.

bugmenot June 6, 2012 5:33 PM

Never register at websites using your actual email address. Always use a disposable email provided by mailinator.com. It used to be that bugmenot.com-provided registrations worked, but a lot of registration required sites became wise, and block bugmenot. But disposable email addresses are a great way of protecting your online privacy and avoiding spam.

PJO June 6, 2012 6:38 PM

I don’t have time to read all this but it looks like there’s good advice here, much of it is familiar but not all.

I have been followed around the web lately by adverts targeting a woman of 55 and an expatriate. Wrong on all counts, though I did recently move country. I am not sure where this came from, but I have decided to add to the confusion when I can by polluting the data. This is easier than trying to nail down everything, living a paranoid life.

I do use many of the things listed above.

Mangix June 6, 2012 6:46 PM

I use AdBlock as well as ScriptNo on Google Chrome. I also block third-party cookies (setting found in Chrome’s settings). Also I set plugins to click-to-play (again in Chrome’s settings).

Tracker Watcher June 6, 2012 6:46 PM

@ Daniel

You assume that every user is knowledgeable about implementing browser options like you, me and everyone else in this thread. My 13 year old daughter doesn’t even know that there is a button to turn on or off.

To me there is a huge difference between opting out by default and opting in by default. The latter is the world we live in today and the average user doesn’t even know it.

Omar June 6, 2012 8:06 PM

I use Linux Mint with Firefox. I use LastPass, HTTPS Everywhere, AdBlock and Ghostery. I have Do Not Track checked and always have private browsing set. I also have Geo Location disabled: go to about:config, type geo in the search box, then double-click on geo.enabled to make it false. I know this works because Facebook and other social websites report my location 300-500 miles from where I really am.

I use Live Linux CDs or VMs to do my banking and pay bills.

jammit June 6, 2012 8:12 PM

Take this with a grain of salt (like Linkedin should have done):
I’ve been using a few plugins plus Collusion for a while. I just heard about Ghostery a few days ago and thought I’d give it a try, but first I wanted some sort of baseline. Before I installed Ghostery I opened Collusion and cleared it. Then I decided to open all of my favorites at the same time. After they loaded in I looked at Collusion to see what sites were sharing stuff. I then cleared Collusion, installed Ghostery, and re-opened all of my favorites at the same time again. This time Collusion showed even fewer sites sharing data.

Steve Shockley June 6, 2012 8:22 PM

IMO Adblock Plus is in the process of jumping the shark. They whitelist too much by default, and are now setting up a model where ad networks can buy whitelisting (https://adblockplus.org/en/acceptable-ads). The author tried to sneak it in, too, but people noticed. I’ll keep using it until one of the forks takes over, but now I have to go over the whitelists on every update.

I also use Ghostery, and block Flash cookies by setting Deny perms on the folder used to store them (I forget the folder offhand). I run the bleeding-edge version of Firefox though, so I’m probably nearly unique based on my browser string. I also use Privoxy for apps that use IE to render.

Thanks above for the tip about RequestPolicy, that looks interesting.

Jenny Juno June 6, 2012 10:01 PM

Don’t forget RefControl which lets you zero-out or spoof the referring URL that your browser ordinarily sends to tell the webserver what page you were on previously.

As a secondary benefit, setting RefControl to spoof the referrer as google.com will let you bypass a lot of paywalls.

Nick P June 6, 2012 11:05 PM

I appreciate everyone’s comments and suggestions. I might add Ghostery to my list. I typically use Firefox, Adblock+, NoScript & SSLEverywhere. (Some things I’m probably forgetting, too.)

I switched to Chrome on Linux because Google is the only group that will be maintaining Flash on Linux, AFAIK.

John David Galt June 6, 2012 11:54 PM

I use several: Ghostery, BetterPrivacy, Beef Taco, DoNotTrackPlus, ShareMeNot, and my favorite, RequestPolicy.

RequestPolicy is the one everyone should use. It lets you view a web page while disabling some or all (all by default) of its external references. Pages that are so heaped with ads and junk that it takes 10 minutes to load them load much faster with RequestPolicy. The only drawback is that you have to tell it which references are OK the first time you visit each site.

Not that I’m against all ads, but after all, my time and connection belong to me, not the advertisers.

NoScript Forum Thread June 7, 2012 12:08 AM

The NoScript Support Forum had an entire (O/T) thread discussing the many possible methods of increasing security and privacy, aside from NoScript itself. It got a little O/T to itself after a while, but should make interesting reading for all here, including Bruce. Link is in the “Name” field here.

Those who think that ScriptNo is a sufficient substitute for NoScript may be unpleasantly surprised at the developer’s comparison of the various wanna-be’s. Not sure if allowed to link inside messages here, so sanitized, it’s

forums.informaction dot com/viewtopic.php?f=8&t=7020

FUD June 7, 2012 1:01 AM

@Steve Shockley, most of what you claim about AdBlock Plus is false. The release announcement for version 2.0 mentioned the change to allow non-intrusive advertising. The first-run page mentions it in bold and even links to the preferences dialog where you can turn it off. There’s only one whitelist, and the setting sticks across upgrades. (Maybe your problems are with third-party lists? Not the developers’ fault.) Whitelisting is currently free, although in the future companies may have to pay in addition to following the rules.

greg June 7, 2012 2:02 AM

Important to note that having supposedly privacy enhancing stuff like adblock, flashblock and AVG do not track may not help that much. Apparently.

I just went to the panopticlick thing linked to above in a comment, and it tells me my browser, which has all those things listed above installed, leaks 21.8 bits of info already. Combined with my IP that’s plenty to uniquely identify me (for short term use, fingerprints change over time).

When I installed noscript just now though it goes down to 12.5, interesting.

Apparently most privacy enhancing stuff sucks lumps. We need a project to get something worked out, a little plugin for firefox, that actually works, maybe a little control panel that lets you see what’s enabled what’s not, current sites actively tracking you (since you will need to enable cookies etc. sometimes) and the total number of bits you’re leaking to account for passive tracking.

walter June 7, 2012 2:11 AM

I was looking at Ghostery and other plugins for tracking and ad block about a year ago. I noticed that Ghostery used to be open source, but now it is no longer open source. I saw that it was owned by a company called Evidon (another commenter says Ghostery was sold to company called Better Advertising). It seems like Evidon was collecting data which they claimed to be anonymized about people’s privacy desires for business intelligence. This all seems sketchy to me.

EvilGenius June 7, 2012 2:37 AM

I use Firefox with :
* NoScript (block javascript & xss)
* AdBlockPlus (block ads)
* Ghostery (block trackers)
* CookieCuller (cookie manager)
* BetterPrivacy (LSO manager)
* HTTPSEverywhere (makes sure you use https where possible)

Perseids June 7, 2012 3:38 AM

NoScript + FlashBlock + a shell script to remove the Flash directory in my home folder (flash cookies).

@Tracker Watcher
I actually got my parents to use NoScript (although they do not use it as effectively as you could if you actually knew how it works). Nonetheless, I totally agree with your point.

nwm June 7, 2012 3:48 AM

I want to emphasize Disconnect (the others have been mentioned often enough), as it is in my experience the best way to remove the visual privacy invasions like the omnipresent “like” buttons.

I use it in combination with Ghostery and ABP, on Chrome.

NZ June 7, 2012 3:56 AM

My five cents:
Certificate Patrol
Flashblock
Ghostery (block everything by default, delete Silverlight and Flash cookies)
HTTPS-Everywhere (development version, enabled some rules which are off by default)
Perspectives

Dave Page June 7, 2012 4:20 AM

I don’t know much about Mozilla extensions, but given that Ghostery is proprietary software, has anybody been able to audit its functionality and make sure it’s not doing anything underhanded?

Winter June 7, 2012 5:59 AM

Here is some CEOspeak why Better Advertising bought Ghostery. It does not really make me any wiser. Maybe simply refusing calls to third party sites would be better.

http://blog.evidon.com/2010/01/19/better-advertising-acquires-ghostery/

Why did we buy Ghostery?
Better Advertising will use data shared voluntarily by Ghostery users to understand the compliance and non-compliance of companies with the industry’s self regulatory principles. With Ghostery, Better Advertising can provide companies and industry associations with a complete view of OBA usage. This makes complying easier for companies, and furthers our mission of providing a more transparent, trusted environment for consumers and advertisers.

qwerty June 7, 2012 6:38 AM

“Ghostery is proprietary software”

And there, my friends, is the deal breaker.

Go open, always.

Grr June 7, 2012 9:26 AM

Note that Ghostery doesn’t work consistently in Chrome. Chrome makes any sort of blocking very difficult. I wouldn’t trust anything but a proxy at this point.

-B June 7, 2012 9:45 AM

AdBlocker+ and NoScript user here, too. I also edit my HOSTS file to nul for many of the known tracking sites.

123 June 7, 2012 9:47 AM

If you just want to protect your privacy against the most common commercial spies, I guess Ghostery is enough. I used to use NoScript too, but unlike Ghostery it really makes you less productive because you spend a lot of time dealing with whitelisting sites, because not allowing any JavaScript simply breaks a lot of them.

Sure, it offers more security and privacy, but I had the usual problem that you end up whitelisting too much because you can’t really figure out which scripts are legitimate and which might be harmful. And given the fact that JavaScript is just an essential web technology nowadays, it’s probably going to become even harder to figure out which scripts you need to use a website properly.

It’s a trade-off. I think Ghostery and AdBlock+, BetterPrivacy for flash cookies and HTTPS-Everywhere increase your privacy at a low cost of functionality.

-B June 7, 2012 9:49 AM

Oh yeah… and I enable Do Not Track as well as use LastPass for password management (more secure than letting ANY browser save your ID/PW combos).

-B June 7, 2012 9:58 AM

“So all you folks pay for all that content you consume ad-free all the time? Because certainly security-minded people wouldn’t violate the social contract implied in all the content that people like me give you for free, right?”

As others have said, advertise to me without tracking me. Then make those ads quick and fast to load (no flash, et al) so they don’t impact the performance of my on-line work. Once you get those 2 issues under control, then we can talk “contracts”.

Doug June 7, 2012 10:41 AM

I gave up on Firefox after Mozilla went on the arrogant, nutty rapid release cycle and started hiding version numbers. There’s no way to QA code that fast – breaks far too many things, and who knows how many new zero-day exploits are created.

zeruch June 7, 2012 11:00 AM

I have long been using NoScript/AdBlock/Flashblock/RIP (Remove it Permanently)

I added Ghostery recently and so far jury is out.

Mark June 7, 2012 12:05 PM

Since Ghostery and Add Block Plus are just about talked out by now, I thought I ought to mention that I’ve set my default search engine to DuckDuckGo. Their business model is centered around users who dislike the tracking that the major search engines do. I’ve been happy with it. The search results often seem a bit more usable and less cluttered than Google’s. Also the Android app ties in nicely with Android’s built in search.

sij June 7, 2012 1:05 PM

I have used ghostery, but I find that it greatly slows my browser performance, and continues to chew up CPU in the background. I have tried twice and given up on it both times for this reason.

I do use NoScript. It is more manual to use, but it works well and provides very fine-grained control over what you want to allow or block.

ajitaM June 7, 2012 3:44 PM

Ghostery is available for all popular browsers (IE, Opera, Firefox, Chrome and Safari).

Another option for blocking ADS and data leakage is to make a smart ruleset and packet fingerprints for an IDS/DPI firewall.

Alex June 7, 2012 7:01 PM

I use Ghostery, Adblock Plus, NoScript, HTTPS Everywhere and WOT… and Collusion still shows tracking cookies #fail

trapspam.honeypot June 7, 2012 7:52 PM

AskForSanitize
BetterPrivacy
Ghostery
HTTPS-Everywhere
WOT
(Used Beef Taco Now Conflicts With Ghostery In Firefox 15 and 16 vers.)
PurgeFox
PurgeIEPro
CCleaner
EasyCleaner
Evidence Eliminator (beta tester from ver 1.0)
FlushDNSCache
Unlocker
FileAssassin
WinPatrol Pro

Firewall and Antivirus

MustBeDoingSomethingRight June 7, 2012 9:59 PM

@ Gábor Gulyás:

I tried the test you linked. With NoScript in its usual default-deny mode, the test wouldn’t even start. So, much sniffing is done via scripting. Minimise the whitelist as much as possible, and minimise temporary permissions also.

Then I temporarily allowed the site’s scripting. It started the test, and got only this far:

Loading script, initialising…

Collecting general attributes…

Detecting installed fonts…

and stopped there.

NoScript showed a blocked Flash object. So, this must be necessary for maximum sniffing as well. Therefore, use NoScript’s default-deny policy on Flash and other plug-ins, even at whitelisted sites.

Note to those using FlashBlock: It’s redundant to NoScript’s Flash-blocking capability, and may cause conflicts between the two.

Then I temporarily allowed the Flash object and re-started the test. It still stalled out at the same point. End of test.

Apparently, whatever I’m doing is preventing the fingerprint test from succeeding.

One interesting piece of comment in the code of their fontdetect.js:


“* Actual function that does all the work. Returns an array with all the info.
 * This test will fail for the font set as the default serif font.”


Conclusion: Use the default serif font.

Anyway, I’ve been sitting here for 20 minutes, and the test is dead in the water.

tOM Trottier June 8, 2012 2:03 AM

Ironically, http://fingerprint.pet-portal.eu/index.php doesn’t work without turning on javascript, nor can you tell them about it without javascript on…

A good hosts file protects all browsers, and Spybot Search and Destroy adds more sites to protect from as well as crunching some cookies and addons.

Other firefox addons to consider are:
– “redirect remover” which takes away some site cloaking;
– “refcontrol” which controls what firefox tells destination sites about what page you are coming from

And as well as antivirus and anti-rootkit stuff, you might want to consider Autoruns from Windows Sysinternals to check what starts automatically, and Winpatrol to actually control that. Internet security is more than just a browser addon.

Gábor Gulyás June 8, 2012 2:41 AM

Thanks for the feedback.

The Cross-Browser Fingerprint test is an experiment, therefore it may contain errors, and your bug reports/feedback are very appreciated.

Our test focuses on exploiting the font list as its main entropy source, and it relies on JavaScript solely. (If the tester allows, it uses evercookie to link fingerprints – this is where Flash is loaded. However, it should not stop there: please send us related bug reports!)

@MustBeDoingSomethingRight:
Using generic fonts only works well against font based fingerprinting (until you allow a Flash or a Java object which can list your fonts directly), but this leads to pretty bad user experience. Try it out for yourself, you can find a related checkbox in the Firefox settings window. This setting is also enabled in JondoFox by default.

malcolm June 8, 2012 5:55 AM

Flashblock of course, don’t want to load anything unless I might want to see it.
I’ve been using Adblock for years. I noticed firefox waiting for a reply from google-analytics, so I blocked that as well, to speed up page loads.
And other analytic sites, anytime I saw firefox waiting for them.
Then I installed ghostery: more cookies & 1-pixel images to not download.
Out of curiosity, I installed donottrack plus, and was pleased to see how much useless overhead is being blocked by that.
I tried noscript, but that blocked so much stuff by default that instead, any time a page has annoying features, I search out the offending script and block it with Adblock. Privacy is one thing, but my primary concern is to get web pages without all the crud and overheads.

Jamie June 8, 2012 6:13 AM

I use:

All browser history, cache, cookies etc deleted when I close Firefox.

NoScript

RequestPolicy (this addon alone pretty much reduces ABP to being a second line of defence)

Adblock Plus. Without any “acceptable ads” being allowed.

Web Developer Toolbar (solely for the Disable Referrers functionality)

A Hosts file, 127.0.0.1-ing quite a lot of domains – mainly in case I need to switch to another browser, which won’t of course be protected by my FF addons. And it acts as a third line of defence.

CookieMonster, allowing only the cookies I whitelist.(Firefox is also set to delete all cookies as soon as I close it)

I’ve also got a shell script which clears/deletes/VACUUM/REINDEXes a lot of Firefox’s sqlite databases when I boot up, and then deletes any Adobe and Macromedia folders that might store Flash cookies before replacing them with read-only folders with identical names.

Also HTTPS-Everywhere, and View Dependencies turns out to be helpful in finding out what obfuscated domain a tracker has been trying to come in from.

Finally, several tweaks to about:config – too many to list here, but geo.enabled should be set to false, as should IMO browser.urlbar.trimURLs.
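Jamie’s boot-time cleanup, written out as a runnable Python version rather than a shell script. This is an added example, not Jamie’s own script or anything from the Firefox project: the history table name, the Flash folder names (.adobe, .macromedia, the usual ones on Linux) and the sample profile it builds in a temporary directory are constructed stand-ins. It shows the two steps the comment describes: emptying a SQLite table and then VACUUM/REINDEX so the deleted rows do not linger as free pages, and replacing the Flash storage folders with empty read-only directories of the same name.

```python
import os
import re
import shutil
import sqlite3
import stat
import tempfile
from pathlib import Path

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def purge_table(db_path, table):
    """Delete every row of `table`, then VACUUM and REINDEX so the old rows
    do not survive as free pages inside the file. Returns (rows before,
    rows after, bytes before, bytes after)."""
    if not IDENT.match(table):
        raise ValueError(f"unexpected table name: {table!r}")
    size_before = os.path.getsize(db_path)
    # isolation_level=None means autocommit; VACUUM refuses to run inside a transaction.
    con = sqlite3.connect(db_path, isolation_level=None)
    try:
        (rows_before,) = con.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()
        con.execute(f'DELETE FROM "{table}"')
        con.execute("VACUUM")
        con.execute("REINDEX")
        (rows_after,) = con.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()
    finally:
        con.close()
    return rows_before, rows_after, size_before, os.path.getsize(db_path)


def neutralize_lso_dirs(home, names=(".adobe", ".macromedia")):
    """Remove Flash's LSO storage folders and recreate each as an empty,
    read-only directory of the same name, so the plugin cannot write new
    flash cookies there. The folder names are the usual Linux ones (assumed)."""
    modes = {}
    for name in names:
        target = Path(home) / name
        if target.is_symlink() or target.is_file():
            target.unlink()
        elif target.is_dir():
            target.chmod(0o755)          # an earlier run may have left it read-only
            shutil.rmtree(target)
        target.mkdir()
        target.chmod(0o555)              # r-x only: no new files can be created inside
        modes[name] = stat.S_IMODE(target.stat().st_mode)
    return modes


def demo():
    """Build a throwaway profile with a populated history table and a Flash
    folder holding a fake LSO, run both steps, and report what happened."""
    work = Path(tempfile.mkdtemp(prefix="ff-cleanup-"))
    try:
        db = work / "places.sqlite"   # constructed stand-in for Firefox's history database
        con = sqlite3.connect(db)
        con.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT)")
        con.executemany("INSERT INTO moz_places (url) VALUES (?)",
                        [(f"https://site{i}.example/" + "x" * 200,) for i in range(500)])
        con.commit()
        con.close()
        lso = work / ".macromedia" / "Flash_Player" / "#SharedObjects"
        lso.mkdir(parents=True)
        (lso / "tracker.sol").write_bytes(b"constructed flash cookie")

        rows_before, rows_after, size_before, size_after = purge_table(db, "moz_places")
        modes = neutralize_lso_dirs(work, names=(".adobe", ".macromedia"))
        return {
            "rows_before": rows_before,
            "rows_after": rows_after,
            "shrunk": size_after < size_before,
            "lso_modes": modes,
            "lso_empty": all(not list((work / n).iterdir()) for n in modes),
        }
    finally:
        for n in (".adobe", ".macromedia"):
            if (work / n).is_dir():
                (work / n).chmod(0o755)   # make the placeholders deletable again
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add: the read-only folder only stops a process running as the ordinary user, and VACUUM rewrites the whole file, so the old pages may still be recoverable from the disk’s free space unless the filesystem overwrites them.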

Anonymous hero June 8, 2012 7:28 AM

I use Firefox, configured to delete all persistence each time I exit. To fill in the gaps, I use ghostery (to prevent trackers from loading) and betterprivacy (to clean up Flash LSOs). When Internet banking, I close browser, reopen, bank, close. No problems with any of this, except for sites which depend on features that ghostery blocks.

One thing I noticed using great addons like NoRedirect, which prompts me before letting the browser redirect, is that it causes dropped sessions on banking sites, Google. I assume this is because those sites are using Silvertail (q.v.) or similar, and the delay makes it suspect tampering and drop the session.

sheenyglass June 8, 2012 1:19 PM

CookieCuller, mentioned above is nice in that it allows you to whitelist particular cookies (not just sites) so, for example, I can whitelist the cookie which marks my computer as authorized for google’s two-step authentication without whitelisting all google cookies. The downside to this approach is that it requires a bit of poking around and trial and error for opaquely named cookies (Protip: look at the expiration date for the cookie to narrow the field). But if you are using something like lastpass to autofill your passwords, that will take the edge off the site login hassle, so you only have to do this for a few sites.

Also I use
-Ghostery (quick comparison using a few sites with one enabled and the other disabled, had Ghostery block everything DoNotTrack+ did, while DNT+ blocked about 80% of what Ghostery did).
-Adblock+
-noscript (the temporary permission feature makes it usable in the wild, especially once you learn what you need to enable and what you don’t have to)
-https everywhere
-flashblock
-betterprivacy (no LSOs)

Spellucci June 8, 2012 6:58 PM

I unplug my router, turn off the firewall on my tower, and plug it directly into the cable modem to see how fast the tower is taken over and turned into a bot. Oops, sorry. Off topic.

JohnP June 8, 2012 7:32 PM

I do multiple things. As security isn’t a 1-thing only solution, neither is privacy.
* I use Linux for web browsing. No MS-Windows.
For Firefox – my day to day browser:
* router blocks about 12K ad-network hosts, but those filters don’t help when I’m out like the /etc/hosts file does.
* /etc/hosts – about 12K entries on all devices. It is amazing how much this actually blocks, even an old one. Blocking facebook.net/.com is fantastic!
* NoScript – on by default. Whenever a website starts adding ad-networks I don’t allow them. A few Gawker sites have gotten so bad that I can’t log in there anymore. Oh well – I was a starred commenter and wrote a few articles for Lifehacker – too bad. NoScript doesn’t just block Javascript. It blocks Java AND Flash too.
* AdBlock Plus – Most ads don’t get seen anyway, thanks to NoScript, but is my belt.
* I use Chromium inside a banking-only VM. This VM is never used for anything except banking and to access brokerage accounts. I type in the URL.
* Email is 7-bit ASCII text filtered.
* My email server blocks most attachments. Anyone who really needs to send an attachment can change the extension to something else.

Then we all add in the common-sense parts to security.

I received yet another PayPal “limited account” email phisher today.
a) I don’t have a paypal account – perhaps I do, but it isn’t connected to a credit card or bank account of mine.
b) the attachment was a .pdf.html file – sure, paypal sends those out.
c) the “FROM” was from my personal domain. Not likely. I know how to spoof email FROM fields too.

You know I really wanted to click on that attachment, but didn’t have time to screw with those folks … by running a few sql-injection commands on their phishing DB.

qwerty June 9, 2012 2:18 AM

@SJ
Panopticlick simply measures how common your combination of browser, plugins etc. is, so because the Tor browser has a relatively small userbase, that’s why it conveys a relatively high number of bits of identifying information. But, the point of it is to make it impossible to tell different Tor browser users apart and to connect different tor browser sessions together. Purely using Panopticlick as a measure would mean it would probably be best to use something like IE6 on Windows XP, which being the most common configuration (I guess), would provide the fewest bits of identifying information. However I doubt many people would advocate that configuration for web privacy.
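The arithmetic behind the “bits of identifying information” that qwerty and greg are talking about, as an added worked example (not from any commenter or from the EFF’s own code). Panopticlick reports the surprisal of a fingerprint, -log2(p), where p is the share of visitors with the same combination. The population table below is constructed sample data, not real statistics; it is there to show why the commonest configuration carries the fewest bits, a configuration nobody else has carries log2(N), and how a measured figure like greg’s 21.8 bits translates into the size of the crowd you hide in.

```python
import math

# Constructed population of browser configurations (sample data, not real
# Panopticlick statistics). Each key is (browser, plugins, time zone) and the
# value is how many of the 1000 users share exactly that combination.
POPULATION = {
    ("IE6/WinXP", "flash", "UTC-5"): 600,
    ("Firefox/Win", "flash,java", "UTC-5"): 250,
    ("Firefox/Linux", "flash", "UTC+1"): 100,
    ("TorBrowser", "none", "UTC"): 40,
    ("Firefox-nightly/Linux", "none", "UTC+1"): 10,
}


def total_users(population=POPULATION):
    return sum(population.values())


def surprisal_bits(fingerprint, population=POPULATION):
    """Identifying information carried by a full fingerprint: -log2(p), where
    p is the share of users with exactly this combination. A combination
    nobody else has is counted once, so it carries log2(N) bits, enough to
    single out one user of N."""
    n = total_users(population)
    count = max(population.get(fingerprint, 0), 1)
    return -math.log2(count / n)


def attribute_bits(index, value, population=POPULATION):
    """Surprisal of a single attribute on its own, e.g. just the time zone."""
    n = total_users(population)
    count = sum(c for fp, c in population.items() if fp[index] == value)
    return -math.log2(max(count, 1) / n)


def anonymity_set(fingerprint, population=POPULATION):
    """How many users share this exact fingerprint: the crowd you hide in."""
    return population.get(fingerprint, 0)


def bits_to_be_unique(population=POPULATION):
    """log2(N): a fingerprint with at least this many bits picks out one user
    of N. Compare a measured value against log2 of the population you care about."""
    return math.log2(total_users(population))


def crowd_size_for_bits(bits):
    """A fingerprint worth `bits` bits is shared by about 1 in 2**bits users,
    so 21.8 bits means roughly one in 3.6 million."""
    return 2 ** bits


if __name__ == "__main__":
    for fp in POPULATION:
        print(f"{fp[0]:<24} {surprisal_bits(fp):5.2f} bits, "
              f"anonymity set {anonymity_set(fp)}")
    print("bits needed to be unique here:", round(bits_to_be_unique(), 2))
    print("21.8 bits is one in", round(crowd_size_for_bits(21.8)))
```

Running it shows the ordering qwerty describes: the IE6/WinXP majority scores under one bit, Tor Browser several bits because its crowd is small, and the nightly build more still; but the anonymity set is the number that matters, and Tor Browser’s design goal is to make every one of its users land in the same set.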

MustBeDoingSomethingRight June 9, 2012 6:09 AM

@ Gábor Gulyás:

“Using generic fonts only works well against font based fingerprinting (until you allow a Flash or a Java object which can list your fonts directly), but this leads to pretty bad user experience. Try it out for yourself, you can find a related checkbox in the Firefox settings window. This setting is also enabled in JondoFox by default.”

I didn’t say that I used generic fonts. I tried it, and agree that pages look ugly. Please re-read what I quoted from the comments inside your own code for the fontdetect.js script:


“* Actual function that does all the work. Returns an array with all the info.
 * This test will fail for the font set as the default serif font.”


I read that to mean that it cannot detect the default serif font, or that if I leave the default serif font setting in the browser, the sniff fails. If I’ve misunderstood this code-comment, please explain, thanks.


Re:

“The Cross-Browser Fingerprint test is an experiment, therefore it may contain errors, and your bugreports/feedback are very appreciated.

“Our test focuses on exploiting the font list as its main entropy source, and it relies on JavaScript solely. (If the tester allows, it uses evercookie to link fingerprints – this is where Flash is loaded. However, it should not stop there: please send us related bugreports!)”

I don’t consider that a bug report. I could be mistaken, and I probably am, so please forgive me, but I believe the technical term is “defeated your POC”.
😉

blubb June 9, 2012 3:51 PM

Glad to see there are people using similar configurations. Now I wonder whether I should feel that I am less or even more paranoid.

I just don’t feel comfortable browsing without:
Firefox
+ BetterPrivacy (Flash Cookies/Storage)
+ RequestPolicy (Cross domain requests)
+ NoScript (Javascript, Flash, Java and more)
+ Setting to clear everything on exit
+ UserAgent Switcher
+ Certificate Patrol
+ Adblock Plus (not really needed with the above in use, so it is really only blocking the few ads left over)
+ a few GreaseMonkey Scripts (like no Google redirect or rewrite twitter to mobile so it works without javascript,…)
In fact those Addons are the main reason for staying with Firefox.

I’d say NoScript covers the most and is essential. Using NoScript and RequestPolicy, especially in conjunction, can be a bit tedious for random websurfing, but you also get to see some of the craziness behind the curtain.

valaki June 11, 2012 8:24 AM

AdBlock Plus
BetterPrivacy
BlendIn
CookieMonster
Ghostery
GoogleSharing
NoScript
Redirect Cleaner
RefControl
RequestPolicy
TrackMeNot

The problem is that there is a lot of overlapping features in the extensions above which makes the browser somewhat bloated and they also break the functionality of most websites at the first visit but most of the annoyances can be solved with whitelisting and configuring the extensions properly. So in the end, my browsing experience is acceptable for most of the websites. I would definitely be happy with a browser providing these features out of the box and in a better integrated way.

Ian Marsman June 11, 2012 11:36 PM

I use Adblock and Vanilla on Chrome, which allows me to get rid of cookies not on my whitelist on demand and also at configurable intervals.

Cowardly Anonymous June 13, 2012 12:22 AM

Request Policy [CSRF]
NoScript [XSS, click-jacking]
Certificate Patrol [MITM Certificates]
HTTPS Everywhere [SSL]
Cookie Monster [Cookie Block]
BetterPrivacy [LSO Cookie Block]

Paul H June 15, 2012 10:40 AM

One of the key things I have done for web privacy is to remove Adobe Flash from all the browsers but Chrome.

(Flash cookies are a lot more persistent than browser cookies, and cross domain too).

I use google products far more than I am comfortable with, but I’m working to reduce and sandbox my use of them.

From time to time Little Snitch (Mac OSX) will block a website’s attempt at tracking when it tries to connect to an unusual port. (e.g. not 80 or 443)

Arjen July 31, 2012 5:06 PM

I use Abine DoNotTrackPlus and that is much safer than Ghostery. Ghostery collects what you block/browse for the Advertisement Industry. Abine DoNotTrackPlus doesn’t.

tweakedffhatesnetstat August 6, 2012 8:17 AM

@hard working web dev
Internet would be nothing without Latin alphabet, Arabic numerals and USERS, connecting is not free, what about Internet with business people only?

Have installed Modify Headers, maybe going to FireGloves and ipFlood, hope they work well together, by now running AP, BP, GS, HE, NS, RP (more AP Pop-up, Disable clipboard manipulations, FoxyProxy), guess DownloadHelper and LivDic are off-topic, unfortunately couldn’t find a simple addon for KeyScrambler, Threatfire is updating fine BTW (Smart Update), have also blocked some netstated phone calls in Comodo (included AVG related), esetsmartinstaller for on-demand scans, regards.

Mike Edward Moras (e-sushi™) August 19, 2012 10:03 AM

Hey Bruce,

knowing you’re a pro on security, I’m wondering about your “general question”. Nevertheless, I’m able and willing to share some information about the two addons you mentioned/questioned:

  1. Adblock (plus) DOES NOT block every resource as you might expect it to do. In fact, it hides most stuff rather than blocking it. Besides this rather important security fact, you should remember that it’s made to “hide/block advertising” and not to “enhance security/privacy”.

From a security and privacy point of view, it should be noted that there are still DNS requests getting transmitted when using Adblock (Plus).

Also, it’s highly dependent on rules that are created by 3rd party community efforts. The quality of their work is directly related to the knowledge range of the contributors. From my experience, most of them are merely “ad-hunters”, yet far from real “privacy/security experts”.

  2. Now let’s talk about Ghostery.

If you take a look inside, you’ll quickly notice that Ghostery relies on the same “blocking” attempts as Adblock (plus) does.

Looking at the implemented filters (which get updates via the Ghostery website), anyone can see they don’t fight cookies either. What they do is block the most “well known” scripts out there with rules that can easily be translated to Adblock (plus) if you invest some time. But it is what it is: a “don’t load that resource” addon. Nothing more, nothing less.

The privacy impact of Ghostery is something completely different though, as it’s made to transmit hit-stats back to Ghostery (unless you explicitly opt-out of this). Fun thing is: even if you’ve opted out, some of that “aggregate data” is transferred as soon as the addon updates its rules.

I think this presents a privacy impact which is comparable to the impact the resources blocked by the addon would have.

Conclusion:

If you’re looking to really lock down tracking and protect your privacy, neither addon will do the job perfectly.

You’d have to think about blocking resources on a DNS level if you really want to lock down the “bad stuff”. I do and I know many out there doing the same.

Even a smart HOSTS file on your local machine can do wonders. But since there are subdomains which are bound to be “privacy impacting” too, you’ll want to implement something smarter which allows wildcards or regex while filtering DNS.

There are ample minimal but perfectly working local DNS-server and DNS-filter solutions out there to take a look at. Not only for Linux-based systems (which I think has the most coverage) but also on Windows.

Anyway, if you really want to use an addon to do the job, adblock (plus) will be the better choice. There’s nothing in Ghostery that Adblock (plus) won’t be able to cover, yet there are plenty of things Ghostery won’t block while Adblock (plus) enables you to nail it down.

Wrapping it up, I notice this has become a rather long comment… but I’m pretty sure you’ll appreciate some usable feedback from someone who not only knows his way around infosec, but has also “dived into the code” of the addons to analyze their functionality and potential ability to protect privacy and/or enhance security.

Best,

Mike
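Mike’s point about hosts files versus a filtering resolver, and the HOSTS-file setups -B, Jamie and JohnP describe, as an added example (not from any commenter, and not any real blocklist or DNS filter). The hosts file and the wildcard rules below are constructed sample data with a hypothetical rule syntax; the code shows why an exact-match hosts file stops `tracker.example` but lets `cdn3.tracker.example` through, while suffix (`*.`) and regex rules catch the whole family of names.

```python
import re

# Constructed hosts file in the form Jamie and JohnP describe (sample entries,
# not a real blocklist): each line points the listed names at 127.0.0.1 or
# 0.0.0.0 so the browser never reaches them.
HOSTS_FILE = """\
# constructed sample, not a real list
127.0.0.1   tracker.example
0.0.0.0     cdn.tracker.example  www.tracker.example   # several names per line
127.0.0.1   localhost
"""

# Constructed rules for a filtering resolver (hypothetical syntax, not any
# specific DNS filter's): "*.domain" covers the domain and every subdomain,
# a bare name matches only itself, "/.../" is a regular expression.
DNS_RULES = r"""
*.tracker.example
analytics.example
/^pixel[0-9]*\.ads\.example$/
"""


def parse_hosts(text):
    """Return the set of hostnames a hosts file points at a blackhole address."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0] in ("127.0.0.1", "0.0.0.0", "::1"):
            blocked.update(h.lower() for h in fields[1:])
    return blocked


def hosts_blocks(blocked, hostname):
    """A hosts file matches whole names only; there is no wildcard syntax,
    which is the limitation Mike points out."""
    return hostname.lower().rstrip(".") in blocked


def parse_dns_rules(text):
    exact, suffixes, regexes = set(), set(), []
    for line in text.splitlines():
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue
        if len(rule) > 2 and rule.startswith("/") and rule.endswith("/"):
            regexes.append(re.compile(rule[1:-1], re.IGNORECASE))
        elif rule.startswith("*."):
            suffixes.add(rule[2:].lower())
        else:
            exact.add(rule.lower())
    return exact, suffixes, regexes


def dns_blocks(rules, hostname):
    exact, suffixes, regexes = rules
    name = hostname.lower().rstrip(".")
    if name in exact:
        return True
    # Walk up the labels: cdn3.tracker.example, tracker.example, example
    labels = name.split(".")
    if any(".".join(labels[i:]) in suffixes for i in range(len(labels))):
        return True
    return any(r.search(name) for r in regexes)


def compare(hostnames, hosts_text=HOSTS_FILE, rules_text=DNS_RULES):
    """Map each name to (blocked by hosts file, blocked by DNS filter)."""
    blocked = parse_hosts(hosts_text)
    rules = parse_dns_rules(rules_text)
    return {h: (hosts_blocks(blocked, h), dns_blocks(rules, h)) for h in hostnames}


if __name__ == "__main__":
    names = ["tracker.example", "cdn.tracker.example", "cdn3.tracker.example",
             "analytics.example", "pixel42.ads.example", "example.org"]
    for name, (by_hosts, by_dns) in compare(names).items():
        print(f"{name:<22} hosts file: {by_hosts!s:<5} DNS filter: {by_dns}")
```

The suffix walk is the whole difference: a new subdomain costs the tracker nothing, but it costs the hosts-file user a new line. Note also that a hosts file, like any DNS-level block, stops the request only by name; the hidden-not-blocked behaviour Mike describes for Adblock Plus is a separate matter that no resolver setting changes.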

noid September 19, 2012 5:03 PM

Has anyone ever seriously looked into how Noscript comes with an ever greater number of clandestine whitelistings covering the worst stalking sites?

Just go to about:config in Firefox and filter for “noscript”. (Lately I’ve replaced all these URLs with 127.0.0.1 in one installation.) I’m not any longer guessing that author is playing honest with the public. First thing I do with every and any install of NoScript is try and retaliate by emptying noscript.mandatory and blacklisting noscript.net, informaction.com and maone.net, as well as the stalking sites included in the NS installation welcome page.

I’m not saying this helps with the really worst privacy breaches in NS, which you don’t get to see unless you browse NS’s own (addon) code. Not to mention scrutinizing it. Good question why I still use NS at all. Answer is it just speeds up my browsing “experience” and I’ve become sick of fretting about what it’s doing behind my back. Once I thought about writing an addon simply called “honesty”, specifically to contrast what I think about some personality traits of some addon developers. Too bad this rather turns out to be an arms race with big business at the other end if you don’t simply put up with all-passive-HTML web page reads. So there.

maxx January 1, 2013 10:20 AM

After a long period of using Ghostery, I just uninstalled it (and found this discussion as I want to understand better).

The reason I uninstalled Ghostery is that I happened to have wireshark open and I noticed that ‘something’ was connecting to an amazonaws server even when I was opening a new (empty) tab on my Firefox.

After some research, it was Ghostery connecting to l.ghostery.com and sending a GET for /api/page/?d=about%3Anewtab&l=83&s=0&ua=firefox&rnd=7780639 (numbers vary from time to time).
Pretty inoffensive query per se, but I don’t like to be tracked even when I open a new (empty!) tab.

Nick P January 1, 2013 11:27 AM

@ maxx

I believe that news articles after this one showed that Ghostery was spyware. An antispyware program spying on users is quite offensive indeed. 😉

V August 19, 2013 1:45 PM

@maxx

Vasily is right. Ghostery’s “GhostRank” module needs serious refurbishing. Un-check it or remove it and install these addons:

NoScript
RequestPolicy
Masking Agent
CleanLinks
OverBrite FF
OpenNIC Dns
DoNotTrackMe
Adblock Edge

max May 4, 2014 4:40 AM

Using Self-Destructing Cookies instead of Cookie Monster (my former favorite), because deleting cookies after closing all tabs for a site is even better.

max May 4, 2014 9:08 AM

By the way, all users of Firefox should be aware of the fact that Mozilla, the creator of Firefox, is intentionally exposing all users to malware by not implementing the plugin checker functionality directly into Firefox!

They even don’t care to respond to anyone telling them about that fact.

Does that ring a bell?

JJ December 29, 2015 9:23 PM

Ghostery’s database is becoming less effective, as tracking sites try to blend into obfuscated, constantly changing cloud URLs. Disabling javascript has some good effects, but not quite the same effect as Ghostery – in reducing tracking connections.

One thing to note about masquerading the user agent: the associated http-accept browser header has to be in sync with the user agent string. Many of the custom user agent extensions do not alter the http-accept browser header, causing the combination of the two disparate strings (linux versus windows, for instance) – to make a fingerprint that is practically unique. See panopticlick.eff.org to see what I mean.
