But why don’t you also do all this in a disposable VM? Then AFAIK only fingerprinting would work to track you and you don’t really need to block all those cookies. This is what I do (and this is why this topic was created in the first place).
Agree with you.
Is there no other simple way of disabling the Tor nextwork proxy on torbrwoser. Does anyone know which modifications the SecBrowser did?
But why don’t you also do all this in a disposable VM?
I do in part. Most of the non-login links work just fine via torbrowser.
It is actually very rare that I need to open something via
clearnet/firefox … I can’t even think of a recent example. Some US
news sites refuse to allow connection over Tor. In that case: f**k them,
I don’t need to read them.
dvm-anon --> whonix / torbrowser
dvm-clearnet --> kicksecure / firefox-esr + plugins
But there are a few use cases where I don’t worry about fingerprinting,
since I login anyway. So they have my name, address and credit card
number and I only use those sites in a dedicated qube … what
additional harm could fingerprinting do?
app-web --> github
app-work-web --> teams, webex, salesforce ... you get the idea
app-shopping --> amazon, instacart ... etc
app-streaming ---> prime video, disney+ ... etc
Besides in all of those I use the plugins outlined in my previous post.
I recommend researching them and what they do. Firefox also has some
fingerprinting protections but not as complete as torbrowser.
Then AFAIK only fingerprinting would work to track you and you don’t
really need to block all those cookies. This is what I do (and this
is why this topic was created in the first place).
That is only true if you open each link/site in a dedicated dispVM,
otherwise it’s tracking galore
Is there no other simple way of disabling the Tor nextwork proxy on
torbrwoser. Does anyone know which modifications the SecBrowser did?
Hi all. I think I’ve been more or less doing what others have described. I’ve broken my online “world” into 3 categories:
Sites where I always log in: A dedicated AppVM for each with Debian’s default Firefox-ESR with no plugins installed. They already know who I am and they already know what pages on their site I visit.
General browsing: Whonix with Tor Browser on Safest and accessibility refresh disabled. If a site doesn’t work, then (in general) it’s their problem and I move on.
In-between the above: This is the hardest case, to me. Sites where I occasionally log in, buy stuff, need to have scripting on, etc. These are always visited via a new DispVM for each. I have used Firefox-ESR, Firefox, Secbrowser, Tor Browser over clearnet, & sometimes Chromium. Haven’t done Kicksecure just 'cause I didn’t want another bit of complexity to manage. Also don’t do plugins, since they decrease anonymity and using DispVM I don’t worry so much about it being compromised. With Secbrowser deprecated, I’ll probably go back to Tor Browser over clearnet, Firefox, and Chromium (using whichever as the mood strikes - wouldn’t that make me harder to correlate?!)… I know Whonix says Chromium is more secuire, but again, in a DispVM does it matter that much?
Lastly, my threat model doesn’t include state actors, TLAs, etc. I’m too boring. Just believe in privacy and want to be identified when I want to be, not otherwise. And I really like DispVMs automatically getting rid of cookies, history, tmp, and everything else!
Appreciate any comments!
Do you also use many different GNU/Linux distributions as templateVMs: Arch Linux, Devuan, Ubuntu, different versions of Debian and Fedora, CentOS, Gentoo? They should all have different fingerprints (but I did not check them all).
I guess what you are doing already significantly increases the price to track you for the state actors.
P.S. Secbrowser has been deprecated.
You might want to look at Brave Browser (Chromium based but with strong
focus on tracking prevention and anti-fingerprinting). It’s what I use
when Chrome is required (M$ Teams meetings etc).
I don’t trust Brave browser after they did this:
This thread started me down a rabbit hole and I don’t like at all what I
am discovering.
At this point I would like to retract all advice I have given in this
thread until I had time to reevaluate my previous assumptions/decisions.
I highly recommend starting here, in case you want to see for yourself:
I don’t trust Brave browser after they did this:
The Brave web browser is hijacking links, and inserting affiliate codes – Attack of the 50 Foot Blockchain
Holly s**t!
At this point I would like to retract all advice I have given in this
thread until I had time to reevaluate my previous
assumptions/decisions.
Ok, I stand by my original statements. Firefox / TorBrowser are better
in terms of privacy (topic of this thread).
When it comes to security / sandboxing we may rely on Qubes OS and
proper compartmentalization to mitigate Firefox/TorBrowser weaknesses.
Chromium greatly amplifies Google’s influence and ability to impose
their custom standards and protocols, web standards and freedom be
damned.[7] They repeatedly snub and bypass the W3C standard body
especially when improvements to user privacy are proposed.[8] The
features they design makes performance notably worse in competing
browsers.[9] As currently planned, when released, new API limitations
will prevent current and even possible future rewrites of adblockers.
No attempt to address these concerns have been made by the Chromium
devs.[10][11] Every Firefox install gives Mozilla a bit more leverage
and ad money from Google. The less people use Firefox, the less
website creators will care to invest into developing websites for
compatibility, thus killing it off indirectly. If Mozilla’s revenue
dies and they close shop, Tor Browser goes with it, destroying a key
component of the privacy ecosystem. The Chromium engine as is now, is
not usable by privacy projects to give equivalent protections as
Firefox nor are they willing to change their design to accommodate
such initiatives.
General Threats to User Freedom
I have used Qubes, Syswhonix, DispVM, Tor browser, and all required plugins.
But then, why I still unique ? ( according to amiunique.org )
Look at the detail, and you should be able to identify why you are
unique.
I don’t use Whonix so cant comment on it. If you are using Tor Browser
with “all required plugins” then it may well be that *that * is what is
making your fingerprint unique. Be aware that Tor browser ships with
Javascript enabled, and that can leak a large amount of information
about you and your system.
@fsflover : No, just Qubes’ Debian (migrated from Fedora - too frequent updates). No time (& no threat need) to take it any further.
Read the beginning of this thread and you will see the answer. This was my original question in the first post here.
Tor browser though should not make you unique. At least here it says otherwise: https://coveryourtracks.eff.org/.
Although the safest mode on tor browser may be the thing that makes the biggest difference in terms of security (especially the disabling of javascript). But that happens at the expense of increased fingerprintability (very few tbb users change that, I’m guessing)
Just checked https://coveryourtracks.eff.org/ with the safest level in Whonix and got
Our tests indicate that you have you have strong protection against Web tracking, though your software isn’t checking for Do Not Track policies.
Is your browser:
Blocking tracking ads? Yes
Blocking invisible trackers? Yes
Protecting you from fingerprinting? Yes
Perhaps fewer users use the safest level indeed, but you are still anonymous among them, which should be fine for most cases.
I think not having it enabled is ideal (especially if not using Tor Browser). Telling someone you don’t want to be tracked makes you more fingerprintable… The irony.
Tor’s safest security level, it makes us anonymous, but also not many website we can open.
How about this idea, can we create a script, or tor extension maybe,
that can generate random 100 requests to any random website,
for each time we make 1 request,
so our actual request is hidden between other 100 requests,
good idea ? or useless ?
or maybe this kind of extension is available already ?
Or maybe, if we may have a shared account,
for example shared google account,
that can be used together by thousands of user,
for browsing and so on,
so user could not be tracked,
good idea ? or useless ?
or maybe this shared account available already ?