Insights For Success

Strategy, Innovation, Leadership and Security


How to install Firefox on a Chromebook

General | Edward Kiledjian

There are many reasons you might want to install Firefox on a Chromebook: security, privacy, or simply as a technical challenge. You could install the Android app, but it is not a full-featured browser. Here is how to install the desktop version inside the Linux container (Crostini).

Go to Settings.

Search for Linux and turn it on.

You will get the installation window. Continue and let it complete.

Prepare Linux

You will then be presented with the terminal window. Run an update, then an upgrade:

sudo apt update

sudo apt upgrade

Install Firefox on ChromeOS

Now we are ready to install Firefox.

Go to the terminal and enter sudo apt install firefox-esr

Now you can start Firefox by entering the firefox-esr command.

If you want to launch Firefox ESR but keep using the terminal at the same time, start it in the background with firefox-esr &

Mozilla Firefox 67 will allow letterboxing to protect your online identity

General | Edward Kiledjian

In September 2016 I wrote an article entitled “Your browser will betray your identity” that discussed the techniques legitimate actors (marketers) and illegitimate ones (threat actors) use to keep track of your identity even when you aren't logged into any of their sites.

Tor Browser, the purpose-built version of Firefox shipped by the Tor Project, has for some time implemented a technique called letterboxing to protect users from this kind of identification through browser fingerprinting.

Most browsers let a site run client-side JavaScript that reads the dimensions of the browser window. The technique is used to build responsive pages that adapt to the device you are using; it is why a well-designed modern site renders correctly on both a 24" desktop monitor and a 6" smartphone.

Would you be surprised to learn that this can be one dimension threat actors or marketers can use to start deanonymizing you?

The Tor Project's privacy team goes to great lengths to maximize your privacy on its anonymizing network by minimizing the data exhaust you leave while browsing. The Firefox team has been backporting some of these privacy enhancements into mainstream Firefox; the initiative is called Tor Uplift and started in 2016.

In release 67, expected in May 2019, Firefox brings letterboxing from Tor Browser into the mainstream version. Letterboxing rounds the reported size of the content area (width and height) down to a multiple of 200 pixels for width and 100 pixels for height, so many more users report the same window size and a given value identifies far fewer of them. Firefox draws grey bars along any side that needs padding when the rendered page does not fit the rounded size exactly. If you prefer the normal look, you can leave this protection off; it is controlled by an about:config preference rather than a visible switch.

In the Bugzilla tracker, Mozilla wrote "Window dimensions are a big source of fingerprintable entropy on the web" & "Maximized windows reveal available screen width and height, excluding toolbars; and full-screen windows reveal screen width and height. Non-maximized windows can allow a strong correlation between two tabs".

Here is a demo of letterboxing while resizing the browser window. Notice the grey added around the rendered page.

Letterboxing will not be turned on by default. Users who want this extra layer of protection must open about:config, enter privacy.resistFingerprinting in the search box and set it to true. Note that this preference switches on the whole resist-fingerprinting bundle (a fixed user agent string, UTC as the reported timezone, reduced timer precision and more), not only letterboxing, so expect some sites to behave a little differently.
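To make the fingerprinting surface and the mitigation concrete, here is an added JavaScript example (not code from the post or from Mozilla). It shows what any page can read from window, applies the 200 by 100 pixel rounding described above to a constructed set of common viewport sizes, and counts how many distinct values survive. The step sizes come from the post's description; clamping to a minimum of one step is an assumption of this example, not documented Firefox behaviour.

```javascript
// Added example: window-size fingerprinting and a simplified model of letterboxing.
// Not taken from the post or from Firefox; step sizes follow the post's description.

// What any page can read today (pass `window` in a browser).
function readWindowFingerprint(win) {
  return {
    innerWidth: win.innerWidth,   // viewport width; for a maximized window this leaks screen width
    innerHeight: win.innerHeight, // viewport height minus toolbars
    screenWidth: win.screen.width,
    screenHeight: win.screen.height,
  };
}

// Round a viewport down to a multiple of 200 px (width) and 100 px (height), as the
// post describes. Clamping to one step avoids a 0 px result (assumption of this example).
function letterbox(width, height, stepW = 200, stepH = 100) {
  return {
    width: Math.max(stepW, Math.floor(width / stepW) * stepW),
    height: Math.max(stepH, Math.floor(height / stepH) * stepH),
  };
}

// Total grey padding the browser would draw around the page for a real viewport.
function letterboxPadding(width, height) {
  const boxed = letterbox(width, height);
  return { horizontal: width - boxed.width, vertical: height - boxed.height };
}

// Count distinct (width, height) pairs in a list, raw or after letterboxing.
function distinctSizes(sizes, boxed = false) {
  const seen = new Set();
  for (const [w, h] of sizes) {
    const s = boxed ? letterbox(w, h) : { width: w, height: h };
    seen.add(`${s.width}x${s.height}`);
  }
  return seen.size;
}

// Bits of identifying information carried by a value with n equally likely outcomes.
function entropyBits(n) {
  return Math.log2(n);
}

// Constructed sample of viewport sizes (illustrative, not measured data).
const SAMPLE_VIEWPORTS = [
  [1366, 768], [1360, 768], [1280, 720], [1300, 744], [1920, 1080], [1600, 900],
];

const RAW_DISTINCT = distinctSizes(SAMPLE_VIEWPORTS);
const BOXED_DISTINCT = distinctSizes(SAMPLE_VIEWPORTS, true);
```

With the sample above, six distinct raw sizes collapse to three letterboxed ones; the four laptop-class viewports all report 1200x700, and a 1366x768 window carries 166 px of horizontal and 68 px of vertical grey padding. Fewer distinct values means fewer bits of entropy for a tracker to combine with other signals.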

Google to protect users from IDN Homograph Attacks

General | Edward Kiledjian

What security people call an IDN homograph attack is one flavour of what the general public calls typo-squatting: registering a domain that looks like a popular one in the hope of tricking users. Strictly speaking the two differ. A plain typosquat or lookalike uses ordinary ASCII characters that resemble the real ones, for example:

  • gma1l.com instead of gmail.com

  • paypa1.com instead of paypal.com

An IDN homograph attack goes further and uses an internationalized domain name whose non-Latin characters (a Cyrillic а or о, say) render identically to Latin letters, so the address bar can show what looks exactly like the legitimate name.


To help protect users from these tricksters, Google is launching navigation suggestions for lookalike URLs. Think of it as auto-correct for URLs: when you land on a domain that closely resembles a popular one, Chrome suggests the site you probably meant. The feature is in active experimentation in Canary 70 and should reach the mainstream version in the coming months. A Google engineer even spoke about it at the USENIX conference.


If you are one of the courageous experimenters running Canary, you can enable this feature now using this flag:

chrome://flags/#enable-lookalike-url-navigation-suggestions

Improve your internet security right now, easily and for free

General | Edward Kiledjian

Quad9 is a new DNS service launched by a non-profit consortium whose founding members are IBM Security, Packet Clearing House and the Global Cyber Alliance. The promise of Quad9 is better security, drawing on the threat knowledge of some of the world's leading security research firms, by merely changing your default DNS server, and all for free.

The service is (not so creatively) called Quad9 because the resolver's address is 9.9.9.9 (with 149.112.112.112 as the secondary).

Is the Quad9 service fast?


I used the free DNS Benchmark tool by Steve Gibson with connections from Canada, the USA, the UK and Switzerland. I performed ten tests from each region, and in every test, the Quad9 service was in the top 3 fastest DNS services available. In most cases coming in first. 


Quad9 is fast because it uses anycast routing: the same 9.9.9.9 address is announced from many locations, and the network delivers your query to the topologically nearest one.

At launch, the service is powered by 70 servers in 40 countries, but the intention (in 2018) is to grow the fleet to 160 servers.

So how does it improve my security?

So why should you switch from your existing DNS service to the free Quad9 service? Quad9 is a security- and privacy-enhancing resolver that, in my view, delivers more protection than any other DNS service currently available to consumers (your ISP's resolver, OpenDNS and the like).

Quad9 says: "Quad9 blocks against known malicious domains, preventing your computers and IoT devices from connecting [to] malware or phishing sites." The threat intelligence comes from IBM X-Force plus 18 additional threat feeds from partners. Companies typically pay tens of thousands of dollars for this level of protection; Quad9 offers it for free.

Configure your home router to use Quad9 and every device in your house is protected automatically (including that cheap, easy-to-hack $29 webcam you bought from a shady online reseller).

If a device using Quad9 tries to look up a domain on the blocklist, the resolver answers NXDOMAIN (the "no such domain" response code) instead of an address. This is how it stops devices from being directed to dangerous sites.

Remember that a known good site could have been compromised and therefore could attempt to pull content from a shady site. Quad9 will prevent this from happening. 

Quad9 will continue adding features to further improve your security.

What about false positives?


They maintain a list of the 1,000,000 most used sites on the internet as a whitelist. This means that they cannot (mistakenly) blacklist an important site and make it unavailable. 

It looks like a well designed and well thought out platform.

What about my privacy?

The first thing to realise is that most home connections use their ISP's DNS servers, and I consider most ISPs the least trustworthy operators in your computing chain. Most are willing to sell your data cheaply to anyone willing to buy it.

Quad9's privacy statement is clear "No personally identifiable information is collected by the system. IP addresses of end-users are not stored on disk or distributed outside of the equipment answering the query in the local data center. Quad 9 is a nonprofit organization dedicated only to the operation of DNS services. There are no other secondary revenue streams for personally identifiable data; and the core charter of the organization is to provide secure, fast, private DNS."

Conclusion

I switched to Quad9, and it has been everything they promised. I recommend everyone reading this switch and try it out. It is one more layer of protection, and this one is easy & free.

Chrome for Windows helps recover your browser from hijacking

General | Edward Kiledjian

Google Chrome, Microsoft Edge, and Mozilla Firefox are all mainstream browsers that work extra hard to keep you safe in cyberspace. Each company has taken a different approach, but users are more protected than ever before.

Nothing is foolproof, though. What happens when badware gets through those defences and takes over your browser, slowing your leisurely stroll through cyberspace to a crawl or making it dangerous by stealing your passwords?

In the latest version of Chrome for Windows, Google adds more tools to the arsenal. 

Hijacked settings 

Recently we have seen a surge in companies selling reputable browser extensions to other companies and these new owners leveraging the installed base to do bad things like stealthily changing your browser settings.

Chrome now looks out for this type of attack and offers to restore your settings. 


Chrome cleanup

Many companies bundle crapware in their product installers as a source of additional revenue. In some cases, the user may not even be aware that the crapware was installed. 

Chrome Cleanup looks for this kind of unwanted software and offers to remove it, returning Chrome to a known good state.

Google redesigned Chrome cleanup to be more powerful and more straightforward to use.


Rolling out now

The new version will slowly roll out to users over the next few days and you will benefit from these improvements automagically. 

 

Google blog post