Insights For Success

Strategy, Innovation, Leadership and Security

Chrome

Browsers and privacy

General | Edward Kiledjian

We are going through a browser renaissance. The once stale segment has heated up with offerings from the most prominent players like Google offering Chrome and Microsoft offering Edge, all the way to small niche players like Opera, Brave and the DuckDuckGo Browser.

Browsers are typically chosen for their appearance and plug-in availability, but I believe privacy should be a more prevalent concern.

I am reminded of a 2004 BBC article that proclaimed, "More than 70% of people would reveal their computer password in exchange for a bar of chocolate, a survey has found." Hopefully, we have evolved past this now.

1- Google Chrome

Google’s Chrome browser is by far the most popular browser in the world. It has a robust ecosystem of extensions. It should come as no secret to any Chrome user that Google is tracking user behaviours such as location, web activity and other habits. These are then used to present you with relevant advertising across Google and non-Google properties (those Amazon boots that keep following you).

We also know that incognito mode isn’t much better.

Recently Google announced, then pushed back, the death of the cookie. This was not an altruistic move to benefit users because they will use a new on-device cohort creation model called FLoC. If you use Chrome and are curious about FLoC, check out the well-written site by the EFF called AmIFLoCed?

You can opt out of third-party cookies right now by clicking on Settings, then Privacy and Security, then selecting Cookies and other site data. Finally, check the box that says Block third-party cookies.

Obviously anything set by a first party won’t be blocked (Google setting it on a Google property or Facebook setting it on Facebook, WhatsApp or Instagram, etc). To block first-party trackers, you should be using tools like uBlock Origin, although Google has slightly defanged those tools in newer versions of their browser.

2- Microsoft Edge

Microsoft’s newest version of Edge is powered by the free and open source Chromium project. Microsoft then adds layers of proprietary tools on top of it, and some are there to enhance user privacy. It is safe to assume that all the built-in Google trackers have been removed (think telemetry). If you want a Chrome experience without the Google bits, Edge is a good alternative.

In Microsoft Edge, Tracking prevention is on by default.

Microsoft Edge has 3 pre-configured levels of privacy protection: basic, balanced and strict.

Go to Settings, then go to Privacy and services to choose your level of Privacy.


I have to remind you that researchers discovered Edge was sending user IPs and location to Microsoft servers. "According to the analysis, from Douglas Leith with the School of Computer Science and Statistics at Trinity College in Ireland, Edge sends privacy-invasive telemetry to Microsoft’s back-end servers — including “persistent” device identifiers and URLs typed into browsing pages."

3 - Mozilla Firefox

Mozilla Firefox is one of the browsers that still uses its own web rendering engine. Mozilla is a not-for-profit organization that has done a relatively good job keeping users safe on the internet.

By default, Firefox blocks trackers, cross-site tracking and social media trackers (you may not realize that any webpage that has a Facebook button allows Facebook to track you on that site). 

Like Microsoft Edge, Firefox allows you to choose a basket of privacy settings labelled Strict or Standard.

You can check out the Firefox privacy settings by going to the menu, choosing Preferences, then Privacy & Security.

4 - Apple Safari

Apple has invested heavily in improving the privacy of its users and changes made to Safari over the last 3 years have markedly helped. By default, Safari blocks cross-site tracking. Apple uses Google as its default search engine in exchange for a significant rent check.

The DOJ cites “public estimates” saying that Google pays Apple between $8 billion and $12 billion per year to be the default search engine on Apple products. On one hand, Google uses your searches to further build a digital profile about you; on the other hand, their search engine ensures you aren’t taken to known bad sites and tries to protect you from phishing and other bad websites.


Unlike other browsers, Apple’s Safari provides minimal configurability of its browser. Out of the box the product does a decent job protecting users but there are still a handful of settings you may want to check out.

5 - DuckDuckGo browser

I am not writing about Brave because I still consider it a niche browser used by a small subset of my readers. DuckDuckGo browser falls into the same category but because of their privacy-first stance, I wanted to include it in this list. On mobile platforms they offer their own browser. On traditional desktop operating systems, they offer extensions that are interesting.


Use Google Chrome's built-in antivirus to scan windows

General | Edward Kiledjian

As millions around the world work from home, corporate security teams have ramped up their protection protocols because the threat actors are very active. Many threat actors have also lost their “day jobs” and are relying on their nefarious cyber activities to pay the bills.

From an antivirus perspective, most users will be properly protected by the free Windows Defender included with all versions of Windows 10. You may have clicked on a questionable link or opened a questionable attachment and you scan your computer using Windows Defender. Sometimes you may want a “second opinion” and the question is which online scanner should you use?

How about none of them. Why not rely on the free antivirus included in Google Chrome. What, you say. Google Chrome? Chrome the browser? Why yes.

Open the Google Chrome browser

In the address bar, enter chrome://settings/cleanup

You click on Find and let it run.

So what is it looking for?

  • Hijacked settings detection - It will detect if a browser extension has changed your settings without your consent.

  • Chrome Cleanup - Sometimes you download and install the software you need and install unwanted secondary software unwittingly. Often times this is how some of the download sites monetize their service. Chrome will detect many of these unwanted installations and remove them.

  • ESET Antivirus - Google can change the AV engine anytime but right now they have partnered with ESET.



Obviously, this isn’t a complete antivirus and shouldn’t be relied on as your primary protection mechanism, but it is nice to know there is a second opinion waiting for you if you ever need it.

VPN Support coming to Linux apps on Chromebooks

General | Edward Kiledjian

It seems everyone has jumped on the VPN bandwagon these days. On Chromebooks, we can use VPN extensions, but these don't protect Android apps. We can use Android VPN apps, which protect the entire ChromeOS (including Android apps but not Linux apps).

So what happens today? Even if you have an Android VPN running, the Linux apps go out via your origin IP, bypassing the VPN network adapter. If you need to use a VPN with the Linux container today on ChromeOS, you have to install a Linux VPN client in the container itself.

In Chrome 76, Google will finally fix this issue and Linux app traffic will also flow through the VPN (extension or Android app). You can test this today if you have the developer or Canary versions of ChromeOS installed on your Chromebook.

We expect ChromeOS 76 to be released to the Beta channel June 13-20 and to the stable channel around July 30.

Other cool features coming with the ChromeOS 76 release will be

  • "Picture In Picture" support for most video platforms

  • "Web Share Target Level 2" which will allow any installed application to receive a file share (using a manifest)

Mozilla Firefox 67 will allow letterboxing to protect your online identity

General | Edward Kiledjian

In September 2016, I wrote an article entitled “Your browser will betray your identity” that discussed the various techniques legitimate (marketers) and illegitimate (threat actors) parties use to keep track of your identity even if you aren’t logged into any of their sites.

The purpose-built TOR version of the Mozilla Firefox browser has (for a while) implemented a technique called letterboxing to protect users from this type of nefarious identification through browser fingerprinting.

Most browsers allow a site to send client-side JavaScript code that detects the display size of the browser. This technique is used to create dynamically generated webpages that are optimized for the device size you are using. This is why modern well-designed websites render correctly on large 24" desktop screens and 6" smartphones.

Would you be surprised to learn that this can be one dimension threat actors or marketers can use to start deanonymizing you?

The privacy team behind the TOR project goes to great lengths to maximize your privacy while using their anonymizing network by minimizing your data exhaust while browsing the web. We have seen the Firefox team backport some of these privacy enhancements back into the mainstream Firefox. This backport initiative is called TOR Uplift and started in 2016.

In release 67, expected in May, Firefox will bring letterboxing into the mainstream version (from the TOR one). Letterboxing is a technique of rounding the actual size of the browser window (height and width) down to a multiple of 200 pixels for width and 100 pixels for height. This means more users will have the same window size value making deanonymizing more complicated. Firefox will add grey bars on a side that needs to be padded if the rendered page isn't a perfect fit. If you are more concerned about looks, you will be able to turn off this additional protection technique using a Firefox flag.

In the Bugzilla tracker, Mozilla wrote "Window dimensions are a big source of fingerprintable entropy on the web" & "Maximized windows reveal available screen width and height, excluding toolbars; and full-screen windows reveal screen width and height. Non-maximized windows can allow a strong correlation between two tabs".

Here is a demo of letterboxing while resizing the browser window. Notice the grey added around the rendered page.

The letterboxing feature won’t be turned on by default. Users wanting this extra layer of protection will have to open about:config and enter “privacy.resistFingerprinting” in the config search box and change the setting to “true”.
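What the rounding does to window size as a fingerprinting signal, shown as an added example that is not code from this article or from Firefox: it applies the 200 x 100 pixel rounding described above to a constructed list of window sizes and compares the entropy before and after. The sample sizes, the function names and the clamp to a minimum of one step are assumptions of this example.

```javascript
const STEP_W = 200; // width is reported as a multiple of 200 px
const STEP_H = 100; // height is reported as a multiple of 100 px

// Size a page would see under letterboxing, plus the grey margin that pads
// the gap. Clamping to at least one step is an assumption of this example.
function letterbox(width, height) {
  const w = Math.max(STEP_W, Math.floor(width / STEP_W) * STEP_W);
  const h = Math.max(STEP_H, Math.floor(height / STEP_H) * STEP_H);
  return { width: w, height: h,
           marginX: Math.max(0, width - w), marginY: Math.max(0, height - h) };
}

// Count how many visitors report each value.
function tally(keys) {
  const counts = new Map();
  for (const k of keys) counts.set(k, (counts.get(k) || 0) + 1);
  return counts;
}

// Shannon entropy in bits: how much the value narrows down who you are.
function entropyBits(keys) {
  let bits = 0;
  for (const n of tally(keys).values()) {
    const p = n / keys.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Visitors whose value is shared with nobody else in the sample.
function uniqueCount(keys) {
  const counts = tally(keys);
  return keys.filter((k) => counts.get(k) === 1).length;
}

// Constructed sample of inner window sizes [width, height]; not real data.
const SAMPLE_SIZES = [
  [1280, 577], [1263, 610], [1366, 657], [1349, 625],
  [1440, 789], [1519, 722], [1903, 969], [1920, 937],
];

function compare(sizes) {
  const raw = sizes.map(([w, h]) => `${w}x${h}`);
  const boxed = sizes.map(([w, h]) => {
    const b = letterbox(w, h);
    return `${b.width}x${b.height}`;
  });
  return { rawBits: entropyBits(raw), boxedBits: entropyBits(boxed),
           rawUnique: uniqueCount(raw), boxedUnique: uniqueCount(boxed) };
}
console.log(compare(SAMPLE_SIZES));
```

In this sample every raw window size is unique, while after rounding only one visitor remains alone in a bucket; window size is only one fingerprinting dimension, so this lowers identifiability rather than removing it.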

Exciting new multi-monitor feature coming to Chromebooks

General | Edward Kiledjian

Every professional understands the power of a dual screen setup. The additional real estate enables a more fluid and productive work process.

I use a ton of platforms (mainframe & mini to Mac, Windows and Linux) and I find that ChromeOS handles multi-screen setups with ease and grace. Every time I have hooked an external display to a "good" Chromebook (something that costs $500 or more), it has worked flawlessly immediately without having to fiddle or fine tune.

I have successfully connected 2 external monitors to my Pixelbook at work using a Lenovo USB hub but this isn't something most people will have access to and therefore the 3 monitor option normally isn't used.

We know the sultan of search, El Goog, is working on an elegant solution to solve this 2 external monitor issue using a technology called display daisy chaining. This is something that is known in the industry but not currently supported on ChromeOS. The idea is to connect one USBC monitor to your Chromebook and then connect the second USBC monitor to the first one (as long as the monitor supports it).

This means you can connect (eventually) one cable to your device and everything just works. Technically this daisy chaining will be able to go beyond 2 external monitors to a larger number (as long as your device hardware can push the required number of pixels).

This is a request we have regularly seen in the Chromium forums

How do we know it is coming? We know it is coming because we can see a commit for Multi-Stream Transport Support or something called Hatch.

The commit enables a chip to support the Multi-Stream flow and there is a good chance this won’t be enabled on existing older Chromebooks. We know that generically Multi-Stream requires DisplayPort 1.2 and a handful of Chromebooks already have it so… There is hope for existing customers. We will just have to wait and see.

Many of you know I love my Pixelbook and may be wondering… “Does the Pixelbook support displayport?”

The answer is that the Pixelbook does support Displayport. The USBC ports on the Pixelbook are of type 3.1 Gen1 and support PowerDelivery (PD), DisplayPort (DP) and HDMI.

We don’t know which version of ChromeOS this will be enabled in yet. That’s all for this article dear readers. Stay tuned for more cool tech news as I find them.