Insights For Success

Strategy, Innovation, Leadership and Security

Firefox

Browsers and privacy

General | Edward Kiledjian

We are going through a browser renaissance. The once-stale segment has heated up with offerings from the most prominent players, like Google offering Chrome and Microsoft offering Edge, all the way to small niche players like Opera, Brave and the DuckDuckGo Browser.

Browsers are typically chosen for their appearance and plug-in availability, but I believe privacy should be a more prevalent concern.

I am reminded of a 2004 BBC article that proclaimed, "More than 70% of people would reveal their computer password in exchange for a bar of chocolate, a survey has found." Hopefully, we have evolved past this now.

1- Google Chrome

Google’s Chrome browser is by far the most popular browser in the world. It has a robust ecosystem of extensions. It should come as no secret to any Chrome user that Google is tracking user behaviours such as location, web activity and other habits. These are then used to present you with relevant advertising across Google and non-Google properties (those Amazon boots that keep following you).

We also know that incognito mode isn’t much better.

Recently Google announced, then pushed back, the death of the cookie. This was not an altruistic move to benefit users because they will use a new on-device cohort creation model called FLoC. If you use Chrome and are curious about FLoC, check out the well-written site by the EFF called AmIFLoCed?

You can opt out of third-party cookies right now by clicking on Settings, then Privacy and Security, then selecting Cookies and other site data. Finally, check the box that says Block third-party cookies.

Obviously anything set by a first party won’t be blocked (Google setting it on a Google property or Facebook setting it on Facebook, WhatsApp or Instagram, etc). To block first-party trackers, you should be using tools like uBlock Origin, although Google has slightly defanged those tools in newer versions of their browser.

2- Microsoft Edge

Microsoft’s newest version of Edge is powered by the free and open source Chromium project. Microsoft then adds layers of proprietary tools on top of it, and some are to enhance user privacy. It is safe to assume that all the built-in Google trackers have been removed (think telemetry). If you want a Chrome experience without the Google bits, Edge is a good alternative.

In Microsoft Edge, Tracking prevention is on by default.

Microsoft Edge has 3 pre-configured levels of privacy protection: basic, balanced and strict.

Go to Settings, then go to Privacy and services to choose your level of Privacy.


I have to remind you that researchers discovered Edge was sending user IPs and location to Microsoft servers. "According to the analysis, from Douglas Leith with the School of Computer Science and Statistics at Trinity College in Ireland, Edge sends privacy-invasive telemetry to Microsoft’s back-end servers — including “persistent” device identifiers and URLs typed into browsing pages."

3 - Mozilla Firefox

Mozilla is one of the browsers that still uses its own web rendering engine. Mozilla is a not-for-profit organization that has done a relatively good job keeping users safe on the internet. 

By default, Firefox blocks trackers, cross-site tracking and social media trackers (you may not realize that any webpage that has a Facebook button allows Facebook to track you on that site). 

Like Microsoft Edge, Firefox allows you to choose a basket of privacy settings labelled Strict or Standard.

You can check out the Firefox privacy settings by going to the menu, choosing Preferences, then Privacy & Security.

4 - Apple Safari

Apple has invested heavily in improving the privacy of its users and changes made to Safari over the last 3 years have markedly helped. By default, Safari blocks cross-site tracking. Apple uses Google as its default search engine in exchange for a significant rent check.

The DOJ cites “public estimates” saying that Google pays Apple between $8 billion and $12 billion per year to be the default search engine on Apple products. On one hand, Google uses your searches to further build a digital profile about you; on the other hand, their search engine ensures you aren’t taken to known bad sites and tries to protect you from phishing and other bad websites.


Unlike other browsers, Apple’s Safari provides minimal configurability of its browser. Out of the box the product does a decent job protecting users but there are still a handful of settings you may want to check out.

5 - DuckDuckGo browser

I am not writing about Brave because I still consider it a niche browser used by a small subset of my readers. DuckDuckGo browser falls into the same category but because of their privacy-first stance, I wanted to include it in this list. On mobile platforms they offer their own browser. On traditional desktop operating systems, they offer extensions that are interesting.


How to install Firefox on a Chromebook

General | Edward Kiledjian

There are many reasons why you may want to install Firefox on a Chromebook (could be for security, privacy or just as a technical challenge). You could install the Android app, but that isn’t a full-featured browser. Here are the instructions on how to install it in the Linux container.

Go to Settings

Search for Linux and Turn it On.

You will get the installation window. Continue and let it complete.

Prepare Linux

You will then be presented with the terminal window. Run an update, then an upgrade.

sudo apt update
sudo apt upgrade

Install Firefox on ChromeOS

Now we are ready to install Firefox.

Go to the terminal and enter sudo apt install firefox-esr

Now you can start Firefox by entering the firefox-esr command to invoke the app.

If you want to invoke Firefox ESR but also need your terminal to work (at the same time), use the command firefox-esr &

Send large files via the internet securely and for free

Edward Kiledjian

I wrote about the original test version of the free Mozilla Firefox Send service in July 2018.

Mozilla Firefox Send is a free service open to any user, accessible with any browser, that allows you to securely send a large (up to 2.5GB) file to another internet user. The process is very simple: you upload a file and they provide a unique link that you share with the intended recipient.

The file can be expired after one to one hundred downloads or 1 to 7 days.

You can also protect the file with a download password.

There are other services but most charge for add-on features like download password protection or expiry configuration. Firefox Send is completely free and comes from the fine folks over at Mozilla that we trust.

Mozilla Firefox 67 will allow letterboxing to protect your online identity

General | Edward Kiledjian

In September 2016 I wrote an article entitled “Your browser will betray your identity” that discussed the various techniques legitimate (marketers) and illegitimate (threat actors) use to keep track of your identity even if you aren’t logged into any of their sites.

The purpose-built TOR version of the Mozilla Firefox browser has (for a while) implemented a technique called letterboxing to protect users from this type of nefarious identification through browser fingerprinting.

Most browsers allow a site to send client-side JavaScript code that detects the display size of the browser. This technique is used to create dynamically generated webpages that are optimized for the device size you are using. This is why modern well-designed websites render correctly on large 24" desktop screens and 6" smartphones.

Would you be surprised to learn that this can be one dimension threat actors or marketers can use to start deanonymizing you?

The privacy team behind the TOR project goes to great lengths to maximize your privacy while using their anonymizing network by minimizing your data exhaust while browsing the web. We have seen the Firefox team backport some of these privacy enhancements back into the mainstream Firefox. This backport initiative is called TOR Uplift and started in 2016.

In release 67, expected in May, Firefox will bring letterboxing into the mainstream version (from the TOR one). Letterboxing is a technique of rounding the actual size of the browser window (height and width) down to a multiple of 200 pixels for width and 100 pixels for height. This means more users will have the same window size value making deanonymizing more complicated. Firefox will add grey bars on a side that needs to be padded if the rendered page isn't a perfect fit. If you are more concerned about looks, you will be able to turn off this additional protection technique using a Firefox flag.

In the Bugzilla tracker, Mozilla wrote "Window dimensions are a big source of fingerprintable entropy on the web" & "Maximized windows reveal available screen width and height, excluding toolbars; and full-screen windows reveal screen width and height. Non-maximized windows can allow a strong correlation between two tabs".
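The rounding described above, as an added example that is not Firefox's or Tor Browser's code: it applies the 200 px and 100 px steps from this post to a constructed sample of window sizes and measures how much less identifying the reported size becomes. The sample sizes and the handling of windows smaller than one step are assumptions.

```javascript
// Added example: letterboxing with the step sizes given in the post.
const STEP_W = 200; // width is rounded down to a multiple of 200 px
const STEP_H = 100; // height is rounded down to a multiple of 100 px

// Round one dimension down to its step. Windows smaller than one step are
// left unrounded (assumption: the post does not cover that case).
function roundDown(value, step) {
  return value < step ? value : Math.floor(value / step) * step;
}

// What a page would see with letterboxing on, plus the grey padding
// needed to fill the real window.
function letterbox(width, height) {
  const w = roundDown(width, STEP_W);
  const h = roundDown(height, STEP_H);
  return { width: w, height: h, padX: width - w, padY: height - h };
}

// Shannon entropy (bits) of a list of observed values.
function entropyBits(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  let bits = 0;
  for (const c of counts.values()) {
    const p = c / values.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Constructed sample of inner window sizes (not measured data).
const SAMPLE = [
  [1280, 657], [1366, 625], [1295, 700], [1203, 689],
  [1440, 789], [1536, 722], [1599, 760], [1920, 969],
];

// Compare how identifying the size is before and after letterboxing.
function compare(sizes) {
  const raw = sizes.map(([w, h]) => `${w}x${h}`);
  const boxed = sizes.map(([w, h]) => {
    const b = letterbox(w, h);
    return `${b.width}x${b.height}`;
  });
  return {
    rawBits: entropyBits(raw),
    boxedBits: entropyBits(boxed),
    buckets: [...new Set(boxed)],
  };
}

console.log(letterbox(1366, 625), compare(SAMPLE));
```

In this sample the eight distinct raw sizes collapse into four reported sizes, so window size alone no longer singles out any of the users who share a bucket.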

Here is a demo of letterboxing while resizing the browser window. Notice the grey added around the rendered page.

The letterboxing feature won’t be turned on by default. Users wanting this extra layer of protection will have to open about:config and enter “privacy.resistFingerprinting” in the config search box and change the setting to “true”.

Review of the free Mozilla Send service

General | Edward Kiledjian

As a citizen of the digital world, you probably transfer large files daily. Sure you could use Google Drive, Dropbox or OpenText Core but Mozilla believes there is a better way (Mozilla Send). Mozilla Send is a web experiment that allows you to easily transfer large files up to 1GB in size.

Mozilla Send can be used with any modern browser.

How to use Send

1 - Go to https://send.firefox.com/

2 - Upload a file

3 - Decide how many downloads you want to allow in a 24-hour window. Determine if you want to enable a download password.

4 - Send the link to the recipient of the file.

Mozilla Send Security

Mozilla Send uses AES-128 (AES-GCM algorithm) to encrypt and authenticate the file. Encryption is performed on the client before the file is uploaded to the Mozilla Send servers. Mozilla Send also uses the Web Cryptography API. This Web Cryptography API is the magic that performs the cryptographic operations (hashing, signature verification, encryption, etc.). All the security is performed without requiring any user intervention.

It is important to highlight the fact that anyone that intercepts the URL can download the file. The encryption key is appended to the URL.

Sample URL : https://send.firefox.com/download/2f3eea2e0f/#6kUB9cj4gXgTZWgDXrPEZQ
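An added example (not Mozilla's code) that splits the sample link above into the part a browser sends in the HTTP request and the fragment it keeps local, checks that the fragment decodes to a 128-bit value, and redacts fragments from text before it is logged or pasted into a ticket. The function names and the sample ticket line are constructed for illustration.

```javascript
// Added example: what a Send-style share link exposes, and how to scrub it.

// Decode unpadded base64url text into bytes.
function base64UrlToBytes(text) {
  const b64 = text.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
}

// Split a share link into the part that travels in the HTTP request and the
// fragment after '#', which browsers do not send to the server.
function splitShareLink(link) {
  const url = new URL(link);
  const secret = url.hash.slice(1);
  return {
    sentToServer: url.origin + url.pathname,
    secret,
    keyBits: secret ? base64UrlToBytes(secret).length * 8 : 0,
  };
}

// Replace the key fragment of any Send download link found in free text,
// so the link can be referenced without handing out the decryption key.
const SEND_LINK =
  /(https:\/\/send\.firefox\.com\/download\/[0-9a-f]+\/)#[A-Za-z0-9_-]+/g;

function redactShareLinks(text) {
  return text.replace(SEND_LINK, "$1#[REDACTED]");
}

// The sample URL from the post, and a constructed ticket line containing it.
const SAMPLE_LINK =
  "https://send.firefox.com/download/2f3eea2e0f/#6kUB9cj4gXgTZWgDXrPEZQ";
const TICKET_LINE = `user shared ${SAMPLE_LINK} in channel`;

console.log(splitShareLink(SAMPLE_LINK));
console.log(redactShareLinks(TICKET_LINE));
```

Anyone who holds the full link, fragment included, holds everything needed to fetch and decrypt the file, which is why the link itself has to be treated as the secret.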

 

Important security notes:

  • Once 24 hours have elapsed or the maximum number of downloads has been reached, Mozilla Send deletes the file from the server.
  • You can manually delete the file using the Delete button. An important note is that the Delete button only shows up on that initial download page. If you think you might need the delete button, keep that original upload confirmation page open.

Web Experiment

Mozilla Send is a Web Experiment and Mozilla is gathering usage statistics to determine if this is something they want to keep as a permanent offering. Right now it is a great example of solid design and engineering.