Insights For Success

Strategy, Innovation, Leadership and Security

Internet

Mozilla Firefox 67 will allow letterboxing to protect your online identity

GeneralEdward Kiledjian2 Comments
fingerprint-2904774.jpg

September 2016 I wrote an article entitles “Your browser will betray your identity” that discussed the various techniques legitimate (marketers) and illegitimate (threat actors) use to keep track of your identity even if you aren’t logged into any of their sites.

The purpose-built TOR version of the Mozilla Firefox browser has (for a while) implemented a technique called letterboxing to protect users from this type of nefarious identification through browser fingerprinting.

Most browsers allow a site to send client-side javascript code that detects the display size of the browser. This technique is used to create dynamically generated webpages that are optimized for the device size you are using. This is why modern well-designed websites render correctly on large 24" desktop screens and 6" smartphones.

Would you be surprised to learn that this can be one dimension threat actors or marketers can use to start deanonymizing you?

The privacy team behind the TOR project goes to great lengths to maximize your privacy while using their anonymizing network by minimizing your data exhaust while browsing the web. We have seen the Firefox team backport some of these privacy enhancements back into the mainstream Firefox. This backport initiative is called TOR Uplift and started in 2016.

In release 67, expected in May, Firefox will bring letterboxing into the mainstream version (from the TOR one). Letterboxing is a technique of rounding the actual size of the browser window (height and width) down to a multiple of 200 pixels for width and 100 pixels for height. This means more users will have the same window size value making deanonymizing more complicated. Firefox will add grey bars on a side that needs to be padded if the rendered page isn't a perfect fit. If you are more concerned about looks, you will be able to turn off this additional protection technique using a Firefox flag.

In the Bugzilla tracker, Mozilla wrote "Window dimensions are a big source of fingerprintable entropy on the web" & "Maximized windows reveal available screen width and height, excluding toolbars; and full-screen windows reveal screen width and height. Non-maximized windows can allow a strong correlation between two tabs".

Here is a demo of letterboxing while resizing the browser window. Notice the grey added around the rendered page.

The letterboxing feature won’t be turned on by default. Users wanting this extra layer of protection will have to open about:config and enter “privacy.resistFingerprinting” in the config search box and change the setting to “true”.

Google Chrome's Spectre Mitigation is consuming 10% more RAM

GeneralEdward KiledjianComment
data-2793195.jpg

Google Chrome has always been a resource hog, but you may have noticed it's been consuming just a little bit more RAM lately (on your desktop).

This new more demanding Chrome is because of the Google's Spectre mitigation efforts.
The Google Chrome security team has enabled site isolation as a default (in Chrome v67 for desktops). Justin Schuh, head of Google Chrome Security, explained that site isolation separates each website process thereby preventing a malicious tab from stealing data from another.

When Site Isolation is enabled, each renderer process contains documents from at most one site. This means all navigations to cross-site documents cause a tab to switch processes. It also means all cross-site iframes are put into a different process than their parent frame, using “out-of-process iframes.”

Don't expect to see this update on the Android version anytime soon, the resource consumption requirements are too high (for now).

Chrome is obviously my browser of choice but I have been concerned at the amount of resources it requires and this move (although right from a security perspective) further pushes Chrome in the wrong direction. 

Additional reading:

Run a speed test from Google Search

GeneralEdward KiledjianComment
athletics-3108413_1920.png

There are dozens of sites and services that promise to test your internet speed. The most popular are:

Now you can also add Google to the list.

1 - Go to the Google Search Page (on a PC or Android device)

2 - Enter Speed Test

Capture.PNG

3 - Choose the Run Speed Test option and ignore the search results

Capture1.PNG

4 - Wait until Google delivers your speed test results

Capture3.PNG

Android Smartphones - This tool also works on Android devices. Just search for Speed Test on the Google search bar on your launcher and it will perform the same test and return results with a similar look & feel.

Some public WIFI hotspots seem to block it while allowing other services to run. Not sure why.

Does it work in other languages?

 I tried the search on the Google Canada French site using both "Speed Test" and "test de vitesse" and I was not given the speed test web applet. Looks like this may be reserved for english language searches only for now.

Capture4.PNG

 

Conclusion

Nothing special or different here but this could be one more feature in your cap. I do like the fact that Google interprets the results and explains (in plain English) what kind of video streaming performance you should be able to expect from your connection. 

    Karma releases an anonymizing hotspot

    GeneralEdward KiledjianComment
    KarmaBlack4-1.jpg

    Open a magazine, newspaper, your local nightly news or almost internet blog, and you will be confronted with news about another security breach. Breaches, breaches everywhere. 

    Concerned netizens are trying to find ways to protect themselves when online and to protect their privacy. In response, I have written a bunch of articles (such as):

    The above reviews were VPN services, but what if you wanted a piece of hardware that was portable and could be used with any WIFI enabled device?

    A new player in the hardware category is LTE WIFI Hotspot service provider Karma. 
    Karma is releasing a new LTE hotspot (for the US market) called Karma Black LTE hotspot. This device costs $149 now (will go up to $249 after the January 15 pre-order closes). In addition to the initial cost, you will have to plunk down $20 a month for its security services. Karma promises to encrypt your internet traffic and to hide other privacy-invading markers like location, browser identifiers, etc. 

    It looks like you will be able to use this service with your own WIFI networks (home, office, hotel, etc.) Karma is also promising to add additional features in the future like TOR, network antivirus, ad blocking and parental control. 

    Capture.PNG

    In addition to the monthly security service fee, you will have to spend more money if you want to use the device's LTE connectivity feature ($3/month + $10/GB on the "drift" plan). 

    Is it worth it?

    I have not had a chance to test the device so everything written here is based on the documentation. 
     

    We wanted to create a product that allows consumers to feel protected while surfing the web. Karma Black is that product. Our users can freely consume internet content while knowing that no one is looking over their shoulders. Consumers do not want strangers listening to their phone calls… they deserve the same security from intrusion when going online.
    — Todd Wallace, Karma Mobility CEO

    I believe the goal is noble but the question is "should you spend $20 a month for this level of security?".

    A technical user knows that sites, threat actors, and government intelligence agencies have multiple ways to identify and track users. Even with all of the security measures deployed by Karma in its Karma Black hotspot, there are fairly easy ways to identify and its track users [here is an article that talks about TOR deanonymization].

    As an example, a site that uses TLS encryption (aka most sites these days) is able to set up a secure connection between your browser and its site. They can drop a supercookie in your browser then track you as you browse the web. Facebook and Twitter did this.

    There is an easy to implement technique called browser fingerprinting that would allow an online actor to create a unique fingerprint for your machine using nothing more than the information your browser willingly hands over to any site that asks. You can test this yourself here

    Using a secure tunnel (aka a VPN), Karma can mask your internet traffic from your local ISP but they can see where you are going. We know very little about what they log. VPN providers like TunnelBear have clear & easy to understand privacy policies. Tunnelbear has had independent audits to confirm that they are living up to their policies. ProtonVPN has a technology that they call SecureCore to prevent privacy breaches if any of their VPN termination endpoints are compromised. 

    Unfortunately, there is insufficient information about how Karma Black is actually (technically) delivering these security services, and therefore I have to take every claim with a grain of salt. You can probably buy similar protection from the Invizbox for $190 (hardware plus 12 months of IP Vanish VPN service). You then use the Chrome browser with the uBlock Origin plug-in and you should have equivalent or better protection. 

    Most security professionals will tell you tech is easy and that the biggest security weakness is the user. Users normally don't have good security hygiene and even the best security tools can easily be broken why careless users.

    My professional recommendation would be to hold off buying one of these devices until a "real" security professional has a chance to test one in a lab and determine how good the security controls actually are. It is easy to mess it up and unintentionally leak metadata. So caveat emptor.

    Improve your internet security right now, easily and for free

    GeneralEdward KiledjianComment
    matrix-2953869_1920.jpg

    Quad9 is a new DNS service launched by a non-profit consortium (founding members are IBM Security, Packet Clearing House & Global Cyber Alliance). The promise of the Quad9 DNS service is good security using the knowledge of some of the world's leading security research firms, by merely changing your default DNS server and ALL for free. 

    The service is (not so creatively) called Quad9 because the DNS address is 9.9.9.9

    Is the Quad9 service fast?


    I used the free DNS Benchmark tool by Steve Gibson with connections from Canada, the USA, the UK and Switzerland. I performed ten tests from each region, and in every test, the Quad9 service was in the top 3 fastest DNS services available. In most cases coming in first. 

    DNS1.png

    Quad9 is lightning fast because they use anycast routing which automatically finds and uses the nearest DNS server to the user. 

    At launch, the service is powered by 70 servers in 40 countries, but the intention (in 2018) is to grow the fleet to 160 servers.

    So how does it improve my security?

    So why should you switch from your existing DNS service to the free Quad9 DNS service? Quad9 is a security and privacy enhancing DNS service that delivers much more security than any other DNS service currently available to consumers (more than your ISP, OpenDNS, etc.)

    Quad9 says " Quad9 blocks against known malicious domains, preventing your computers and IoT devices from connecting malware or phishing sites." The threat intelligence is provided by the IBM X-Force but also includes 18 additional threat feeds from partners. Typically companies would pay tens of thousands for this level of protection and they are offering it for free.

    You can configure your home router to use Quad9 and all device inside your house would be automatically protected (including that cheap easy to hack $29 webcam you bought from a shady online reseller). 

    If a device (using Quad9) tries to contact a "bad" site, they will get back an NX domain error code (aka not found). This is how they prevent devices from being directed to dangerous sites.

    Remember that a known good site could have been compromised and therefore could attempt to pull content from a shady site. Quad9 will prevent this from happening. 

    Quad9 will continue adding features to further improve your security.

    What about false positives?


    They maintain a list of the 1,000,000 most used sites on the internet as a whitelist. This means that they cannot (mistakenly) blacklist an important site and make it unavailable. 

    It looks like a well designed and well thought out platform.

    What about my privacy?

    The first thing you should realise is that most home connection use the DNS services of their ISP, and I consider most ISPs as the least trustworthy operators in your computing chain. Most are willing to sell your data cheaply to anyone willing to buy it.

    Quad9's privacy statement is clear "No personally identifiable information is collected by the system. IP addresses of end-users are not stored on disk or distributed outside of the equipment answering the query in the local data center. Quad 9 is a nonprofit organization dedicated only to the operation of DNS services. There are no other secondary revenue streams for personally identifiable data; and the core charter of the organization is to provide secure, fast, private DNS."

    Conclusion

    I switched to Quad9, and it has been everything they promised. I recommend everyone reading this switch and try it out. It is one more layer of protection, and this one is easy & free.