Insights For Success

Strategy, Innovation, Leadership and Security

Microsoft Edge

Browsers and privacy

GeneralEdward Kiledjian
jason-dent-JFk0dVyvdvw-unsplash.jpg

We are going through a browser renaissance. The once stale segment has heated up with offerings from the most prominent players like Google offering Chrom and Microsoft offering Edge, all the way to small niche players like Opera, Brave and the DuckDuckGo Browser.

Browsers are typically chosen for their appearance and plug-in availability, but I believe privacy should be a more prevalent concern.

I am reminded of a 2004 BBC article that proclaimed, "More than 70% of people would reveal their computer password in exchange for a bar of chocolate, a survey has found." hopefully, we have evolved past this now.

1- Google Chrome

Google’s Chrome browser is by far the most popular browser in the world. It has a robust ecosystem of extensions. It should come as no secret to any Chrome user that Google is tracking user behaviours such as location, web activity and other habits. These are then used to present you with relevant advertising across Google and non-Google properties (those amazon boots that keep following you).

We also know that incognito mode isn’t much better.

Recently Google announced, then pushed back, the death of the cookie. This was not an altruistic move to benefit users because they will use a new on device cohort creation model called FLoC. If you use Chrome and are curious about FLoC, check out the well written site by the EFF called AmIFLoCed?

You can ops our of third party cookies right now by clicking on Settings, Privacy and Security, select Cookies and other site data. Finally check the box that says Block third-party cookies.

Obviously anything set by a first party won’t be blocked (Google setting it on a Google property or Facebook setting it on Facebook, WhatsApp or instagram, etc). To block first party trackers, you should be using tools like uBlock Origin, although Google has slightly defanged those tools in newer versions of their browser.

2- Microsoft Edge

Microsoft’s newest version of Edge is powered by the free and open source Chromium project. Microsoft then adds layers of proprietary tools on top of it and some are to enhance user privacy. It is safe to assume that all the build in Google trackers have been removed (think telemetry). If you want a Chrome experience without the Google bits, Edge is a good alternative.

In Microsoft Edge, Tracking prevention is on by default.

Microsoft Edge has 3 pre-configured levels of privacy protection: basic, balanced and strict.

Go to Settings, then go to Privacy and services to choose your level of Privacy.

Screen Shot 2021-06-26 at 4.27.24 PM.png

I have to remind you that researchers discovered Edge was sending user IPs and location to Microsoft servers. "According to the analysis, from Douglas Leith with the School of Computer Science and Statistics at Trinity College in Ireland, Edge sends privacy-invasive telemetry to Microsoft’s back-end servers — including “persistent” device identifiers and URLs typed into browsing pages."

3 - Mozilla Firefox

Mozilla is one of the browsers that still uses its own web rendering engine. Mozilla is a not-for-profit organization that has done a relatively good job keeping users safe on the internet. 

By default, Firefox blocks trackers, cross-site tracking and social media trackers (you may not realize that any webpage that has a Facebook button allows Facebook to track you on that site). 

Like Microsoft Edge, Firefox allows you to choose a basket of privacy settings labelled Strict or Standard.

You can check out the Firefox privacy settings by going to the menu, choosing Preferences, then Privacy & Security

4 - Apple Safari

Apple has invested heavily in improving the privacy of its users and changes made to Safari over the last 3 years have markedly helped. By default, Safari blocks cross-site tracking. Apple uses Google as it’s default search engine in exchange for a significant rent check.

The DOJ cites “public estimates” saying that Google pays Apple between $8 billion and $12 billion per year to be the default search engine on Apple products. On one hand Google uses your searches to further build an digital profile about you, on the other hand their search engine ensures you aren’t taken to known bad sides, tries to protect you from phishing and other bad websites.

Screen Shot 2021-06-26 at 4.38.40 PM.png

Unlike other browsers, Apple’s Safari provides minimal configurability of its browser. Out of the box the product does a decent job protecting users but there are still a handful of settings you may want to check out.

5 - DuckDuckGo browser

I am not writing about Brave because I still consider it a niche browser used by a small subset of my readers. DuckDuckGo browser falls into the same category but because of their privacy first stance, I wanted to include it in this list. On mobile platforms they offer their own browser. On traditional desktop operating systems, they offer extension that are interesting.

Screen Shot 2021-06-26 at 4.43.08 PM.png

.

Chrome extensions for the security conscious

GeneralEdward Kiledjian
marjan-blan-marjanblan-Hj5qdyQ2PmE-unsplash.jpg

Extensions are interesting little technical widgets. Most assume they are simply tools but some see it as art. I can learn a lot about a computer user by the browser extensions they have installed and use. As a security professional, I have a handful of security oriented extensions (in addition to the ones that make the web more usable or that save me money).

I regularly receive requests from readers to list my extensions and to be honest, they often change. I remove extensions I don’t use, deactivate extensions I sometimes use and add new ones that I learn about. So right now, here are the extensions I think you will find the most useful .They are Google Chrome extensions but they work in any Chromium browser (like MS Edge).

builtwith technology profiler

It shows the tech stack a website is built on

chaff

Generate random web browsing traffic to obfuscate actual browsing behavior to avoid profiling through 3rd party observation. Think of this as data poisoning for the companies that track you.

ClearURLs

This extension will automatically remove tracking elements from URLs to help protect your privacy when browsing the Internet.

Click&Clean

A tool that lets you clean browser tracking tools.

Disconnect

Let’s use block invisible web trackers

Distill

A tool that allows you to monitor a webpage and alert you when it changes.

DuckDuckGo Privacy Essentials

This is a swiss army knife of internet privacy. Here are the feature this extension offers

Escape Advertising Tracker Networks — Our Privacy Protection will block all the hidden third-party trackers we can find, exposing the major advertising networks tracking you over time, so that you can track who's trying to track you.

  • Increase Encryption Protection — We force sites to use an encrypted connection where available, protecting your data from prying eyes, like Internet Service Providers.

  • Search Privately — You share your most personal information with your search engine, like your financial, medical, and political questions. What you search for is your own business, which is why DuckDuckGo search doesn't track you. Ever.

  • Decode Privacy Policies — We’ve partnered with Terms of Service Didn't Read to include their scores and labels of website terms of service and privacy policies, where available.

DuckDuckGo has said “DuckDuckGo has announced that its Chrome browser extension has been updated to block Google's new tracking technology.” You can test if your browser currently supports flock using this EFF AmIFloced website.

EFF Chrome extensions

  • https everywhere Switches you to a secure https connection when available

  • Privacy Badget Privacy Badger automatically learns to block invisible trackers.

Robots Exclusion Checker

Robots Exclusion Checker is designed to visually indicate whether any robots exclusions are preventing your page from being crawled or indexed by Search Engines. But a security person could then take those robot files, manually check those pages and find out why the organization doesn’t them indexed. Sometimes the exclusion is because they don’t want Google indexing active pages, other times it’s because those pages contain information the organization doesn’t want outsiders to easily find (pricing, org info, etc).

Social Disconnect Plus

Social Disconnect Plus is a browser extension that removes all sorts of Social Media content on webpages (i.e. the Facebook like button and other widgets).

uBlock Origin

uBlock Origin is the best ad blocker available but it does so much more. It is a powerful HTML firewall to protect you from several web attacks.

UA Spoofer for Chrome

With this extension, you can quickly and easily switch between user-agent strings. Also, you can set up specific URLs that you want to spoof every time.

Wayback machine

Easily determine if the Internet Archive has previous versions of the webpage you are on.

Is TOR Private and Anonymous?

GeneralEdward Kiledjian

One of the most frequently asked questions I receive from readers (from this blog, Twitter and LinkedIn) is "Should I consider TOR private and anonymous?" 

This question is interesting with fervent activists on each side [of the issue]. On one side are TOR proponents extolling the virtues of the platform and explaining how it will save humanity from the scourge of privacy-invading networks. On the other side of the discussion are conspiracy theorists that claim TOR is nothing more than an NSA honeypot (a data collection tool). 

Like most important topics, the truth is never as clean as we would like it. The truth is that TOR is a little bit of this and a little bit of that. Let's dive straight in. 

Who started TOR?

Conspiracy theorists love highlighting the fact that the United States Navy developed TOR. So the first question we need to tackle is regarding this origin statement.

The core privacy functionality of the TOR network, the onion routing, was developed by United State Naval research laboratory employees named Paul Syverson, Michael G Reed and Favid Goldschlag. The purpose of the technology was to protect US intelligence communication. 

The TOR Project was launched in September 2002 by Paul Syverson,  Roger Dingldine and Nick Mathewson. In 2004, the Naval Research Laboratory released the TOR code under a free license, and the EFF (Electronic Frontier Foundation) began funding the initiative. The Tor project we know and love today was started in December 2006 as a 501(c)(3) non-profit organization with support from the US International Broadcast Bureau, Internews, Human Rights Watch, the University of Cambridge, Google and  Stichting NLnet.

It is true that the majority of the funding for the free and open source project came from the US government. 

Does the government control TOR entry and exit nodes?

When talking about TOR privacy and confidentiality, there are 2 distinct question most astute users ask:

  1. Can someone "see into" my traffic?
  2. Can someone tie TOR traffic back to me? 

The first theory I read about consistently was that world governments (particularly the 14 Eyes Countries) control the majority of the TOR Exit nodes thus can "see into the traffic." Looking strictly at the Exit node piece, governments have no deterministic way of knowing where a suspects traffic will exit from the network. As long as they don't control all of the TOR Exit nodes (which we believe they do not), they can't be sure the suspect traffic will flow through their nodes. Additionally, if the site you are visiting is using cheap and easy to implement security (like TLS) then even if the government controls the exit node, they won't be able to "see inside the traffic." Traffic that joins the TOR network to access a TOR hidden service never exits the network so it wouldn't even pass through an Exit node.

What if a government controls both the Entry node and Exit node you use? Assuming you are using TOR to browse the "normal" internet then you will hit an exit node. If the government(s) control enough of the entry and exit nodes, they can use statistical correlation tie traffic back to you. 

If you are browsing a site with well-designed security, they still would not be able to see "inside your traffic" but would know that you originated the traffic flow (aka collect metadata). 

It is important to remember that the TOR Project isn't just idly sitting on the sidelines watching the government violate its technology. They are actively working to harden the platform and work tirelessly to make it more secure every day. Some of the techniques used by the TOR platform include:

  • Switching TOR circuits regularly and unpredictably. Thus making long-term data mining more difficult. 
  • Ensuring that the TOR nodes used are as randomized as possible. Thus making predictability of route near impossible.
  • and more 

Has the TOR browser been hacked?

The answer is yes but hold on before you install the TOR browser from your computer. I would submit that almost every commercial or free software has exploitable bugs that would compromise a users privacy and confidentiality. The question isn't whether a product has these types of exploitable bugs but rather what the software "vendor" does about them. The TOR project has been an incredibly honourable steward of the TOR platform. They quickly patch any discovered vulnerability. 

The other "trick" for the extra paranoid is to switch the security level in the TOR Browser to high. This will break some sites, but you want strong security don't you? 

Can I be tracked using the TOR Browser?

I wrote an article in 2016 talking about browser fingerprinting techniques and referred readers to the EFF's Panopticlick site to test this on their own devices. Browser Fingerprinting is a technique that leverages information your browser gladly provides to sites to uniquely identify you and then track you as you browse the web. 

To illustrate the power or browser fingerprinting, I ran the Ponopticlick site on my "normal use" machine using different browsers. 

  • My reference browser will be Google Chrome (same results with or without UBlock Origin): Your browser fingerprint appears to be unique among the 1,747,285 tested in the past 45 days. Currently, we estimate that your browser has a fingerprint that conveys at least 20.74 bits of identifying information.
  • The Brave "privacy" browser (default configuration): Your browser fingerprint appears to be unique among the 1,747,235 tested in the past 45 days. Currently, we estimate that your browser has a fingerprint that conveys at least 20.74 bits of identifying information.
  • Microsoft Edge (Win 10 latest update): Within our dataset of several million visitors tested in the past 45 days, only one in 218410.63 browsers have the same fingerprint as yours.
    Currently, we estimate that your browser has a fingerprint that conveys 17.74 bits of identifying information.
  • Microsoft Internet Explorer (Win 10 latest update): Your browser fingerprint appears to be unique among the 1,747,285 tested in the past 45 days. Currently, we estimate that your browser has a fingerprint that conveys at least 20.74 bits of identifying information.

  • Tor Browser with safest security option: Within our dataset of several million visitors tested in the past 45 days, one in 92.3 browsers have the same fingerprint as yours. Currently, we estimate that your browser has a fingerprint that conveys 6.53 bits of identifying information.

So in safest mode, the TOR browser does dramatically reduce information leaking about your browser but the fact you are using a low popularity browser is in fact itself a tracking tool. The short answer to this question is that tracking is still possible.

Should I trust the TOR Browser?

I've addressed some of the most common questions I receive, but the only reason you read this article is for this one question alone. You want to know if the TOR browser is safe enough for you. 

Unfortunately for you, I'm a security professional, and I believe security is never black or white. The question of whether the TOR Browser is safe enough for you is the real question and that depends. 

It depends on the types of activities you are performing. 

On the low end of the spectrum is a general user that wants to use TOR to browse questionable websites from work without leaving traces in the company proxy logs or without being stopped by a URL filtering tool. For this type of user, the privacy and anonymity afforded by TOR are probably sufficient. It is unlikely that a nation state will target you for deanonymization and tracking. 

On the other end of the spectrum is a hardened criminal trying to sell nuclear secrets to the highest bidder. You would probably be classified as a high-value target by the global intelligence community, and thus they would use the full arsenal of tools to identify and track you. If you are a criminal mastermind hellbent on world domination, you probably need better tools than TOR. 

A tweet by Edward Snowden explains it best:

Security is a complex system of risk management and mitigating controls. There is no magic bullet where everyone is safe and anonymous all of the time. True security is a complex architecture of different technologies implemented in very particular ways, to achieve the protection level you desire or need. 

If you are browsing adult content from home and want some level of anonymity, TOR is perfect. 

If you want to browse it while at work, know that most companies have agents installed on your workstation to track your browsing regardless of the browser used. 

Therein lies the real risk. Whether you are using TOR or the end-to-end encrypted Signal messenger, the tools themselves are often secure.  However, if someone compromises either of the endpoints, you can still be de-anonymized. This is why true security must be done in layers.

Maybe you need to run a secure Operating System, like Qubes OS that routes its traffic through TOR (booted from read-only media and hash checked to ensure it has not been tampered with). Additionally, even if you have a safe and secure computer, operating system and connection, you must still be careful not to involuntary divulge clues about yourself when online, so security hygiene is also very critical. 

Security is though. Perfect security doesn't exist.

Microsoft takes aim at Google Chrome vulnerabilities

GeneralEdward Kiledjian

July 2014, Google launched it's project zero initiative to identify Zero-Day vulnerabilities in commercial software thus making computing generally more secure. 

Google's modus operandi is to inform affected vendors and give them 60 days to release patches. After the 60 day window, they go public even if a patch is not yet available. 

Our standing recommendation is that companies should fix critical vulnerabilities within 60 days — or, if a fix is not possible, they should notify the public about the risk and offer workarounds. We encourage researchers to publish their findings if reported issues will take longer to patch
— Google

There have been situations where Microsoft has not been able to release a public patch within that 60-day Window and obviously this has created a tense relationship between Google and Microsoft. 

Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.

You can read this Microsoft blog entry about their disappointment with google. not wanting to take the hit and move on, it looks like Microsoft security research has been looking for flaws in Google's products and found 2 bad ones. Realizing security is now a major differentiator, they decided to play Google's game and disclose the vulnerabilities after an elapsed wait time. 

Here is a sentence that takes a jab at Google's Chrome while praising their own Microsoft Edge security architecture :

This kind of attack drives our commitment to keep on making our products secure on all fronts. With Microsoft Edge, we continue to both improve the isolation technology and to make arbitrary code execution difficult to achieve in the first place. For their part, Google is working on a site isolation feature which, once complete, should make Chrome more resilient to this kind of RCE attack by guaranteeing that any given renderer process can only ever interact with a single origin

Microsoft justified the release of the detailed vulnerability information with this sentence:

it’s important to note that the source code for the fix was made available publicly on Github before being pushed to customers.

I think large well-funded companies should be doing general security research and helping improve the overall security of the entire ecosystem. I wish they could agree on a more friendly approach to vulnerability disclosure, not leaving their customers open and unprotected. This should not become a marketing tool but more of a commitment to societal improvement.

A guy can dream, can't he?

Chrome for Windows helps recover your browser from hijacking

GeneralEdward Kiledjian

Google Chrome, Microsoft Edge, and Mozilla Firefox are all mainstream browsers that work extra hard to keep you safe in cyberspace. Each company has taken a different approach, but users are more protected than ever before.

Nothing is foolproof though. What happens when badware gets through those defences and takes over your browser making your leisurely stroll through cyberspace painfully slow or dangerous by stealing your passwords?

In the latest version of Chrome for Windows, Google adds more tools to the arsenal. 

Hijacked settings 

Recently we have seen a surge in companies selling reputable browser extensions to other companies and these new owners leveraging the installed base to do bad things like stealthily changing your browser settings.

Chrome now looks out for this type of attack and offers to restore your settings. 

Chrome cleanup

Many companies bundle crapware in their product installers as a source of additional revenue. In some cases, the user may not even be aware that the crapware was installed. 

Chrome cleanup looks for this type of attack and offers to clean up Chrome (thus returning Chrome to a known good state). 

Google redesigned Chrome cleanup to be more powerful and more straightforward to use.

Rolling out now

The new version will slowly roll out to users over the next few days and you will benefit from these improvements automagically. 

 

Google blog post