
A few simple steps to vastly increase your privacy online - kaxline
https://thetoolsweneed.com/a-few-simple-steps-to-vastly-increase-your-privacy-online/
======
ekianjo
Cough, cough...

> A non-profit giving away free software makes sense. Some of the biggest
> companies in the world giving away free software is suspicious.

followed by...

> Fortunately, you can tell your computer which DNS to use. The company
> Cloudflare has a publicly accessible DNS at the address 1.1.1.1 that they
> claim is encrypted and secure.

So wait, you suddenly forgot the axiom you used just a few paragraphs back?
Cloudflare is a for-profit company and they give something for free but hey,
this time it's not suspicious? Strange standards you live by...

~~~
nilkn
I don't think the author forgot the axiom; they seem to acknowledge that they
just don't know of anything better in that case:

> That's about the best you can ask for with a centralized infrastructure for
> the internet. A recurring theme in this quest for data ownership and privacy
> is that you can only take it so far before you have to ultimately trust a
> company or entity to do what they say they're doing.

~~~
rsync
"they seem to acknowledge that they just don't know of anything better in that
case"

They don't know you can run your own DNS server?

It's technically trivial (for this audience) and it's basically free (very low
traffic and resource instance or droplet or VM ...).

~~~
DoctorOetker
how much daily traffic does running your own DNS server generate? (to keep up
to date with the domain-IP binding?)

I am really interested in trying this...

~~~
perennate
The DNS requests corresponding to typical HTTP traffic would be negligible
compared to that HTTP traffic. DNS servers generally don't generate any
traffic except when you perform a query.

Should be <512 bytes per request and after a particular domain name is queried
it doesn't need to be queried again for some time (depending on TTL).

~~~
DoctorOetker
So it's really only somewhat anonymizing if many people use it? Is there some
kind of distributed DNS table through Tor or something?

------
floatingatoll
There’s a reason these “how to privacy your browser” changes are all not
bundled with browsers — because the capability to maintain them as they are
today is a one in a thousand skill or less. Maintaining this collection of
changes is a significant burden that requires an ongoing investment and a
willingness to deal with the technical fallout of these choices every day. So:

Please don’t apply these steps to non-technical people’s browsers. They will
result in an endless litany of broken banking websites, annoying support
calls, memory issues, and in general a terrible user experience for others.

Guides like these are why my most common technical support first response for
_experts_ having browser issues is to have them reset their browser settings
and remove all addons and try again. Non-experts rarely require that, unless
they tell me that an expert “made it better” for them. Don’t be that expert.

~~~
andrepd
> They will result in an endless litany of broken banking websites, annoying
> support calls, memory issues, and in general a terrible user experience for
> others.

This is some FUD you got going on here. Changing DNS will break nothing.
Neither will blocking referrals, blocking trackers, blocking ads. In the rare
case it does, you're one click away from disabling everything! Neither will your
system get slower; much to the contrary, you will save memory, network data,
and battery.

~~~
rashkov
A few minutes ago, my ad blocker broke the login form of my cellphone
provider. A non-technical user would probably not think to turn off the ad-
blocker, and would assume that the website is broken. Not being able to log
into your phone provider (or bank) is a pretty serious inconvenience which
should not be taken lightly.

~~~
gdfasfklshg4
If a login form breaks because of an ad-blocker then the site _is_ broken. Ad-
blockers have a bigger market share than most browsers!

~~~
rashkov
I agree that the website is the thing that is broken. Their code looked like
this:

    reportToTracker('userActionSubmit');
    submitForm();

The first line threw an exception. They should have surrounded that line with
a try/catch block. And they should have tested against popular adblockers as
well as popular browsers. But it's also within their right to not care about
adblockers, and live with the consequences of upset customers. Unfortunately,
very few customers will complain, so this becomes an externalized cost which
the website owner never sees.

Practically speaking, if I install an adblocker on my friend's computer, and
their mobile provider website stops working, then I personally feel some
responsibility for making my friend's web experience a bit worse.
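The pattern above next to a hardened submit handler, as an added example that is not the provider's actual code; `reportToTracker`, `submitForm` and the two blocker scenarios are hypothetical stand-ins:

```javascript
// Added example (not code from the thread or from any provider's site).
// Models what an ad blocker does to a page whose submit handler calls
// analytics before the user-facing action, and how to make that handler
// tolerate a missing or failing tracker.

// Fragile handler: the analytics call runs first, so any exception in it
// prevents the form from ever being submitted. This is the shape rashkov
// describes seeing.
function fragileSubmit(reportToTracker, submitForm) {
  reportToTracker('userActionSubmit');
  submitForm();
}

// Hardened handler: analytics is best-effort and isolated; the user-facing
// action always runs, whether the tracker script is absent or throws.
function robustSubmit(reportToTracker, submitForm) {
  try {
    if (typeof reportToTracker === 'function') {
      reportToTracker('userActionSubmit');
    }
  } catch (err) {
    // An analytics failure is not the user's problem; log it if you like.
  }
  submitForm();
}

// Runs a handler against a given tracker and reports whether the form was
// submitted and the name of any error that escaped the handler.
function simulate(handler, tracker) {
  let submitted = false;
  const submitForm = () => { submitted = true; };
  try {
    handler(tracker, submitForm);
    return { submitted, error: null };
  } catch (err) {
    return { submitted, error: err.name };
  }
}

// Two constructed ways a blocker manifests to page code:
// 1. the tracker script never loaded, so the expected global is undefined;
// 2. the script loaded but its outbound request is blocked and throws.
const scriptBlocked = undefined;
const requestBlocked = () => { throw new TypeError('Failed to fetch'); };
```

Running `simulate(fragileSubmit, scriptBlocked)` reports the form never submitted and a TypeError escaping, while `simulate(robustSubmit, scriptBlocked)` submits cleanly.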

------
j7k6
Whenever I come across one of those articles promoting "use Firefox instead of
Chrome" I wonder if I'm the only one having those huge performance issues with
Firefox on macOS. I seriously tried to make the switch from Chrome to Firefox
a few times in the recent years because of all the dark patterns Google is
pushing upon its userbase with Chrome, version after version. But Firefox
_feels_ significantly slower, makes the MBP fans go crazy and drains the
battery like hell.

I've come to the conclusion that at this point it's no option for me to make
the final switch to Firefox, as much as I'd like to. But I try to cut off
Google's prying eyes from my browsing behaviour as much as possible:

- uBlock Origin + Privacy Badger is all you need to block the most nasty
privacy invaders, seriously.

- I don't use the sync feature.

- I don't use Gmail, so there's no reason to login to my Google account,
ever.

- I used Youtube's thumbs-up button as sort of bookmarks for my favorite
videos, now I have a bookmarks folder for Youtube videos, which is ok for me,
but might not be for everybody.

- automatically clear browsing data after quitting Chrome.

My dream browser would be Firefox with Chromium under the hood, but that's not
very likely to happen...

~~~
kgwxd
If you care about privacy, you shouldn't be on a Mac anyway. Their privacy
policy amounts to "you can trust us".

~~~
j7k6
Privacy is always about trust. I trust Apple (more than others) because they
never gave me the impression they are doing anything shady with my personal
data behind my back. Unlike Google.

~~~
kgwxd
Privacy is only about trust when you can't know what software does. That's
only a concern with closed source software and services. Much of Apple's
software is closed, much of Apple is based on services. The one thing you can
trust is that, at some point, something they do with data they have will
displease you. Software that doesn't even try to collect data is the only
acceptable kind of software.

Using services obviously requires trust as far as data your client software
exposes, but if you choose closed source clients, you've given up on privacy
at a fundamental level.

------
khabaal
So, the DNS server of my provider against Cloudflare DNS it is. That seems to
be a good idea for people in unfree countries like Iran.

But since my provider knows every IP I connect to, they already have
everything they need in the first place, even if I don't use their DNS.

So handing over the DNS requests to a third party seems to be a rather not so
smart move to me.

edit: oh, and the Cloudflare DNS servers are located within the 5 eyes states?
nice...

~~~
deadbunny
> But since my provider knows every IP I connect to, they already have
> everything they need in the first place, even if I don't use their DNS.

If you connect to something fronted by CloudFlare your ISP can see you
connecting to CF, if they provide your DNS then they can see what you're
connecting to that's fronted by CF. A subtle yet important distinction.

Ignoring that, switching from your ISP's DNS prevents all kinds of shit they
like to do, like redirecting to ads on an unknown domain.

~~~
khabaal
> redirecting to ads on an unknown domain

I can clearly see that, in states like Iran or China, getting redirected to
somewhere you did not choose to go is really problematic, but getting
redirected to ads by your own provider, does this happen in your country?

In Germany, I guess, this would be quite illegal for a provider to do and be
considered as attacking the integrity of the DNS system for personal gain.

> If you connect to something fronted by CloudFlare your ISP can see you
> connecting to CF, if they provide your DNS then they can see what you're
> connecting to that's fronted by CF. A subtle yet important distinction.

Well, most of the time, you would connect to IPs that are not fronted by CF
servers, so there's nothing to gain there.

~~~
derefr
In the cases where I’ve seen this happen, the DNS provider is rewriting
NXDOMAIN responses. So, when you make a typo, you hit a “helpful” error page
that has ads and tracking in it.

------
lucb1e
My only remark is that changing dns to an external server is detrimental to
privacy, speed, and arguably security. I'll focus on privacy because that's
the article's focus.

The power of tracking comes from a central organisation being able to follow
almost everyone. Having a birthday calendar on your toilet that your friends
can also look at is not creepy, but a worldwide central birthday database
might be creepy depending on how private you consider the information.
Similarly, changing all our DNSes to 1.1.1.1 is giving Cloudflare, the NSA,
and anyone who hacked Cloudflare or any intermediate router (such as your
ISP's internal routers and backbone Internet routers), the ability to track
our dns requests. If you leave it set to the default, probably your ISP, then
someone would have to hack all ISPs on the planet to track all of it.

Furthermore, if you're not paying for it... I'm paying my ISP, but not
Cloudflare. Unlike XS4ALL, the ISP I have a contract with, I have no legal
guarantees regarding what happens to the data from Cloudflare.

~~~
godshatter
On the other hand, Cloudflare doesn't know me from Adam but my ISP has my
billing information. It basically depends on your threat model. I'm pretty
sure I'm way down the ladder for the NSA, but maybe I don't want an employee
at my local ISP getting in a tizzy about me because I frequent sites they
don't like. And who knows in today's world what websites might outrage them? I
live in a small town. This might actually be a thing I need to worry about.

This discussion is prompting me to look into dnscrypt as a short-term
solution.

~~~
DavideNL
Your ISP can see your internet traffic regardless of which DNS server you use.

By using Cloudflare you are sharing your internet history with _yet another_
company.

------
floathub
Install a PiHole ([https://pi-hole.net/](https://pi-hole.net/)) and redirect
all port 53 (DNS) traffic to it. One of many guides:

    https://scotthelme.co.uk/securing-dns-across-all-of-my-devices-with-pihole-dns-over-https-1-1-1-1/

Every device on your network now fails to resolve any
advertising/tracking/etc. URL. Great system, and "just works".

~~~
HashBasher
I did this a while ago, but don't see a huge difference with ads. I confirmed
that around 13% of traffic is getting blocked.

~~~
lostlogin
Add some more lists, I’m slowly ramping up my blocking and sit a little higher
than you in terms of %. I see a big spike in blocking when other users are
around - obviously it depends heavily on where you go. Are you using an ad
blocker on your device too?

------
janlaureys
Switched back to Firefox since the Quantum release and I'm very happy with it.
On mobile I still use Chrome, but I'm gonna check out how FF works on mobile
:).

~~~
jak92
Firefox mobile on android is a vastly better experience. The number one reason
is you can run adblock which turns many mobile sites from ad-filled disasters
to readable sites.

------
captn3m0
This misses out on the fact that ISPs regularly employ Transparent DNS Proxies
and your DNS requests may never actually reach CloudFlare.

Using something like DoH or DNSCrypt is the only real solution for now till OS
support for DoH or DoTLS rolls out.

------
bo1024
This is very solid advice (although I'm not familiar with all those browser
extensions and can't endorse them).

To go a step farther, I make two suggestions:

(1) using the uMatrix extension and disabling javascript by default. This
completely blocks fingerprinting. If a site doesn't work, you can always re-
enable JS in two clicks.

(2) Use a VPN or Tor Browser to better hide your site browsing behavior from
your ISP.

Not completely related, but

(3) Be very careful what software you install on your computer, tablet, and
phone (especially apps).

------
kgwxd
"Be sure to turn off uBlock Origin and Smart Referer for sites that you value"

No. Anyone that cares about privacy should have a strict no-whitelisting policy.
Find a way to advertise without third-party scripts, find some other way to
make money, stop trying to monetize altogether, or just stop existing.

~~~
LocalPCGuy
I believe this is a personal choice to potentially give up privacy for sites a
person values and/or trusts. It's fine for you to believe that no site should
make money via advertising, but others can have a different view and act on
that opinion.

------
tareqak
Here is a quote from the Smart Referer section:

It's kind of a dick move to the sites you like since it removes valuable
analytics for them, so you can (and should) whitelist domains that you want to
keep sharing data with.

Why is removing that information a "dick move"? When I visit a bank, restaurant,
or grocery store, those places don't know where I came from before entering
the store unless I have merchandise from other places. The most they can
gather is what clothing I'm currently wearing and if they keep tabs on my
previous visits.

~~~
kaxline
I'm thinking more of media sites that rely on ad dollars to pay the bills.
Unless they have a direct subscription option or other way to pay for the
service, you're eating into their bottom line. The real world analog would be
newspapers and the ads they run.

~~~
tareqak
Even then, newspapers either run ads without needing to know who their
customers are, or solicit this information from their customers voluntarily.
People like my parents don't know that a referer is involved unless it is
explicitly pointed out to them.

------
nrjames
I've been using the Brave browser for the past week or so. It feels like
Chrome, without the ads and spying. This article recommends Firefox. Are there
good reasons to choose one over the other?

~~~
fidrelity
Brave uses Chromium under the hood, so if you're paranoid you could assume
that Chromium has some kind of backdoor integrated.

Also, to my knowledge Brave Software Inc. is a For-Profit organisation.

Despite those facts I am personally using Brave. In my opinion you already cut
out most of the "bad stuff" of Chrome with this choice.

~~~
xyclos
If you're paranoid, you could read the source of Chromium and confirm it
doesn't have a backdoor integrated.

~~~
redleggedfrog
I take your point, but it's really not practical.

Any large codebase is nearly impossible to scour for this kind of thing,
particularly a web browser which is an immense mound of source. There are so
many ways to build in a backdoor, so many ways to build a way for you to later
load a back door, that it's not plausible, even for a seasoned developer, to
reliably find it.

You have to stop such things with source control. The surface area of a new
fix or feature is much easier to analyze for vulnerabilities, intentional or
not. I do this on a daily basis, and it takes work.

~~~
modzu
Well, if you don't trust Chromium, as a consequence you cannot trust any apps
built on Electron (Slack, GitHub Desktop, etc.) and you can't trust a single
thing on Android. That's pretty steep.

------
OrgNet
How does switching to a third party DNS increase privacy? Might as well use
your ISP's server since they already know what sites you visit (unless
you use a VPN, and this article doesn't talk about that).

------
tomglynch
> You don't have someone following you around from store to store writing down
> every product you touch or look at, and then block you from entering other
> stores until you watch an ad.

Great point. Online advertising is creepy.

~~~
everdrive
> You don't have someone following you around from store to store writing down
> every product you touch or look at, and then block you from entering other
> stores until you watch an ad.

Give this time, honestly. Stores are explicitly moving towards this to the
extent that it's possible.

------
chillingeffect
Also recommend Facebook Container for Firefox, for those using Facebook. I've
been using it for a long time and it hasn't interfered with my browsing.

------
3xblah
"Firefox is developed by a non-profit company, Mozilla, explicitly dedicated
to users' needs. Google and Microsoft make money off of users in different
ways and we can never be sure that their business decisions are going to align
with what we would want as users."

This gives short shrift to what is a complex set of interdependencies.

All these browsers rely on the existence of web advertising, including
Firefox.

Are web ads among "users' needs"? Who decides what comprise users' needs?
Users?

The reality is that whatever Mozilla defines as "users' needs" will also, at
least in part, represent the needs of the company authoring the competing web
browser. That is because the Firefox authors are paid indirectly from the
coffers of their competitor.

Mozilla Foundation cannot take a stand against web advertising because its
competitors rely on web advertising to make money. And Mozilla Foundation in
turn relies on money from its competitors to pay its employees. Mozilla is
aligned to some extent with the business decisions of its competitor.

Ideally employees of Mozilla Foundation would be volunteers and Mozilla
Foundation would pay them solely from donations from users. This is not what
happens.

Mozilla Corporation (for-profit) can, e.g., sell access to Firefox users'
searches to Mozilla's competitors. e.g., Google. The profits might then be
used to pay Mozilla Foundation employees. Some of those employees might leave
and go to work for Google to start a competing browser.

Firefox may be the lesser of multiple evils, but let's be honest it is not
solely dedicated to users' needs. It has its own needs -- paying hundreds of
employees -- and, given the current arrangement, it must to some extent serve
the needs of its competitor in order to meet them.

If for example there was a user who did not wish to support the web ads
business then Mozilla's decisions could never align 100% with what that user
would want because she does not want to support the web ads business. Mozilla
is paying employees by doing business with a competitor that gathers user data
and sells access to users to advertisers.

I am not downplaying the value of Mozilla. I am only pointing out that they
are probably not 100% aligned with all users. They are also partially aligned
with their competitor who is selling ads in order to make money.

~~~
kaxline
Great points, thanks for posting. I'll try to incorporate this nuance in
future posts.

------
kaxline
There were a lot of questions about VPNs in response to this post, so I
addressed them here: [https://thetoolsweneed.com/one-sorta-simple-way-to-vastly-im...](https://thetoolsweneed.com/one-sorta-simple-way-to-vastly-improve-your-privacy-online/)

------
pqs
I tried to switch to Firefox several times, and each time I go back to Chrome
because I use Google Sheets and it doesn't work offline on Firefox, which is a
must for me. :'( I guess I should quit Sheets, but my spreadsheet cannot be
easily converted to Excel or LibreOffice.

~~~
gardnr
I run both. They allow me to mentally partition things on desktop.

On Android, FF is my default and I open Chrome when I need to. Firefox on
Android supports uMatrix / uBlock.

------
0xCMP
If you're going to install uBlock Origin then I recommend looking at uMatrix
(same author) which does all the same thing but gives you much, much more
control.

It can be annoying and force a lot of refreshes, but it blocks a lot more
things more consistently than anything else.

------
superkuh
The most important and easiest step is installing NoScript and going temporary
whitelist only.

------
pard68
> DNS > Cloudflare

How about dnscrypt? The DNS servers offered through dnscrypt are much more
trustworthy IMHO. Also it is trivial to set up n DNS servers and to randomly
select a different server on each request, removing a bulk of that centralized
nature of DNS.

------
ggm
De-install all your X509 trust anchors and only re-install the ones you
understand.

------
BadassFractal
Never heard of Startpage before. How trustworthy is it compared to DDG?

~~~
timbit42
At least they're not Google. So even if they are collecting data about what
you're searching for, they have less data to link it to and probably less
power to use it than Google does.

------
alkonaut
The canvas and referrer plugins are new to me. This is great. I always
wondered why canvas is enabled by default. The ratio of useful to tracking
uses has to be 1:10.

------
iagooar
How safe is using Cloudflare from an EU perspective? Is it a big improvement,
if some day the American government might just request it to hand over all the
logs?

------
jancsika
What's the current state of the art (i.e., lowest setup time and least
maintenance) for downloading the entirety of Wikipedia and browsing it
locally?

------
known
[https://www.opennic.org/](https://www.opennic.org/) DNS servers are better
than 1.1.1.1

------
brookhaven_dude
Use Apple devices and software as much as possible?

~~~
bovermyer
Apple's walled garden is not one I want to play in. I will not trade one
corporate master for another.

~~~
neuronic
You are conflating two completely independent points due to personal
preferences, which of course are very valid.

The point still stands - with the current and known track record, Apple
devices are likely more trustworthy than Google, Microsoft or <insert Asian
manufacturer here>.

~~~
bovermyer
Ignoring my personal preferences and acknowledging that Apple is the most
privacy-conscious for-profit corporation in the arena:

_Apple is still a for-profit corporation._

~~~
neuronic
Exactly, but purely in terms of privacy it seems to be the best bet unless you
would like to manufacture your own smartphone.

Apple's profit, to date, relies less on user data than any of the other
companies.

~~~
bovermyer
You're assuming I need a smartphone.

~~~
lostlogin
I think the comment applies to other off-the-shelf hardware too. What do you
use?

------
auslander
For DNS, Quad9 is a better choice than Cloudflare, as it is a not-for-profit
public-benefit organization, while CF is a for-profit company.

~~~
Tecuane
I believe that at one stage the Quad9 resolvers were owned by IBM. A brief
look at the site indicates it was transferred to CleanerDNS, which is a
501(c)(3). Do you know how much involvement IBM still has in the project, if
any?

------
parliament32
The guide was fine until "Switch DNS to 1.1.1.1".

The real solution is to use your own DNS resolver (I've been running Bind on
my laptop for years with no issues). If that's not an option, it's still far
better to keep using your ISP's resolvers -- yes, your ISP may be evil, but at
least you're their customer. When a separate for-profit company provides a
"free" service, how can the product be anything but your personal data?

------
doctorRetro
The argument for switching to Firefox seems weak. I don't doubt there are very
solid reasons to do so, however the author's argument comes down to "I,
personally, just trust this one more, and I'm lazy and don't want to worry
about it." Okay.... that's nice.

~~~
timbit42
Chrome tracks you even if you're not logged into your Google account. Another
good reason to support and use Firefox is that we don't want to end up with
only one browser engine, giving Google complete control over the future of the
web and the rest of the internet.

~~~
doctorRetro
See, that's a perfectly valid and logical reason right there. Unfortunately,
the author didn't go into that and just left it at personal preference.

------
ibm5100
I always assumed Mozilla has too much of a little brother relationship with
Google to trust that they are truly independent.

I use Brave and it's good enough for my browser expectations.

------
renholder
> _The company Cloudflare has a publicly accessible DNS at the address 1.1.1.1
> that they claim is encrypted and secure._

For it to be "encrypted and secure", the client would have to be configured to
use DNSSEC, yeah? As far as I'm aware, most clients don't come with DNSSEC
enabled (in OOBE configurations), so isn't this a bit misleading?

~~~
xfitm3
I don’t think so. Instead you would want DoH (dns over https). DNSSEC is
designed to protect against MiTM and is not really effective at anything else.

~~~
renholder
Fair enough. Cloudflare's promotional site for 1.1.1.1 seems to tout DNSSEC
pretty heavily and only mentions DoH once, I believe.

Still, clients need to be configured for DoH, yeah?

~~~
acdha
You do need client support but these days that’s not uncommon: Android Pie,
Chrome, Firefox, and curl all have built-in support and there are apps for iOS
and Android, and once you’ve enabled it, it will work almost everywhere. I
believe most clients default to dual resolution so it won’t break if you’re on
a network which interferes (e.g. a ton of Cisco captive portals used that
address in error) unless you’ve enabled hard-fail mode.