Use Tor Browser, or harden Firefox, for privacy?

Welcome 2016! This is my first post of the new year, and my first post from Germany and from Europe (following an amazing #32C3).

I routinely see people concerned about their personal privacy and computing security as it relates to web tracking. If you are one of these people, thank you for taking the first step toward a world that designs its information systems with privacy and security first. Asking which browser plugins to install is asking the right type of question, but it is not the right question to ask.

From Quinn Norton’s The Hypocrisy of the Internet Journalist:

I could build a dossier on you. You would have a unique identifier, linked to demographically interesting facts about you that I could pull up individually or en masse. Even when you changed your ID or your name, I would still have you, based on traces and behaviors that remained the same — the same computer, the same face, the same writing style, something would give it away and I could relink you. Anonymous data is shockingly easy to de-anonymize. I would still be building a map of you. Correlating with other databases, credit card information (which has been on sale for decades, by the way), public records, voter information, a thousand little databases you never knew you were in, I could create a picture of your life so complete I would know you better than your family does, or perhaps even than you know yourself.

In this context, advertising agencies are no different from the NSA. From NSA Turns Cookies (And More) Into Surveillance Beacons:

[S]py agencies are keen to find any available way to recognize a particular user by their devices’ behavior on the Internet, and that cookies sent with unencrypted web requests are one of the easiest and most straightforward ways of picking out an individual device even as it moves from network to network.

Thinking that you can simply install an app to solve your privacy and security problems is wishful thinking. Have you tested your configuration? Not just once in an ideal scenario, but also when you allow JavaScript because you need it?

A better question to ask is, what do trackers track?

Can your browser change your public IP address? Can your browser change or lie about your internal IP address? Can your browser change or lie about your browser resolution? Can your browser hide or lie about your screen resolution? Can your browser hide which browser and version you’re using, the browser plugins and versions you’re using, and the browser extensions and versions you’re using? Probably not, nor can plugins.

These are the types of things that Tor Browser fixes when you use Tor Browser correctly. The right answer to “what plugins support my computing security and personal privacy?” is to not install any plugins and to use Tor Browser.

The default installation of Tor Browser is the most anonymous way to browse the web because it holistically addresses most of the hardest problems to solve when it comes to web tracking.

And don’t go and install more plugins into Tor Browser thinking you are safer. Changing the configuration in any way makes it easier to re-identify you. Get to know the “security slider”; it will be your best friend when using Tor Browser. Learn and understand how and why Tor circuits are used.

Fundamentally, when you install a plugin into Firefox or Chrome, you make your fingerprint more unique, because most people don’t add plugins, let alone a unique combination of them. Most people also don’t change their public IP address, so most tracking mechanisms can trivially track you based on IP and the subnet of your IP address that your ISP likely dynamically assigns you. Most people sign into de-anonymizing services, and linking your session data to de-anonymized data is trivial. Even if you visit your personal web page via Tor Browser, and you continue to access other sites in the same session, it is probable that it is you visiting and thus probable that the other session data is yours.
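To put numbers on the "more unique" argument, here is an added example (not from the original post) that measures how many visitors share a given fingerprint and how many bits of identifying information it carries. The population, the attribute values and the extension names are all constructed for illustration.

```python
import math
from collections import Counter

ATTRS = ("browser", "screen", "extensions")  # attributes a tracker can read

def visitor(browser, screen, extensions=()):
    return {"browser": browser, "screen": screen,
            "extensions": tuple(sorted(extensions))}

def make_population():
    """Constructed sample of 1000 visitors (illustrative, not measured data)."""
    pop = [visitor("TorBrowser", "1000x1000")] * 400        # unmodified Tor Browser
    for screen, n in (("1920x1080", 250), ("1366x768", 200), ("1440x900", 50)):
        pop += [visitor("Firefox", screen)] * n              # stock Firefox
    pop += [visitor("Firefox", "1920x1080", ["adblock"])] * 99
    # One visitor with an unusual combination of extensions.
    pop += [visitor("Firefox", "1920x1080", ["adblock", "noscript", "ua-switcher"])]
    return pop

def anonymity_set(population, who, attrs=ATTRS):
    """How many visitors present exactly the same attribute values as `who`."""
    counts = Counter(tuple(v[a] for a in attrs) for v in population)
    return counts[tuple(who[a] for a in attrs)]

def surprisal_bits(population, who, attrs=ATTRS):
    """Identifying information: -log2(share of visitors with this fingerprint)."""
    n = anonymity_set(population, who, attrs)
    return math.inf if n == 0 else -math.log2(n / len(population))

def modify_one(population, index, **changes):
    """Copy of the population in which one visitor changed their configuration."""
    changed = dict(population[index], **changes)
    return population[:index] + [changed] + population[index + 1:], changed

if __name__ == "__main__":
    pop = make_population()
    tor = visitor("TorBrowser", "1000x1000")
    odd = pop[-1]
    for label, who in (("default Tor Browser", tor), ("Firefox + 3 extensions", odd)):
        print(f"{label}: set={anonymity_set(pop, who)}, "
              f"bits={surprisal_bits(pop, who):.2f}")
    # A Tor Browser user who adds a single extension leaves the crowd.
    pop2, changed = modify_one(pop, 0, extensions=("adblock",))
    print("modified Tor Browser: set =", anonymity_set(pop2, changed))
```

Passing a shorter `attrs` tuple shows how much each attribute contributes: without the extension list, the unusual Firefox visitor blends back into a group of 350.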

From Whonix: Things NOT to do

It’s best not to visit your own personal website where either real names or pseudonyms (which have ever been tied to a non-Tor connection/IP) are attached. Because how many people are visiting your personal website? 90% of all Tor users, or just you, or just very few other people? That’s weak anonymity. Once you visit a website your Tor circuit gets dirty. The exit relay knows that someone visited your website and if the site is not that popular, it’s a good guess that ‘someone’ was you. It wouldn’t be hard to assume that further connections originating from that exit relay come from your machine.

This gets down into operational security. Privacy is not just a matter of information security. You must consciously choose to help yourself by installing and using Tor Browser for nearly 100% of your browsing. You must take the responsibility of telling your service providers not to censor Tor users. You must change your habits if you wish to maintain privacy and thus autonomy. If you need Windows for your work, install an affordable Tails Linux or Whonix laptop next to your main workstation. Don’t give up.