A few question from a noob
I recently tried to clean up my digital life. I switched to Linux and switched to GrapheneOS and made more use of my proton subscription to replace google.
But I have a few questions :
I tried coveryourtracks.eff.org/ on Librewolf on my PC and Vanadium on my phone and it say I have a nearly unique fingerprint.
Is the benefit of using a privacy focused browser neglected by the low userbase and unique fingerprint ?
I did not have a great digital hygiene before so I have a google account, meta...
How do I clean this up ? Are services like Incogni any good or is it just marketing ?
Finally I wanted to use tails with persistent storage to use as a live system if I ever need to use a PC that is not my own to connect to my accounts. However, I don't want the ISP to know I use Tor. I see it as a big "I have something to hide" flag for the ISP.
But my understanding is if I install a VPN on tails it will be Tor over VPN (bad if I understand correctly) instead of VPN over Tor. Should I use something else than tails since I only want/need always on VPN with kill switch.
Thanks a lot for your help. I want to say the journey is much easier than what I anticipated. The hardest part is making people switch around me. The lobbying has started.
TiredTiger
Unknown parent • • •"Browser hardening" is a somewhat nebulous term; I've seen it used for both privacy and security interchangeably. I continue to hear that Gecko-based browsers (i.e. Firefox and its forks) are less secure, but I do not know exactly how that plays out in the real world. Security and privacy are sometimes at odds, and your threat model should help you choose which to prioritize and when. If you don't know how to weigh them, you may need to refine your threat model.
Vanadium is a hardened browser, yes. I don't have personal experience with it so I can't make any recommendations on its settings.
Imaginary_Stand4909
Unknown parent • • •Imaginary_Stand4909
Unknown parent • • •I wonder if my one bank doesn't like Librewolf. I logged in no issue on Ungoogled Chromium, but got a "security warning" on LW. Meanwhile Discover doesn't give a fuck and works when it wants to on either (read: never). Paypal worked fine on LW. I do use a Banking container on LW and turn off VPN, but banks are making it harder to go no app...
TiredTiger
in reply to Imaginary_Stand4909 • • •I honestly don't even know what would trigger that, unless that bank just really hates you using any gecko-based browser.
I generally despise the push for separate apps for everything anyway, but the banking ones are among the worst since so many of them are tied into Google Play. If my bank were to disable its website and only function with an app that required Google Play certification, I'd change banks. I'd be tempted to go old school and do banking in person, but who knows what kind of security cameras they have in banks now.
glint
in reply to Imaginary_Stand4909 • • •Afaik, UbO will disable JS for entire tabs at a time.
With noscript you can allow the bare minimum number of servers on a given tab/webpage access to load JS, and with a little practice you'll begin to notice the common ad/tracker domains that seem to want some JS injected in just about every site you visit.
sloppy_diffuser
in reply to Username85920 • • •Firefox Nightly + arkenfox userjs + uBlock Origin + Bitwarden as my daily driver.
Been a couple years since I checked up on arkenfox still being good. I get flagged as a bot all the time and constantly get popups about WebGL (GPU fingerprinting) so I assume its working as intended for my threat model.
Tails when I really care.
Mullvad VPN as my regular VPN with ProtonVPN for torrents.
GrapheneOS / NixOS as my OS.
Proton Visionary for most cloud services except passwords and I don't really use Proton Drive. I do use ProtonPass for unique emails to every provider.
Kagi for searches / AI.
Etesync for contacts because Proton didn't sync with the OS last I checked.
Backblaze B2 for cloud storage with my own encryption via rclone (Round Sync on GrapheneOS)
Keypass for a few things like my XMR wallets and master passwords I don't even trust in Bitwarden.
jmp.chat/ for my mobile provider.
Pihole with encrypted DNS to Quad9.
onlykey.io/ for the second half of my sensitive passwords (Bitwarden, LUKS, Keypass, OS login). First half memorized.
Its a lot. I burned myself out a couple years ago keeping up with optimizing privacy and this setup has served me well for 2 years without really changing anything. The cloud services are grey areas in terms of privacy but the few ads that leak through uBlock have zero relevance to anything about me.
GitHub - arkenfox/user.js: Firefox privacy, security and anti-tracking: a comprehensive user.js template for configuration and hardening
GitHubchris
in reply to sloppy_diffuser • • •Voxel
in reply to Username85920 • • •coveryourtracks.eff.org/
Is very inaccurate and misleading. It is a shame that EFF is still promoting it; I would recommend looking up the videos from Techlore and PrivacyGuides about fingerprinting; they explain it very well without any misleading or highly inaccurate information. You can find them on YouTube and PeerTube.
Regarding cleaning up your stuff, in what jurisdiction do you live in? Under the EU you can make use of your rights as seen in the GDPR. Noyb.eu is a good resource for learning how to excersise your rights as an EU citizen.
Tails is by design not made to be used with a VPN service of any kind, if you want to hide your Tor usage, use the built-in Bridges instead.
If you need further advice, feel free to contact me, I would love to point you into the right direction rather than leaving you in the dark.
Cover Your Tracks
coveryourtracks.eff.orgVoxel
Unknown parent • • •Voxel
Unknown parent • • •Don't forget to mention that Mullvad Browser is supposed to be used with a VPN to provide full protection
Source: Direct conversation with a MB developer
N.E.P.T.R
in reply to Voxel • • •It still gives metrics. And yes, Creepjs is not very useful against randomized values, though I noted it still because Brave fails (resulting in a persistent fingerprint) whereas Cromite succeeded to fool Creepjs. Both have many methods of fingerprinting protection.
Checking the fingerprinting protections of Mullvad and Tor is better done with TorZillaPrint test page by Arkenfox. It is optimized to tell you whether you blend in correctly with RFP normalized values.
TZP
arkenfox.github.ioVoxel
in reply to N.E.P.T.R • • •The Brave browser has much better blocking capabilities with the goal of offering all of the uBlock Origins features, while Cromite has an ABP integration which has weaker and less support for advanced filterlists. The default filterlists selection is also quite questionable. A blocked script can no longer track you.
Brave's fingerprinting protection measures are technically speaking superior than Cromite, the only reason that CreepJS can't be fooled by it all the time (I've done my own tests and it fails sometimes) is that it has specifically been designed to adapt to its protection mechanisms, which hasn't been done for Cromite.
You can also harden Brave to increase its level of protection:
privacyguides.org/en/desktop-b…
privacyguides.org/en/mobile-br…
Privacy Respecting Web Browsers for PC and Mac - Privacy Guides
Privacy Guidesken
Unknown parent • • •Konform Browser also provides stronger protection against fingerprinting compared to vanilla FF or LW. Similarly (and in no small part thanks) to Mullvad Browser and Tor Browser.
Identification via enumeration and rendering differences of fonts is a major factor that's often overlooked. Those three browsers bundle and enforce the same fonts and fontconfig to make that less reliable as fingerprinting method.
Konform Browser
Codeberg.orgken
Unknown parent • • •Is that true? I think it's not that much of a fundamental difference in strategy as you say. While LW (like MB) does randomization of e.g. WebGL and Canvas fingerprints, in general other fingerprintables are also kept static. From my perspective it's more a difference in degrees than direction. Have you checked how your font fingerprint persist?
Not exactly. LW comes without the addon but is configured to download and install uBlock Origin from
addons.mozilla.orgthe very first thing it does. This is in contrast with Mullvad Browser (which does bundle the addon) and Konform Browser (which will load locally installed system uBO from known path if installed from distribution package manager).Konform Browser is intended to support that use-case and also worthy for consideration. Would be curious to hear if you agree or how you think it falls short!
Font Fingerprinting
BrowserLeaksTiredTiger
in reply to ken • • •I think the main difference is that MB is geared for every user to look the same, whereas with LW every user is presumably unique, but not persistent between sessions.
I haven't heard of Konform, so I'll have to look into it. Thanks!