46
votes
What steps do you take to secure your online use and privacy?
I do the following:
- Use a VPN (NordVPN)
- Use Firefox with a tweaked about:config and the following security extensions:
- uBlock Origin
- NoScript
- HTTPS Everywhere
- Privacy Badger
- Decentraleyes
- Cookie Autodelete
- Skip Redirect
- CanvasBlocker
- Run Linux Mint (I know, Ubuntu-based distros aren't ideal but I'm a Linux beginner)
- Don't have any social media as of a year ago
- Don't use any Google services, including YouTube, Google Search, or Gmail
- Use a password manager (KeePassXC)
The next step would be for me to switch from iPhone to Android running Lineage OS, but money is a bit tight right now. As for day-to-day lifestyle choices, I try to use cash whenever possible and never sign up for things like store rewards programs.
What's your setup? Do you consider yourself a privacy-minded individual? Are you more concerned with protecting yourself from corporate or government entities?
I'll stop myself basically repeating your OP, and mention only where I meaningfully differ. Don't use the last three Firefox extensions you mentioned, but I do use Container Tabs + Temporary Containers + User-agent Switcher. uMatrix instead of NoScript.
I use Unbound to prevent the hassle of picking a trustworthy DNS server, plus DNSSEC is nice. PIA for certain types of web browsing.
Don't have any social media, except a recently registered Mastodon I've not touched. Growing up being socially awkward and without a phone for a good while being the main reason before I had an interest in privacy :p.
I do have a Google account tied to my Android phone, although I tried cold turkey with Lineage in the end being able to restore purchases from the Play Store was nice. But I use NewPipe/youtube-dl to access YouTube, use DuckDuckGo over Google and use ProtonMail + Tutanota for email.
I'd say I'm mostly privacy minded. Though not too invested, e.g. I'm not going to put my online messages through Google Translate twice or avoid ever mentioning my A/S/L. Not going to go down the rabbit hole of hiding from the government either. I just like peace of mind that comes from general-person privacy, so that the average Joe or marketer doesn't know everything about me.
yes. unbound + pihole is great. the dnssec and privacy of unbound with the ad blocking of pihole
Would you mind explaining your email setup a bit/how it contributes to your privacy? I was looking into protonmail a while ago, but I kept getting stuck on the idea that if I sent an email to anyone using Gmail, then a record tied to my email address (practically a unique ID) with the message I sent is on Google's servers. And since everyone I email uses Gmail, it didn't seem like I'd be getting much use out of having my email be encrypted on my end. Was I just missing something obvious about how this would work?
Oh, there's nothing wrong with Ubuntu- or Debian-based Linux distributions. If they do any collecting at all, you have to give consent (and you'll know you've given it, it's not like some websites that actively try to take away your choice).
I'm very privacy oriented. A few things I've done to protect it:
A VPN, to make my ip address isn't unique to me and to switch ip addresses whenever I feel like it
Umatrix, blocking everything but first party content
Keepass for my passwords, and pwgen (a Linux tool) to generate secure passwords
uBlock Origin
Cookie Autodelete
Bloody Vikings, which gives me easy access to temporary email addresses
Useragent Switcher
Canvas Defender
HTTPS Everywhere
Cookie Autodelete
Decentraleyes
I've installed Linux on my pc a while ago, and I've recently started using LineageOS without any Google services.
Furthermore, I've written all companies I've ever had dealings with to remove all their data on me from their database, since the GDPR has finally given me a stick to whack them on the head with. I've installed LineageOS, don't use any Google or Facebook related services (searches are done through startpage.com) and I have a different alias on all online forums I'm active on. Oh, and lastly, as a matter of principle: if for some reason I still see your ad, I will not buy anything from you.
That said, it's a hassle. Umatrix breaks sites very often, but generally those are not the ones I'm very interested in in the first place. Companies don't always react favourably to delete requests, but that attitude doesn't really impress me - so far, all have removed my data when I threatened to file a complaint with the Data Authority.
Im not super concerned about my privacy, as in Im not just going to stop using youtube and android, but I am more concerned than most people
I use firefox with privacy badger, https everywhere, ublock origin, umatrix, noscript, and duck duck goes extension. I use duck duck go to search, but still use regular youtube and gmail.
I also have a pihole setup with unbound
I work tangentially in cyber-security (not really applied, more R&D) and I can say with pretty good confidence that there is definitely a privacy/security "sweet spot" - where you've done a good job of culling the low hanging fruit without doing things which make you really stand out as someone who is trying to hide something. There is a security concept called "LPI/LPD - low probability of intercept/detection" which is arguably far more important than the raw strength of payload security.
I know this is controversial in the world of privacy ideologues, but it's also the reality of the situation. Generally, the goal is not to do things which raises the signal-to-noise ratio of your activity above a threshold which someone might find interesting. For example, local cops are not going to get a warrant for all WhatsApp traffic crossing a certain boundary, but they might get a warrant for all Signal traffic through a boundary. Blocking ads and running incognito on occasion is kosher, but randomizing your user agent and playing games with tracking cookies stands out. VPNs are typically safe, but lots of TOR traffic will definitely get your ISPs attention.
It's paradoxical, and rubs some people the wrong way, but for the most part, you want to blend in. That way, when you do need to "go dark" for whatever reason, there is a much smaller chance that someone is watching you specifically. This is counter-espionage 101, and it sort of bothers me that so many privacy advocates dismiss the power of being another face in the crowd.
ive always thought that. if you install every single privacy addon, its got to raise some red flags and you become a target and are watched more closely. even though a bunch of companies and government are tracking everything, its not like they actually have the time to read what everyone is doing, just people on a special list
If you care enough you can use something like invidio.us (A YouTube proxy), it allows you to watch YT videos without having to run YT scripts, although granted it's probably not convenient to use on mobile. But really with that Firefox setup and Pi-hole, you're already much, much more secure than most.
Thank you so much for mentioning this. I've gotten down to only using Google for mail and YouTube, but I was having a lot of trouble finding a good YouTube proxy. This looks great, even seems fine on mobile!
I'm interested in pi-hole but heard from a friend that it requires a lot of manual updating after it's setup. What did they mean by that, and is there any truth to such a statement? I'm currently exploring solutions to ad blocking over things like Roku and Apple TV.
I've never used Pi-hole, you're better off asking SammyP6 or somebody else in the thread who has.
Pi hole is extremely easy to setup. you run 1 command and it has a setup guide where you select a few multiple choice options and it does everything for you. then you have to set it as your dns in your router settings. it comes preinstalled with a few block lists, but you can add your own. depending on what you ad, they may block sites important to you. some stricter lists block sites such as youtube or facebook for obvious reasons. if you uses thoose sites and thoose blacklists, you can just whitelist thoose specific sites. the block lists need to be updates, but the pihole automaticly does this about once a week. sometimes the pihole gets updates that you have to manually install, by running pihole -up, but its only gotten about 2 updates since I installed it maybe 6 months ago. if you want more information, they have a pihole website, and a subreddit.
I would highly recommend you at least experiment with it
You don't need HTTPS Everywhere if you're using DuckDuckGo Privacy Essentials. Duck does the same thing HTTPS does.
Same as you pretty much. Just some experiences of mine for people interested in privacy:
I definitely agree I am privacy conscious. I'm more concerned with hiding myself from corporate entities, however that also means I am concerned about hiding/overtly giving info to the gov. Also I think it is the philosophy behind it. If everyone becomes a sucker for facebook/youtube/reddit, then it becomes that much easier for those people to control the world.
I'm currently very happy with Sailfish X, but I have high hopes for the Librem 5. It would be nice to have some more choices next time I need to replace my phone.
I run Linux (Manjaro KDE) on my laptop, browse with Firefox with uBO blocking third party scripts and frames by default, HTTPS Everywhere and temporary containers.
on my Android phone:
AnySoftKeyboard
Slide for Reddit
Newpipe for watching Youtube videos
Standard Notes
Antennapod for podcasts
Signal for chatting (although I mostly use it as an SMS client :/)
Simple Calendar with calendar stored offline
Simple Gallery
MAPS.ME fork with analytics and ads removed for offline maps
I also use DuckDuckGo as my default search engine, I'm slowly moving from Gmail to Tutanota (although there are some growing pains in that regard), manage my logins with Bitwarden for unique passwords, and use 2FA codes with AndOTP.
I could probably be doing more but hey, I figure it's better than nothing ¯\_(ツ)_/¯
There's nothing wrong with Ubuntu. I'm a Linux veteran of two decades and I work primarily on Linux for productivity, and Ubuntu is definitely the way to go IMO. Anyone who says otherwise is mostly just being a snob.
Good to know.
Need an email to signup for a site but don’t want to use a real one ?
https://www.guerrillamail.com/inbox
I set up a personal domain name that references mail.mailinator.com
Most sites block mailinator and their other domains, but they only do so by domain name, not IP. Given that I'm the only person using my domain to collect spam I don't see it ever getting blocked.
FreeOTP seems to be abandoned. I'm using AndOTP and it works great.
Yubico lists services that support U2F on their website, though I doubt it's comprehensive. In addition, this site lists services that support 2FA, though you have to search for services, and you can't filter by types supported.
People who ask this question never say who their opponent is. That makes the question impossible to answer.
Most of your list doesn't make much sense, especially if your opponent is a well funded government agency.
This is just baffling.
how so? they moved from a closed source OS to open source with the ability to not use Google Play Services, and a granular permission manager that can even feed false data to apps requesting permissions, and an option to block domains via hosts and run a firewall if one wants to.
Because iPhone is much more secure than Android. iOS has far stricter permissions than Android and Apple themselves do not keep any browsing or app data on you. Safari is by far the most secure mobile browser out there.
Android is a great OS but it's permissions system is a complete mess. Also, remember that Google makes its money from ads, so Android exists to collect as much info about you as possible.
Apple was a named participant in PRISM.
I'm not sure about OP's exact setup but yet again, LineageOS can be used with no Google bits whatsoever, and their Privacy Guard is much more granular than Android's default permission system,
and almost to a fault - you can even set it so it asks you every time an all is trying to use a permission instead of granting it once and forever.
Here’s a question, I used Lineage with Micro G in the past without thinking about this. What DNS server does it use by default? Can it be changed?
sorry, no idea. the last time I used a custom ROM was when it was still called CyanogenMod and was based on Kitkat. I know Android Pie allows you to change your DNS server and some ad blocking/VPN apps let you do that too (Blokada and Adguard, for example), but I'm not sure if LOS offers a similar setting out of the box.
It happens to be defaulted to google DNS on mobile, so if you’re concerned about moving away from googles services, it probably doesn’t make sense to send them all of your DNS queries.
I'm on Lineage with MicroG right now, I think the default DNS server is the same as the one your router or mobile carrier (for data) tell it to use? When I resolve example.com in Termux using dig it uses 8.8.8.8.
I haven’t used Lineage in a few years, and I’m sure you can change it, but this was part of the reason I moved off the Android platform. The other main reason, was even with a “de-googled” ROM with Micro-g, Cloud messaging goes through them as well. Anyway, I’m not saying it’s good or bad, simply that they’ve got their fingers in so many places it’s very hard to determine what is being siphoned off to them.
GCM can be disabled in MicroG, however if you don't want to use GCM you should probably not use MicroG in the first place, as apps such as Signal don't allow you to login without enabling MicroG's GCM if it detects GApps. There might be a workaround for this, but I'm not sure.
There is and it's within the app. If you download the APK from their site and don't have a Google login (or disable micro), it defaults to using web sockets.
Oh I see, thanks!
Open source gives you almost no benefit. Here's one example (that lasted 2 years), but there are others: https://www.schneier.com/blog/archives/2008/05/random_number_b.html
>says open source gives no benefit
>links to a blog post about vulnerability that could possibly not be discovered or found much later if the package in question was closed source
hmmm.
Of course it could have been discovered. It would have been discovered by cryptography of the weak keys.
I'm not sure what you meant by this. Any amount of tracking protection helps. I would be far worse off if I was browsing Facebook on Chrome on Windows 10.
Why?
I'm going to jump in the middle of the discussion just to add a bit that wasn't considered.
Do you know what else has (most likely) an unlocked bootloader? Your laptop and your desktop computers. An unlocked bootloader just means a bootloader that you have access to and lets you replace the stock operating system, and that can be upgraded too. This means that if your bootloader is unlocked it can also receive security upgrades, something a locked bootloader can't. It also means you can install unofficial updates to your operating system. For example, I could upgrade from Android 4 (very insecure version, latest officially supported on my device) to Android 7 thanks to an unlocked bootloader and Lineage OS. This means that my old hardware is now more secure than it was before.
The equivalent to that on a computer is replacing the Windows bootloader with GRUB and installing Linux, bootloaders are software that may have bugs and vulnerabilities, and also require upgrades.
Because you haven't defined who your threat is.
I use UBlock Origin because ads are annoying, 2FA for what accounts offer it for mild protection, and a password manager because remembering dozens of passwords is a pain.
It's very limited as compared to everyone else in this thread, but to me it feels like the right balance between useful and irritating.
I really should be more careful, but I'm just too lazy. Plus, they already know so much about me that I wonder if it would make much of a difference. I use Ublock Origin and Disconnet with Google Chrome, but I'm more concerned with my browsing experience. I should, of course, be using Firefox, but it's so hard to configure it to my liking, specially keyboard shortcuts. I do have a Protonmail account that I wish to transition to, but Protonmail is too expensive. Tutanota is cheaper, but I wonder how much time it will be on.
I love talking with you English speakers, but I have a Facebook account because around this parts it's essential to be a part of society. From professional contacts to family and political discussions, it is just unavoidable.
So I guess what I should say is: don't be like me, kids.
I use Linux, though, so I guess this helps a bit.
Among other things, something that might be a bit unusual is I've started using the reader feature on the Edge browser, especially when I get to a site that asks for permission to use cookies with a super annoying popup - the reader mode just has the text and relevant images and removes the rest of the site, its really nice.
What are you trying to accomplish with the steps you have taken?
Minimize the data (and therefore power) corporations have on me. It's mostly a principle thing.
There's really no way of knowing considering the closed-source nature of the iPhone. But considering Apple is a named participant in PRISM, assume all activity is logged.
That seems like a pretty big assumption to make, in my opinion. Apple does things like make iMessage end-to-end encrypted at the device level by default, and openly and loudly refuse to create backdoors for active FBI cases. There's not much reason to think they would even have the infrastructure to log the kind of activity that Google does, because why would they? They gain nothing from it; they don't sell you ads. They don't have any interest in having a software model of you as a person. Google already has that infrastructure and data, so something like PRISM would absolutely mean the government has access to everything you've ever done in Google's presence. But Apple simply doesn't, and being a participant in PRISM doesn't magically give them the billions of dollars worth of software and hardware infrastructure necessary for that level of mass surveillance.