They say privacy doesn’t exist on the Web — but that doesn’t mean you can’t try to safeguard your personal information. Our computers are loaded with details about our personal and business lives, and it’s definitely not acceptable to reveal them haphazardly. With hackers becoming ever more sophisticated, you have to take precautions.
One threat to privacy on the Web is the use of cookies and other technologies to track your browsing, clicking, searching, social networking and buying habits as you move from site to site. These tracking technologies build up an online profile of you that can be used not only to send you ads designed to appeal to you (useful to some, intrusive to others) but could also be used for identity theft if the information fell into the wrong hands.
Related Story: Facebook ‘Like’ button now under probe
Another threat is the vast number of files that accumulate on your hard drive — your browsing history, log-in cookies, cached pages and more — that could be accessed either by someone who gets physical control over your machine or remotely by hackers who have installed malware on your system. This information can include banking details, credit card numbers, Web site passwords and records of your visits to potentially embarrassing sites.
The current versions of all popular Web browsers offer some sort of “private browsing” feature — you activate it and surf as you normally would, but your cookies, passwords, Web history and browser cache are erased when you close the browser at the end of your session. Private browsing offers some degree of protection if you’re willing to forgo the convenience of having your Web history and saved passwords at your fingertips. But researchers from Stanford University and Carnegie Mellon University have found that no browser actually removes every trace of private browsing sessions.
In this regard, Firefox’s vast library of browser add-ons is both a blessing and a curse. On one hand, the researchers found that some add-ons, such as those that enhance searching, may store information that’s supposed to be purged after a private browsing session.
On the other hand, a number of Firefox extensions (some of which are available for other browsers) can protect your privacy to a degree that’s far above and beyond what private browsing can do. For comprehensive control over your privacy, install and use at least some of these eight Firefox extensions.
A basic security rule is that you should use a unique, un-guessable password for each site you visit. But how do you remember LV307gbH(* every time you log into your Web mail account? PasswordMaker solves that problem by generating a new password for each site — all you have to remember is your own master password to unlock the extension.
PasswordMaker uses an algorithm based on your master password, the URL of the site, your username and six other factors to generate the password on the fly every time you visit the site. That means it never needs to store passwords on your computer (or on a central server) — so even if someone gets access to your computer, your passwords are safe since they’re not actually stored on the computer anywhere.
Obviously, it’s vitally important not to forget your master password if you use PasswordMaker. It’s also important to remember or back up your account settings and configuration; the algorithm uses those settings for password generation, so you’ll need to re-create them if your system crashes. The PasswordMaker site offers some planning tips so that you can recover from a system crash.
Cookies placed by ads and Web pages can be used to track you as you move from site to site: Every time you visit a page with code from a particular ad or other tracking network, it can check to see what other sites with its code you’ve visited, what you did there and what you clicked on, allowing it to build a rather thorough profile of your surfing habits.
If you prefer more private, less customized Web surfing, using your browser’s security or privacy settings to block third-party cookies can help, but some tracking services are able to circumvent these controls.
The Ghostery extension, a part of the Better Advertising project, identifies code from 200 different ad and other tracking networks, showing you who is collecting data about you and what data they are collecting. You can decide whether to allow each service to track you or to block it.
When a Web page is first loading, Ghostery overlays a list of active trackers at the top-right-hand corner of your browser. If you want to explore further, you can click the ghost icon in your browser’s status bar to bring up a menu listing all the trackers along with links to further information.
You can even explore the particular code used to see exactly what the tracker is doing. Clicking “Block” for any tracker will prevent its JavaScript from loading at all, on the site you’re currently visiting plus any other sites that use the same service.
Ghostery is also available for Internet Explorer and Chrome.
NettiCat’s BetterPrivacy offers protection against an increasingly common kind of cookie called a local shared object (LSO) or Flash cookie. LSOs are used by the Adobe Flash Player plug-in to store the same kind of information that’s usually stored in browser cookies.
However, because LSO cookies are stored in a system folder instead of in the browser folder, they can’t be easily deleted. What’s more, unlike browser cookies, LSOs never expire, and they can hold about 25 times more information than typical cookies.
Since these objects are placed by Flash, your browser’s security settings have no effect on them. And here’s where they get really insidious — some companies use Flash cookies to duplicate their browser cookies. You may delete the browser cookie for a site, but the LSO stays — and it restores the original cookie the next time you visit the site. This reanimation capability has given rise to two more names for these objects: super-cookies and zombie cookies.
This is where BetterPrivacy comes in. The extension can be set to automatically delete all Flash cookies every time you exit your browser, or you can manually manage and delete unwanted LSOs one by one so that information can’t be accessed or used to track you from site to site.
When you install BetterPrivacy, there’s no obvious change to Firefox off the bat. When you close the browser, however, the extension checks for LSOs. If it finds any, you’ll see a dialog box asking if you want to delete them. If you hit Cancel, it doesn’t do anything; if you hit OK, it deletes them. There’s also a checkbox that lets BetterPrivacy automatically delete all LSOs every time after that.
To manage LSOs directly, open BetterPrivacy’s preferences in the Tools menu. Here you can remove them one by one or all at once; you can also add specific LSOs to a whitelist to prevent them from being automatically deleted in the future.
One of the more insidious threats bad guys can throw at you is a keylogger, a tiny piece of software that invisibly captures every keystroke you make and sends it back to its home base. Your stream of keystrokes can provide cybercrooks with personal information like your Social Security number or credit card numbers, and of course your log-in information for Web sites, applications and your computer itself.
KeyScrambler Personal Firefox extension
KeyScrambler Personal foils keyloggers by encrypting everything you type into Firefox.
QFX Software’s KeyScrambler Personal offers a clever way to defeat keyloggers — as you type, it encrypts the keystrokes at the driver level and then decrypts them in the browser. Any keystroke-logging malware on your computer will capture only the encrypted signal, which it will see as gibberish.
KeyScrambler Personal for Firefox, IE and Flock is free; there are also paid versions — Pro ($29.99) and Premium ($44.99) — that extend protection to other browsers, e-mail clients, password managers and many other applications.
Note that KeyScrambler works only with Windows; we don’t know of any comparable protection for Mac users. If you know of a similar extension for Macs, please let us know in the article comments.
The NoScript extension by Giorgio Maone prevents JavaScript, Java and other executable content from running on any Web page you haven’t expressly allowed to run scripts. This is crucial protection against cross-site scripting (XSS), where hackers insert code into Web pages using vulnerabilities in the various scripting languages the sites use to deliver content. Hackers use XSS to install arbitrary code on users’ machines for keylogging, hijacking passwords or phishing; it’s currently one of the most effective methods of delivering malware.
NoScript is also effective in blocking an emerging form of user tracking called browser fingerprinting. A recent study by the Electronic Frontier Foundation (EFF) showed that even without cookies or malware, Web sites can pull enough information about a user from the browser itself to build up a profile that can be used to track the user from site to site. The EFF singled out NoScript as an effective safeguard against this kind of tracking.
Since so much of the Web relies for basic functionality on the scripting languages that NoScript blocks, an Options button at the bottom of the browser window pops up a menu with options that you can use to temporarily or permanently allow scripts on sites you trust.
The Tor Project is an anonymizing service that tunnels your Web traffic through a network of random routers to make it virtually impossible for an outside observer to track any Web activity back to your computer. You can install the Tor program on your computer and route all your Web traffic through Tor, but because your packets are bounced off servers around the world, you will experience much slower Internet response.
Using the Tor-Proxy.Net Toolbar, though, you can choose to use Tor on a case-by-case basis, visiting chosen sites anonymously while maintaining non-anonymous connections in other Firefox tabs. Just enter the URL of the site you want to visit into the Tor-Proxy.Net Toolbar instead of Firefox’s own address bar and click “by Tor.”
The toolbar also offers two other options: You can click “by JAP/JonDos” to use the less popular JonDonym service, which offers slightly better performance but slightly weaker anonymity, or you can click “by Express-Service” to use Tor-Proxy.Net’s own anonymizing server. It’s a little quicker than the others but isn’t as secure, since it’s not an established anonymity service.
One of the greatest threats to privacy is the loss or theft of a laptop or desktop computer, giving whoever finds or steals it access to everything stored on it. Chris Finke’s FireFound extension notes the location of the network your computer is on whenever it connects to the Internet. If it has changed locations, FireFound sends a message to a central server with the new location.
So if the computer has been stolen or misplaced, you can log onto the password-protected FireFound server to find out approximately where it is. You can also set FireFound to send you an alert via e-mail whenever the computer is more than a specific distance away.
FireFound lets you remotely send instructions to delete browser passwords, page cache, surfing history, form data and other personal information from Firefox, so that whoever is in possession of your computer won’t be able to use your browser to access your online accounts or derive personal information from your cache.
The extension relies on the free service at FireFound.com, or you can set up your own open-source FireFound server. A $1-per-month premium account allows you to remotely encrypt and back up your saved passwords before wiping them from your lost computer; the premium account also lets you designate “safe areas” within which your computer’s movement will not trigger an e-mail alert.
Google offers an impressive array of services that help make the Internet useful, but all that assistance comes with a cost: your privacy. If you use a number of Google services, you’re giving the company access to your search history, your e-mail, your video and picture uploads and a wide range of other data, all of which can live on Google’s servers for months or even years.
Phlogenix’s OptimizeGoogle extension offers some neat tricks to improve your Google experience, such as adding links to results pages from Yahoo, Ask and other search engines for your searches in case you’re not satisfied with your Google results. The extension also offers a number of privacy-increasing options, most notably the ability to default to HTTPS secure browsing on all Google services and disabling tracking by ads or Google Analytics.
Logan Kugler is a frequent Computerworld contributor.
