Where Angels Fear
16 min read · Jan 13, 2020

Apps and Containers and Clusters, Oh, My!

(Part 1)

It’s been a while since I wrote anything sensible about … well, anything sensible really, but, specifically, in this instance, about information security and privacy.

Right now I don’t have time to go into things in depth, so this is only a heads up about:

  1. an upcoming post (or maybe/probably posts) about ITSec/Privacy
  2. a couple of seriously compelling reasons to use the Firefox web browser.

The first reason for preferring Firefox over other browsers like Chrome (especially Chrome) is that, whatever might be wrong with it (and I guarantee you it isn’t a perfect solution by any means, for all kinds of reasons) it isn’t owned by Google, Facebook, Amazon, Apple or any of the other supranational corporations with a vested interest in selling you out for money (if you think there’s such a thing as anonymised data, think again) and impunity from governmental oversight.

The second reason is the number of security/privacy addons/extensions that aren’t available to you if you use Chrome. Take AdNauseam, for example: ethical adblocking that Google will not allow you to use in Chrome, not because it deprives site owners of revenue (on the contrary, because it clicks every ad on the page, it generates even more revenue) but because it prevents them from profiling you.

The first thing to do is to stop using Windows and switch to Linux.

But, okay, I get that you’re unlikely to do that, so … as long as you aren’t one of those subhuman Morlocks who insist on using a S̶t̶e̶p̶f̶o̶r̶d̶ crApple Mac … instead, you should export/back-up all your bookmarks/settings/etc., uninstall any of the apps found on the following lists …

… and replace them with their portable versions (see the same lists)

Okay, that’s a huge step in the right direction — portable apps don’t create entries in the Windows registry, so malware can’t find out about their presence on your system that way and, more significantly, can’t make changes to their behaviour by altering those entries. Moreover, so long as you take regular backups, if something goes wrong with your portable app, fixing it is as easy as deleting the folder it’s in and replacing it with a simple copy of the latest backup — there’s none of that needing to use an uninstaller/cleaner to look for remnants that didn’t get properly removed from the registry/various weird locations on your hard-drive that nobody in their right mind would even think of.

I’ll do at least one more post on the subject of ITSec/Privacy enhancing addons/extensions for Firefox, listing those I recommend and detailing why, but, for now, I just want to mention two that will already do a surprising amount to improve matters in a manner that is pretty much ‘set and forget’ — you set things up once, at the start, and, with the odd addition from time to time, that’s basically it from there on.

‘Install’ and launch Firefox portable.

Browse to https://addons.mozilla.org and search for Firefox Multi-Account Containers (by Mozilla) … or simply click here …

… and add it to Firefox.

Click on the new FFMAC (Firefox Multi-Account Containers) icon on your toolbar and click on the ‘+’ symbol next to the words ‘Edit Containers’ at the bottom.

Create a container for Medium.

Click on the FFMAC icon again and select your new container.

A new tab opens in that container.

Type in the address of the site you want to open in that container — https://medium.com

Press the [Enter] key on your keyboard.

Click on the FFMAC icon again.

Place a checkmark in the box ‘Always open in Medium’

Close the tab.

Open a new tab with no container selected and enter the address of the site again — https://medium.com

Press the [Enter] key on the keyboard again.

Place a checkmark in the box ‘Remember my decision for this site’.

Click the button ‘Open in Medium Container’

From now on, whenever you type that address into the address bar, click on a bookmark, or click on a link on another page, the site will be opened in that container and isolated from every other site — it won’t share its data (e.g. cookies, referrer details and so forth) with other sites nor will other sites be able to see its data.

Create other containers according to need — Youtube, Amazon, Facebook¹, your email accounts (I have separate containers for Business, Professional, Public and Personal email accounts for instance) and so on.

̶I̶ ̶r̶e̶c̶o̶m̶m̶e̶n̶d̶ ̶y̶o̶u̶ ̶s̶t̶o̶p̶ ̶u̶s̶i̶n̶g̶ ̶G̶o̶o̶g̶l̶e̶’̶s̶ ̶s̶e̶a̶r̶c̶h̶ ̶e̶n̶g̶i̶n̶e̶ ̶a̶n̶d̶ ̶s̶w̶i̶t̶c̶h̶ ̶t̶o̶ ̶D̶u̶c̶k̶D̶u̶c̶k̶G̶o̶ ̶o̶r̶ ̶S̶t̶a̶r̶t̶P̶a̶g̶e̶.̶ ̶T̶h̶e̶ ̶f̶o̶r̶m̶e̶r̶ ̶u̶s̶e̶s̶ ̶B̶i̶n̶g̶ ̶r̶e̶s̶u̶l̶t̶s̶ ̶a̶n̶d̶ ̶a̶d̶d̶s̶ ̶i̶t̶s̶ ̶o̶w̶n̶,̶ ̶u̶n̶i̶q̶u̶e̶ ̶s̶e̶a̶r̶c̶h̶ ̶r̶e̶s̶u̶l̶t̶s̶ ̶t̶o̶o̶ ̶…̶ ̶t̶h̶e̶ ̶l̶a̶t̶t̶e̶r̶ ̶u̶s̶e̶s̶ ̶G̶o̶o̶g̶l̶e̶ ̶r̶e̶s̶u̶l̶t̶s̶ ̶i̶n̶ ̶a̶ ̶s̶i̶m̶i̶l̶a̶r̶ ̶w̶a̶y̶.̶ ̶B̶o̶t̶h̶ ̶(̶a̶t̶ ̶l̶e̶a̶s̶t̶ ̶c̶l̶a̶i̶m̶ ̶t̶o̶)̶ ̶r̶e̶s̶p̶e̶c̶t̶ ̶y̶o̶u̶r̶ ̶p̶r̶i̶v̶a̶c̶y̶ ̶a̶n̶d̶ ̶n̶o̶t̶ ̶t̶o̶ ̶t̶r̶a̶c̶k̶ ̶y̶o̶u̶,̶ ̶w̶h̶i̶c̶h̶ ̶i̶s̶ ̶a̶n̶o̶t̶h̶e̶r̶ ̶m̶a̶j̶o̶r̶ ̶i̶m̶p̶r̶o̶v̶e̶m̶e̶n̶t̶ ̶i̶n̶ ̶t̶e̶r̶m̶s̶ ̶o̶f̶ ̶t̶a̶k̶i̶n̶g̶ ̶b̶a̶c̶k̶ ̶c̶o̶n̶t̶r̶o̶l̶ ̶o̶f̶ ̶y̶o̶u̶r̶ ̶p̶r̶i̶v̶a̶c̶y̶ ̶-̶ ̶i̶t̶’̶s̶ ̶b̶e̶e̶n̶ ̶s̶o̶ ̶l̶o̶n̶g̶ ̶s̶i̶n̶c̶e̶ ̶I̶ ̶u̶s̶e̶d̶ ̶g̶o̶o̶g̶l̶e̶.̶c̶o̶m̶ ̶t̶o̶ ̶s̶e̶a̶r̶c̶h̶ ̶f̶o̶r̶ ̶a̶n̶y̶t̶h̶i̶n̶g̶ ̶t̶h̶a̶t̶ ̶i̶t̶ ̶n̶e̶v̶e̶r̶ ̶e̶v̶e̶n̶ ̶o̶c̶c̶u̶r̶s̶ ̶t̶o̶ ̶m̶e̶ ̶t̶h̶a̶t̶ ̶I̶ ̶c̶a̶n̶ ̶d̶o̶ ̶s̶o̶ ̶a̶n̶d̶,̶ ̶i̶f̶ ̶I̶ ̶c̶a̶n̶’̶t̶ ̶f̶i̶n̶d̶ ̶w̶h̶a̶t̶ ̶I̶’̶m̶ ̶l̶o̶o̶k̶i̶n̶g̶ ̶f̶o̶r̶ ̶o̶n̶ ̶D̶D̶G̶/̶S̶P̶ ̶m̶y̶ ̶f̶i̶r̶s̶t̶ ̶t̶h̶o̶u̶g̶h̶ ̶i̶s̶ ̶t̶o̶ ̶t̶r̶y̶ ̶S̶P̶/̶D̶D̶G̶ ̶i̶n̶s̶t̶e̶a̶d̶,̶ ̶n̶o̶t̶ ̶g̶o̶o̶g̶l̶e̶.̶c̶o̶m̶!̶

I no longer recommend StartPage. Not only does it now have links to an advertising company, but it took a year for that to be disclosed, during which time that fact was obfuscated and the impression given that it was owned and run by privacy advocates. Such practices are, at best, indicative of incompetence (leaving no confidence in the organisation as a whole) … at worst, deliberately deceptive and thus dubious.

I am also no longer as happy about DuckDuckGo as I used to be either. Quite apart from the usual caveats about it being based in the US and, therefore, subject to the PATRIOT Act, gagging orders, etc. I’ve recently learned some things about it that I’m not impressed by — such as the fact that it saves your searches. Okay, it all seems aboveboard and they do declare it, but they aren’t exactly quick to inform you about it and it’s certainly not the impression you get when reading their promotional material, is it? It’s not underhanded as such, but it’s not exactly full and frank disclosure, either … and that gives me pause for thought. Searx.me (or other providers of Searx) is, for now at least, an alternative, albeit not without a steeper learning curve regarding its settings and variable in its results depending upon the provider, but, if that’s not an option for you, I’d have to say that DuckDuckGo is probably the best of an imperfect lot, but I no longer recommend it.

If you really can’t tear yourself away from Google (it’s easy though, trust me, and you won’t miss it) then set up a container for https://www.google.com and any other google sites you use (google.co.uk, google.fr, google.de, etc.). That way Google only gets to see the data inside that container — still a lot more than is good for your privacy but better than giving it free rein on every site you visit outside the container as well!

So far, so good, but it’s still not perfect. Everything outside the containers you set up is still up for grabs, so, when you visit a site it can see the data of all the other sites you’ve visited outside those containers. And not even I’m going to set up a container for every single site I visit before clicking on some random link in the search engine results only to find it wasn’t a useful one after all!

We can improve matters further with ‘Temporary Containers’ by the developer ‘stoically’ …

What TC does is isolate everything in a separate container, restricting sites from sharing data (intentionally or otherwise) between them, so opening a link from your search results no longer leaves it open to having its data slurped by trackers on other sites, nor do the trackers on the site linked to get to slurp the data from any others.

Modern tracking technology being what it is, you can bet that its effectiveness is limited by the fact that the same trackers on each of the sites feed the isolated data back to the mother ship(s) where it is pieced back together anyway, but every little helps and the more you can do to prevent cross-pollination, as it were, the better. You may not stop Facebook compiling the list of all the sites you visited in the various containers but you’ll certainly make it harder for the various sites you visit to slurp data from each other and build a profile of you they otherwise would not be able to. Moreover, if sites are unaware of each other then an exploit on one won’t be able to take advantage of the knowledge of the others.
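To make the difference concrete, here is a simplified model of what the two addons change, as an added example that is not Firefox, FFMAC or TC code: each container gets its own cookie jar, and the script counts how many distinct cookie IDs one embedded tracker sees over the same browsing session. The class, the function names and the `.example` hosts are made up for illustration.

```javascript
// Simplified model of container routing and per-container cookie jars.
// Constructed for illustration; this is not Firefox, FFMAC or TC code.
class Browser {
  constructor({ assignments = {}, temporaryContainers = false } = {}) {
    this.assignments = assignments;          // host -> permanent container
    this.temporaryContainers = temporaryContainers;
    this.jars = new Map();                   // container -> Map(host -> cookie)
    this.tmpCount = 0;
    this.nextId = 0;
  }

  // Pick the container for a top-level navigation.
  containerFor(host) {
    if (this.assignments[host]) return this.assignments[host];    // "Always open in ..."
    if (this.temporaryContainers) return `tmp${++this.tmpCount}`; // fresh each time
    return 'default';                                             // one shared jar
  }

  // Load a page and its embedded third parties; return the cookie value
  // each third party receives from this container's jar.
  visit(host, embeds = []) {
    const container = this.containerFor(host);
    if (!this.jars.has(container)) this.jars.set(container, new Map());
    const jar = this.jars.get(container);
    const seen = {};
    for (const third of embeds) {
      if (!jar.has(third)) jar.set(third, `id-${++this.nextId}`);
      seen[third] = jar.get(third);
    }
    return { container, seen };
  }
}

// Count the distinct cookie IDs one tracker observes over a session.
function trackerIdentities(browser, session, tracker) {
  const ids = new Set();
  for (const [host, embeds] of session) {
    const { seen } = browser.visit(host, embeds);
    if (seen[tracker]) ids.add(seen[tracker]);
  }
  return ids.size;
}

// Constructed session: three sites embedding the same hypothetical tracker.
const TRACKER = 'tracker.example';
const session = [['medium.com', [TRACKER]], ['news.example', [TRACKER]],
                 ['shop.example', [TRACKER]], ['medium.com', [TRACKER]]];
const medium = { 'medium.com': 'Medium' };

function compare() {
  return {
    noContainers: trackerIdentities(new Browser(), session, TRACKER),
    ffmacOnly: trackerIdentities(new Browser({ assignments: medium }), session, TRACKER),
    ffmacPlusTc: trackerIdentities(
      new Browser({ assignments: medium, temporaryContainers: true }), session, TRACKER),
  };
}
console.log(compare());
```

The counts cover cookie-based identity only; a tracker stitching the separate IDs back together on its own servers, as described above, is outside what this model (or container isolation) addresses.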

I’ll go into how you can restrict what even the likes of Facebook, Google et al can do in the aforementioned post about ITSec/Privacy enhancing addons/extensions for Firefox but, for now at least, FFMAC and TC are a pretty good start — and, unless/until you want to add another site/service to FFMAC, it’s pretty much a ‘set and forget’ process, which means, that even the average user can enhance their security/privacy without being troubled for longer than it takes to read this post and follow the steps.

The first thing to note is that Mozilla have placed a warning that TC is not a Recommended Extension. Make sure you trust it before installing. This looks pretty scary but take it under consideration; it’s not developed by Mozilla themselves and, unlike something with a long pedigree (like, say, NoScript Security Suite) hasn’t been extensively tested and certified as safe/secure by them yet, so, it’s just a heads-up that you’re trusting an unknown third party with your data. But if you’re that worried that you balk at the idea of doing so then what are you doing trusting random employees at Google/Mozilla/Amazon/Facebook/Microsoft/Apple/Intel/AMD/Nvidia/Sony/Dell/HP/Samsung/wherever to develop the hardware, firmware, software and services you use in the first place?³

So, yes, it’s an important point, but we’re just going to place our trust in the idea that not every member of the human race is a sociopathic criminal looking to lure us into a honeytrap and that some of us actually do things for the betterment of all mankind for no reason other than it pleases us to make the World a better place for our having been here … and just install it, okay — until we hear/read that it cannot be trusted (like Ghostery, for instance, or AdBlock Plus, both of which have a murky history of playing fast and loose with users’ trust) we’ll place our faith in it working, if not exactly as advertised then at least as intended, and any failings being just that, failings, and not the result of premeditated nefarious intent.

So, just install it now.

Right … you’re going to have to roll up your sleeves now.

Fortunately for you though, you won’t need a toolkit and TC takes its own lid off for you by defaulting to a new tab open to its settings.

So, just click on the pretty pictures below to enlarge them and make the same choices in your TC settings.

Change the container name prefix, if you want (but why bother, frankly?).

Likewise, change the container colour or set it to be random, if that’s your aesthetic. Do the same for the icon, if that’s your thing. Similarly, set the colour of the toolbar icon, if you must. But follow my settings otherwise.

You might want to quibble with my settings here … that’s up to you … but the below offer the best compromise between:

  1. privacy/security and sites breaking when you click on links that point to different subdomains.
  2. usability and overwhelming you with minutiae

If you know what you’re doing, you’ll figure all this out without my help anyway and, apart from the recommendations on how to get FFMAC and TC to play nicely together, this post will have been redundant unless you were unaware of either of them.

Under the ‘Isolation’ tab, there is a ‘General’ sub-tab.

Under the ‘General’ sub-tab, there is a section ‘Exclude Permanent Containers’.

In this section, click on the triangle on the right to expose the drop-down menu.

Select the FFMAC containers you have created.

Unless you have specific need to make changes in the Isolation/Per Domain or the Isolation/Multi-Account Containers sections, you can leave them alone.

Configure the Advanced/General section as below.

Unless you have a good reason to set cookies on specific domains (like you run your own website/blog/whatever and want to containerise it) then heed the warning not to — the image below is only for completion’s sake, to ensure clarity.

As for deleting your history, you should be doing so every time you close your browser anyway, so doing so here would be redundant. Furthermore, if your browser is configured to delete site specific data when you close tabs (which it should be, if you care about your privacy) then you don’t want to lose the ability to use the back button in cloned tabs (which, after you install TC, will be in new containers and shouldn’t have access to the browser-wide history). So, again, unless you know what you are doing and have a good reason to do so, I recommend you do not make any changes in the next section and, again, the below image is just for completion’s sake.

If you need (or simply feel the urge) to collect statistical information on your container usage then go ahead and turn that feature on. It’ll probably slow down your browsing though and, if you configure your browser with the settings and addons/extensions I recommend in the next post about ITSec/privacy, it’ll be slow enough as it is — the tradeoff for that enhanced peace of mind is that your browsing experience will be impacted in terms of speed (even I curse my choices on a daily basis).

Export your settings, so that you can simply import them again if/when things go wrong at a later date and you need to reconfigure TC (if not your entire browser). If you’ve been sensible and followed my advice about using portable apps and backing them up before making changes then, in the worst case scenario, it might be easier to copy back an entire previous version, slow though that can be (there are a lot of files), and your settings will be copied over along with the rest of it. But, in the event that you just made some tweaks to TC and it all went wobbly as a result, importing a working configuration is quicker and simpler, so I recommend the first thing you do after all this is export the above configuration.

Okay … this is where things get a little bit fiddly.

If you want to add new containers to FFMAC in the Future, you have to remember to inform TC of them, or it will all go wobbly and be frustrating.

So …

Create your new FFMAC container as per the above steps, but don’t browse to the target site yet.

Instead …

Click on the Firefox ‘hamburger’ menu.

Select ‘Add-ons’.

Find the TC addon, click on the three dots and select ‘Options’.

Select the ‘Isolation’ tab and then the ‘General’ sub-tab.

Click the drop-down arrow to the right and add the new FFMAC container as you did before.

Okay, that should get you a modicum of privacy that you (maybe) didn’t have before. It’s not all there is to it (as said, tracking technology is insidious) and FFMAC and TC alone won’t do more than provide isolation of sites. But they’re enough for this post and a good start that you can (pretty much) set, forget and, day to day, trust to work without intruding as they go about their business.


¹ Mozilla have also created a Facebook Container², but that only containerises Facebook, which is unnecessarily limited compared to FFMAC (which allows you to containerise everything … including Facebook).

That said, however, it does add functionality that you might consider worthwhile insofar as it adds extra defences against Facebook tracking you around the web … so you might like to consider it.

Similarly, whilst you can use FFMAC to containerise Google, Twitter, Amazon, etc. there are third party addons (https://addons.mozilla.org/en-US/firefox/search/?platform=windows&q=container) that you can use instead — just bear in mind that the more you add, the greater the likelihood of some mismatch (or oversight) causing problems (up to and including the exact opposite of what they are supposed to do, by leaking information across containers), so think carefully about which extra features you really need and to what extent FFMAC can’t provide a suitable solution on its own.

² https://addons.mozilla.org/en-US/firefox/addon/facebook-container

³ You should be designing the silicon and machines that will build the chips and circuits that you poke the data values into, to create the compiler that will produce the binaries for the operating system you design yourself to run on the hardware you designed yourself … with no input from anyone else (just in case you can’t trust them after all) — after all what Earthly reason do you have to think the CIA/FBI/NSA/KG-used-to-B/MI5/MI6/MOSSAD/whoever don’t have deep-cover agents posing as employees/community contributors at Google/Mozilla/Amazon/Facebook/Microsoft/Apple/Intel/AMD/Nvidia/Sony/Dell/HP/Samsung/Mozilla/Telegram/wherever … inserting backdoors into every bit of hardware/firmware/software in the entire World?⁴

⁴ Let’s face it, you can’t actually be sure of anything you didn’t create yourself and, really, you should live in a cave, only emerging after dark, to steal food and washing off lines (killing any witnesses).

⁵ Yes, E. Scott, kurt and Arona, I’m looking at you.
