Re: Paranoid browser test - is there privacy in FOSS?
 Originally Posted by Miuku
I'll put this in the nicest way I can;
No one cares about you or your browsing history, habits or anything else for that matter.
If nobody cares about all that - why were things like PRISM, XKeyscore etc. created? Has the world become more secure due to those "security" measures? Or on the contrary?
No, there are no monsters under the bed or the closet and no evil h4x0rz or big corporations don't care about you specifically because you have no interesting data to give out.
It is not about protecting one's photos from last summer but about protecting also client's data. Of course one can be completely negligent and disrespectful to the parties one communicates with for the convenience of believing in non-facts.
People really need to stop being so paranoid or get medication for it.
I am open to getting a recipe from you for medication about Intel ME, proprietary BIOS, quantum computers built to break any cryptography challenge etc. If there is such medication I would gladly give it to those who build these systems.
-
Re: Paranoid browser test - is there privacy in FOSS?
...besides the NSA (storing statistically 1 TB of data per capita of the world population, as of 2013), for logging into this forum I have to accept:
microfocus scripts (to reach the login screen)
opensuse.org 13 scripts
suse.com 32 scripts
googleapis 1 script
Some dozens more I block (from other vendors), no idea why they are necessary at all.
I have a number of (tech and other) forums I don't have to accept A SINGLE script from any source (especially not googleapis) to login and write comments.
This is a pest. I would never know about these things without uMatrix and NoScript.
Kind regards
raspu
-
Re: Paranoid browser test - is there privacy in FOSS?
 Originally Posted by suse_rasputin
...besides the NSA (storing statistically 1 TB of data per capita of the world population, as of 2013), for logging into this forum I have to accept:
microfocus scripts (to reach the login screen)
opensuse.org 13 scripts
suse.com 32 scripts
googleapis 1 script
Some dozens more I block (from other vendors), no idea why they are necessary at all.
I have a number of (tech and other) forums I don't have to accept A SINGLE script from any source (especially not googleapis) to login and write comments.
This is a pest. I would never know about these things without uMatrix and NoScript.
You forgot to mention that this forum uses Google Analytics and www.opensuse.org has connections to Facebook too.
BTW you don't need to accept anything from googleapis to use the forum. Here are my uMatrix settings:
-
Re: Paranoid browser test - is there privacy in FOSS?
I have to allow ajax.googleapis.com one script during login, otherwise there is the green "Forgot password" text of the login page in the password field and no way to proceed from there. Have a screenshot but no picture hoster... ;-) (you should have a look if googleapis is allowed by your uMatrix in general, I use the combination of uMatrix and NoScript).
Surfing the web is so disgusting these days (especially webshops), I started to have machines for nothing else but browsing in dedicated networks used via VNC. Just to keep my normal net as clean as possible and my data away from any tracking and other stuff.
Kind regards
raspu
-
Re: Paranoid browser test - is there privacy in FOSS?
 Originally Posted by suse_rasputin
I have to allow ajax.googleapis.com one script during login, otherwise there is the green "Forgot password" text of the login page in the password field and no way to proceed from there. Have a screenshot but no picture hoster... ;-) (you should have a look if googleapis is allowed by your uMatrix in general, I use the combination of uMatrix and NoScript).
Ok, I had
Code:
* ajax.googleapis.com script allow
but I removed it and I was able to log in. BTW why do you need NoScript if you have uMatrix (it can block JS too)?
Surfing the web is so disgusting these days (especially webshops)
Quite right. That's why I like to keep the sites I work on 'self-contained' - having all needed resources on the same domain and with strong HTTP headers (making A+ in https://observatory.mozilla.org/). I rarely see other sites do that (unfortunately). I don't know if it is due to webmaster's lack of knowledge or simple carelessness. For example amazon.com doesn't even have XSS protection header.
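To make the 'self-contained' idea above concrete, here is an added example (not part of the original post and not the poster's own tooling) that audits one response for third-party script hosts, external sources allowed by the CSP, and missing hardening headers. The host `forum.example`, the sample response and the `REQUIRED` header list are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample response for a hypothetical site, forum.example.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://ajax.googleapis.com",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_HTML = """
<script src="/js/app.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/example.js"></script>
<script src="//www.google-analytics.com/analytics.js"></script>
"""

# Assumed baseline of hardening headers; adjust to your own policy.
REQUIRED = ("Content-Security-Policy", "Strict-Transport-Security",
            "X-Content-Type-Options", "X-Frame-Options", "Referrer-Policy")

def third_party_scripts(html, site_host):
    """Hosts other than site_host that the page loads <script src=...> from."""
    hosts = set()
    for src in re.findall(r'<script[^>]+src=["\']([^"\']+)', html, re.I):
        host = urlparse(src).hostname  # None for relative URLs (same origin)
        if host and host != site_host:
            hosts.add(host)
    return sorted(hosts)

def csp_external_sources(csp):
    """Map each CSP directive to the sources it allows beyond keywords like 'self'."""
    external = {}
    for directive in filter(None, (d.strip() for d in csp.split(";"))):
        name, *sources = directive.split()
        hosts = [s for s in sources if not s.startswith("'") and s not in ("data:", "blob:")]
        if hosts:
            external[name] = hosts
    return external

def audit(headers, html, site_host):
    """Summarise how far a response is from a self-contained, hardened page."""
    present = {k.lower() for k in headers}
    csp = next((v for k, v in headers.items() if k.lower() == "content-security-policy"), "")
    return {
        "missing_headers": [h for h in REQUIRED if h.lower() not in present],
        "third_party_scripts": third_party_scripts(html, site_host),
        "csp_external_sources": csp_external_sources(csp),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_HEADERS, SAMPLE_HTML, "forum.example").items():
        print(key, "->", value)
```

A script host that appears in the HTML but not in the CSP (here the analytics host) would be blocked by an enforcing browser, so the two lists are worth comparing when tightening a policy.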
-
Re: Paranoid browser test - is there privacy in FOSS?
Reboot your machine (after a decent Bleachbit, including your cache) and try to login, without googleapis.com allowed one script you won't succeed. Believe me.
You should try the combination of NoScript and uMatrix. I think they complement each other.
But all this helps you nothing if your browser is a chatterbox, as the starter of this thread suggests. Will do some wiresharks on FF 57 over the coming weeks. Maybe it's time to keep browsers COMPLETELY out of the LAN and place them in a dirty net on their own...
Kind regards
raspu
-
Re: Paranoid browser test - is there privacy in FOSS?
 Originally Posted by suse_rasputin
Reboot your machine (after a decent Bleachbit, including your cache) and try to login, without googleapis.com allowed one script you won't succeed. Believe me.
My testing procedure doesn't include reboot of the nuclear reactor. I just open a private mode window and log in. The only ugly thing in the login window with googleapis.com disabled is the lack of a submit button, but I simply enter user and pass and press Enter. Screenshot:
https://ultraimg.com/images/2017/12/13/nK9F.png
If you want the overlay links not to appear you can try a static uBO rule (works for me)
Code:
login.microfocus.com###help > ul
But all this helps you nothing if your browser is a chatterbox, as the starter of this thread suggests. Will do some wiresharks on FF 57 over the coming weeks. Maybe it's time to keep browsers COMPLETELY out of the LAN and place them in a dirty net on their own...
Could you please share the results? It would be interesting to see also what that Waterfox really does. Hopefully this will turn into a bug report to Mozilla (who btw still haven't answered the one about telemetry).
BTW I wonder if it is possible to isolate the browser additionally somehow (I need to learn about AppArmor) without having to create a VM guest just for web browsing purposes (or move to Qubes). Currently I use an extension which allows FF to store passwords in its own gnome keyring. But recently I found this information:
Any application that executes with the same user's privileges can get access to any of the user's keyrings, and thus, can read secrets stored in any that are unlocked.
In other words one either has to agree to browsers having full access to keyrings containing other credentials (for LAN, SSH, private keys etc) or one has to store plain text logins. Or one has to move to kwallet where the situation is even worse.
From a paranoid viewpoint one can really consider some kind of LAN cable kill switch but that wouldn't help if the software stores temporary data "until network becomes available". Unfortunately looking at the code myself wouldn't really show how exactly the program works. Hopefully some developers are reading this thread.
-
Re: Paranoid browser test - is there privacy in FOSS?
...works without the googleapis script, I never tried "ENTER", instead of the login button...
Will do some browser research and come back. May take a while ;-)
Kind regards
raspu
-
Re: Paranoid browser test - is there privacy in FOSS?
 Originally Posted by suse_rasputin
Will do some browser research and come back. May take a while ;-)
Thanks. Will wait.
-
Re: Paranoid browser test - is there privacy in FOSS?
...any ideas how to share .cap files, if interesting?
Kind regards
raspu