<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
 
 <title>The Crossover</title>
 <link href="https://0io.eu/atom.xml" rel="self"/>
 <link href="https://0io.eu/"/>
 <updated>2018-12-28T17:41:31+00:00</updated>
 <id>https://0io.eu</id>
 <author>
   <name>The Crossover</name>
 </author>
 
 
   
   <entry>
     <title>Issue 03 - Encryption</title>
     <link href="https://0io.eu/issues/2018/12/19/Issue-03-Encryption.html"/>
     <updated>2018-12-19T12:45:29+00:00</updated>
     <id>https://0io.eu/issues/2018/12/19/Issue-03-Encryption</id>
     <content type="html">&lt;p&gt;In this issue, we focus a little more on the issue of privacy by highlighting data leaks from new technologies as well as emphasising again the importance of encryption.  In our previous issue, we explained why we should all care about privacy and why we should maintain systems that allow communications to remain private, even if we think that we have nothing to hide.&lt;/p&gt;

&lt;h1&gt;Consider&lt;/h1&gt;

&lt;p&gt;Unfortunately, there are current efforts to undermine the privacy and security of digital communications under the auspices of national security.  The Australian government recently &lt;a href=&quot;https://www.wired.com/story/australia-encryption-law-global-impact/&quot;&gt;passed a bill&lt;/a&gt; that will allow the government to compel tech companies to build backdoors in their products, including instant messaging platforms.  Other countries like the United States, the United Kingdom, Canada, and New Zealand have spent years unsuccessfully lobbying for similar laws.  However, as these countries have agreements with Australia to collect, analyse and share intelligence (Five Eyes agreement), it is expected that the backdoors that are developed as a result of Australia&amp;#39;s new bill will also be used by these governments. If a tech company offers a backdoor for an Australian government order, it is likely that other governments will soon also demand the same. &lt;/p&gt;

&lt;p&gt;Why are backdoors so bad?  Crucially, when implemented, a backdoor exists for everyone.  Once a backdoor exists, any country, group, or individual can maliciously exploit its existence and access or leak private data from anyone using the affected system.  Let&amp;#39;s consider the implications of this.  It has been reported that Malcolm Turnbull, the former Prime Minister of Australia, is a Signal Messenger user.  The Signal Developers &lt;a href=&quot;https://signal.org/blog/setback-in-the-outback/&quot;&gt;have said&lt;/a&gt; they will not implement a backdoor.  However, if they did, there would be a risk that Malcolm Turnbull&amp;#39;s communications could be made public if the backdoor were to be exploited by a criminal group, thus defeating the purpose of the bill. While Signal Messenger will not comply with the new law, other tech companies will.  The existence of backdoors can lead to the release of data that security agencies are trying to protect, endangering the very operations that lawmakers say they are trying to protect. Security researchers have spent decades opposing backdoors, but the fundamental privacy and security reasons behind their objections are being ignored by lawmakers.&lt;/p&gt;

&lt;h1&gt;Become Aware&lt;/h1&gt;

&lt;h2&gt;Preventing data leaks by stripping path information in HTTP Referrers&lt;/h2&gt;

&lt;p&gt;&lt;a href=&quot;https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/&quot;&gt;https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In a previous issue, we talked about how your website visits can be tracked through the referrer when you visit other websites (e.g., when you click on a link in your browser, the website you are directed to will know the web address from where you came). In this article, Mozilla explains the issue in a bit more detail and announces that it will remove some identifying information from the referrer field when using Private Mode. However, we must point out that even with these changes in Firefox, the website you come from is still leaked to the website tracking you, even though some personal information is stripped from the referrer field. Although Firefox now tries to remove some of this information from the referrer field, not all browsers take these measures to protect your privacy.&lt;/p&gt;

&lt;h2&gt;Fitness tracking app Strava gives away location of secret US army bases&lt;/h2&gt;

&lt;p&gt;&lt;a href=&quot;https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases&quot;&gt;https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://twitter.com/tobiaschneider/status/957317886112124928&quot;&gt;https://twitter.com/tobiaschneider/status/957317886112124928&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;When we share data with companies, we do not often want those companies to make that data public. Yet sometimes this is out of our control. The company can leak data even if neither you nor the company &lt;em&gt;intends&lt;/em&gt; to do so. This article exposes the inferences that can be made from inadvertently leaked data.  Military personnel used fitness tracking devices while stationed all over the world and then uploaded that data to Strava. Strava publishes a heat map showing where people exercise all over the world. If you look for locations around military bases, you can see, for example, where the patrol routes are, or where military personnel are usually working or exercising.&lt;/p&gt;

&lt;h2&gt;A Sleeping Alexa Can Listen for More Than Just Her Name&lt;/h2&gt;

&lt;p&gt;&lt;a href=&quot;https://spectrum.ieee.org/view-from-the-valley/consumer-electronics/gadgets/beyond-the-super-bowl-a-sleeping-alexa-can-listen-for-more-than-just-her-name&quot;&gt;https://spectrum.ieee.org/view-from-the-valley/consumer-electronics/gadgets/beyond-the-super-bowl-a-sleeping-alexa-can-listen-for-more-than-just-her-name&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;While the article suggests that Alexa listening for more than just her name is a good feature, it also means that Alexa has the capability to listen to sounds that would not normally trigger her to start up. The result is that data that the user would not necessarily want shared is nevertheless recorded.&lt;/p&gt;

&lt;h2&gt;Amazon&amp;#39;s Alexa recorded private conversation and sent it to random contact&lt;/h2&gt;

&lt;p&gt;&lt;a href=&quot;https://www.theguardian.com/technology/2018/may/24/amazon-alexa-recorded-conversation&quot;&gt;https://www.theguardian.com/technology/2018/may/24/amazon-alexa-recorded-conversation&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This article focuses on an instance where Alexa inadvertently recorded a private conversation and sent it to a random contact. The article illustrates how, even when a device is not designed to leak private data, it can still fail and create privacy problems.&lt;/p&gt;

&lt;h2&gt;Signature validation vulnerability in German ID cards&lt;/h2&gt;

&lt;p&gt;&lt;a href=&quot;https://www.sec-consult.com/en/blog/2018/11/my-name-is-johann-wolfgang-von-goethe-i-can-prove-it/&quot;&gt;https://www.sec-consult.com/en/blog/2018/11/my-name-is-johann-wolfgang-von-goethe-i-can-prove-it/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The article explains how the system that is used to validate German ID cards on online platforms had a vulnerability that allowed an attacker to impersonate any individual. Some banks and insurance companies in Germany use this system to authenticate users, as it is believed to provide a better user experience for their customers. The authentication scheme is also used in government portals like the German Justice Department and the German Pension Fund.&lt;/p&gt;

&lt;h2&gt;Learn&lt;/h2&gt;

&lt;h3&gt;Man-in-the-middle (MITM) Attacks&lt;/h3&gt;

&lt;p&gt;A man-in-the-middle attack is when a malicious person or machine can intercept a message being sent, read it, and relay it between the parties. For example, if Alice wants to deliver a message to Bob, Mallory could intercept the message, read it, and continue to forward the message to Bob. If Bob and Alice are not using any tool to prevent these types of attacks, they will not even be able to determine whether the message was seen or tampered with by Mallory.&lt;/p&gt;

&lt;p&gt;Man-in-the-middle attacks are one of the main types of attacks that end to end encryption tries to prevent. For example, if you suspect your Internet Service Provider (ISP) could be an attacker, you need to prevent it from reading the messages it relays from your computer to the servers you are connecting to, including the ones you use for email or accessing websites. In this case, the ISP is acting as a man-in-the-middle, and if you encrypt your connection end to end you are preventing a man-in-the-middle attack.&lt;/p&gt;

&lt;h3&gt;What is end to end encryption?&lt;/h3&gt;

&lt;p&gt;We see the term &amp;quot;End to End Encryption&amp;quot; being used a lot in the media, and we notice that this sometimes confuses people. What are the two ends? And what connects them?&lt;/p&gt;

&lt;p&gt;End to end encryption refers to an encrypted communication channel between two devices. Each device represents the end of that channel. A channel might be, for example, a messenger service or an email communication. If the communication is encrypted end to end, nobody else with access to the channel data can decrypt the information the two devices are sharing.&lt;/p&gt;

&lt;p&gt;If, for example, Alice wanted to communicate securely with Bob, she could put a message in a vault and then send the vault to Bob using normal mail. When Bob receives the vault he can open it and read the message but the person delivering the vault, for example the courier, could not read the message.&lt;/p&gt;

&lt;p&gt;The same thing happens when you want to connect to some websites. If you want to make sure only you and the website know about the content of your exchange, you can encrypt data on your device and send it across the network to the website server. The server can then decrypt the data and return an encrypted response back to you. Thus, no one who may be listening to this communication, like your Internet Service Provider or a government agency, can decrypt the data since it is encrypted from your end to the website&amp;#39;s end -- the data is encrypted end to end.&lt;/p&gt;

&lt;p&gt;In the above example, we assumed Alice and Bob already shared a secret: the vault combination.  This is what would allow them to share the encrypted information. But this cannot always be the case.  For instance, what would happen if Alice and Bob had never met before? They would not have any way to securely communicate the combination to each other, as someone could be listening and therefore could also open the vault.&lt;/p&gt;

&lt;p&gt;The same thing happens on the internet. If someone knows the encryption key used by one end, then they can decrypt the data: the communication would no longer be encrypted end to end.&lt;/p&gt;

&lt;p&gt;There are a number of technologies that solve this problem and they are based on Public Key Cryptography (&lt;a href=&quot;https://en.wikipedia.org/wiki/Public-key_cryptography&quot;&gt;see Wikipedia&lt;/a&gt;). HTTPS, a technology that you probably use every day and are using right now when reading this website, uses Public Key Cryptography. If you are interested in how Public Key Cryptography works you can watch &lt;a href=&quot;https://www.youtube.com/watch?v=AQDCe585Lnc&quot;&gt;this video&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;When you use HTTPS you are encrypting your data on your device all the way to the server. Your Internet Service Provider cannot decrypt your data and read what you are actually sending to the server, though it can know you are communicating with that server. This means that when you use HTTPS you are encrypting data from your device to the computer that is serving the information you are accessing.&lt;/p&gt;

&lt;p&gt;To check if you are using HTTPS, you can look at your browser address bar and check if you have a green padlock while visiting the website. However, HTTPS has some limitations and end to end encryption is not always used, for instance in the following situations:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;The computer handling your requests could end the encryption and pass your request on to other computers without using any encryption.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Some metadata leaks out of the request, and anyone listening to your communication could see that you are attempting to contact that service.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Some services do not use HTTPS with up to date encryption settings, which means they are using old versions of encryption algorithms or parameters and the encryption may be insecure.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Using HTTPS is still considerably more secure than not using it, so you should consider using HTTPS everywhere you can and never give out personal data over a connection not using HTTPS (for how to do this, see Act, below).&lt;/p&gt;

&lt;p&gt;The Signal Messenger App, which we have written about in &lt;a href=&quot;https://0io.eu/thecrossover/issues/2018/02/05/Issue-02-Privacy&quot;&gt;Issue 2&lt;/a&gt;, encrypts your messages on your device and sends them across the network to someone. Only that person can decrypt the messages and read them. No service relaying the messages, including Signal, can read them.&lt;/p&gt;

&lt;p&gt;When using an end to end encryption application, you are trusting that the person or computer to whom you are communicating is really who you think it is. For example, someone contacts you through Signal and they say they are your friend Alex. You immediately start a private encrypted communication using your key and the key that person is using. But how do you know that person is really your friend Alex and not someone else?&lt;/p&gt;

&lt;p&gt;This is where &lt;a href=&quot;https://ssd.eff.org/en/module/key-verification&quot;&gt;out of band key verification&lt;/a&gt; comes in. By using key verification before you and Alex start to use end to end encryption, you can make sure that the keys you are using really belong to you and Alex. Many applications support this type of key verification -- Signal Messenger supports this through the &lt;a href=&quot;https://signal.org/blog/safety-number-updates/&quot;&gt;safety numbers feature&lt;/a&gt; and we encourage you to try it out and verify the keys used by your contacts.&lt;/p&gt;

&lt;p&gt;When you email someone, you are sending an unencrypted piece of text from your device through multiple servers until it reaches the person you are emailing. This means all these computers will be able to read your email and your email metadata. If you want to encrypt your emails end to end, meaning the communication is encrypted all the way from you to the person you are emailing, you can use a technology called GPG. &lt;/p&gt;

&lt;p&gt;By using GPG you can encrypt the contents of your emails from your computer to the computer of someone reading it, using Public-Key Cryptography. If you want to start using GPG visit the link in the Act section below.&lt;/p&gt;

&lt;h1&gt;Act&lt;/h1&gt;

&lt;h2&gt;Virtual Private Networks (VPNs) and End to End Encryption&lt;/h2&gt;

&lt;p&gt;When you use a VPN service, you are encrypting data in your computer and sending it across the internet to your VPN provider. The VPN provider decrypts this data and forwards it to the service you are trying to send the data to. When the VPN provider receives the response, it encrypts the data again and sends it to you.&lt;/p&gt;

&lt;p&gt;The VPN service acts as a proxy between you and the service you are trying to use. The data from your device to the VPN provider is encrypted, but any data flowing from the VPN provider to other services may not be encrypted.&lt;/p&gt;

&lt;p&gt;This means that the choice of VPN provider is extremely important, as not all VPN providers are secure. If the VPN provider can be coerced into giving away data it has about you, it does not matter what type of encryption you are using because the VPN provider will always be able to decrypt your connection.&lt;/p&gt;

&lt;p&gt;Some VPN providers claim they do not log any requests, or keep any data about you, but this cannot be verified and ultimately you will need to trust a VPN provider to not give out data about you. You can visit &lt;a href=&quot;https://www.privacytools.io/#vpn&quot;&gt;https://www.privacytools.io/#vpn&lt;/a&gt; if you are looking for a VPN provider that is believed to be trusted. However, even if a provider is on that list, it does not mean that it is trustworthy and there will always be a risk that it is a malicious VPN provider.&lt;/p&gt;

&lt;p&gt;When deciding whether to use a VPN, you need to think about which types of attacks you are trying to prevent. If you want to prevent your ISP from knowing which websites you are visiting, a VPN provider might offer that protection.  If you are trying to prevent &lt;strong&gt;anyone&lt;/strong&gt; from knowing which websites you visit then you need to deploy other measures, since the VPN provider could still know which websites you are visiting. If you are visiting websites that use HTTPS, even though the VPN provider could know what websites you are visiting, the VPN provider could not decrypt what you are sending or receiving from the server as you would be encrypting that exchange end to end.&lt;/p&gt;

&lt;p&gt;If you need to encrypt a browser session in a way that &lt;strong&gt;nobody&lt;/strong&gt; can determine which websites you visit, we encourage you to read about the Tor Browser: &lt;a href=&quot;https://www.torproject.org&quot;&gt;https://www.torproject.org&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;Check if your connection is encrypted&lt;/h2&gt;

&lt;p&gt;When visiting a website, you can check if the connection you are using is encrypted from your computer through to the website&amp;#39;s server using HTTPS. To check whether the connection is secure you can check the browser address bar. If the connection is using encryption, you can click on the green padlock and get more information about the type of encryption and algorithms in use. The Crossover website uses an encrypted connection, which means that nothing in the connection from your computer to our website can know what you are reading, including your Internet Service Provider. Although they will know you are visiting this website, they cannot know which content you are reading or what information you are providing. You can check the encryption we use by clicking on the green padlock icon. &lt;/p&gt;

&lt;h2&gt;Send encrypted email&lt;/h2&gt;

&lt;p&gt;Visit this website to know more about GPG and how to use it: &lt;a href=&quot;https://theprivacyguide.org/tutorials/pgp.html&quot;&gt;https://theprivacyguide.org/tutorials/pgp.html&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Set up GPG and send us an encrypted email to &lt;a href=&quot;mailto:thecrossover@0io.eu&quot;&gt;thecrossover@0io.eu&lt;/a&gt; to test your setup. Use &lt;a href=&quot;https://0io.eu/thecrossover/gpg-crossover.asc.txt&quot;&gt;this gpg key&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;Use HTTPS everywhere&lt;/h2&gt;

&lt;p&gt;Some websites offer HTTPS encryption but make it difficult to use. They can offer access using HTTP&lt;strong&gt;S&lt;/strong&gt; or HTTP. The HTTPS Everywhere extension forces your browser to use the HTTPS connection when you visit a website over HTTP and an HTTPS connection is also available.&lt;/p&gt;

&lt;p&gt;The extension is available for multiple browsers and you can read more about it at &lt;a href=&quot;https://www.eff.org/https-everywhere&quot;&gt;https://www.eff.org/https-everywhere&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;Understand what private data is being shared when using HTTPS and Tor&lt;/h2&gt;

&lt;p&gt;This EFF visualisation shows which data is being shared when you use HTTPS and/or Tor: &lt;a href=&quot;https://www.eff.org/pages/tor-and-https&quot;&gt;https://www.eff.org/pages/tor-and-https&lt;/a&gt;&lt;/p&gt;
</content>
   </entry>
   
 
   
   <entry>
     <title>Issue 02 - Privacy</title>
     <link href="https://0io.eu/issues/2018/02/05/Issue-02-Privacy.html"/>
     <updated>2018-02-05T12:45:29+00:00</updated>
     <id>https://0io.eu/issues/2018/02/05/Issue-02-Privacy</id>
     <content type="html">&lt;p&gt;In this issue we focus on privacy and emphasise why it is important for us to care about our privacy. We discuss two crucial arguments in favour of you caring about your privacy [&lt;strong&gt;Consider&lt;/strong&gt;], offer links to articles and videos that discuss privacy issues [&lt;strong&gt;Become Aware&lt;/strong&gt;], and explain the advantages of open source software -- in contrast to closed source or proprietary software -- for mitigating against privacy and security concerns [&lt;strong&gt;Learn&lt;/strong&gt;].  We offer suggestions for privacy tools and messaging apps that help protect your privacy when communicating via your smartphone [&lt;strong&gt;Act&lt;/strong&gt;].&lt;/p&gt;

&lt;p&gt;We would like to thank everyone who sent suggestions about links to include or topics to discuss.&lt;/p&gt;

&lt;h1&gt;Consider&lt;/h1&gt;

&lt;p&gt;Most of us are law abiding citizens and feel that we do not have anything to hide, from the government or from big corporations. So, why not give up some of our privacy so that governments can track terrorists better or so that search engines can deliver better results or more tailored ads?&lt;/p&gt;

&lt;p&gt;There are several problems with this perspective. The first problem is not necessarily about YOU. Even though you feel that you have nothing to hide, other people may have legitimate reasons to hide their information or behaviour. For instance, consider the case of a journalist investigating the illegal activities of a private company, or an activist trying to organise or empower people to protest an oppressive government.  In both cases, being able to hide information from private institutions or governments is an essential part of these activities.  Even though you do not have anything to hide, the right to privacy is worth protecting so that people who do have a genuine reason to hide information or hide their behaviour can exercise that right.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say. – Edward Snowden&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;A second problem with this perspective is that it is not really accurate: everyone has something to hide. I may be a law abiding citizen, but I probably do not want any or all of my acquaintances knowing what I do during my free time, who my friends are, or my political views. Think about it: if someone hacked into your computer today, would you consider this a violation of your privacy? Would you be completely OK with your information being out there for someone else to use? Family photos? Browsing history? Private email conversations?  Further, what we may consider honest, genuine, or truthful information can be taken out of context and presented in an untruthful way. &lt;/p&gt;

&lt;p&gt;Privacy is the right we should have to protect information about ourselves, to decide what information to share and with whom. We may decide that some information is worth sharing, but we should not have the right to decide that for other people.  We may also choose to give away some of our privacy in return for seemingly more accurate search results or ads, but we should be aware that we are making that choice, and the price that we are paying.&lt;/p&gt;

&lt;p&gt;We are moving towards a future where so much data is being collected about us that private companies can now provide a credit score or an insurance score based on our browsing habits or Facebook history. In the very near future, our bank could refer to these companies to assess if, based on our data, we should get a loan.  Here, &amp;quot;data&amp;quot; means things such as our lifestyle habits, where we live or have lived, and who our friends are, along with their credit scores and income. Similarly, insurance companies could use metadata obtained from our smart phones to see if we usually drive our cars slow or very fast, whether we typically sleep a lot and/or very well, or whether we do sports.  This information could be used to determine whether we pay more or less for our car or health insurance. Systems like these are not theoretical. Private companies and some governments already use these systems to some extent; for example, China is currently implementing a &lt;a href=&quot;https://www.wired.co.uk/article/chinese-government-social-credit-score-privacy-invasion&quot;&gt;Citizen Score&lt;/a&gt; system based on data collected from citizens.&lt;/p&gt;

&lt;p&gt;It is important to take steps to improve and protect our online privacy, not only for ourselves but to protect other people&amp;#39;s right to privacy too. If only those people who legitimately need to hide their information use privacy protecting measures, they will be much easier to target by the very people they are trying to protect their information from.&lt;/p&gt;

&lt;p&gt;As citizens, we can vote for people who care about our privacy and understand that privacy is a right. As consumers and users of technology, we can choose products and services that respect our privacy instead of products that do not. Only in this way can we expect people, governments, and private companies to care more about protecting the privacy of citizens.&lt;/p&gt;

&lt;h1&gt;Become aware&lt;/h1&gt;

&lt;h2&gt;Why Privacy Matters&lt;/h2&gt;

&lt;p&gt;&lt;a href=&quot;https://www.ted.com/talks/glenn_greenwald_why_privacy_matters&quot;&gt;https://www.ted.com/talks/glenn_greenwald_why_privacy_matters&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In this talk, journalist Glenn Greenwald presents some arguments on why privacy matters and why we should care about it.&lt;/p&gt;

&lt;h2&gt;NOTHING TO HIDE - The documentary about surveillance and you&lt;/h2&gt;

&lt;p&gt;&lt;a href=&quot;https://vimeo.com/189016018&quot;&gt;https://vimeo.com/189016018&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This documentary focuses on the &amp;quot;I have nothing to hide&amp;quot; argument and presents reasons why it is dangerous to think that we have nothing to hide and that we do not need to worry about privacy.&lt;/p&gt;

&lt;h2&gt;Dozens of Companies Are Using Facebook to Exclude Older Workers From Job Ads&lt;/h2&gt;

&lt;p&gt;&lt;a href=&quot;https://www.propublica.org/article/facebook-ads-age-discrimination-targeting&quot;&gt;https://www.propublica.org/article/facebook-ads-age-discrimination-targeting&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This article details how companies are using data collected about users&amp;#39; online habits to target job ads based on the user&amp;#39;s age.&lt;/p&gt;

&lt;p&gt;The discussion of whether this is unlawful or not is beside the point.  Rather, we think that it is important to be aware that these practices are happening, and that allowing companies to store and use our private data actually supports the tracking and targeting practices of such companies.&lt;/p&gt;

&lt;h2&gt;The NSA’s voice-recognition system raises hard questions for Echo and Google Home&lt;/h2&gt;

&lt;p&gt;&lt;a href=&quot;https://www.theverge.com/2018/1/22/16920440/amazon-echo-google-home-nsa-voice-surveillance&quot;&gt;https://www.theverge.com/2018/1/22/16920440/amazon-echo-google-home-nsa-voice-surveillance&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This article is based on a report by &lt;a href=&quot;https://theintercept.com/2018/01/19/voice-recognition-technology-nsa/&quot;&gt;The Intercept&lt;/a&gt; on how the NSA is improving voice recognition technology to listen in on an extraordinary amount of voice data to find people based on voice prints. This technology could be used in the future by surveillance agencies to listen in on home devices like Google Home or Amazon Echo.&lt;/p&gt;

&lt;h1&gt;Learn&lt;/h1&gt;

&lt;h2&gt;Open Source Software&lt;/h2&gt;

&lt;p&gt;Software is developed using many different programming languages. The source of a program is usually composed of multiple files of code. These are text files that describe what a program does when executed and contain instructions in some programming language like Java or C. The source code format is made for human reading and writing. To execute this code, developers need to convert this source code into a binary file that can be executed by a computer.&lt;/p&gt;

&lt;p&gt;If the software is closed source, only the binary file is distributed and this is the file you download when you download some software from a website. This binary file contains instructions only readable by computers and it is very difficult, often impossible, to determine what the software does when executed.&lt;/p&gt;

&lt;p&gt;If the software is open source, the source files used to produce the binary file you download can also be downloaded and inspected. This means that not only can we produce a binary file and execute it, but we can also inspect that source code and determine what the program does.&lt;/p&gt;

&lt;p&gt;Note that open source software does not need to be free as in free beer. Someone can write some open source software and sell both the source code and the binary files. Closed source software can, and often does, include open source software in their binaries, provided the legal license used to develop the open source software allows it.&lt;/p&gt;

&lt;p&gt;Whether or not software is closed or open source has certain implications for our privacy and security. If a web browser is open source, for example, then we could inspect its source and determine if the browser is sending private data to some remote company while we browse the web. If the browser is closed source, it is sometimes very difficult, or impossible, to determine if our privacy is being violated as we only have access to the computer readable version of the program.  We cannot inspect what the program is doing.&lt;/p&gt;

&lt;p&gt;Closed source programs do not allow people to review the source code and determine if the developers properly used security algorithms or libraries in order to encrypt data, for example. We are not able to determine whether the program uses industry standard encryption methods, or if there is an easy way to break the encryption used by the application. The application could also contain malicious code that may be used by hackers to compromise our computer and obtain data stored in our computer.&lt;/p&gt;

&lt;p&gt;When software is open source, everyone who is willing to donate some time can help improve the software. People can develop additional features, fix bugs, write documentation, and provide support. As a consequence, there are large communities of people built around these software projects, which in turn helps to build trust and improve the software for everyone.&lt;/p&gt;

&lt;p&gt;Open software may not &lt;em&gt;always&lt;/em&gt; be better than closed source or proprietary software.  As with any software you install on your computer or smart phone, you should take a moment to check the project website and available reviews.  Nevertheless, open source software is a more trustworthy alternative to proprietary software when it comes to privacy protection.&lt;/p&gt;

&lt;h1&gt;Act&lt;/h1&gt;

&lt;h2&gt;Signal Messenger&lt;/h2&gt;

&lt;p&gt;&lt;a href=&quot;https://www.signal.org/&quot;&gt;https://www.signal.org/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;There are many open source messaging applications that you can use on your mobile phone. &lt;a href=&quot;https://www.signal.org/&quot;&gt;Signal&lt;/a&gt; is an open source messaging application that encrypts your conversations, protecting your privacy as well as the privacy of the people you are talking to. Both the client and server implementations of Signal are open source. If you need some help installing Signal you can &lt;a href=&quot;https://securityinabox.org/en/guide/signal/android/&quot;&gt;visit this website&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The encryption protocol developed and used by Signal was made open source, and currently is used by other applications like WhatsApp and Facebook Messenger. However, WhatsApp and Facebook Messenger are not open source and therefore we do not know what information Facebook can know about our conversations when using these applications, if the application contains malicious code, or if the Signal Protocol is being implemented properly. The same is true for other closed source encrypted messaging applications like Threema. See &lt;a href=&quot;https://securityinabox.org/en/blog/2016-05-23/why-we-still-recommend-signal-over-whatsapp-even-though-they-both-use-end-to-end-encryption/&quot;&gt;this article&lt;/a&gt; for more information on WhatsApp vs Signal.&lt;/p&gt;

&lt;p&gt;Recently, there were some reports that &lt;a href=&quot;https://www.wired.com/story/whatsapp-security-flaws-encryption-group-chats/&quot;&gt;WhatsApp Security Flaws Could Allow Snoops to Slide Into Group Chats&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Telegram is often suggested as an alternative messaging app, but Telegram uses custom cryptography, which the authors claim to be safe. However, in computer security circles this is considered bad practice. Using a tested and proven protocol like the Signal Protocol is considered to be more secure.  In fact, we are able to tell what type of cryptography Telegram uses because Telegram made its code open source.&lt;/p&gt;

&lt;h2&gt;Privacy Tools&lt;/h2&gt;

&lt;p&gt;Over the next issues we will be talking about some of the tools at &lt;a href=&quot;https://www.privacytools.io&quot;&gt;privacytools.io&lt;/a&gt;. You can visit that website and learn about many of the tools and services available to protect your online privacy.&lt;/p&gt;
</content>
   </entry>
   
 
   
   <entry>
     <title>Issue 01</title>
     <link href="https://0io.eu/issues/2017/12/04/01-Introduction.html"/>
     <updated>2017-12-04T12:45:29+00:00</updated>
     <id>https://0io.eu/issues/2017/12/04/01-Introduction</id>
     <content type="html">&lt;h1&gt;Introduction&lt;/h1&gt;

&lt;p&gt;The Crossover is a newsletter about things that we think everyone today should know for their day-to-day interactions with technology.&lt;/p&gt;

&lt;p&gt;As our reliance on technology grows, we anticipate a knowledge gap.  There are those who are comfortable with technologies and possess the necessary technological skills and know-how to protect themselves online, and there are those who like to use technologies but do not have the necessary knowledge or skills to protect themselves even if they would like to. Learn. Become aware. Consider. Act.&lt;/p&gt;

&lt;p&gt;We aim to give advice on digital rights, digital privacy and generally on using the internet. We curate a list of articles and we send out a newsletter with links to those articles.  We provide our opinion on why people should be interested in these subjects.  We also provide recommendations for simple tools (programs, software, add-ons) that people can use to help them to be safe, secure, and private when online.  We also aim to take a moment to explain technology concepts in everyday language, or link to sources that do the same.  All our recommendations are ours and we do not promote products or tools.&lt;/p&gt;

&lt;p&gt;This is the first edition of our newsletter. There is no regular schedule for this newsletter and we will never send a new issue more than once a week. &lt;/p&gt;

&lt;p&gt;To subscribe, you can visit &lt;a href=&quot;https://tinyletter.com/thecrossover&quot;&gt;https://tinyletter.com/thecrossover&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;This edition is also available at &lt;a href=&quot;https://0io.eu/thecrossover&quot;&gt;https://0io.eu/thecrossover&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;If you would like to suggest topics or articles for future issues, please send them to &lt;strong&gt;&lt;a href=&quot;mailto:thecrossover@0io.eu&quot;&gt;thecrossover@0io.eu&lt;/a&gt;&lt;/strong&gt;.&lt;/p&gt;

&lt;h1&gt;Learn&lt;/h1&gt;

&lt;p&gt;For this newsletter, we will explain third party scripts.&lt;/p&gt;

&lt;p&gt;&lt;a name=&quot;3rdpartyscripts&quot;&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;What are third party scripts&lt;/h2&gt;

&lt;p&gt;Every time you visit a webpage, you load a number of different assets or content, like images or text, as well as code. Usually, the more complex a webpage is, the more code is used to program the webpage and this code is split across multiple files. Because there is so much code that is common across all webpages, there are projects that provide code that can be reused as a library and embedded in any web page.  What this means is that often a large part of the code being executed when you visit a webpage was not actually developed only by the people that developed that website, but also by third party developers that distribute their code. This code can have access to all the information you see on the webpage and to your user data, just like the code written by the developer of the actual webpage you are visiting.&lt;/p&gt;

&lt;p&gt;Sequences of code, known as scripts, can access which keyboard keys you pressed, how you moved your mouse around the webpage, how frequently or how much you scrolled up or down, and they have access to the text you wrote before you submit forms (e.g., if you start to search for the term &amp;quot;abortion&amp;quot; but then delete it and search for &amp;quot;adoption&amp;quot;, both behaviours could be known). These scripts can use this information to watch your every move and to see how you behave online.&lt;/p&gt;

&lt;p&gt;Because some of these script libraries are so commonly used by webpage developers, developers often resort to Content Distribution Networks (CDN) to distribute these files. For example, Google provides a CDN for the open source library jQuery. This means that a developer who wants to use jQuery in their webpage, can link to the jQuery instance stored in the Google servers. When you load that webpage, your computer will fetch the version stored in the Google servers, rather than a version stored in the same servers as the webpage you are visiting.  Importantly, what this means is that by using their CDNs, these companies can now track you through the different websites you visit.&lt;/p&gt;

&lt;p&gt;Suppose that you visit two websites, and they both use a version of jQuery hosted at Google.  On the first website, you search for information about a particular disease (e.g., high blood pressure).  As the webpage accesses the jQuery hosted at Google, Google logs this request.  Now you visit a website about medications to control or treat this disease (e.g., ACE inhibitor) and Google again logs this request and can now tell that you visited both websites.  As the host of this CDN, Google could know both pieces of information about your search.  This data could then be used to try and infer something about you, or could be sold to private companies (e.g., insurers) for advertising or other purposes.&lt;/p&gt;

&lt;p&gt;Not all third party scripts are malicious.  For example, jQuery is a frequently used open source library that can make website development easier.  However, there are also malicious third party scripts that can actually track your behaviour online.  You can avoid some of these third party scripts by using uBlock Origin and Decentraleyes, although it is important to understand that these are not a perfect solution and do not protect against all types of tracking.  See below for a description of these add-ons and what they can and cannot do.&lt;/p&gt;

&lt;h1&gt;Become aware&lt;/h1&gt;

&lt;h2&gt;No, you’re not being paranoid. Sites really are watching your every move&lt;/h2&gt;

&lt;p&gt;&lt;a href=&quot;https://arstechnica.com/tech-policy/2017/11/an-alarming-number-of-sites-employ-privacy-invading-session-replay-scripts/&quot;&gt;https://arstechnica.com/tech-policy/2017/11/an-alarming-number-of-sites-employ-privacy-invading-session-replay-scripts/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In this article the author describes how big companies are using third party scripts to spy on a user&amp;#39;s online behaviour. &lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&amp;quot;Collection of page content by third-party replay scripts may cause sensitive information, such as medical conditions, credit card details, and other personal information displayed on a page, to leak to the third-party as part of the recording,&amp;quot; Steven Englehardt, a PhD candidate at Princeton University, wrote. &amp;quot;This may expose users to identity theft, online scams, and other unwanted behavior. The same is true for the collection of user inputs during checkout and registration processes.&amp;quot;&lt;/p&gt;

&lt;p&gt;&amp;quot;A study published last week reported that 482 of the 50,000 most trafficked websites employ such scripts, usually with no clear disclosure. It&amp;#39;s not always easy to detect sites that employ such scripts. The actual number is almost certainly much higher, particularly among sites outside the top 50,000 that were studied.&amp;quot;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;We&amp;#39;re building a dystopia just to make people click on ads&lt;/h2&gt;

&lt;p&gt;&lt;a href=&quot;https://www.ted.com/talks/zeynep_tufekci_we_re_building_a_dystopia_just_to_make_people_click_on_ads&quot;&gt;https://www.ted.com/talks/zeynep_tufekci_we_re_building_a_dystopia_just_to_make_people_click_on_ads&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We think this is a must watch talk. Sociologist Zeynep Tufekci shows how major tech companies are building their products around ads and describes the dangers of this approach. Tufekci provides some disturbing examples of how the technology used by big companies can be used to influence our society. For example, Tufekci explains how Facebook could use data they already have, or outcomes from the social experiments they are currently running, to control the results of democratic elections.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;These structures are organizing how we function and they&amp;#39;re controlling what we can and we cannot do. And many of these ad-financed platforms, they boast that they&amp;#39;re free. In this context, it means that we are the product that&amp;#39;s being sold.&lt;/p&gt;

&lt;p&gt;&amp;quot;We have to face and try to deal with the lack of transparency created by the proprietary algorithms, the structural challenge of machine learning&amp;#39;s opacity, all this indiscriminate data that&amp;#39;s being collected about us. We have a big task in front of us. We have to mobilize our technology, our creativity and yes, our politics so that we can build artificial intelligence that supports us in our human goals but that is also constrained by our human values.&amp;quot; &lt;/p&gt;
&lt;/blockquote&gt;

&lt;h1&gt;Consider&lt;/h1&gt;

&lt;h2&gt;Has Web Advertising Jumped The Shark?&lt;/h2&gt;

&lt;p&gt;&lt;a href=&quot;http://blog.dshr.org/2017/11/has-web-advertising-jumped-shark.html&quot;&gt;http://blog.dshr.org/2017/11/has-web-advertising-jumped-shark.html&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The author of this blog describes the current problems with web advertising:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Bad guys love it.&lt;/li&gt;
&lt;li&gt;Readers hate it.&lt;/li&gt;
&lt;li&gt;Webmasters hate it.&lt;/li&gt;
&lt;li&gt;Advertisers find it wastes money.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The first point is of particular interest.  The author shows how bad guys use third party scripts to exploit users, in many cases introducing security vulnerabilities or introducing code that mines a cryptocurrency into a user&amp;#39;s browser.&lt;/p&gt;

&lt;h2&gt;Firefox 57 is out&lt;/h2&gt;

&lt;p&gt;&lt;a href=&quot;https://www.mozilla.org/en-US/firefox/57.0/releasenotes/&quot;&gt;https://www.mozilla.org/en-US/firefox/57.0/releasenotes/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://techcrunch.com/2017/09/29/its-time-to-give-firefox-another-chance/&quot;&gt;https://techcrunch.com/2017/09/29/its-time-to-give-firefox-another-chance/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Mozilla recently released a new version of their browser. Firefox 57 is a complete rewrite of their browser core and it&amp;#39;s a major improvement to their browser. If you previously tried Firefox but abandoned it for Chrome/Safari/etc. because it was too slow, you should give Firefox another try.&lt;/p&gt;

&lt;p&gt;A note on browsers.  A common misconception is that the Google Chrome browser is open source; however, this is not true. Chrome is based on the open source browser called Chromium, but Google adds closed source code to Chromium and releases the browser as Chrome. This means that there is a significant amount of code in Chrome whose behaviour we cannot be sure about.  This is especially worrying since Google is an ad company and would certainly benefit from knowing more about you and your browsing habits. Google is also a for-profit company with ad publishers and other big companies as their main clients.  As such, maximizing the profit of those companies will always be put before maximizing your experience.&lt;/p&gt;

&lt;p&gt;Even though Chromium, and not Chrome, really is an open source browser, the development is mostly driven by Google software developers whose job it is to write code that ends up supporting Chrome. &lt;/p&gt;

&lt;p&gt;For this reason, we recommend using Firefox, a completely open source browser developed by the Mozilla non-profit organization.&lt;/p&gt;

&lt;h1&gt;Act&lt;/h1&gt;

&lt;h2&gt;Recommended browser extensions&lt;/h2&gt;

&lt;h3&gt;uBlock Origin&lt;/h3&gt;

&lt;p&gt;&lt;a href=&quot;https://github.com/gorhill/uBlock/&quot;&gt;https://github.com/gorhill/uBlock/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;uBlock Origin is a browser extension that is available for Firefox, Chrome and even Safari. It is a very fast performing ad and third party script blocker. It also includes some anti ad blocker functionality. It is completely open source.&lt;/p&gt;

&lt;p&gt;We recommend you go to uBlock&amp;#39;s settings and enable a few block lists that are not enabled by default. This makes uBlock block some extra 3rd party scripts. You can go to Settings -&amp;gt; 3rd party filters and enable the following checkboxes if they are not already enabled:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;uBlock Filters - Privacy&lt;/li&gt;
&lt;li&gt;uBlock Filters - Resource Abuse&lt;/li&gt;
&lt;li&gt;Malvertising filter list by Disconnect&lt;/li&gt;
&lt;li&gt;Malware filter list by Disconnect&lt;/li&gt;
&lt;li&gt;Dan Pollock’s hosts file&lt;/li&gt;
&lt;li&gt;Peter Lowe’s Ad and tracking server list&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This blocks most ad servers and known trackers. If you are worried that this does not block all trackers, you can also set up &lt;a href=&quot;#privacyBadger&quot;&gt;Privacy Badger&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;If you are a power user, we recommend you run this extension in advanced mode and block all 3rd Party Scripts and Frames. This will break most websites and you&amp;#39;ll have to manually allow the 3rd party scripts you trust. See &lt;a href=&quot;https://github.com/gorhill/uBlock/wiki/Advanced-user-features&quot;&gt;this page&lt;/a&gt; to configure uBlock Origin to use Advanced mode.&lt;/p&gt;

&lt;p&gt;&lt;a name=&quot;privacyBadger&quot;&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;Privacy Badger&lt;/h3&gt;

&lt;p&gt;&lt;a href=&quot;https://www.eff.org/privacybadger&quot;&gt;https://www.eff.org/privacybadger&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Many people use the Ghostery extension to block ad trackers. However, Ghostery is developed under a proprietary license and &lt;a href=&quot;https://en.wikipedia.org/wiki/Ghostery#Criticism&quot;&gt;may sell some data&lt;/a&gt; about your browsing habits to 3rd parties. If you are worried that uBlock Origin does not block all trackers, you can either run it in advanced mode, or install Privacy Badger. This extension is developed by the Electronic Frontier Foundation and it&amp;#39;s open source.&lt;/p&gt;

&lt;h3&gt;Decentraleyes&lt;/h3&gt;

&lt;p&gt;&lt;a href=&quot;https://decentraleyes.org/&quot;&gt;https://decentraleyes.org/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Decentraleyes includes third party scripts that are usually used by developers to &lt;a href=&quot;#3rdpartyscripts&quot;&gt;build webpages&lt;/a&gt;. It detects when your browser is trying to access remote versions of scripts, for example those stored in a large CDN like Google, and intercepts the request.  Instead, it returns the version that is stored in your computer. This way the CDN will not receive your request and cannot be used to track you.&lt;/p&gt;
</content>
   </entry>
   
 
 
</feed>
