Rubénerd!

If you still use Google services regularly, it's worth noting they allow you do disable some of the tracking they perform. Browser plugins can help to block the rest.

Disable Web History

Most people I talk to don't realise Google records all the sites they visit through their searches. They bill it as a way to "tailor search results". The DuckDuckGo people call it "search bubbling". I deem it "unnecessary". Fortunately, Google lets you turn it off:

1. Log in, the go to history.google.com
2. Click the gear button on the right hand side
3. Choose "Settings"
4. Click "Pause"

To confirm, go back to history.google.com and notice the bright blue "Turn History On" button. Isn't it interesting that Google lets you turn web tracking on with one click, but it takes three clicks and loading a menu behind an untitled button to turn it off? ;)

It should be noted here that web history is merely being "paused". Whether Google can turn it back on, or can be compelled to, would be reason enough to logout when you want to use their search.

Adorable Hyouka detective image by こよる on Pixiv

Set DoubleClick tracking opt-out cookies

Google's advertising arms and subsidiaries track you across sites by default, but you can disable it with a cookie by visiting:

https://www.google.com/ads/preferences/html/opt-out.html

Google now even offer a plugin for Firefox, Chrome and Internet Explorer to store your desire not to be tracked. I haven't tested this, so I can't vouch for it.

https://www.google.com/ads/preferences/plugin/

In both cases, these opt-outs are stored in your browser, not your account. Therefore, to prevent this kind of tracking you need to have the opt-out cookie and/or plugin installed on every browser and on each computer/smartphone. Cumbersome, I know, but it's currently the only option Google allows us.

Browser extensions

To further prevent tracking, there are several different plugins you can use.

For Mozilla browsers, Gprivacy forces sites to respect the do-not-track header by sanitising links in search results. Any links that it modifies in your browser are shown with a green shield, and the original link with a red shield is included alongside it.

If you're not interested in maintaining a cookie whitelist with CS Lite Mod or Cookie Monster, the Beef Taco extension maintains opt-outs for hundreds of advertising networks, including Google. I've blogged about this before.

Done

As I've said with all cloud computing services, the key isn't to abstain from them, but to use them wisely. As Professor Frink would say, MMMMMMMM-HIVEN MAVEN!

Just involuntarily updated my Firefox to 8.0. So far so good, though I may need to update my update regiment. Update my update... it's not good English to repeat the same word in the same sentence. Wait, just did it again.

The losing update battle

One of the many cronjobs I have running on my headless super duper Swiss Army Knife FreeBSD server is a script to check software updates on Mozilla's servers. Whenever a new version of Firefox or Thunderbird is released, the script downloads the latest en_gb dmg. I can then go around to all the Macs in the house and install the update.

In Singapore I didn't bother, but with download quotas here and on an ISP that doesn't have unmetered content, it saves a small bundle of transfer which I can then blow on an anime episode. Don't worry, I didn't mean that. True story.

With the latest rapid-release cycle adopted by Mozilla, it seems this "solution" will become increasingly unworkable, and I'll just have the applications themselves download the updates.

The actual update!

As for the update itself, I'm liking the more native-looking widgets on Mac, and it still fits in just fine on my KDE Fedora machines despite being a GTK import. Which reminds me, Fedora 16 needs to be downloaded and installed as well.

I'd also read the horror stories about how Firefox was going to be "hostile" to plugins, but my laundry list of mostly security and privacy related whatsits are running just fine. The only change was the add-on selection screen, which allowed me to disable ones I don't need when Firefox relaunched. Unsurprisingly, I didn't uncheck anything.

A trip down memory lane

For some fun, here are a small sample of posts dealing with Firefox over the years. With this new rapid-release cycle, I think the gap between 4.0 and 7.0 you can see below will become the norm not the exception!

• Thursday 30th March 2006: Universal Binaries for Mozilla Software
• Wednesday 20th May 2009: Testing Mozilla Firefox 3.5 Beta 4
• Tuesday 30th June 2009: Mozilla Firefox 3.5 is out
• Monday 14th September 2009: Firefox 3.0.14 and 3.5.3 announced
• Thursday 21st January 2010: Firefox 3.6 golden brown and delicious
• Tuesday 23rd March 2010: Firefox 3.6.2 fixes that zero day exploit thing
• Thursday 24th March 2011: Mozilla Firefox 4.0!
• Wednesday 28th September 2011: Firefox 7.0

Never before have I installed an extension so quickly! For Firefox and for Chrome.

For those who haven't been watching this narrative unfold since the mid 20th Century, Rupert Murdoch is an Australian/American media mogul who's far reaching worldwide holdings include the very best in unbiased, factual, journalistic endeavours. Still, if you want to spare yourself the delight of reading such wonderful material, here's how you do it.

For Firefox

From the Mozilla Add-Ons page:

MurdochAlert show a warning bar on Murdoch Family-controlled websites. This alerts users to the potential computer security risks of accessing Murdoch-controlled sites. Handy also for identifying the news sources controlled by the Murdoch Family.

I installed the extension, and sure enough I was presented with a warning when going to The Australian and to Fox News. Which is a relief, because I wouldn't want people to know I've been to such sites. Or Andrew Bolt... but that's another topic entirely.

Firefox-tan is happy ^_^.

For Chrome

I don't use Chrome or Chromium other than for testing, but it didn't take long for an extension in a similar spirit to MurdochAlert to be issued for it, in the form of Murdoch Block.

What does this app do?
- Blocks websites owned and operated by Newscorp

Which websites are blocked?
- http://en.wikipedia.org/wiki/List_of_assets_owned_by_News_Corporation
- The default list is only news and publication sites but that can be customized on the options page.

How is a site blocked?
- When the user opens a blocked site, a warning is displayed and the user is given an option to continue to the site.

Granted MurdochAlert has a more urgent sounding name that successfully conjurers up images of warning sirens, but I give kudos to these people for coming up with a term that rhymes.

While Firefox may still be the browser of choice for those of us who want maximum extensibility and finely tuned control, its no secret its memory management has left a lot to be desired for a while!

Enter BarTab. Aside from being a delicious pun, it allows tabs to be automatically unloaded while still being shown. You can elect to never have certain domains have tabs unloaded, and you can even unload tabs manually.

I don't know about you, but I tend to accumulate several trillion tabs over the course of a day, and this extension has shaved gigabytes off Firefox's memory usage. Coupled with Tree Style Tab which displays tabs in a sidebar list instead of a silly cramped horizontal list, it makes tabs really usable.

After talking about scary stuff in my previous post on the RequestPolicy extension for Firefox and other Mozilla browsers, now I get to talk about cool, fun stuff!

Its an effective advertisement blocker!

There are many different solutions to combating advertising on pages such as AdBlock Plus, GlimmerBlocker and the like, but all require the use of regularly updated blacklists to work effectively. You're probably subscribed to several lists yourself.

I didn't even think of it when I installed it, but given the vast majority of advertising is hosted off-site (which makes it a capable attack vector, as well as being irritating) RequestPolicy also blocks this content. As the Ghostery extension does with web bugs, it also lets me see where all the advertising is coming from on a page which isn't useful in and of itself, but its still terribly interesting.

I'm not ready to delete AdBlock Plus, but I have it deactivated for now. So far, there's very little difference. Pretty cool! ^___^

Its a redirect previewer!

One of the features I liked about TinyURL was the ability to "preview" URLs before you proceeded to visit them. This helps guard against people who use URL shorteners to obfuscate dodgy addresses.

RequestPolicy also blocks automatic redirects, instead rendering retro 301 and 302 redirect errors with a link to the new location. I can preview its address before visiting anything I may not have wanted to, and I get a sneak peak into how websites are constructed which also isn't useful in and of itself, but still terribly interesting. I've used that same sentence somewhere before recently.

It puts a red flag in the status bar!

Does that make me a communist?

Having been an avid user of NoScript, PermitCookies, Ghostery and AdBlock Plus to whitelist site elements and improve security and privacy, RequestPolicy has me really excited :).

Only the paranoid survive ~ Andrew S. Grove

RequestPolicy is an extension for Firefox and other compatible Mozilla browsers that helps to address the growing issue of cross-site request forgery (CSRF/XSRF) attacks which are actively being used by nefarious users to track which sites you visit, use existing session data and (to put it simply) masquerade as you. This allows them to perform actions on your behalf, which one can imagine would be catastrophic if we were talking about a bank or a voting page for our favourite K-On character.

What makes such attacks particularly worrying is unlike cross-site scripting attacks (XSS) which require a dynamic content vector such as ECMAScript or Flash, CSRF attacks can be executed simply by an unsuspecting user clicking a link, or even worse loading a page with a static element such as an image with a request in place of its source Earl.

Content loaded from an external source can also potentially be used to track the sites you visit, how often you visit them, and what specific pages you frequent. The behavioural advertising value of this data practically guarantees companies are performing this kind of activity. One could say they're Phorming ideas as we speak. Hey come on, that was funny, why aren't any of you laughing? Don't answer that.

For those of us with tin foil hats stapled to our heads (hey, we all have our reasons), these two issues are rather terrifying. A large percentage of sites predominantly consist of modifiable content loaded from other sites now, and all a CSRF attack would take is a single static element that even a seasoned internet user could be forgiven for missing. What's more worrying still is that this problem is potentially its old as the net itself, and the current trend towards decentralised sites will only make it worse. Mmm, cookies. And sunfish.

This RequestPolicy extension thingy

In what has become the de facto accepted standard for Firefox security extensions, RequestPolicy places an icon in your statusbar (or the extensions bar in Firefox 4.x) which lets you allow certain cross-site requests temporarily, add them permanently to your whitelist, or keep them blocked (the default). This can aid in preventing some CSRF attacks, as well as potentially blocking images or other elements that are loaded externally to track your activities without your permission or knowledge, such as analytic or advertising tools.

As with the other extensions I described at the top of the post, RequestPolicy becomes more useful the longer you have it active given you're populating its whitelist over time. To help with the initial configuration, the developer includes a list of suggested sites which you can add once the extension is first installed.

I've been using 0.5.16 in Firefox 3.6.13 (version number soup) for close to a week with no issues :).

Link arms, don't make them

Robert Auger has a page on CSRF attacks and some proof of concept code for those interested in learning the details: The Cross-Site Request Forgery (CSRF/XSRF) FAQ. Wikipedia's page is surprisingly lacking in this case, but still useful for a summary. Surprise surprise, my page here is not the be all, end all authority on this subject and I don't have all the details! ;D

The extension is available from the developer's website, or from Mozilla's addon page. The images are of Mugi-chan from K-On because... just because.

If you've been reading my blog for a while you'd know I'm a huge fan of Taco for Firefox, the Targeted Advertising Cookie Opt-out extension. Running an update yesterday I noticed there are now two different versions: the classic Taco and a new Beef Taco fork. Ugh, too many food puns.

What the heck is a taco?

One of the most perfect foods in the universe. In this context though, it's an extension that does some cool stuff:

Sets permanent opt-out cookies to stop behavioral advertising by 102 different advertising networks, including Google, Yahoo, Microsoft, all members of the Network Advertising Initiative, and many other companies.

The controversy, I think

From what I can ascertain (I hate that word, but it fits) the classic Taco extension developers decided to take their extension commercial and add a lot more features with the 3.x series. The 2.x series which was F/OSS licenced has been forked as Beef Taco for those who find the new terms unacceptable.

I thought the new developer of BEEF TACO was quite the gentleman and civil about the whole thing:

Also, please do not be too harsh on Abine in the reviews. They are trying to start a commercial company and made some (IMHO) bad decisions. That doesn't mean they are malicious or evil, TACO 3.0 is actually a decent product when you take time to understand it. You can read more of my feelings on this ,a href="http://www.velvetcache.org/2010/06/17/forking-taco-2-0">here.

In the meantime, let's keep this a positive, happy place, shall we :-)

Fair enough :).

Features are often scary

Personally I'll be sticking with Beef Taco now, not because of the licencing issue (which I'm fairly indifferent to, that's why I use ZFS on FreeBSD!) but because I'm generally a feature-phobe. In general I feel more features generally degrade the usability of existing ones, introduce bloat, slow software down and most critically they introduce new vectors for exploits. For something as relatively simply as an extension that just sets cookies to opt me out of targeted advertising I prefer keeping things simple

As far as I can tell, the old Taco and Beef Taco don't even have a UI, they just work in the background doing their thing like a studious worker who... eats tacos.

And now if you'd excuse me, I'm off to pack more boxes. I took a break from packing and cleaning to talk about a browser extension I love. Is there a sign of something there?

Related posts

• TACO, Master Password Timeout for Firefox
• My updated list of useful Firefox Extensions

For those of you as addicted to Tree Style Tab for Firefox as I am, there's been a flurry of updates over the last week that address some appearance and functionality bugs as well as improved compatibility with other extensions. Get it!

If only my brain were so easily updated

As of this evening I'm up to the conveniently named 2010.04.02 version and it works great. Curiously I had the Christmas 2009 version of it for months before Firefox told me there was an update, despite the fact there were several intermediary versions and other extensions have been automatically updated dozens of times since then.

Anyway, I used to say NoScript was the only reason I stuck with Firefox, but having all my tabs neatly stacked on the side instead cramming them all under the address bar makes them so much easier to read and navigate. As far as I know Opera is the only other browser that allows you to put tabs on the side, which is weird given I'd think you'd really need it if you're a browser power user.

The screenshot below that I took for this post back in 2009 should give you a pretty good idea as to why I need such an extension!

Some trivia

Wikipedia articles that have trivia sections tend to have template boilerplate stating their existence is discouraged, so I've decided to actively put trivia sections in more of my blog posts from now on.

If you abbreviate "Tree Style Tab", you get TST, which sounds an awful lot like a South Park episode with a dog whisperer, as well as being an acronym for Transition state theory which I learned in high school, and the code for a Hong Kong MTR station. True story.

Macslocum over at O'Reilly Answers is asking people to submit their favourite browser plugins and extensions. No prizes for guessing which one I chose!

First Macslocum's recommendations:

Firebug (Firefox) -- I can't believe this thing is free. It's hands-down the best HTML/CSS testing tool I've ever used. It's also incredibly handy when I can't remember my own CSS naming conventions.

ClickToFlash (Safari) -- This automatically disables any Flash-based elements. But unlike strict ad blockers, ClickToFlash gives you the option of activating Flash on a piece-by-piece basis. So if you want to watch a movie on a web page but you don't want to see the Flash ads, just click the movie element and that Flash-based part of the page will load.

How about you? Which plugins/extensions do you use?

For what it's worth, I also highly recommend ClickToFlash to all my Mac friends using Safari, it improves performance and reliability so much it's as if you've just shoved an extra few gigs of memory into your system for free.

My predicable answer

Without a doubt it'd have to be NoScript for Firefox. The fact no other browser has such simple blocking and whitelisting for dynamic content and Javascript ensures I won't be switching browsers anytime soon.

Frankly, given all the thousands of exploits using Javascript as a vector I'm surprised (and somewhat dismayed) it's such an unusual extension.

[For some reason text fields on the O'Reilly Network always correct JavaScript as Javascript!]

As I've enumerated here many times, I can't use a browser without NoScript anymore, I feel as though I'm in a car without seat bealts, a war zone without a bulletproof vest or a conference without pants when I don't have it. How people think they can be responsible internet users without such software in 2010 baffles me more than... attending a conference without pants. I suppose some people wear business skirts, just not me, surprising though that may sound. Chuck Peddle wears pants, I can tell you that much. And he invented the 6502 for heaven's sake!

If you have an O'Reilly account, go over there now and voice your opinion. Tim O'Reilly, the good O'Reilly, not the sleazy news guy ;).

Relatedness

If you haven't seen my other posts on this subject, I also talk about my other favourite Firefox plugins in these posts: More Firefox extensions and Firefox extensions. I put way too much effort into those pages! Of all the extensions, most are security related.

Another great reason for using NoScript in Firefox if you didn't think it was useful before is that it blocks embedded media such as Flash unless you specifically choose to unblock it on individual pages (which for me is almost never!). With HTML5 elements like <video> and <audio> now being supported in Firefox 3.5 I was worried I'd be losing this control and that there would be an unguarded vector for attack... not to mention being annoyed and irritated by pages that start playing jingles and animated advertisements!

Suppose Firefox employed an external library to play media which turned out to be vulnerable; it's happened in the past. Any malicious hacker could embed a specially crafted video or audio file into a page and your browser would start playing it automatically when you visited the page. By the time you realised what was going on, it'd be too late.

Well it's time to breath easier again (that sounded like an introduction to a cheap infomercial). I just noticed this evening after updating to version 1.9.8.1 that NoScript now blocks HTML5 media elements on pages that aren't on your NoScript whitelist just like JavaScript, Flash and the like which is fantastic news. I understand selectively enabling JavaScript may be a bit troublesome for some people to cope with, but HTML5 media filtering should be a mandatory part of Firefox in my opinion.

In any event, it's one less thing to make me nervous and to worry about, which for someone always buzzing with social anxiety and caffeine is a good thing :).