The ultimate Online Privacy Test Resource List
Whenever you connect a program to an Internet resource, a web browser to a website for instance, information is revealed to the server hosting the resource.
That's automatic, and often not the only thing happening. If that site loads resources from other servers, they too gain information, and depending on what is running on the site and supported by the browser, additional information may be revealed.
Usually, information such as your computer's IP address, a user agent that reveals the browser, operating system and language, and a handful of other details is revealed automatically during connections.
While there are methods available to hide or block certain information from being made known to sites you connect to, there are also methods that sites can use to find out more about you.
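To make the "revealed automatically" part concrete, here is an added example (not code from the original article) that runs a tiny echo server on a loopback port, sends it one request with constructed browser-like headers, and returns what the server learned before any JavaScript or plugin is involved: the client IP, the identifying request headers, and whether the Referer header gives away the full URL of the previous page. The header values, the `/page` path and the `referer_exposure` classification are assumptions made for the demonstration.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

# Request headers that routinely identify the visitor's browser, platform,
# language and previous page, without any script running in the browser.
REVEALING_HEADERS = ("User-Agent", "Accept", "Accept-Language",
                     "Accept-Encoding", "Referer", "DNT")


def referer_exposure(referer):
    """Classify how much of the previous page a Referer header gives away."""
    if not referer:
        return "none"
    parts = urlsplit(referer)
    if parts.path not in ("", "/") or parts.query:
        return "full URL of the previous page"
    return "origin only"


def summarize_request(client_ip, headers):
    """What the server learns from a single request (headers is a mapping
    with case-insensitive lookup, as http.server hands it to a handler)."""
    summary = {"ip": client_ip, "headers": {}}
    for name in REVEALING_HEADERS:
        value = headers.get(name)
        if value is not None:
            summary["headers"][name] = value
    summary["referer_exposure"] = referer_exposure(headers.get("Referer"))
    return summary


class EchoHandler(BaseHTTPRequestHandler):
    """Answers every GET with a JSON summary of what the request revealed."""

    def do_GET(self):
        body = json.dumps(
            summarize_request(self.client_address[0], self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):  # keep the demo quiet
        pass


def probe(extra_headers):
    """Start the echo server on a free loopback port, send one request
    carrying extra_headers, and return the server's summary as a dict."""
    server = HTTPServer(("127.0.0.1", 0), EchoHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        url = f"http://127.0.0.1:{server.server_port}/page"
        with urlopen(Request(url, headers=extra_headers), timeout=5) as resp:
            return json.loads(resp.read().decode())
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Constructed headers standing in for what a real browser would send.
    seen = probe({
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:109.0) "
                      "Gecko/20100101 Firefox/115.0",
        "Accept-Language": "de-DE,de;q=0.8,en;q=0.5",
        "Referer": "https://example.com/search?q=private+matter",
        "DNT": "1",
    })
    print(json.dumps(seen, indent=2))
```

The point of the `referer_exposure` field is the one most browser tests gloss over: a Referer that carries a path or query string tells the new site which page (and which search) you came from, while a `Referrer-Policy` of `strict-origin-when-cross-origin` or `no-referrer` on the sending site reduces it to the origin or nothing.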
Online Privacy Test Resource List
Online privacy tests help you find out what kind of information your browser (or other programs) reveals. The information itself is useful, but you can also act upon it, for instance by disabling certain features in the program you are using if you don't require them.
You find two listings below. The basic tests listing contains resources that perform simple tests (usually only one), while the advanced tests listing contains resources that run a series of tests.
Basic Tests
Add-ons / Plugins
Name | What | Link |
--- | --- | --- |
Firefox Addon Detector | Checks if certain Firefox add-ons are installed | https://thehackerblog.com/addon_scanner/ |
Flash Player System Test | Lists information about Flash Player | https://www.browserleaks.com/flash |
Flash Player Test | Checks whether Adobe Flash Player is installed | https://get.adobe.com/flashplayer/about/ |
Java Test | Tests whether Java is installed | https://www.java.com/en/download/installed.jsp |
Silverlight Test | Reveals information about Silverlight | https://www.browserleaks.com/silverlight |
Email
Name | What | Link |
--- | --- | --- |
Email IP Leak | Finds out whether your email provider leaks your IP address | http://emailipleak.com/ |
Email Privacy Tester | Tests whether your email client leaks back information to the sender of an email | https://emailprivacytester.com/ |
Email Trace | Run reverse email look-ups or email header traces | http://www.ip-adress.com/trace_email/ |
Have I been pwned | Check if an email account has been compromised in a data breach. | https://haveibeenpwned.com/ |
 | Check if your email address information has been leaked as part of an attack. | |
HTML5
Name | What | Link |
--- | --- | --- |
Battery Status API | Tests the status of the battery | https://pstadler.sh/battery.js/ |
Canvas Fingerprinting | Checks whether Canvas can be used to fingerprint the browser | https://www.browserleaks.com/canvas |
Hard Drive Fill Test | Tests whether sites can fill your hard drive with data | http://www.filldisk.com/ |
HTML5 Features Detection | Checks HTML5 capabilities | https://www.browserleaks.com/modernizr |
HTML5 Geolocation Test | Tries to look up your location in the world | https://www.browserleaks.com/geo |
HTML5 Test | Tests the browser's HTML5 capabilities | http://html5test.com/ |
WebRTC Leak Test | Tests whether local or public IP addresses are leaked | https://www.perfect-privacy.com/webrtc-leaktest/ |
WebRTC Test | Tests WebRTC capabilities | http://whatismyipaddress.com/webrtc-test |
IP Leaks
Name | What | Link |
--- | --- | --- |
Check my Torrent IP | Check which IP address is revealed to peers and trackers when you use torrent clients. | https://torguard.net/checkmytorrentipaddress.php |
Content Filters and Proxy Test | Tests network filters, Tor browser and local content filters | https://www.browserleaks.com/proxy |
DNS Leak Test | Tests whether your IP address is leaked by DNS | https://www.dnsleaktest.com/ |
DNS Spoofability Test | Comprehensive analysis of DNS resolving nameservers | https://www.grc.com/dns/dns.htm |
IP Magnet | Reveals which IP address BitTorrent clients reveal to peers and trackers. | http://ipmagnet.services.cbcdn.com/ |
Whois Test | Reveals IP address, host name, IP address location information and other IP related information | https://www.browserleaks.com/whois |
Privacy Management
Name | What | Link |
--- | --- | --- |
Google Account History | Displays Google-related activities such as your search history or location history. Includes deletion options. | https://www.google.com/settings/accounthistory |
Facebook Activity Log | Lists your Facebook activity such as likes, posts and such. You can edit any item or remove it from the log. | https://www.facebook.com/me/allactivity |
YouTube Video History / Search History | Displays videos that you have watched and your YouTube search history. | https://www.youtube.com/feed/history |
SSL
Name | What | Link |
--- | --- | --- |
Bad SSL | Tests how the browser handles certain SSL certificates and other SSL-related configurations | https://badssl.com/ |
FREAK Attack: Client Check | Tests whether your browser is vulnerable to the FREAK attack | https://freakattack.com/clienttest.html |
Heartbleed test | Tests a server for the Heartbleed vulnerability | https://filippo.io/Heartbleed/ |
 | Runs a Fallback Vulnerability test | |
How's My SSL | Checks SSL support and provides a rating | https://www.howsmyssl.com/ |
SSL Check | Reveals the SSL cipher used to connect to the website | https://www.fortify.net/sslcheck.html |
SSL Cipher Suite Details | Lists all cipher suites supported by the browser | https://cc.dcsec.uni-hannover.de/ |
Weak Diffie-Hellman and the Logjam Attack | Tests whether your browser is vulnerable to the Logjam attack | https://weakdh.org/ |
Misc Tests
Name | What | Link |
--- | --- | --- |
BrowserRecon | Fingerprinting test based on the user agent | http://www.computec.ch/projekte/browserrecon/?s=scan |
Browser Referer Headers | Browser referer headers test suite. | https://www.darklaunch.com/tools/test-referer |
Do Not Track | Detects support for Do Not Track | https://www.browserleaks.com/donottrack |
Evercookie Test | Checks if persistent data can be saved to the local user system. | http://samy.pl/evercookie/ |
JavaScript Browser Information | Lots of information about the browser's JavaScript capabilities | https://www.browserleaks.com/javascript |
Popup Blocking Tests | Tests how well your browser handles (blocks) popups | http://www.kephyr.com/popupkillertest/index.html |
Redirect test page | Runs a series of redirect tests to find out how your browser handles them | https://jigsaw.w3.org/HTTP/300/Overview.html |
System Fonts Detection | Uses CSS+JS, Flash, Silverlight or Java to detect fonts | https://www.browserleaks.com/fonts |
Universal Plug n'Play (UPnP) Internet Exposure Test | Tests whether your router exposes UPnP to the Internet | https://www.grc.com/x/ne.dll?rh1dkyd2 |
Advanced Tests
Name | What | Link |
--- | --- | --- |
Am I Unique | Tests whether the browser is unique by checking the following information: User-Agent, Accept, Content Encoding, Content Language, List of Plugins, Platform, Cookies, Do Not Track, Timezone, Screen Resolution, Use of local storage, Use of session storage, Canvas, WebGL, Fonts, Language, Use of Adblock | https://amiunique.org/fp |
 | Runs a series of tests including IP Leak, WebRTC leak, blacklist, DNS tests and more. | |
Browser Spy | Runs the following individual tests: Accepted Filetypes, ActiveX, Adobe Reader, Ajax Support, Bandwidth, Browser, Capabilities, Colors, Components, Connections, Cookies, CPU, CSS, CSS Exploit, Cursors, Date and Time, DirectX, Document, Do Not Track, .Net Framework, Email Verification, Flash, Fonts via Flash, Fonts via Java, Gears, Gecko, Geolocation, Google Chrome, Google Apps, GZip Support, HTTP Headers, HTTP, Images, IP Address, Java, JavaScript, Languages, Mathematical, MathML Support, MIME Types, Mobile, Network, Objects, Object Browser, Online/Offline, OpenDNS, OpenOffice.org, Opera Browser, Operating System, Google PageRank, Ping, Plugins, Plugs, Prefetch, Proxy, Personal Security Manager, QuickTime Player, RealPlayer, Resolution, Screen, Security, Shockwave, Silverlight, Sound Card, SVG, Text Formatting, File Upload, User Agent, VBScript, WAP Device, WebKit, Web Server, Window, Windows Media Player | http://browserspy.dk/ |
Cross Browser Fingerprinting Test | Tests locality, operating system, screen resolution, time zone, User Agent string, HTTP Accept, Plugins, Fonts | http://fingerprint.pet-portal.eu/# |
IP Leak | Runs the following tests: IP address, location, WebRTC IP detection, Torrent address detection, Geolocation detection, IP details, Geek details (user agent, referer, language, content encoding, document, system information, screen information, plugins, HTTP request headers) | https://ipleak.net/ |
IP Lookup | Checks IP address, browser user agent, referer | https://www.ghacks.net/ip/ |
 | Checks IP address, location, ISP, DNS, blacklisted or proxy use, IP location, script usage such as ActiveX, JavaScript, Java and Flash. | |
Jondonym Full Anonymity Test | Tests IP, location, net provider, Reverse DNS, Cookies, Authentication, Cache (E-Tags), HTTP Session, Referer, Signature, User-Agent, SSL Session ID, Language, Content Types, Encoding, Do Not Track, Upgrade-Insecure-Requests | http://ip-check.info/?lang=en |
Panopticlick | Tests Supercookies, Canvas Fingerprinting, Screen size and color depth, browser plugins, time zone, DNT header, HTTP Accept headers, WebGL fingerprinting, language, system fonts, platform, user agent, touch support and cookies | https://panopticlick.eff.org/ |
PC Flank | A whole battery of tests including: Stealth Test, Browser Test, Trojans Test, Advanced Port Scanner, Exploits Test, PC Flank Leaktest | http://www.pcflank.com/index.htm |
Onion Leak Test | For CORS and WebSocket Requests | http://cure53.de/leak/onion.php |
Web Privacy Check | Displays the IP address, DNS, user agent and other data. | https://ipinfo.info/html/privacy-check.php |
Whoer | Comprehensive test suite that tests for IP address, location, ISP, OS, Browser, Anonymity settings such as DNS, Proxy, Tor, Anonymizer or Blacklist, Browser headers, whether JavaScript, Flash, Java, ActiveX or WebRTC are enabled, time zone, language settings, screen information, plugins, navigator information and HTTP headers | https://whoer.net/ |
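Am I Unique and Panopticlick report "how unique" a browser is by comparing each collected attribute against the browsers they have already recorded, expressed as bits of identifying information (a value shared by one browser in eight carries 3 bits, because 2^3 = 8). The following added example (not code from the article or from either site) reproduces that arithmetic over a small constructed population; the records, attribute names and the independence assumption in `bits_if_independent` are assumptions made for the demonstration.

```python
import math

# Constructed sample population of browser fingerprints. A real test site
# compares a visitor against millions of recorded browsers; eight hand-written
# records are enough to show the arithmetic.
SAMPLE_POPULATION = [
    {"user_agent": "Firefox/Windows", "timezone": "UTC+1", "screen": "1920x1080", "dnt": "1"},
    {"user_agent": "Firefox/Windows", "timezone": "UTC+1", "screen": "1920x1080", "dnt": "0"},
    {"user_agent": "Firefox/Windows", "timezone": "UTC+1", "screen": "1366x768",  "dnt": "0"},
    {"user_agent": "Firefox/Windows", "timezone": "UTC-5", "screen": "1366x768",  "dnt": "0"},
    {"user_agent": "Chrome/Windows",  "timezone": "UTC+1", "screen": "1920x1080", "dnt": "0"},
    {"user_agent": "Chrome/Windows",  "timezone": "UTC+1", "screen": "1920x1080", "dnt": "0"},
    {"user_agent": "Chrome/macOS",    "timezone": "UTC+1", "screen": "2560x1440", "dnt": "0"},
    {"user_agent": "Safari/macOS",    "timezone": "UTC-5", "screen": "2560x1440", "dnt": "0"},
]


def attribute_bits(population, attribute, value):
    """Surprisal of one attribute value: -log2(fraction of browsers sharing it).
    A value nobody in the population has is treated as rare as 1 in n, which is
    why spoofing an attribute to an unusual value makes a browser stand out."""
    n = len(population)
    matches = sum(1 for fp in population if fp.get(attribute) == value)
    return -math.log2(max(matches, 1) / n)


def fingerprint_report(population, visitor):
    """Per-attribute bits, their sum (an upper bound, since attributes are
    correlated in practice), and how many recorded browsers share the whole
    combination. One match means the visitor is unique in this population."""
    attributes = sorted(visitor)
    per_attribute = {a: attribute_bits(population, a, visitor[a]) for a in attributes}
    key = tuple(visitor[a] for a in attributes)
    matching = sum(1 for fp in population
                   if tuple(fp.get(a) for a in attributes) == key)
    return {
        "bits_per_attribute": per_attribute,
        "bits_if_independent": sum(per_attribute.values()),
        "matching_browsers": matching,
        "unique": matching <= 1,
    }


if __name__ == "__main__":
    # The only browser with DNT enabled: that single setting costs it 3 bits.
    print(fingerprint_report(SAMPLE_POPULATION, SAMPLE_POPULATION[0]))
    # A common Chrome/Windows setup shared by two records: not unique here.
    print(fingerprint_report(SAMPLE_POPULATION, SAMPLE_POPULATION[5]))
    # A timezone nobody else reports is the most identifying value of all.
    print(attribute_bits(SAMPLE_POPULATION, "timezone", "UTC+9"))
```

Two things the numbers show that the test sites' summary page does not spell out: an opt-in privacy signal such as DNT adds identifying bits when few people send it, and a spoofed value that does not occur in the population (the `UTC+9` case) is worse for the visitor than the common value it replaced. Real sites also weight attributes differently and account for correlation, which this toy independence sum does not.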
Now You: Please help make this the best privacy test resource online by sharing resources not on this list already.
Check your DNS
https://www.astrill.com/dns-leak-test
https://bash.ws/dnsleak – test for DNS leak in command line, supports IPv6.
https://bash.ws/email-leak-test – test for email IP leak, shows email headers.
https://bash.ws/torrent-leak-test – test for torrent IP leak
https://bash.ws/webrtc-leak-test – test for webrtc leak, supports IPv6.
There are several more leak test tools.
WebRTC Leak
https://browserleaks.com/webrtc
https://www.hidemyass.com/en-us/webrtc-leak-test
https://www.purevpn.com/webrtc-leak-test
IPv6 Leak Test
ipv6leak.com/
https://www.astrill.com/en/ipv6-leak-test
https://www.purevpn.com/ipv6-leak-test
DNS Leak Test
https://www.dnsleaktest.com/
https://nordvpn.com/features/dns-leak-test/
https://www.purevpn.com/dns-leak-test
Another very good one is Device Info: https://www.deviceinfo.me/
Lots of information in one place.
I just came across an IP Lookup tool which shows your city, Public IP Address, ISP, Browser and Location as well. Must have a look.
https://www.purevpn.com/what-is-my-ip
Indeed, excellent list. Here are some other links that could be useful:
DNS leak test:
– https://www.expressvpn.com/dns-leak-test
– https://torguard.net/vpn-dns-leak-test.php
WebRTC leak test:
– https://www.xmyip.com/webrtc-leak-test
– https://www.expressvpn.com/webrtc-leak-test
WebRTC test:
– https://browserleaks.com/webrtc
IP lookup:
– https://www.whatismyip.com/
– https://www.xmyip.com/
Thanks for the list.
Hello,
Maybe you could add this in your list : https://anonymster.com/web-rtc-leak-test/
Thanks for this article !
We also need similar list to test operating system too.
I use Little Snitch on Mac and Tiny Firewall on Windows.
Great list, but is there a list of extensions and/or userscripts and/or browsers that help defeat many of the methods used by these sites? For example, one that spoofs canvases, fonts, the JavaScript Navigator object, etc.?
Awesome list.
This one tests for quite a few things (including real IP, WebRTC, ad blockers and web proxies) – http://do-know.com/privacy-test.html and has password test too http://do-know.com/password-strength-test.html
Good list of web proxies here – https://www.new-proxies.com/index.php?p=main&page=5
Thanks for all the links and comments here,
this site rocks!!
have a safe and blessed new year
Another popup blocking test site:
http://www.popuptest.com/
your site, truly, never disappoints. thx (to you AND all the others) for the great info (and conversations, debates etc.) always.
thank you Martin, Wrai & Pants for the links. Appreciate.
A terrific list of resources for online privacy. Consider adding the following (source: http://www.cogipas.com/internet-privacy-resources/):
– Panopticlick (https://panopticlick.eff.org/): EFF’s tool determines how unique is your browser configuration
– Email Trace Tracking (http://www.ip-adress.com/trace_email/): reverse email trace searches
– IPLeak.net (http://ipleak.net/), ipMagnet (http://ipmagnet.services.cbcdn.com/) & TorGuard (http://torguard.net/checkmytorrentipaddress.php): detect whether your true IP address is leaking when torrent file-sharing
Thanks!
Thanks Noah, added your resources (will take some time to go through the first resource which I have not done yet).
Hi Martin
how about a list of VPN providers that also offer tracker protection? I only know of disconnect.me that unfortunately does not support Linux. You posted a link on your Patreon site not that long ago with an overview of security/privacy minded email providers. Something like that would be great in another thread.
b,
I don’t want to send people to another site but this may have the info you are looking for;
https://torrentfreak.com/which-vpn-services-take-your-anonymity-seriously-2014-edition-140315/
Not sure if this helps but check this out: https://docs.google.com/spreadsheets/d/1FJTvWT5RHFSYuEoFVpAeQjuQPU4BVzbOigT0xebxTOw/edit#gid=0
Thank you, Martin! This is a terrific list!
@b – torrentfreak has an annual VPN list with detailed information. Have you looked at those?
Heartbleed Test
https://filippo.io/Heartbleed/
It's from the same guy who set up the now defunct Superfish one (https://filippo.io/Badfish/)
His website warrants a little reading, could be interesting
Also: Freak Attack
https://freakattack.com/clienttest.html
Added, thanks!
https://whoer.net/
http://5who.net/
Added, thanks a lot for those links!
whoer: (nice little set of checks there)
“Your anonymity: 100%
Your anonymity measures are safe or you don’t use them”
I think it checks whether it can detect if you are using anonymity services. If you do and it cannot, that’s good, otherwise, it is bad
Battery of tests
http://www.pcflank.com/index.htm
Added, thanks for the reference!
Browser referer test
https://www.darklaunch.com/tools/test-referer
Thanks very much, added to the listing.
Yet another very interesting article and a great list of resources.
Have a great ‘Urlaub’ Martin.
Nice one Martin! That’s one hell of a list.
Bookmarked!
Holy cow! Thanks Martin, this list is amazing.
Thanks for the reply and again for the list. I’ll do a little searching and if I find anything, I’ll post any useful links.
For the badssl site, is there an explanation as to what the results mean once clicked? Some offer a brief description, but I’d love to understand what each means in depth, if what I’m seeing is good or bad and if bad, what might be done to secure said problems.
Great list btw
I’m not aware of any documentation. The tests performed check how your browser reacts when certain SSL-related configurations are encountered.
It should be pretty simple to work out – red=bad, yellow=indifferent/optional/may-be-obsolete-soon, green=good
For example, under Diffie-Hellman, if you click on the dh1024 link, you either see a page or FF blocks it with a warning.
// 1210: disable 1024-DH Encryption
// https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH
// WARNING: may break some obscure sites, but not major sites, which should support ECDH over DHE
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
At the very top, second set down, about sha1 .. if you click sha1 2016
– this relates to security.pki.sha1_enforcement_level where the default value of 2 only allows sha1 until the end of 2015
Under mixed are clicks for mixed content (content from http & https)
// 2609: disable insecure active content on https pages - mixed content
user_pref("security.mixed_content.block_active_content", true);
// 2610: disable insecure passive content (such as images) on https pages - mixed content
// current default is false, am inclined to leave it this way as too many sites break visually
// user_pref("security.mixed_content.block_display_content", true);
And so on.
If you click a red one and see a web page, you need to sort that out
If you click a yellow one and see a page, it may need some investigation
Where did all the SSL/TLS ones go?
– https://www.howsmyssl.com/
– https://cc.dcsec.uni-hannover.de/
– https://www.fortify.net/sslcheck.html
– https://www.ssllabs.com/ssltest/viewMyClient.html
– https://weakdh.org/
– https://filippo.io/Badfish/
Popup blocking tests
– http://www.kephyr.com/popupkillertest/index.html
Redirect tests
– https://jigsaw.w3.org/HTTP/300/Overview.html
Nice one, the popup test is really practical. I see a lot of fails in Test 12 LOL... Mine passed, as I use uBlock to block popups as well~
Thanks, have added them (with the exception of two (one I had already, the other returned not found (https://filippo.io/Badfish/))).
https://emailprivacytester.com/
“this [website] will send you a specially crafted email which uses a variety of techniques, to attempt to send information back to this server when read. It will then display the results for you.”
I’ve used it before, and passed with flying colors because I only allow plain text by default in my email client and don’t auto download anything. I just tried it now and it seems to just queue the email to send me, and that’s it .. nothing happens.
Great, added :)
Ahh OK .. it took a while to come through, but did eventually
Very good Martin.
Another excellent article Martin. Thank you !
After all your hard work this year, I think that it is about time for you to sit down with a few glasses of schnapps and enjoy a “Good Slide into the New Year”
Gary, I’ll be on vacation in January ;)
Made in Germany
Thank you Martin
Now, that is what I’d call a comprehensive resource list… thanks, Martin!
Thumbs up Martin, very useful. Happy Holidays.
Gorgeous. Many more than I was aware of.
As I see it, in terms of privacy the keystone remains the user's IP. If it's not faked then all other privacy tools are somewhat useless, but if it is faked (with a good and reliable VPN) then all other privacy tools can make the difference and even the very pertinence of a hidden IP: not only would a VPN user be recognized if other tools are not active, but moreover that user would be spotted as hiding himself, which is like a double slap!
I may be wrong but, consequently, if the IP is true then privacy tools aren't really worth it. Am I wrong?
I forgot one thing though: how can a site be sure the user's spotted IP is not faked? If it has no means to be totally sure then my above argumentation would be invalidated.
Reminds me “Secret Agent Man” sung by Austin Powers, way back in time :)
“then privacy tools aren’t really worth it. Am I wrong?”
No privacy isn’t worth it. Anything that increases privacy/security and reduces tracking/fingerprinting is good. “Privacy” tools can be used to block adverts (that’s not only visually nice and speedwise better, but also a security issue), “Privacy” tools can be used to enhance/strengthen your encryption.
“Privacy” is a bit of a mixed term – IMO there are really FOUR items here: security, privacy, tracking and fingerprinting; and while they can have overlap (sometimes a lot) they are all decidedly very distinct different things, and the overlap that occurs is a result of effects, not design (eg, you use encryption (tls/ssl/pfs etc) for security reasons (to keep data secret and going to and from the correct sites), but as a consequence, you get added security (eg from MITM attacks) and added privacy (eg, among many other things, sites that use https won’t leak individual page visits to your isp etc, or PFS means that broken keys (eg by the NSA) won’t compromise previous communications etc.
To answer your question about IP, it depends. In a wired article (I think it was wired) a few weeks ago, someone asked five security experts what mobile device (smartphone, tablet) would they buy/consider the most secure – and all of them first asked “In what context? is the threat from employers, from family, from states, from hackers etc”?. So there is no definitive answer, I guess is what I am saying. There are variables here – for example I could be using public wifi, I could be wardriving, I could be using a prepaid disposal mobile data stick (bought with cash by a faceless bum off the street in another city) and so on. Or I could be using an ISP not tied to my name (but tied to a company) .. or it could be tied to me directly. The ISP would still have to reveal who I am – so my privacy is pretty much OK here (assuming I follow good OpSec), and only court orders/laws would reveal who I am. So it really depends who you’re trying to hide from – advertisers or state operators or the MPAA and so on.
It's really about OpSec. For example, it would be silly for me to spoof my timezone (to the most common one, which is I think UTC +1) to reduce my fingerprint when other factors (such as locale and even date formats can contradict this) and especially my real IP would put me in another timezone completely - I would stand out.
Bad OpSec is very common - most people would fail, instantly, immediately. Almost everyone would fail eventually. You can do it right a thousand times, but all it takes to connect the dots is one mistake. Three examples of IP ones off the top of my head 1) some guy issued a bomb threat at a university via TOR and he was the ONLY one in the entire campus who was connected to the tor network at the time 2) lulzsec dude leaked his real IP when his VPN went down for a few seconds (note to martin .. article on VPN chaining!) - and also he kept IRC logs the silly twat and 3) Dread Pirate Roberts confirmed as Silk Road operator when his monitored ISP network traffic showed him in and out of TOR at the same time as posts by DPR (there were other factors but they still had to confirm before they busted down his door etc).
As for advertisers and IPs – screw advertisers – if they want to track me via IP ranges, it’s much the same as a VPN range. The key here is not to leak them your real ID and block the JS/XSS and adverts themselves in the first place. They have enough other metrics and methods – cookies, login accounts (amazon, youtube/gmail/google, facebook etc – these are the global advertising giants – and you probably leak your IP to one or some or all of them ALL the time). Not sure a VPN would help really, they’re already tracking via other means and 90% of people don’t care. They’re not going to work *that* hard to get an extra 2 or 3% of profiling.
@Pants, @Jason, all this is most interesting and I realize how little I know the networks compared to you guys.
To sum up, the Web is far more complex than I ever imagined and far less defined by clear boundaries between the “good” and the “bad” guys. We are somewhere over the rainbow, beyond good and evil, in fact in an environment which corresponds to the dialectics of war, that is, different (and possibly opposed) references to what is legitimate and what is not.
Caution for us all, curiosity as well, imagination when being aware that reality is always more than the tip of the iceberg. Knowledge, as always the best contribution to avoid paranoia. Last but not least, brotherhood, which does exist on our networks as surprising as it may seem when it is continuously confronted to the uncertainty of the cyber world.
And the beat goes on.
@Tom: I think your friends advised you well! :)
What you are basically describing is the unfailing memory of the internet. If you do something online, you must assume that a record of this activity will remain somewhere forever. This is why I tell my friends to be careful with their posts / searches / site visits NOW, because it will be too late to change their behaviour one day in the future when they may have a greater need for privacy. You can't go back and undo the past. The EU has tried to legislate this by forcing Google to "forget" people who want to be forgotten, but of course Google can only make these people disappear from Google searches; it cannot delete the various electronic records that are dispersed all over the internet.
Similarly, I would apply the same principle about the internet’s “memory” to data encryption. If you transmit encrypted data with your VPN today, you must assume that a copy of these data may remain somewhere for years to come, and that this copy will be easily de-cryptable at some point in the future. Whenever we hear these stories of hackers breaking into a big online company’s database and stealing millions of pieces of user data, the company always assures us, “Don’t worry, the data were encrypted!” Well, if I were a hacker, I’d just hold onto those gigabytes of encrypted data until technology allowed me to decrypt them. Why not? And with the pace of technological change, I probably wouldn’t have to wait more than 2-5 years.
@Tom “..leads to the discovery of the hiders? Are they all known, by the way?”
That depends who the hiders are hiding from. Answer, absolutely not, because so much data has been collected that it’s almost impossible to sift thru – the needles in a haystack.
There are some very very very smart people out there who are doing things to help. And then there are huge government resources being spent – just think of all the equipment for sale (see the intercept), think of the info from the Snowden docs which is the tip of the iceberg, think of things like an entire country’s telecommunications being recorded and kept for a rolling month-long period. And all this in an ever-increasingly fast-changing technological environment. Think of IoT and all the security holes to come.
Even using what you would consider to be safe, can lead to your downfall (I wish I could find the article). Here's one for you: a gang uses prepaid burner phones, they change them every day. They are bought from sources that will not record their faces. The phones run CyanogenMod or something. The phones use secure methods of text/voice (eg silent circle etc). They are programmed to only allow calls to each other. Software algorithms already in place can detect this pattern - i.e a select, small group of phones with previously unused or out-of-circulation numbers suddenly springing to life (cell tower connections). An example of OpSec here would be to have a Faraday bag for the phone - and only check in in public places with crowds (this would have been real tinfoil hat nutter's crackpot stuff a few years ago). Here's an example of bad OpSec - said phone red-flagged by the scary govt men is turned on at the perp's house. And the perp thought he was safe. This is an example of an immature tech - until it becomes more mainstream, it only helps to make you stand out - which is Jason's point.
The underlying issue here is that the internet was never designed with security in mind. Neither was email. Neither were telephones. Anything done since then has been a patch, not a final solution. Add to that the fact that govts are stipulating other measures, such as data retention - or trying to, such as no anonymized domain registrants - or are being aholes, such as weakening encryption. The list is endless. Add in startups and internet companies (your ISP eg verizon/comcast - as well as google, twitter, facebook etc), your hardware/service companies (tvs, onstar road stuff, etc) and advertisers - who are all out to monetize you, and we're screwed.
Until something becomes mainstream – it’s hard to fight the good fight. After the Snowden leaks, a lot of companies implemented https (perfect forward secrecy as well, and other things such as DNSSEC etc), eg google between its own servers, all? google services, youtube .. and other large chunks of the internet. Now a large percentage of traffic (but a very small percent of sites) use encryption – this is good. Now we can hide in it – my midget & goat porn is hidden. Imagine if 20% of the world’s traffic was TOR. Imagine if 50% of people used VPNs. The downside to this is govts (and companies thru lawsuits) will simply outlaw it or deter investors/use – see Australian politicians such as Brandis and others spouting off about things they don’t understand – see NZs ISP Slingshot being threatened in court by Sky (TV) over their “global mode” (basically a free VPN for all slingshot users). And as fast as we close the holes, new ones open up – eg flash can die, but HTML5 poses new threats, or we have a pretty mature secure OS in Windows7 and then Windows8+10 come along with all its asshattery.
PS: For a jolly good read I recommend two of Cory Doctorow’s books (they are free from his website – http://craphound.com/ ) – “Little Brother” and its sequel “Homeland”
– https://en.wikipedia.org/wiki/Little_Brother_%28Cory_Doctorow_novel%29
– https://en.wikipedia.org/wiki/Homeland_%28Cory_Doctorow_novel%29
@Jason,
” I’m gaining user anonymity at the expense of increased fingerprintability [with a VPN]” like if the cops said “We have a Bozo in town, spotted, but no idea who he is.”.
A naive question concerning the limits of Big Ears (far more numerous than those of Uncle Sam alone) : we read once in a while that it has been impossible to localize the origin of a cyber attack. This would mean that it is possible to escape totally to a government control whatever sophisticated it is once you have the knowledge, the talent and the intelligence, or does this mean that the escape is only temporary given, as Pants pointed out, that “Bad OpSec is very common – most people would fail, instantly, immediately. Almost everyone would fail eventually.”. I mean, is it human failure or a technological issue in time (things can work now but never eternally) that leads to the discovery of the hiders? Are they all known, by the way?!
I started discovering the Web in December 2000. I remember posting then my name, my email (never my real physical address nevertheless) until some users told me “Hey, beware, you’re gonna have problems” (mainly with spam). Fifteen years later I’ve gained in caution what I’ve lost in spontaneity. Not sure it was a good deal.
Tom, that’s a good question about VPNs, and I think Pants’ “it depends” answer is the best one anyone could give.
But we can look at this backwards as well. Does using a VPN actually increase your “fingerprintability”? I would say “yes”.
Most VPN server IP addresses are actually known by large corporations and government agencies. (If they weren't known, Craigslist wouldn't be able to block VPN users the way it does...) This creates an interesting paradox for VPN users. On the one hand, they are hiding their true IP address, but on the other hand, the Googles and NSAs of the world KNOW they are hiding it. Now if you add a long list of security addons to your browser together with the VPN, without thinking about what you are doing, you will probably stand out like a neon sign on a dark night.
But I still use a VPN (and recommend it to absolutely everyone) because the tradeoffs generally work in my favour. For example, while my uniqueness within a browsing session increases, my personally identifiable metadata decreases. In other words, I’m gaining user anonymity at the expense of increased fingerprintability. Plus, once I start a new VPN session, I will have a new IP address that cannot immediately be linked to my previous one, so my actions from one session to the next remain disconnected (especially if you change your time zone / user agent / screen resolution from time to time). Moreover, even if someone tracks me within a session, they don’t know the content of my communications because the VPN encrypts them, i.e. I’m getting data privacy together with my anonymity.
It’s all very messy! My gut feeling is that a VPN with 2 or 3 *good* security addons and some intelligent user behaviour creates a satisfactory security blanket against mass surveillance. (Things are different if you have a determined adversary, but that goes beyond what we’re talking about here.)
Pants wrote: “note to martin .. article on VPN chaining!”
> Another article would be on using ddwrt to cut the internet connection at the router itself when the VPN connection is lost. That’s my current project…
Security, privacy, tracking and fingerprinting, each with its specificity and all overlapping occasionally. OK.
A true spider’s web, a multi-dimensional labyrinth. Which explains that even pros can get caught in the nest.
Interesting comment as always, Pants.
In fact there’s no winning system. It’s an everlasting race, from and towards. Or you don’t run at all, which is more a fatality than a choice for most of us. I’ll keep in mind the link between what me aim for, in terms of security and privacy, and the context. Define the context and know its rules, before all. Good point.