The ultimate Online Privacy Test Resource List

Martin Brinkmann
Dec 28, 2015
Updated • Sep 5, 2019
Security
|
60

Whenever you connect with a program to an Internet resource, a web browser to a website for instance, information are revealed to the server hosting the resource.

That's automatic, and often not the only thing happening. If that site loads resources from other servers, they too gain information, and depending on what is running on the site and supported by the browser, additional information may be revealed.

Usually, information such as your computer's IP address, a user agent that reveals browser, operating system and language, and a handful of other information are revealed automatically during connections.

While there are methods available to hide or block certain information from being made known to sites you connect to, there are also methods that sites can use to find out more about you.

Online Privacy Test Resource List

Online privacy tests help you find out what kind of information your browser (or other programs) reveal.  The information itself is useful, but you can also act upon it, for instance by disabling certain features in the program you are using if you don't require them.

You find two listings below. The basic tests listing contains resources that perform simple tests (usually one) only while the advanced tests listing resources that run a series of tests.

Basic Tests

Add-ons / Plugins

Name What Link
Firefox Addon Detector Checks if certain Firefox add-ons are installed https://thehackerblog.com/addon_scanner/
Flash Player System Test Lists information about Flash Player https://www.browserleaks.com/flash
Flash Player Test Checks whether Adobe Flash Player is installed https://get.adobe.com/flashplayer/about/
Java Test Tests whether Java is installed https://www.java.com/en/download/installed.jsp
Silverlight Test Reveals information about Silverlight https://www.browserleaks.com/silverlight

Email

Name What Link
Email IP Leak Finds out whether your email provider leaks your IP address http://emailipleak.com/
Email Privacy Tester Tests whether your email client leaks back information to the sender of an email https://emailprivacytester.com/
Email Trace Run reverse email look ups or email header traces http://www.ip-adress.com/trace_email/
Have I been pwned Check if an email account has been compromised in a data breach. https://haveibeenpwned.com/
Pwnedlist Check if your email address information have been leaked as part of an attack.

HTML5

Name What Link
Battery Status API Tests the status of the battery https://pstadler.sh/battery.js/
Canvas Fingerprinting Checks whether Canvas can be used to fingerprint the browser https://www.browserleaks.com/canvas
Hard Drive Fill Test Tests whether sites can fill your hard drive with data http://www.filldisk.com/
HTML5 Features Detection Checks HTML5 capabilities https://www.browserleaks.com/modernizr
HTML5 Geolocation Test Tries to look up your location in the world https://www.browserleaks.com/geo
HTML5 Test Tests the browsers HTML5 capabilities http://html5test.com/
WebRTC Leak Test Tests whether local or public IP addresses are leaked https://www.perfect-privacy.com/webrtc-leaktest/
WebRTC Test Tests WebRTC capabilities http://whatismyipaddress.com/webrtc-test

IP Leaks

Name What Link
Check my Torrent IP Check which IP address is revealed to peers and trackers when you use torrent clients. https://torguard.net/checkmytorrentipaddress.php
Content Filters and Proxy Test Tests network filters, TOR browser and local content filters https://www.browserleaks.com/proxy
DNS Leak Test Tests whether your IP address is leaked by DNS https://www.dnsleaktest.com/
DNS Spoofability Test Comprehensive analysis of DNS resolving nameservers https://www.grc.com/dns/dns.htm
IP Magnet Reveal which IP address BitTorrent clients reveal to peers and trackers. http://ipmagnet.services.cbcdn.com/
Whois Test Reveals IP address, host name, IP address location information and other IP related information https://www.browserleaks.com/whois

Privacy Management

Name What Link
Google Account History Display Google-related activities such as your search history or location history. Includes deletion options. https://www.google.com/settings/accounthistory
Facebook Activity Log Lists your Facebook activity such as likes, posts and such. You can edit any item or remove them from the log. https://www.facebook.com/me/allactivity
YouTube Video History / Search history Displays videos that you have watched and your YouTube search history. https://www.youtube.com/feed/history

SSL

Name What Link
Bad SSL Tests how the browser handles certain SSL certificates and other SSL-types https://badssl.com/
FREAK Attack: Client Check Tests whether your browser is vulnerable to the Freak Attack https://freakattack.com/clienttest.html
Heartbleed test Tests a server for the Heartbleed vulnerability https://filippo.io/Heartbleed/
RC4 Fallback Test Runs a Fallback Vulnerability test
How's My SSL Checks SSL support and provides a rating https://www.howsmyssl.com/
SSL Check Reveals the SSL cipher used to connect to the website https://www.fortify.net/sslcheck.html
SSL Cipher Suite Details Lists all cipher suites supported by the browser https://cc.dcsec.uni-hannover.de/
Weak Diffie-Hellman and the Logjam Attack Tests whether your browser is vulnerable to the Logjam attack https://weakdh.org/

Misc Tests

Name What Link
BrowserRecon Fingerprinting test based on user agent http://www.computec.ch/projekte/browserrecon/?s=scan
Browser Referer Headers Browser referer headers test suite. https://www.darklaunch.com/tools/test-referer
Do Not Track Detects support for Do Not Track https://www.browserleaks.com/donottrack
Evercookie Test Checks if persistent data can be saved to the local user system. http://samy.pl/evercookie/
JavaScript Browser Information Lots of information about the browser's JavaScript capabilities https://www.browserleaks.com/javascript
Popup Blocking Tests Tests how well your browser handles (blocks) popups http://www.kephyr.com/popupkillertest/index.html
Redirect test page Run a series of redirect tests to find out how your browser handles those https://jigsaw.w3.org/HTTP/300/Overview.html
System Fonts Detection Uses CSS+JS, Flash, Silverlight or Java to detect fonts https://www.browserleaks.com/fonts
Universal Plug n'Play (UPnP) Internet Exposure Test https://www.grc.com/x/ne.dll?rh1dkyd2

Advanced Tests

Name What Link
Am I Unique Tests whether the browser is unique by checking the following information: User-agent, Accept, Content Encoding, Content Language, List of Plugins, Platform, Cookies, Do Not Track, Timezone, Screen Resolution, Use of local storage, Use of session storage, Canvas, WebGL, Fonts, Screen resolution, Language, Platform, Use of Adblock https://amiunique.org/fp
Browser Privacy Test Runs a series of test including IP Leak, WebRTC leak, blacklist, DNS tests and more.
Browser Spy Runs the following individual tests: Accepted Filetypes, ActiveX, Adobe Reader, Ajax Support, Bandwidth, Browser, Capabilities, Colors, Components, Connections, Cookies, CPU, CSS, CSS Exploit, Cursors, Date and Time, DirectX, Document, Do Not Track, .Net Framework, Email Verification, Flash, Fonts via Flash, Fonts via Java, Gears, Gecko, Geolocation, Google Chrome, Google Apps, GZip Support, HTTP Headers, HTTP, Images, IP Address, Java, JavaScript, Languages, Mathematical, MathML Support, MIME Types, Mobile, Network, Objects, Object Browser, Online/Offline, OpenDNS, OpenOffice.org, Opera Browser, Opreating System, Google PageRank, Ping, Plugins, Plugs, Prefetech, Proxy, Proxy, Personal Security Manager, QuickTime Player, RealPlayer, Resolution, Screen, Security, Shockwave, Silverlight, Sound Card, SVG, Text Formatting, File Upload, User/Agent, VBScript, WAP Device, WebKit, Web Server, Window, Windows Media Player http://browserspy.dk/
Cross Browser Fingerprinting Test Tests locality, operating system, screen resolution, time zone, User Agent string, HTTP Accept, Plugins, Fonts http://fingerprint.pet-portal.eu/#
IP Leak Runs the following tests: IP address, location, WebRTC IP detection, Torrent address detection, Geolocation detection, IP details, Geek details (user agent, referer, language, content encoding, document, system information, screen information, plugins, HTTP Request headers https://ipleak.net/
IP Lookup Checks IP address, browser user agent, referer https://www.ghacks.net/ip/
Five Star Privacy Checker Checks IP address, location, ISP, DNs, Blacklisted or Proxy use, IP location, Script usage such as ActiveX, JavaScript, Java and Flash.
Jondonym Full Anonymity Test Tests IP, location, net provider, Reverse DNS, Cookies, Authentication, Cache (E-Tags), HTTP Session, Referer, Signature, User-Agent, SSL Session ID, Language, Content Types, Encoding, Do Not Track, Upgrade-Insecure-Requests http://ip-check.info/?lang=en
Panopticlick Tests Supercookies, Canvas Fingerprinting, Screen size and color depth, browser plugins, time zone, DNT header, HTTP Accept headers, WebGL fingerprinting, language, system fonts, platform, user agent, touch support and cookies https://panopticlick.eff.org/
PC Flank A whole battery of tests including: Stealth Test, Browser Test, Trojans Test, Advanced Port Scanner, Exploits Test, PC Flank Leaktest
Onion Leak Test For CORS and WebSocket Requests http://cure53.de/leak/onion.php
Web Privacy Check Displays the IP address, DNS, user agent and other data. https://ipinfo.info/html/privacy-check.php
Whoer Comprehensive test suite that tests for IP address, location, ISP, OS, Browser, Anonymity settings such as DNS, Proxy, Tor, Anonymizer or Blacklist, Browser headers, whether JavaScript, Flash, Java, ActiveX or WebRTC are enabled, time zone, language settings, screen information, plugins, navigator information and HTTP headers https://whoer.net/

Now You: Please help make this the best privacy test resource online by sharing resources not on this list already.

Summary
The ultimate Online Privacy Test Resource List
Article Name
The ultimate Online Privacy Test Resource List
Description
The ultimate online privacy test resource list is a collection of Internet sites that check whether your web browser leaks information.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. Osteen said on July 25, 2022 at 11:56 am
    Reply
  2. Tom said on April 9, 2021 at 2:48 pm
    Reply

    https://bash.ws/dnsleak – test for DNS leak in command line, supports IPv6.
    https://bash.ws/email-leak-test – test for email IP leak, shows email headers.
    https://bash.ws/torrent-leak-test – test for torrent IP leak
    https://bash.ws/webrtc-leak-test – test for webrtc leak, supports IPv6.

  3. Daniel said on May 1, 2019 at 10:01 pm
    Reply

    Another very good one is Device Info: https://www.deviceinfo.me/
    Lots of information in one place.

  4. Kenny said on May 11, 2018 at 1:45 pm
    Reply

    I just came across an IP Lookup tool which shows your city, Public IP Address, ISP, Browser and Location as well. Must have a look.
    https://www.purevpn.com/what-is-my-ip

  5. Chris said on May 2, 2018 at 4:33 pm
    Reply

    ndeed, excellent list. Here are some other links that could be useful:

    DNS leak test:
    – https://www.expressvpn.com/dns-leak-test
    – https://torguard.net/vpn-dns-leak-test.php

    WebRTC leak test:
    – https://www.xmyip.com/webrtc-leak-test
    – https://www.expressvpn.com/webrtc-leak-test

    WebRTC test:
    – https://browserleaks.com/webrtc

    IP lookup:
    – https://www.whatismyip.com/
    – https://www.xmyip.com/

  6. Jason said on January 13, 2018 at 10:12 am
    Reply

    Thanks for the list.

  7. Jabe said on May 5, 2017 at 10:41 am
    Reply

    Hello,

    Maybe you could add this in your list : https://anonymster.com/web-rtc-leak-test/

    Thanks for this article !

  8. Anonymous said on September 29, 2016 at 8:05 am
    Reply

    We also need similar list to test operating system too.

    I use little snitch in Mac and Tiny Firewal in Windows.

  9. Steve said on September 1, 2016 at 2:34 pm
    Reply

    Great list, but is there a list of extension and/or userscripts and/or browsers that help defeat many of the methods used by these sites? For example, one that spoofs canvases, fonts, the JavaScipt Navigator object, etc.?

  10. Andy said on February 4, 2016 at 1:35 pm
    Reply

    Awesome list.
    This one tests for quite a few things (including real IP, WebRTC, ad blockers and web proxies) – http://do-know.com/privacy-test.html and has password test too http://do-know.com/password-strength-test.html

    Good list of web proxies here – https://www.new-proxies.com/index.php?p=main&page=5

  11. justakiwi said on December 31, 2015 at 8:51 pm
    Reply

    Thanks for all the links and comments here,
    this site rocks!!
    have a safe and blessed new year

  12. Rollo said on December 31, 2015 at 5:47 pm
    Reply

    Another popup blocking test site:
    http://www.popuptest.com/

  13. herman maldonado said on December 30, 2015 at 6:12 pm
    Reply

    your site, truly, never disappoints. thx (to you AND all the others) for the great info (and conversations, debates etc.) always.

  14. b said on December 30, 2015 at 3:21 pm
    Reply

    thank you Martin, Wrai & Pants for the links. Appreciate.

  15. Noah Brodi said on December 30, 2015 at 7:08 am
    Reply

    A terrific list of resources for online privacy. Consider adding the following (source: http://www.cogipas.com/internet-privacy-resources/):

    – Panopticlick (https://panopticlick.eff.org/): EFF’s tool determines how unique is your browser configuration

    – Email Trace Tracking (http://www.ip-adress.com/trace_email/): reverse email trace searches

    – IPLeak.net (http://ipleak.net/), ipMagnet (http://ipmagnet.services.cbcdn.com/) & TorGuard (http://torguard.net/checkmytorrentipaddress.php): detect whether your true IP address is leaking when torrent file-sharing

    Thanks!

    1. Martin Brinkmann said on December 30, 2015 at 11:49 am
      Reply

      Thanks Noah, added your resources (will take some time to go through the first resource which I have not done yet).

  16. b said on December 29, 2015 at 3:54 pm
    Reply

    Hi Martin
    how about a list of VPN providers that also offer tracker protection? I only know of disconnect.me that unfutunately do not support Linux. You posted a link on you patreonsite not that long ago with an overwiev of security/privacy minded emailproviders. something like that would be great in another thread.

    1. Vrai said on December 30, 2015 at 2:11 am
      Reply

      b,

      I don’t want to send people to another site but this may have the info you are looking for;
      https://torrentfreak.com/which-vpn-services-take-your-anonymity-seriously-2014-edition-140315/

    2. Martin Brinkmann said on December 29, 2015 at 8:49 pm
      Reply
      1. Quick Brown Fox said on December 30, 2015 at 1:14 am
        Reply

        Thank you, Martin! This is a terrific list!

    3. Pants said on December 29, 2015 at 4:57 pm
      Reply

      @b – torrentfreak has an annual VPN list with detailed information. Have you looked at those?

  17. Pants said on December 29, 2015 at 3:29 pm
    Reply

    Heartbleed Test
    https://filippo.io/Heartbleed/

    Its from the same guy who set up the now defunct Superfish one (https://filippo.io/Badfish/)
    His website warrants a little reading, could be interesting

    1. Pants said on December 29, 2015 at 5:14 pm
      Reply
      1. Martin Brinkmann said on December 29, 2015 at 8:45 pm
        Reply

        Added, thanks!

  18. Evelyn Spencer said on December 29, 2015 at 12:48 pm
    Reply
    1. Martin Brinkmann said on December 29, 2015 at 8:43 pm
      Reply

      Added, thanks a lot for those links!

    2. Pants said on December 29, 2015 at 3:15 pm
      Reply

      whoer: (nice little set of checks there)
      “Your anonymity: 100%
      Your anonymity measures are safe or you don’t use them”

      1. Martin Brinkmann said on December 29, 2015 at 8:41 pm
        Reply

        I think it checks whether it can detect if you are using anonymity services. If you do and it cannot, that’s good, otherwise, it is bad

  19. Yossarian said on December 29, 2015 at 11:26 am
    Reply
    1. Martin Brinkmann said on December 29, 2015 at 11:37 am
      Reply

      Added, thanks for the reference!

  20. Rollo said on December 29, 2015 at 10:19 am
    Reply
    1. Martin Brinkmann said on December 29, 2015 at 11:39 am
      Reply

      Thanks very much, added to the listing.

  21. wybo said on December 29, 2015 at 9:39 am
    Reply

    Yet another very interesting article and a great list of resources .

    Have a great ‘Urlaub’ Martin.

  22. Maou said on December 29, 2015 at 2:56 am
    Reply

    Nice one Martin! That’s one hell of a list.
    Bookmarked!

  23. Jason said on December 28, 2015 at 10:59 pm
    Reply

    Holy cow! Thanks Martin, this list is amazing.

  24. Brian said on December 28, 2015 at 10:04 pm
    Reply

    Thanks for the reply and again for the list. I’ll do a little searching and if I find anything, I’ll post any useful links.

  25. Brian said on December 28, 2015 at 8:59 pm
    Reply

    For the badssl site, is there an explanation as to what the results mean once clicked? Some offer a brief description, but I’d love to understand what each means in depth, if what I’m seeing is good or bad and if bad, what might be done to secure said problems.

    Great list btw

    1. Martin Brinkmann said on December 28, 2015 at 9:31 pm
      Reply

      I’m not aware of any documentation. The tests performed check how your browser reacts when certain SSL-related configurations are encountered.

      1. Pants said on December 29, 2015 at 11:47 am
        Reply

        It should be pretty simple to work out – red=bad, yellow=indifferent/optional/may-be-obsolete-soon, green=good

        For example, under Diffie-Hellman, if you click on the dh1024 link, you either see a page or FF blocks it with a warning.

        // 1210: disable 1024-DH Encryption
        // https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH
        // WARNING: may break some obscure sites, but not major sites, which should support ECDH over DHE
        user_pref(“security.ssl3.dhe_rsa_aes_128_sha”, false);
        user_pref(“security.ssl3.dhe_rsa_aes_256_sha”, false);

        At the very top, second set down, about sha1 .. if you click sha1 2016
        – this relates to security.pki.sha1_enforcement_level where the default value of 2 only allows sha1 until the end of 2015

        Under mixed are clicks for mixed content (content from http & https)

        // 2609: disable insecure active content on https pages – mixed content
        user_pref(“security.mixed_content.block_active_content”, true);
        // 2610: disable insecure passive content (such as images) on https pages – mixed context
        // current default is false, am inclined to leave it this way as too many sites break visually
        // user_pref(“security.mixed_content.block_display_content”, true);

        And so on.

        If you click a red one and see a web page, you need to sort that out
        If you click a yellow one and see a page, it may need some investigation

    1. Cyrus Wong said on March 9, 2017 at 11:56 am
      Reply

      Nice one, the popup test is really practical. I see a large of fail in Test 12 LOL…Mine passed..as I use uBlock to block popup as well~

    2. Martin Brinkmann said on December 28, 2015 at 8:58 pm
      Reply

      Thanks, have added them (with the exception of two (one I had already, the other returned not found (https://filippo.io/Badfish/))).

  26. Pants said on December 28, 2015 at 8:35 pm
    Reply

    https://emailprivacytester.com/

    “this [website] will send you a specially crafted email which uses a variety of techniques, to attempt to send information back to this server when read. It will then display the results for you.”

    I’ve used it before, and passed with flying colors because I only allow plain text by default in my email client and don’t auto download anything. I just tried it now and it seems to just queue the email to send me, and that’s it .. nothing happens.

    1. Martin Brinkmann said on December 28, 2015 at 8:47 pm
      Reply

      Great, added :)

      1. Pants said on December 28, 2015 at 9:10 pm
        Reply

        Ahh OK .. it took a while to come through, but did eventually

  27. Onur said on December 28, 2015 at 8:00 pm
    Reply

    Very good Martin.

  28. Gary D said on December 28, 2015 at 7:33 pm
    Reply

    Another excellent article Martin. Thank you !
    After all your hard work this year, I think that it is about time for you to sit down with a few glasses of schnapps and enjoy a “Good Slide into the New Year”

    1. Martin Brinkmann said on December 28, 2015 at 7:37 pm
      Reply

      Gary, I’ll be on vacation in January ;)

  29. Made said on December 28, 2015 at 7:05 pm
    Reply

    Made in Germany
    Thank you Martin

  30. ozar said on December 28, 2015 at 6:57 pm
    Reply

    Now, that is what I’d call a comprehensive resource list… thanks, Martin!

  31. RG said on December 28, 2015 at 6:47 pm
    Reply

    Thumbs up Martin, very useful. Happy Holidays.

  32. Tom Hawack said on December 28, 2015 at 6:40 pm
    Reply

    Gorgeous. Many more than I was aware of.

    As I see it, in terms of privacy the keystone remains the user’s IP. If it’s not faked than all other privacy tools are somewhat useless, but if it is faked (with a good and reliable VPN) then all other privacy tools can make the difference and even the very pertinence of a hidden IP : not only a VPN user would be recognized if other tools are not active but moreover that user would be spotted as hiding himself, which is like a double slap!

    I may be wrong but, consequently, if IP is true then privacy tools aren’t really worth it. Am I wrong?
    I forgot one thing though : how can a site be sure the user’s spotted IP is not faked? if it has no means to be totally sure than my above argumentation would be invalidated.

    Reminds me “Secret Agent Man” sung by Austin Powers, way back in time :)

    1. Pants said on December 28, 2015 at 8:09 pm
      Reply

      “then privacy tools aren’t really worth it. Am I wrong?”

      No privacy isn’t worth it. Anything that increases privacy/security and reduces tracking/fingerprinting is good. “Privacy” tools can be used to block adverts (that’s not only visually nice and speedwise better, but also a security issue), “Privacy” tools can be used to enhance/strengthen your encryption.

      “Privacy” is a bit of a mixed term – IMO there are really FOUR items here: security, privacy, tracking and fingerprinting; and while they can have overlap (sometimes a lot) they are all decidedly very distinct different things, and the overlap that occurs is a result of effects, not design (eg, you use encryption (tls/ssl/pfs etc) for security reasons (to keep data secret and going to and from the correct sites), but as a consequence, you get added security (eg from MITM attacks) and added privacy (eg, among many other things, sites that use https won’t leak individual page visits to your isp etc, or PFS means that broken keys (eg by the NSA) won’t compromise previous communications etc.

      To answer your question about IP, it depends. In a wired article (I think it was wired) a few weeks ago, someone asked five security experts what mobile device (smartphone, tablet) would they buy/consider the most secure – and all of them first asked “In what context? is the threat from employers, from family, from states, from hackers etc”?. So there is no definitive answer, I guess is what I am saying. There are variables here – for example I could be using public wifi, I could be wardriving, I could be using a prepaid disposal mobile data stick (bought with cash by a faceless bum off the street in another city) and so on. Or I could be using an ISP not tied to my name (but tied to a company) .. or it could be tied to me directly. The ISP would still have to reveal who I am – so my privacy is pretty much OK here (assuming I follow good OpSec), and only court orders/laws would reveal who I am. So it really depends who you’re trying to hide from – advertisers or state operators or the MPAA and so on.

      Its really about OpSec. For example, it would be silly for me to spoof my timezone (to the most common one, which is I think UTC +1) to reduce my fingerprint when other factors (such as locale and even date formats can contradict this) and especially my real IP would put me in another timezone completely – I would stand out.

      Bad OpSec is very common – most people would fail, instantly, immediately. Almost everyone would fail eventually. You can do it right a thousand times, but all it takes to connect the dots is one mistake. Three examples of IP ones off the top of my head 1) some guy issued a bomb treat at a university via TOR and he was the ONLY one in the entire campus who was connected to the tor network at the time 2) lulzsec dude leaked his real IP when his VPN went down for a few seconds (note to martin .. article on VPN chaining!) – and also he kept IRC logs the silly twat and 3) Dread Pirate Roberts confirmed as Silk Road operator when his monitored ISP network traffic showed him in and out of TOR at the same time as posts by DPR (there were other factors but they still had to confirm before they busted down his door etc).

      As for advertisers and IPs – screw advertisers – if they want to track me via IP ranges, it’s much the same as a VPN range. The key here is not to leak them your real ID and block the JS/XSS and adverts themselves in the first place. They have enough other metrics and methods – cookies, login accounts (amazon, youtube/gmail/google, facebook etc – these are the global advertising giants – and you probably leak your IP to one or some or all of them ALL the time). Not sure a VPN would help really, they’re already tracking via other means and 90% of people don’t care. They’re not going to work *that* hard to get an extra 2 or 3% of profiling.

      1. Tom Hawack said on December 29, 2015 at 10:34 am
        Reply

        @Pants, @Jason, all this is most interesting and I realize how little I know the networks compared to you guys.
        To sum up, the Web is far more complex than I ever imagined and far less defined by clear boundaries between the “good” and the “bad” guys. We are somewhere over the rainbow, beyond good and evil, in fact in an environment which corresponds to the dialectics of war, that is, different (and possibly opposed) references to what is legitimate and what is not.

        Caution for us all, curiosity as well, imagination when being aware that reality is always more than the tip of the iceberg. Knowledge, as always the best contribution to avoid paranoia. Last but not least, brotherhood, which does exist on our networks as surprising as it may seem when it is continuously confronted to the uncertainty of the cyber world.

        And the beat goes on.

      2. Jason said on December 29, 2015 at 2:42 am
        Reply

        @Tom: I think your friends advised you well! :)

        What you are basically describing is the unfailing memory of the internet. If you do something online, you must assume that a record of this activity will remain somewhere forever. This is why I tell my friends to be careful with their posts / searches / site visits NOW, because it will be too late to change their behaviour one day in the future when they may have a greater need for privacy. You can’t go back and undue the past. The EU has tried to legislate this by forcing Google to “forget” people who want to be forgotten, but of course Google can only make these people disappear from Google searches; it cannot delete the various electronic records that are dispersed all over the internet.

        Similarly, I would apply the same principle about the internet’s “memory” to data encryption. If you transmit encrypted data with your VPN today, you must assume that a copy of these data may remain somewhere for years to come, and that this copy will be easily de-cryptable at some point in the future. Whenever we hear these stories of hackers breaking into a big online company’s database and stealing millions of pieces of user data, the company always assures us, “Don’t worry, the data were encrypted!” Well, if I were a hacker, I’d just hold onto those gigabytes of encrypted data until technology allowed me to decrypt them. Why not? And with the pace of technological change, I probably wouldn’t have to wait more than 2-5 years.

      3. Pants said on December 29, 2015 at 12:59 am
        Reply

        @Tom “..leads to the discovery of the hiders? Are they all known, by the way?”

        That depends who the hiders are hiding from. Answer, absolutely not, because so much data has been collected that it’s almost impossible to sift thru – the needles in a haystack.

        There are some very very very smart people out there who are doing things to help. And then there are huge government resources being spent – just think of all the equipment for sale (see the intercept), think of the info from the Snowden docs which is the tip of the iceberg, think of things like an entire country’s telecommunications being recorded and kept for a rolling month-long period. And all this in an ever-increasingly fast-changing technological environment. Think of IoT and all the security holes to come.

        Even using what you would consider to be safe, can lead to your downfall (I wish I could find the article). Here’s one for you: a gang uses prepaid burner phones, they change them every day. They are bought from sources that will not record their faces. The phones run Cynamod or somethng. The phones use secure methods of text/voice (eg silent circle etc). They are programmed to only allow calls to each other. Software algorithms already in place can detect this pattern – i.e a select.small group of phones with previously unused or out-of-circulation numbers suddenly springing to life (cell tower connections). An example of OpSec here would be to have a Faraday bag for the phone – and only check in in public places with crowds (this would have been real tinfoil hat nutter’s crackpot stuff a few years ago). Here’s an example of bad OpSec – said phone red-flagged by the scary govt men is turned on at the perp’s house. And the perp thought he was safe. This is an example of an immature tech – until it becomes more mainstream, it only helps to make you stand out – which is Jason’s point.

        The underlying issue here is that the internet was never designed with security in mind. Neither was email. Neither were telephones. Anything done since then has been a patch, not a final solution. Add to that the fact that govts are stipulating other measures, such as data retention – or trying to, such as no anonymized domain registrants – or are being aholes, such as weakening encryption. The list is endless. Add in startups and internet companies (your ISP eg verizon/comcast – as well as google, twitter, facebok etc), your hardware/service companies (tvs, onstar road stuff, etc) and advertisers – who are all out to monetize you, and we’re screwed.

        Until something becomes mainstream – it’s hard to fight the good fight. After the Snowden leaks, a lot of companies implemented https (perfect forward secrecy as well, and other things such as DNSSEC etc), eg google between its own servers, all? google services, youtube .. and other large chunks of the internet. Now a large percentage of traffic (but a very small percent of sites) use encryption – this is good. Now we can hide in it – my midget & goat porn is hidden. Imagine if 20% of the world’s traffic was TOR. Imagine if 50% of people used VPNs. The downside to this is govts (and companies thru lawsuits) will simply outlaw it or deter investors/use – see Australian politicians such as Brandis and others spouting off about things they don’t understand – see NZs ISP Slingshot being threatened in court by Sky (TV) over their “global mode” (basically a free VPN for all slingshot users). And as fast as we close the holes, new ones open up – eg flash can die, but HTML5 poses new threats, or we have a pretty mature secure OS in Windows7 and then Windows8+10 come along with all its asshattery.

        PS: For a jolly good read I recommend two of Cory Doctorow’s books (they are free from his website – http://craphound.com/ ) – “Little Brother” and its sequel “Homeland”
        https://en.wikipedia.org/wiki/Little_Brother_%28Cory_Doctorow_novel%29
        https://en.wikipedia.org/wiki/Homeland_%28Cory_Doctorow_novel%29

      4. Tom Hawack said on December 29, 2015 at 12:12 am
        Reply

        @Jason,
        ” I’m gaining user anonymity at the expense of increased fingerprintability [with a VPN]” like if the cops said “We have a Bozo in town, spotted, but no idea who he is.”.

        A naive question concerning the limits of Big Ears (far more numerous than those of Uncle Sam alone) : we read once in a while that it has been impossible to localize the origin of a cyber attack. This would mean that it is possible to escape totally to a government control whatever sophisticated it is once you have the knowledge, the talent and the intelligence, or does this mean that the escape is only temporary given, as Pants pointed out, that “Bad OpSec is very common – most people would fail, instantly, immediately. Almost everyone would fail eventually.”. I mean, is it human failure or a technological issue in time (things can work now but never eternally) that leads to the discovery of the hiders? Are they all known, by the way?!

        I started discovering the Web in December 2000. I remember posting then my name, my email (never my real physical address nevertheless) until some users told me “Hey, beware, you’re gonna have problems” (mainly with spam). Fifteen years later I’ve gained in caution what I’ve lost in spontaneity. Not sure it was a good deal.

      5. Jason said on December 28, 2015 at 11:31 pm
        Reply

        Tom, that’s a good question about VPNs, and I think Pants’ “it depends” answer is the best one anyone could give.

        But we can look at this backwards as well. Does using a VPN actually increase your “fingerprintability”? I would say “yes”.

        Most VPN server IP addresses are actually known by large corporations and government agencies. (If they weren’t known, Craigslist wouldn’t be able to block VPN users the way it does…) This creates an interesting paradox for VPN users. On the one hand, they are hiding their true IP address, but on the other hand, the Googles and NSAs of the world KNOW they are hiding it. Now if you add a long list of security addons to your browser together with the VPN, without thinking about what you are doing, you will probably out like a neon sign on a dark night.

        But I still use a VPN (and recommend it to absolutely everyone) because the tradeoffs generally work in my favour. For example, while my uniqueness within a browsing session increases, my personally identifiable metadata decreases. In other words, I’m gaining user anonymity at the expense of increased fingerprintability. Plus, once I start a new VPN session, I will have a new IP address that cannot immediately be linked to my previous one, so my actions from one session to the next remain disconnected (especially if you change your time zone / user agent / screen resolution from time to time). Moreover, even if someone tracks me within a session, they don’t know the content of my communications because the VPN encrypts them, i.e. I’m getting data privacy together with my anonymity.

        It’s all very messy! My gut feeling is that a VPN with 2 or 3 *good* security addons and some intelligent user behaviour creates a satisfactory security blanket against mass surveillance. (Things are different if you have a determined adversary, but that goes beyond what we’re talking about here.)

        Pants wrote: “note to martin .. article on VPN chaining!”
        > Another article would be on using ddwrt to cut the internet connection at the router itself when the VPN connection is lost. That’s my current project…

      6. Tom Hawack said on December 28, 2015 at 10:04 pm
        Reply

        Security, privacy, tracking and fingerprinting, each with its specificity and all overlapping occasionally. OK.
        A true spider’s web, a multi-dimensional labyrinth. Which explains that even pros can get caught in the nest.
        Interesting comment as always, Pants.

        In fact there’s no winning system. It’s an everlasting race, from and towards. Or you don’t run at all, which is more a fatality than a choice for most of us. I’ll keep in mind the link between what me aim for, in terms of security and privacy, and the context. Define the context and know its rules, before all. Good point.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.