Slashdot Mirror


Ask Slashdot: Most Secure Browser In an Age of Surveillance?

An anonymous reader writes "With the discovery that the NSA may be gathering extensive amounts of data, and the evidence suggesting makers of some of the most popular browsers may be in on the action, I am more than a little wary of which web browser to use. Thus, I pose a question to the community: is there a 'most secure' browser in terms of avoiding personal data collection? Assuming we all know by now how to 'safely' browse the internet (don't click on that ad offering to free your computer of infections) what can the lay person do to have a modicum of protection, or at least peace of mind?"

11 of 391 comments

  1. Tor Browser Bundle (TBB) R/O system by Anonymous Coward · · Score: 5, Interesting

    A LiveCD with TBB:

    https://www.torproject.org/

    for LiveDVD/USB preconfigured not to leak try TAILS:

    https://tails.boum.org/

    in both instances unplug your HDD(s) before use.

  2. Re:Internet Explorer by Yvanhoe · · Score: 4, Interesting

    Yes: the whole NSA key debacle. You are free to choose to believe Microsoft's denials that the item they called _NSAKEY is a key they gave to the NSA. This is not the kind of smoking gun Snowden provided, but I do think this qualifies as "something that suggests they put in back doors into software."

    --
    The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
  3. Re:No such thing by UltraZelda64 · · Score: 5, Interesting

    I was thinking Incognito/TAILS, exactly. Those guys seem incredibly serious about privacy and security. I haven't messed a whole lot with it myself (lack of memory, no discs to spare, runs like crap in a VM...), but I recall it even featured Tor and a Tor Firefox extension and it had strict rules about *not* allowing certain "convenience" features in the name of privacy (i.e. swap partition). No doubt, with security features and precautions like those, its Firefox browser is probably locked tight as hell by default.

    Aside from this, I figure with all the extensions available and some additional services, you could help to protect yourself. You could start by doing the usual in your browser (disable third-party cookies, install the Adblock Plus, NoScript and DoNotTrackMe extensions, etc.). Reduce your reliance on American companies and/or servers. Example: Since Google's going to be killing off Talk/XMPP support, I decided to look around for alternatives, and chose many XMPP servers to test and decide which one to use. I originally was interested in performance and was going to choose one closest to me, in my own country if possible (the United States). Now, I am almost 100% certain my primary XMPP account will *not* be on an American server, unless I happen to decide to try my hand at setting up and maintaining my own XMPP server.

    And... services. Obviously Tor can work as in Incognito if you want to use that, but another option would be a VNC provider. Specifically, one that respects your privacy (i.e. does not store any more log data than they need to operate), and possibly more importantly--again--one that is not in the United States. I'm not sure of a good VNC provider, but I can say that it's pretty pathetic when you are forced to subscribe to and pay a foreign provider just to try to ensure your own privacy. But, well, it looks like the U.S. government has no end in sight when it comes to royally fucking up its own economy.

    And last... you run Windows? Mac? Might want to change your operating system. It's already been discovered that various U.S. government agencies have deals with Microsoft to learn about zero-day exploits before anyone else in the world... who knows what other deals they might have, or what other American companies also have deals. Definite possibility of backdoors as well.

    The real problem is that PRISM works (from what I can understand) by splitting the signal in between, for example, Microsoft's or Google's servers and their respective ISPs (Steve Gibson brings some pretty good points in a recent episode of Security Now). This means they get *everything*, so if it's encrypted (https:// for example) the government *may* not be able to read the data itself as it's transferred for storage in their own top-secret storage rooms... but they can definitely look at the activity to find out what IP address communications are between at any given time (or... just ask the company running the servers who that user is).

  4. Failure of Premise by mrbene · · Score: 5, Interesting

    OP says "what browser should I use"; I automatically add "for the Facebooks".

    Here's the low-down:

    1. If you install any software, it can identify your machine uniquely. This goes for apps, doubly.
    2. If you use an ISP without TOR or other proxy, your ISP knows exactly what sites you're going to.
    3. Even if you use obfuscation techniques (TOR, other proxy), the exit node knows where you're going. TOR is designed to prevent the exit node from knowing where you entered from, but this fails if you send unencrypted identifying data across the wire.
    4. Additionally, using TOR obfuscates your country of origin, thereby giving NSA the freedom to retain your activity indefinitely.
    5. If you authenticate anywhere, you've provided that party (and the NSA) with a unique ID for yourself.
    6. If you authenticate and also provide actual information about yourself, a link to your physical self can be made. Remember, there's an 87% chance that your DOB, ZIP, and Gender are a unique combination. And if it isn't unique, you probably only share these with one or two other people.

    That's just off the top of my head. The software you use to disclose the information isn't the problem - you are.
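
The re-identification risk named in point 6 of the comment above can be measured as the share of records whose (date of birth, ZIP, gender) combination is held by nobody else. The following is an added example, not part of the original comment: the records are constructed, the function names are hypothetical, and it also shows how disclosing only birth year and a 3-digit ZIP prefix shrinks that share.

```python
from collections import Counter

# Constructed sample records (date of birth, ZIP, gender); not real people.
RECORDS = [
    ("1980-03-14", "02139", "F"),
    ("1980-07-02", "02139", "F"),
    ("1980-11-30", "02141", "F"),
    ("1980-02-25", "02142", "M"),
    ("1980-08-08", "02139", "M"),
    ("1981-01-09", "02141", "M"),
    ("1981-05-21", "02142", "M"),
    ("1981-05-21", "02142", "M"),
    ("1981-09-17", "02139", "F"),
    ("1981-12-03", "02141", "F"),
]

def exact(rec):
    """Quasi-identifier as disclosed in full: (DOB, ZIP, gender)."""
    return rec

def coarse(rec):
    """Generalized quasi-identifier: (birth year, 3-digit ZIP prefix, gender)."""
    dob, zip_code, gender = rec
    return (dob[:4], zip_code[:3], gender)

def unique_fraction(records, key):
    """Fraction of records whose quasi-identifier is shared by no other record."""
    sizes = Counter(key(r) for r in records)
    return sum(1 for r in records if sizes[key(r)] == 1) / len(records)

def k_anonymity(records, key):
    """Size of the smallest group of records sharing one quasi-identifier."""
    return min(Counter(key(r) for r in records).values())

if __name__ == "__main__":
    for name, key in (("exact", exact), ("coarse", coarse)):
        print(name,
              "unique fraction:", unique_fraction(RECORDS, key),
              "k:", k_anonymity(RECORDS, key))
```
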

  5. Re:Internet Explorer by benjymouse · · Score: 4, Interesting

    They at least get early Zero-Day access. I'm guessing they have more.

    http://arstechnica.com/security/2013/06/nsa-gets-early-access-to-zero-day-data-from-microsoft-others/

    MS gives advance information about security patches to AV vendors. The intention is to allow those AV vendors to create scanning signatures which will enable AV products to pick up the attacks. Attackers have shown a lazy tendency to just reverse engineer patches instead of finding vulnerabilities themselves. Less than 1% of attacks are zero-day attacks these days.

    Some of the AV vendors that receive such vulnerability information are foreign companies. Yes. Some of those AV companies are Chinese.

    Is it not reasonable to afford the NSA the same advance warning? The advance warning is a few days before the patch is made public, around the same time that the public receive advance notification (with less details than the AV companies and NSA). It is not like they have months to exploit it.

    But tinfoil hatters and Microsoft haters always spin it as something nefarious. There is *nothing* to suggest that there are NSA backdoors in Windows or any other OS for that matter.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  6. wget by Anonymous Coward · · Score: 2, Interesting

    wget -m -k -K -E -l 1000 -t 3 -w 1 http://www.website.com/

    Then after waiting a while (ok, maybe a long while), open the page/articles you *really* wanted to read in a text editor. Sure, the NSA might know which *site* you visited through normal spying means, but they'll never figure out which *page* you were really after.

    Of course, they might think you read all the pages, and spend a few million dollars of taxpayer money trying to determine whether it's possible for someone to read 1 page per second and whether that implies terrorist connections, but they're clearly already misusing your tax dollars so you shouldn't really care if they misuse some more.

  7. Chrome phones home with ID code by Anonymous Coward · · Score: 4, Interesting

    Except that Chrome phones home the first time you start it up to check for upgrades. This has the unfortunate 'effect' of informing Google of the browser ID at this IP address, and as a consequence it informs the NSA of the linkage of browser ID and IP address.

    Post NSA, I try to avoid Google services. They try to grab data for themselves, but in the process grab it for the NSA, and if the choice is NSA+Google or no Google, then I go without Google.

    I opt for Firefox with the 'check for updates' turned to manual checks.

    It's a minor thing, but it helps inasmuch as the choice of browser can help (not much if you're in the USA, quite a bit if you're not and behind an ISP NAT).

  8. Re:Internet Explorer by maxwell+demon · · Score: 3, Interesting

    Of course you can win. All you have to do is to build up a massive surveillance system yourself. Then you know exactly who is trying to listen to you with which methods, and can enact appropriate countermeasures. :-)

    --
    The Tao of math: The numbers you can count are not the real numbers.
  9. Re:Internet Explorer by jakimfett · · Score: 3, Interesting

    As a web developer, I have to disagree. Strongly. Not only does IE10 bring its own set of (annoying and visually breaking) problems, but it disables all the hacks we (used to) use to fix the appearance of things in previous browsers.

    That said...from a "standards compliance" perspective, IE has made some marginal improvements. Marginal. At best.

    --
    Bits of code, random ramblings: jakimfett.com
  10. Re:Internet Explorer by mwvdlee · · Score: 4, Interesting

    Not enough, apparently.
    Only two posts celebrating MS security since he opened his account a few days ago is far too few.
    Even if those two are the only posts he's made as yet.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  11. Re: Lynx by Anonymous Coward · · Score: 2, Interesting

    Exactly what I was thinking. Which is why I would recommend NetSurf. It's fast, functional, and can use the frame buffer. It does not have Flash or JavaScript and uses its own rendering system.