{Article} Privacy Badger Is Changing to Protect You Better
-
@Catweazle Well, i admit that til now i had not recognised that
TunnelBears
were a clear & present danger for which i needed aBlocker
:face_with_stuck-out_tongue_winking_eye:This is far from encouraging:
Updated
17 December 2018Tbh, today's revelation about PB, coupled with my growing historical dissatisfaction with it anyway, has made me question the whole point of bothering with this type of non-granular extension, which IMO would include TBB. Given that i remain tremendously impressed with the extensive protections afforded to me by uMatrix, & given my desire to minimise the total number of installed extensions,
i shan't be bothering even to install TBB to play with it.Oh stuff it, i tried it for 2' in my Testing profile, before removing again. Unless there's more to it than i found during that extremely cursory play, then these simply do not cut the mustard for me:
-
I uninstalled PB a long time ago, it's benefit was questionable to begin with. IMO, as much as I love the other work the EFF does, they're not a stellar software shop. I no longer use any of their extensions.
Things may have changed since I first read about TBB, but my understanding then was that it was a fork of UBO that was more limited in its configurability. That's not an improvement in my opinion, and I see no reason to replace uBO on systems I maintain, or what I recommend to others.
-
Ok, I'm going to listen to you, I'm not that expert in these cases and I have to trust what they say on the official website.
There are alternatives, just because I also have Trace (OSS) on hand, which I think is quite valid .
I use also uBO apart.
I have also tried CyDec for a season in the past, but this is too extreme and will break a lot of pages if I don't remove some of its protection. This seems to me to be more suitable for business use. (all tests in Browserleaks with fake data or n/a) -
@Catweazle you have to be very careful with spoofing the data trackers receive. It's possible to make things worse rather than better. Yeah, they don't get your actual information, but it can combine into an impossible and/or more unique fingerprint. How effective spoofing techniques are remains a somewhat debatable subject. Personally, I don't bother with it, o think it's too much work, with exception of spoofing my UA every so often for a site that doesn't like Vivaldi or for testing purposes. Most of the time, my UA spoofing extension is disabled in the browser, not just in the extension itself.
For protection against tracking, nothing beats a default deny/allow exceptionally config in my opinion. It doesn't matter what data you would send to trackers if you never connect to the servers.
-
@BoneTone , I know, but it's one thing to hide the fingerprint and another to randomize it, making it impossible to identify anything. CyDec does this in a massive way, offering not only fingerprints, but also all other with randomized data. This in extreme case, activating all the protections, both in Trace and in CyDec, breaks many pages, making them inaccessible, this is the only problem, not the possible identification. These extensions therefore require to be configured to have the best protection without having a white screen on YouTube or other sites (in Trace by default), in CyDec it may happen that you appear as posting through IE and Smartphone from Alaska
-
@Catweazle said in {Article} Privacy Badger Is Changing to Protect You Better:
another to randomize it, making it impossible to identify anything
That's the thing, randomizing that stuff doesn't make it impossible identify users, or even accurately guess the correct values. Researchers have had success training their models on shockingly small datasets, much smaller than any tracking company would have. Spoofing puts one into a much smaller population than not. While researchers have had success at guessing the true values of certain data, that's not really the goal of fingerprinting. They don't care what your list of extensions are, or what order you installed them, or what your screen resolution is. They just want to tie a session to a profile, and no kind of spoofing makes that impossible. The only thing that makes it impossible is not connecting to trackers.
In some ways heavy blocking makes browsing less convenient, but in other ways it's more convenient. Most of the work occurs after initially setting up a default deny configuration, but fairly quickly the sites one visits frequently have the necessary exceptions configured and no more work is necessary for them to behave as desired.
Edit: fixed typos in first sentence.
-
@BoneTone , I don't use "heavy blocking", but Trace give me in"normal blocking" good results, avoid tracking and webs too curious.
I have tried CyDec in the past and it really seemed too extreme, with the extension that works in conjunction with a desktop app shielding against fingerprinting at all levels and certainly a normal navigation result difficult, by preventing me from accessing many pages. This may be interesting for certain companies and CyDec also mentions it on the official website, which is mainly aimed at this type of use at the business level.
Trace instead is at the moment the best alternative for PB, with similar protection in the 'normal' configuration, but with the possibility of sometimes putting it with an extreme blocking, if necessary. -
As @BoneTone said:
"For protection against tracking, nothing beats a default deny/allow exceptionally config in my opinion. It doesn't matter what data you would send to trackers if you never connect to the servers."
What to worry about the 16 sites Ghacks normally connect if they not connect at all?
-
@barbudo2005 , waht webs know about you, you can test in Browserleaks and adjust your blockings according to the results.
-
@Catweazle said in {Article} Privacy Badger Is Changing to Protect You Better:
Trace instead is at the moment the best alternative for PB
Eh, I'd say uBlock Origin and/or uMatrix are the best alternatives. Certainly that's what I have used since uninstalling PB quite some time ago. But I admittedly don't know Trace that well, and it could be equivalent to uBlock Origin. That graphic doesn't provide a lot of detail, though it's reminiscent of the blocking modes in UBO.
-
@Catweazle said in {Article} Privacy Badger Is Changing to Protect You Better:
@barbudo2005 , waht webs know about you, you can test in Browserleaks and adjust your blockings according to the results.
Tools like that provide only a partial picture of what can be collected & tracked. I haven't looked very recently, but I've never seen a complete one. Many often state that they are knowingly not using techniques that are known to be used by trackers, though they too frequently bury this info in non-obvious locations that can be difficult to find. I would be very wary of using any such tool as confirmation of protection. And as research has indicated, things like this displaying inaccurate info doesn't prevent people from still tracking you or determining the correct info.
Edit: it is just simpler and more effective to block than to try to deceive.
-
@BoneTone said in {Article} Privacy Badger Is Changing to Protect You Better:
it is just simpler and more effective to block than to try to deceive
uM with default-deny policy, thence individual sites let thru' on exception basis, just seems so obvious to me... but before i learned this, it was not obvious at all - ha!
-
I am using LocalCDN a fork of Decentraleyes (more frameworks and update more regularly)
https://codeberg.org/nobody/LocalCDN
https://chrome.google.com/webstore/detail/localcdn/njdfdhgcmkocbgbhcioffdbicglldapd
Are you using one of them?
-
@Steffie and uMatrix, by virtue of not being list based, doesn't need to receive regular updates of what new tracking sites exist. Lists still remain useful, especially as one is granting exceptions to provide visual guidance on what not to allow. When everything is initially blocked, however, obviously nothing is getting through. I even block first-party abilities by default.
-
@barbudo2005 I've been using Decentraleyes but I'll give this one a look when I find some time. Thanks.
-
@BoneTone said in {Article} Privacy Badger Is Changing to Protect You Better:
by virtue of not being list based
I hope i phrase this appropriately to not mislead, because i am not seeking to actually criticise or mock list-based methods, only place them in a proper perspective. All i do want to mention though is that at no point [even before discovering uMatrix years ago] did i feel "comfortable" about lists. I simply could not get it out of my mind that by definition the instant a given list is produced, it is on the path to obsolescence, when the "digital playground" [or rather, sadly more apt i suspect, the digital battlefield] in which it operates is so hyper-dynamic. I never could stop regarding lists as being merely digital whack-a-mole.
-
-
@Steffie said in {Article} Privacy Badger Is Changing to Protect You Better:
on the path to obsolescence,
You know I generally agree with the point, but even with uMatrix they remain useful... think of the sites that are "below the fold"... you almost never grant those exceptions. *Parts* of the lists will become obsolete, but never the lists themselves as long as they continue to be maintained. But your point about them being dated the moment they're released stands, which is what I think you were getting at. Even as you receive the update, there are likely some entries that are no longer necessary, and some servers are without a doubt not included. That's why we have so many lists in our settings -- different maintainers have different criteria. Some lists, to remain available for users, remove certain sites due to legal threats, necessitating the use of even more lists. Such is the state of the world.
I know some like to call the whole functionalclam episode an example of the Streisand effect, but it wasn't. The most popular blocker now doesn't include their servers as blocked (and worse is intentionally crippled by its developers for cash). The Streisand effect did not happen, except for those few users who are aware of the incident, and who then took action to add another list to their config. They reduced the number of people who are blocking them, the DMCA threat was successful.
Fortunately, someone with DMCA experience stepped in and literally challenged them to DMCA the list that person put out. It didn't happen, probably because the user of that list is so small, I don't know of any tool that includes it by default. But that person is apparently ready to fight it legally should it occur, which I don't anticipate happening any time soon if ever.
Back to the lists, and I apologize for the rambling, they remain useful if imperfect. Even within uMatrix and any other similar tools that might exist. There will always be a useful place for known bad sites. Just as a default deny firewall will remain the best protection for any foreseeable future. The two in unison are currently the best protection I can imagine.
-
@barbudo2005 Those stats don't really mean much to me. There's no comparison, nor any history of sites visited. But, I still appreciate the heads up, and when I've got the time will investigate the tool, possibly replacing Decentraleyes with it.
A neighbor just had her home robbed today. As I was explaining to others, it's good practice to revisit your threat model at least annually, and reevaluate the mitigations you've put in place. I'll be auditing or home security this weekend, and fixing any issues in the coming week. Poor woman, we've opened our home to her, even in this current pandemic. She knows that should she feel the need, she can immediately come to us for safety. It's not about the value of the material things they stole, though that sucks horribly. It's the theft of the feeling of being safe in your own home that is most violating. F... I'm about to tear up again. I've experienced this, and the material loss was minimal, nothing compared to hers, still it affected my life deeply.
Almost none of us really care about nation-state actors, the threat they present is extremely small in comparison to others. And the cost of mitigating against those threats is far too great to implement. It's the personal safety that is top priority, followed closely by personal data, with material possessions having high priority but incomparable to personal safety.
So, just because of today's events, I'd like to remind folks while they're thinking about their browser security to also sirens at least as much time on home security. Outside door jamb reinforcements, bump proof locks, security cameras and 24/7 monitoring on their alarms. And know a neighbor or two at least, someone you can run to in times of crisis.
Stay safe everyone. One love.
-
@BoneTone said in {Article} Privacy Badger Is Changing to Protect You Better:
them being dated the moment they're released stands, which is what I think you were getting at
Yes, indeed that was/is my point. My use of the word "obsolescence" possibly caused unintended misdirection, rather maybe i should have said "out-of-date / superseded", ie, no matter how wonderfully well a given list might have been curated at t=0, once it is released it is "frozen" until its next revision, but in all the time elapsing in-between, that toxic swamp that is the current web rolls on fast, & the profit-driven bad-actors definitely don't stand still.
If i were to give a Linux metaphor, IMO lists are the fixed-release distros whilst uMatrix [& to a lesser extent uBO, but damn few others afaik] are the rolling-distros... automatically up to date by design [more or less; the metaphor is certainly imperfect]. By a time just before the next fixed-release ISO drops [= the next list update], the staleness of the packages is maximised.
In no way do i criticise the list-component of uBO & uM, but i merely emphasise that if ALL these two defences had was lists, & thus if we did not have such fabbo user-amenable dynamic filtering rules, then they'd be no better than all the rest of the inferior defences. It is specifically the availability of this dynamic filtering that makes we users of these tools so attracted to them. Thank goodness for Gorhill.