It’s not very clear what the probability of having your password leaked in a breach / having your email read / having your laptop being remotely disabled and wiped (unless you pay the creator Bitcoin) is. But one of these will probably happen to you in your lifetime, so I would take 10 mins to mitigate them now.
There is no absolute security; it’s always partial and relative to a goal. This guide is aimed at “not losing control of your accounts, not being surveilled by companies or criminals, not having your online banking subverted, not getting infected by trojans or ransomware or whatever”. It’s strictly for people with average risks: not that much money, not much tech cred, not much sensitive information to protect.
Most of this article assumes you’re using Firefox, because Chrome (and Google services on other browsers) is or was an attack itself. That is, it protects you very well against everyone except Google. Firefox is also significantly faster than Chrome in Private mode. It’s not a big deal compared to the other parts of this list; you’ll just need to find alternatives to the add-ons I recommend.
First: password hygiene
Attack: password cracking
If people hack a website you’re registered on, they can easily get the ‘hash’ of your password (its scrambled, one-way-encoded form) even if the site owners do everything right. These can eventually be cracked by brute force, and then they have your password. To prevent this common occurrence, we need our passwords to be very long (16+ characters) and to contain no English words. You also want a different password for each site, so that one cracked hash doesn’t open up all of your accounts at once. So, easy: we want passwords that are too hard to remember, and we must never reuse any of them.
Mitigation: a ‘password manager’, for instance the free, open-source, cross-platform KeePassX. Keep the database file on several devices, on a thumb drive, and in an offsite copy. You can put it in the cloud if you think you’re likely to lose those. LastPass and 1Password seem fine, maybe a bit slicker and more friendly, but they cost money.
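As an added example (not from the original post), a small script that checks a candidate password against the rules above (16+ characters, no English words, never reused across sites) and generates one from a CSPRNG; the word list and the site-to-password vault in it are constructed stand-ins for a real password database.

```javascript
// Added example, not the post's own code. The word list and vault below are constructed.
const COMMON_WORDS = ['password', 'love', 'dragon', 'monkey', 'summer', 'welcome', 'hello'];

// Worst-case guesses for an alphabet of `charsetSize` symbols and `length` characters.
// BigInt because 95^16 is far beyond a double's exact integer range.
function guessCount(charsetSize, length) {
  return BigInt(charsetSize) ** BigInt(length);
}

// Returns the list of rule violations; an empty list means the password passes.
// `vault` maps site -> password, standing in for the password manager database.
function checkPassword(pw, vault = {}, words = COMMON_WORDS) {
  const problems = [];
  if (pw.length < 16) problems.push(`too short: ${pw.length} < 16`);
  const lower = pw.toLowerCase();
  for (const w of words) {
    if (lower.includes(w)) problems.push(`contains English word "${w}"`);
  }
  const reusedOn = Object.keys(vault).filter((site) => vault[site] === pw);
  if (reusedOn.length) problems.push(`reused on ${reusedOn.join(', ')}`);
  return problems;
}

const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=?@^_~';

// Generates `length` characters with rejection sampling so every symbol is equally likely.
// `randomBytes(n)` must return n cryptographically random bytes (default: Web Crypto).
function generatePassword(
  length = 20,
  randomBytes = (n) => globalThis.crypto.getRandomValues(new Uint8Array(n)),
) {
  const limit = 256 - (256 % ALPHABET.length); // bytes >= limit are rejected (modulo bias)
  let out = '';
  while (out.length < length) {
    for (const b of randomBytes(length)) {
      if (b < limit && out.length < length) out += ALPHABET[b % ALPHABET.length];
    }
  }
  return out;
}
```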
Attack: password phishing
People can create convincing clones of websites just so you give them your password freely. (This isn’t just about human inattention: attackers can register URLs which look exactly like the real one.)
Mitigation: Password manager / no password reuse.
Real mitigation: 2FA everywhere you can, Yubikey. If the site doesn’t ask you for the access code from your phone, you should immediately change your password (from the top search result for that site).
Cognitive burden: once you have the Master passphrase memorised (not hard, give it a couple days): much less than remembering 40 different passwords.
Attacks: IP tracking, unencrypted traffic, ISP logs, public wifi spoofing
The problem a VPN solves optimally is internet requests by non-browser apps. If you use e.g. Linux’s built-in VPN client, everything goes through
(NB: Modern browsers have this useful thing called WebRTC. It leaks your IP, so if you really want to hide that you’ll need to go into about:config and set media.peerconnection.enabled to false. uBlock seems to fix this too.)
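An added self-check (not from the original post) for the WebRTC leak described above: run in a browser, it opens a throwaway peer connection and lists the addresses its ICE candidates expose, so you can confirm that the about:config change or your VPN actually hides your IP. The STUN server URL is a placeholder, and the candidate lines used for testing are constructed.

```javascript
// Added example, not the post's own code. STUN_URL is a placeholder; pick a server you trust.
const STUN_URL = 'stun:stun.example.org:3478';

// Parses one ICE candidate line into { ip, type }, or null if it is not a candidate.
// Field order: candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type>
function parseCandidate(line) {
  const m = /candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)/.exec(line);
  if (!m) return null;
  return { ip: m[1], type: m[2] };
}

// Distinct addresses exposed by a list of candidate lines. A `.local` address is an
// mDNS name the browser substitutes for the real LAN IP, so it is not counted as a leak.
function leakedAddresses(lines) {
  const out = new Set();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (c && !c.ip.endsWith('.local')) out.add(`${c.ip} (${c.type})`);
  }
  return [...out];
}

// Browser-only: gathers candidates for ~2 s and resolves with leakedAddresses().
// Resolves with ['WebRTC disabled'] when RTCPeerConnection is absent, i.e. after the fix.
function checkWebRtcLeak() {
  return new Promise((resolve) => {
    if (typeof RTCPeerConnection === 'undefined') return resolve(['WebRTC disabled']);
    const pc = new RTCPeerConnection({ iceServers: [{ urls: STUN_URL }] });
    const lines = [];
    pc.onicecandidate = (e) => { if (e.candidate) lines.push(e.candidate.candidate); };
    pc.createDataChannel('probe'); // needed so the browser starts ICE gathering
    pc.createOffer().then((offer) => pc.setLocalDescription(offer));
    setTimeout(() => { pc.close(); resolve(leakedAddresses(lines)); }, 2000);
  });
}
```

Paste it into the browser console and call checkWebRtcLeak().then(console.log); with the setting off you should see only ['WebRTC disabled'], and with a working VPN the srflx address should be the VPN exit, not your home IP.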
Even when the URL is real, vulnerabilities in the original internet protocol mean people can sometimes insert themselves in between your data and the receiving site. This is lethal (think online shopping, online banking). The HTTPS Everywhere add-on prevents this where it can.
Attack: Tracking and fingerprinting
- Cookie Autodelete. This add-on deletes cookies (files placed on your computer to identify you) when the tab is closed. Good compromise.
- AdNauseam. uBlock plus trolling: clicks every ad it finds (without loading them), which thus undermines the tracking surveillance system by injecting large amounts of noise. (Real clickthroughs are rare.) Just use uBlock or AdBlockPlus if you have rule-utilitarian scruples.
- Privacy Badger. Overlaps a bit with AdNauseam. Seems to cover the use case for Disconnect and Ghostery.
- DuckDuckGo. Zero-tracking search engine. Not quite as good as Google but it includes a built-in “use Google safely” command.
- RandomUserAgent: changes the device and browser you’re reporting, at random. Sometimes breaks things.
Attack: email surveillance
Not a lot you can do, short of undertaking the 100-hour hell of running your own mail server. Try a Swiss company, e.g. Protonmail (they have no public data-sharing agreement with the Five Eyes, and there are constitutional protections for foreigners).
No whois entry on your sites. People will try and charge you £10 for this but it is mandated by GDPR so shop around.
Attack: tracking over CDNs
A new clever attack: identifying you by your repeat requests to a public Content Delivery Network. The add-on DecentralEyes foils this by keeping a copy of commonly used files in your cache.
Total annual cost: $40 ($40 VPN, $2 USB drive for your password DB)
Daily time cost: 10 seconds adding particular NoScripted scripts. Once you get the KeePass keyboard shortcuts in your muscle memory it is faster than typing.
Whenever you install a browser add-on, you’re allowing unknown code to execute on your machine, behind NoScript. Processes are “sandboxed” in modern browsers - that is, browser malware is unlikely to break into your main OS account - but this is still a risk.
However, you can be very confident in EFF products - HTTPS Everywhere, Privacy Badger - and relatively confident in popular open-source add-ons like NoScript, Cookie-Autodelete, uBlock, and RandomUserAgent, especially if you built from source.
More things you could do:
- Turn off these Firefox configs.
- Get Linux (99%+ of malware doesn’t work on it, and there’s strong prevention of state backdoors and ‘security through obscurity’ zero-days).
- Add an additional keyfile for Keepass, on a USB. This is too far for me. You’d want it attached to your body.
- Tor. Slow!
- Faraday wallet for phone and contactless card. Obviously this prevents all incoming calls too.
- Airgapping one of your computers.
- Consider not using Chinese hardware.
- Consider not using American hardware.
- Consider not using Kaspersky (involuntary aid).
- Two-factor authenticated bank.
- Store a PGP key somewhere public (e.g. Keybase): makes it possible to authenticate yourself without identifying documents. (Softening the blow of identity theft, preventing chronic lulz).
- Life / work separation. Never shop at work, never work on your home computers. This makes two of you, with two different attacks (and sets of attacks) needed.
- Against reward hacking (that is, being distracted with push notifications and infinite feeds): Just don’t have a smartphone, or keep it in your bag and use a dumbphone for interpersonal alerts. Also ImpulseBlocker.
Here’s a good tool for seeing if this does the trick.
Note that you’re not going to stop any nation-states except via perfect paranoia, the kind which makes the above look sloppy and carefree. Luckily, that effort is not worthwhile for almost anyone.