The update to OS X Lion disabled some of my Safari extensions and plugins. An update to the cookie manager plugin I was using is now 15 USD in the App Store. No thank you. As this trend is likely to continue and I'm not going to spend money on securing my web browser, I decided to switch to Chrome. It's also much faster than Safari.
(Why not Firefox? It's not only very slow on OS X but it's missing critical pieces such as a working whitelist cookie manager and integration with Keychain. All of the extensions I've tried are either amateurish ugly toys or don't work at all. And I need a WebKit browser anyway for testing my own software.)
Here is how I configured Chrome for acceptable privacy and security:
- Preferences > Under the Hood > Uncheck everything in the Privacy section
- Preferences > Under the Hood > Content Settings > (X) Block sites from setting any data
- Preferences > Under the Hood > Content Settings > (X) Ignore exceptions and block third-party cookies
- Install Adblock, select the "EasyPrivacy" list and add this list: http://adversity.googlecode.com/hg/Antisocial.txt
- Install Better Pop Up Blocker and configure it; I'm not blocking native alerts/dialogs of the browser, they are useful
- Install FlashBlock
You will now have to manage HTTP cookie, Flash ad player, and popup whitelists. Your strategy is to only allow trustworthy domains. All untrustworthy domains and trackers are automatically blocked; that includes crap like the Facebook button, Google Analytics, tracking pixels, etc.
Additionally, you should configure the global settings of the Flash plugin to storage space "None" and disable "third party Flash content". These Flash cookies will not be blocked by Chrome, even if you block HTTP cookies and "block sites from setting any data". You also want to delete all existing cookies. I haven't found an integrated whitelist manager for Flash LSOs in Chrome; that's where Safari was better. Clearing the HTTP cookies in Chrome now also deletes all Flash LSOs (and HTML5 local storage, which nobody wants either), but that is useless if you work with a whitelist policy. With a general Flash blocker and disabled Flash storage you should be fine though.
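Since there is no built-in whitelist manager for Flash LSOs, a small audit script can at least report which stored objects fall outside your whitelist. This is an added example, not part of the original post; the storage root and the `<root>/<random id>/<domain>/.../*.sol` layout are assumptions about the Flash Player on OS X, and the function names and sample domains are made up for illustration.

```python
import os
import tempfile

# Assumed default Flash Player storage root on OS X (not stated in the post).
DEFAULT_ROOT = os.path.expanduser(
    "~/Library/Preferences/Macromedia/Flash Player/#SharedObjects")

def is_whitelisted(domain, whitelist):
    """True if domain equals a whitelisted domain or is a subdomain of one."""
    domain = domain.lower().rstrip(".")
    return any(domain == w or domain.endswith("." + w) for w in whitelist)

def audit_lsos(root, whitelist):
    """Return sorted (domain, path) pairs for .sol files outside the whitelist.

    Assumed layout: <root>/<random id>/<domain>/.../<name>.sol
    """
    whitelist = {w.lower().lstrip(".") for w in whitelist}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        parts = os.path.relpath(dirpath, root).split(os.sep)
        if len(parts) < 2:  # still at the root or the random-id level
            continue
        domain = parts[1]
        if is_whitelisted(domain, whitelist):
            continue
        for name in files:
            if name.lower().endswith(".sol"):
                findings.append((domain, os.path.join(dirpath, name)))
    return sorted(findings)

def build_sample_tree(base):
    """Constructed sample data: four empty LSOs under a fake random-id dir."""
    for rel in ("AB12CD34/bank.example/settings.sol",
                "AB12CD34/cdn.bank.example/player/prefs.sol",
                "AB12CD34/tracker.invalid/ads/id.sol",
                "AB12CD34/notbank.example/x.sol"):
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for domain, path in audit_lsos(tmp, ["bank.example"]):
            print(domain, path)
```

The match is on a dot boundary, so `notbank.example` is reported even though it ends in `bank.example`. To check a real profile, pass `DEFAULT_ROOT` and your own whitelist to `audit_lsos`.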
You are still vulnerable to several infection vectors of Evercookie, such as the cached PNG identifier. Fortunately, as far as I can tell, the advertising bastards haven't figured out yet how to deploy this on their servers.
