mide

Protecting Your Privacy

Saturday, May 14, 2016

Why Privacy is Important

Privacy is a very hot topic right now with advertisers trying to deliver relevant ads and the potential for businesses or governments trying to peek into your personal doings for more information.

While I could go down a deep rabbit hole of government spying concerns, I'm going to keep this focused on businesses and advertisers whose business model depends on your information. For more information on what I mean, check out the Interactive Do Not Track Documentary, an awesome project showing how your data makes people money.

If you feel that you have nothing to hide and this doesn't impact you, please email me with your bank accounts and complete internet browser history. It's never been about having something that needs to be hidden; it's the fact that it's none of my business which websites you browsed on Friday evening or how you spent your last paycheck.

Steps I've Taken

I've taken a few steps to make privacy easier for my visitors. Keep in mind that while I'm privacy conscious, many websites aren't.

Google Analytics Deletion

I recently decided to disable Google Analytics. While it provided me with some great insight into the visitors of my website, I made the conscious decision that my visitors' privacy was not worth my curiosity factor.

I have not replaced the functionality of Google Analytics with another tool (like Piwik or others), but it's worth mentioning that AWS CloudFront is collecting some of this information (see the Tin Foil Hat section below).

HTTPS Addition and Automatic Redirection

I have moved my website hosting away from GitHub Pages because of its lack of TLS support. With the advent of free and automated certificate authorities like Let's Encrypt and AWS Certificate Manager, there is no reason not to add TLS onto websites and support end-to-end encryption for all browsing.

I now use AWS S3 to host my website and the AWS CloudFront CDN to serve it. The TLS certificate is generated and managed by the AWS Certificate Manager.

Assets Moved to Personal Domain

In an effort to keep my codebase small, I've been reluctant to add assets (photos, videos, etc) to it. This required me to host assets elsewhere, preferably for free or cheap. I previously used the following websites for asset hosting:

Each location where I hosted a file was another external request that a visitor would be required to make, and thus another opportunity for tracking to occur. It's possible that one of the hosts correlates visitors across multiple source domains by inspecting the requests.

All my assets have been moved to assets.mide.io, another domain under my control. My visitors no longer need to send requests to third party domains to view my content. This has the added bonus of reducing my dependencies on external sources.

Embedded Content Removed

I previously embedded YouTube videos and SoundCloud sound clips into my blog entries to make things easier and more active for my viewers. However, I realized just how many assets each of these additions was pulling in.

If the embedded content didn't set any cookies or run any scripts, it still performed a request to fetch the content from a different source. I want my visitors to know explicitly when they're viewing content from a site other than my own, and I have achieved that by requiring a click of a link.
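The difference between content a browser fetches on page load and content reached only by a click can be audited from the page's HTML. The following is an added example, not code from this site: the `audit` function and class name are hypothetical, and the sample markup (including the `analytics.example` host and `VIDEO_ID`) is constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs a browser requests automatically while rendering.
# Simplification: every <link href> is counted, including non-fetching rels.
AUTO_FETCH = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("audio", "src"),
    ("video", "src"), ("source", "src"), ("embed", "src"), ("link", "href"),
}

class ThirdPartyAudit(HTMLParser):
    # Separates hosts contacted on page load from hosts reached only by a click.
    def __init__(self, page_url, first_party):
        super().__init__()
        self.page_url = page_url
        self.first_party = first_party.lower()
        self.auto_hosts, self.click_hosts = set(), set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            # Resolve relative and protocol-relative URLs against the page URL.
            host = (urlsplit(urljoin(self.page_url, value)).hostname or "").lower()
            if (not host or host == self.first_party
                    or host.endswith("." + self.first_party)):
                continue  # mailto:, same site, or a subdomain under our control
            if (tag, name) in AUTO_FETCH:
                self.auto_hosts.add(host)
            elif (tag, name) == ("a", "href"):
                self.click_hosts.add(host)

def audit(html, page_url, first_party):
    """Return (hosts fetched on load, hosts reached only after a click)."""
    parser = ThirdPartyAudit(page_url, first_party)
    parser.feed(html)
    return sorted(parser.auto_hosts), sorted(parser.click_hosts)

# Constructed sample page: a first-party asset, an embedded player, a
# protocol-relative third-party script, an outbound link and a local link.
SAMPLE = """
<img src="https://assets.mide.io/photo.jpg">
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<script src="//analytics.example/ga.js"></script>
<a href="https://soundcloud.com/some-clip">Listen on SoundCloud</a>
<a href="/blog/next-post">Next</a>
"""

if __name__ == "__main__":
    print(audit(SAMPLE, "https://www.mide.io/privacy", "mide.io"))
```

An empty first list means a visitor's browser contacts no third-party host until the visitor chooses to follow a link.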

Tin Foil Hat Considerations

HTTP to HTTPS Redirection

I do not control the servers that perform HTTP to HTTPS redirection. It is possible that the HTTP server performs tracking based on requests. It is also true that third parties (like employers or internet providers) are able to see the initial HTTP request to http://www.mide.io and could perform tracking based on that.

Some websites employ HTTP Strict Transport Security, a mechanism that causes servers to instruct clients to only communicate over secure channels for some length of time. This policy will cause the browser to perform HTTP to HTTPS redirections before requesting any content from the server, making man-in-the-middle attacks much more difficult. I do not currently have this enabled for this domain.

If this is a concern of yours, always make sure you type in https:// for the website you're visiting or use a browser addon like HTTPS Everywhere.

Lack of Control over TLS Certificate and Key

I do not have control over the TLS private key; it's stored within Amazon's services. Amazon is the entity performing the decryption and the serving of content, so they could be logging and gathering metrics on requests. In fact, CloudFront does collect some information from visitors, as can be seen from their Viewers Report.

In an ideal situation, I'd be the only one with access to the private key and the server would be physically and digitally under my control. But this isn't cost effective for me, so this is a compromise that I have to make for now.

DNS Lookup Privacy Leaks

When you type www.google.com into your web browser, it will perform a DNS lookup to translate google.com to 216.58.217.142 (for example). This lookup occurs in plaintext and is answered by your DNS server.

Whoever your DNS provider is (Google, OpenDNS, your provider, or others), they are able to see the DNS lookup for the website you're visiting. The DNS query doesn't reveal any content, but it does reveal that you're visiting that website. For example, if you visit my website, mide.io, your provider will know that you're visiting mide.io because you performed a DNS query for the domain in cleartext.

Domain Name System Security Extensions (DNSSEC) solve some authenticity issues, but do not provide any confidentiality in queries.

Steps You Can Take

Browser Options

Tools

Review Local Laws

Some jurisdictions prohibit the use of strong encryption or anonymizing software. Consult your laws before taking any actions. I am not responsible if you get in trouble for advice you read on the internet.

Resources

Conclusions

Privacy isn't a switch you can turn on; it's a whole lifestyle of decisions. But don't fret, for there are helpful actions you can take at every level. Just remember, once something is public, it's public for good.