Open source privacy tools µBlock and µMatrix

In the past we have been giving some attention to the tools Adblock Plus and RequestPolicy when we talked about enhancing your privacy and security online.

“The user decides what web content is acceptable or not in their browser.” – µBlock manifesto

Today we want to introduce you to two alternative (open source) tools for this, made by Raymond Hill: µBlock and µMatrix.

µBlock

This is a simple tool, comparable to Adblock Plus, but it is open source, light-weight and very user friendly. It uses the same approach and block lists as Adblock Plus and has the main advantage of being more lightweight, as you can see in the graph below:

[image: ublock]

Source code and more information: https://github.com/gorhill/uBlock

µMatrix

This tool is comparable to RequestPolicy and, like RequestPolicy, is aimed at blocking non-first-party requests. It has a nice matrix that you can easily click to allow/disallow certain requests. I have found that it works much better, as it also allows related third-party domains. For instance redditmedia.com is not blocked on reddit.com, where RequestPolicy would block it.

[image: umatrix]

Source code and more information: https://github.com/gorhill/uMatrix

Installation

On the following links you find the installable extensions for Chromium and Firefox:

Conclusion

Both tools enhance your security and privacy online. They are easy to use and have great integration with the free Chrome (Chromium) browser. Unfortunately µMatrix is not yet available for Firefox, but this may only be a matter of time. I would highly recommend using both tools in your Chromium install, and I would also recommend µBlock on Firefox.

Ghostery lists Adobe TypeKit as privacy threat

The Internet tracker blocking program Ghostery now lists Adobe TypeKit (a very popular font service) as a privacy threat. I read about this first on WUWT:

I’ve gotten a few complaints this week from some overly paranoid people that say they can’t see WUWT anymore in Firefox, but can in Safari. The problem seems to be related solely to a browser extension called “ghostery” which is somehow flagging Adobe Typekit (used to provide custom fonts on WordPress) as some sort of malware.

Ghostery is not malware-blocking software (as you can read on Wikipedia). It is software that protects you against tracking while surfing the web, and IMHO you are not overly paranoid when you use it. In the comments somebody explains:

Fonts are very seductive tracking beacons. Honest people who would never consider installing a tracking beacon have no qualms about using served fonts, and there’s no difference between them. There is a lot of ignorance out there regarding data mining.

So maybe Ghostery is not listing Adobe TypeKit by accident? We see with Google Analytics that website owners are happy to pay for analytics with their visitors’ privacy. The same may apply to fonts (although TypeKit is not free). But before we accuse Adobe, let’s take a look at the Adobe TypeKit privacy policy:

In order to provide the Typekit service, Adobe may collect information about the fonts being served to your website. The information is used for the purposes of billing and compliance, and may include the following: …

So, one thing is for sure: Adobe TypeKit is in fact collecting data while serving fonts. This alone may be reason enough for Ghostery to block it. I did some research and verified that, in addition to the font files, TypeKit loads a 1 by 1 pixel GIF image with a URL like this:

http://p.typekit.net/p.gif?s=1&k=sgt5tia&app=&ht=tk&h=wattsupwiththat.com&f=...

In the privacy statement Adobe says they collect data “for the purposes of billing and compliance”, which seems reasonable. Also, the privacy policy has a list of data that they collect. None of the data on the list seems to be invading the privacy of the website visitor. So is this a big fuss about nothing? I’m not sure. If you pay close attention to the wording of the sentence you see that they chose to use “may include”. AFAIK “may include” does not imply “is limited to”. Also this “compliance” is not further specified. What do they need to comply with?
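To make the point concrete, here is an added example (my own code, not part of the original post or of Typekit) that decodes the query string of the beacon URL quoted above and classifies the requests of a page load as first- or third-party. Only the p.gif URL comes from the post (its “f=...” is kept abbreviated as on the page); the request list, the page host and the kit-script URL are constructed for illustration, and the registrable-domain logic is a deliberate simplification. Note that the visitor’s IP address and user-agent string travel with every request to p.typekit.net anyway; the “h” parameter additionally tells Adobe which site the visitor is on.

```python
from urllib.parse import urlsplit, parse_qsl

# The beacon request quoted above; "f=..." is abbreviated on the page and is
# kept that way here.
BEACON_URL = ("http://p.typekit.net/p.gif?s=1&k=sgt5tia&app=&ht=tk"
              "&h=wattsupwiththat.com&f=...")

# Constructed list of requests a browser might make while loading the blog
# (not a real capture): the page, a first-party stylesheet, a Typekit kit
# script, the beacon and an analytics script.
PAGE_HOST = "wattsupwiththat.com"
SAMPLE_REQUESTS = [
    "https://wattsupwiththat.com/",
    "https://wattsupwiththat.com/wp-content/themes/sample/style.css",
    "https://use.typekit.net/sgt5tia.js",
    BEACON_URL,
    "https://www.google-analytics.com/ga.js",
]


def beacon_parameters(url):
    """Query parameters of a beacon URL as (key, value) pairs, blanks kept."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def registrable_domain(host):
    """Last two labels of a host name. This is a simplification that ignores
    the public-suffix list (it mis-handles names such as example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(page_host, url):
    """True when the request goes to a different registrable domain."""
    host = urlsplit(url).hostname or ""
    return registrable_domain(host) != registrable_domain(page_host)


def looks_like_beacon(url):
    """A tiny image fetched with a query string is the classic tracking-pixel shape."""
    parts = urlsplit(url)
    return parts.path.lower().endswith((".gif", ".png")) and bool(parts.query)


def classify(page_host, urls):
    """(url, party, beacon?) for every request in the load, in order."""
    return [(url,
             "third-party" if is_third_party(page_host, url) else "first-party",
             looks_like_beacon(url))
            for url in urls]


if __name__ == "__main__":
    print("beacon parameters (h names the site the visitor is on):")
    for key, value in beacon_parameters(BEACON_URL):
        print(f"  {key} = {value!r}")
    print("requests:")
    for url, party, beacon in classify(PAGE_HOST, SAMPLE_REQUESTS):
        print(f"  {party:<11} {url}{'  <- beacon' if beacon else ''}")
```

Run it as a script to see the parameter list and the per-request classification; feeding it a real request list exported from the browser’s network panel works the same way.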

Can Adobe TypeKit be trusted to respect our visitors’ privacy? Probably they can, but even after reading their privacy policy I’m not 100% sure. What do you think? Should I take off my tin-foil hat?

Be a pro: use font embedding, not font linking

If you want to use a font on your website you can load it by linking to an external server (using CSS or JavaScript). This is common practice and you will probably know about it if you worked with Google Fonts or Adobe Typekit. This is what we call “font linking”. The alternative is that you host the font yourself and use @font-face in your CSS to load it. You will need to upload the font in several formats to your server. This self-hosted approach is also called “font embedding”.

What is the difference?

With font linking you add the following HTML code to your website:

<link href='http://fonts.googleapis.com/css?family=Open+Sans' rel='stylesheet' type='text/css'>

While with font embedding you add the following CSS code:

@font-face {
  font-family: 'Open Sans';
  font-style: normal;
  font-weight: 400;
  src: url('open-sans-latin-regular.eot'); /* IE9 Compat Modes */
  src: local('Open Sans'), local('OpenSans'),
       url('open-sans-latin-regular.eot?#iefix') format('embedded-opentype'), /* IE6-IE8 */
       url('open-sans-latin-regular.woff2') format('woff2'), /* Super Modern Browsers */
       url('open-sans-latin-regular.woff') format('woff'), /* Modern Browsers */
       url('open-sans-latin-regular.ttf') format('truetype'), /* Safari, Android, iOS */
       url('open-sans-latin-regular.svg#OpenSans') format('svg'); /* Legacy iOS */
}

As you can see, it is easier to link the font, as you do not have to write extensive CSS or upload the 5 font files (eot, woff2, woff, ttf and svg) that font embedding requires.

Font linking is not allowed

Font linking does not work for offline content. Unlike font embedding, it requires requests to other services. Font linking may cause uptime worries, dependency issues (Great Firewall of China) and leaking of Personally Identifiable Information (PII). In some countries (like the Netherlands) it is even forbidden by law to share PII (like IP address and user-agent string) without explicit consent from the user to allow tracking. So, it is a simple choice, one would think, right?

Font embedding is also not allowed

Services like Fonts.com, MyFonts, Typekit, etc. do not allow font embedding; you need to link them. The reason: they have a “pay-per-use” business model. But isn’t it a bit strange that this type of usage (enforced by the licensing model) is actually restricted by EU privacy laws? The exception is Google Fonts, as their fonts are free to use and free to embed.
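If you want to find out where your own site still links fonts (and so sends each visitor’s IP address and user-agent string to another host), the following added example scans a page’s HTML and inline CSS for external stylesheets, scripts, @import rules and url() references and groups them by host. This is my own illustration, not code from the post or from any font service; the sample document is constructed (it reuses the Google Fonts link tag shown above next to a self-hosted @font-face block and a made-up font host, fonts.example), and the list of known font hosts is an assumption you should extend for your own setup.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Constructed sample page, not a real site: the Google Fonts <link> from the
# post, a local stylesheet, an @import from a made-up font host, a
# self-hosted @font-face block and a font-loader script.
PAGE_HOST = "www.example.org"
SAMPLE_HTML = """<html><head>
<link href='http://fonts.googleapis.com/css?family=Open+Sans' rel='stylesheet' type='text/css'>
<link href='/css/site.css' rel='stylesheet'>
<style>
@import url('https://fonts.example/css?family=Roboto');
@font-face {
  font-family: 'Open Sans';
  src: url('/fonts/open-sans-latin-regular.woff2') format('woff2'),
       url('/fonts/open-sans-latin-regular.woff') format('woff');
}
</style>
<script src="https://fonts.example/kit.js"></script>
</head><body>Hello</body></html>"""

# Assumed list of hosts used by the Google Fonts and Typekit loaders; any other
# external host is still reported, just without the "font host" label.
KNOWN_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com", "use.typekit.net"}

IMPORT_RE = re.compile(r"""@import\s+(?:url\(\s*)?['"]?([^'")\s;]+)""", re.I)
URL_RE = re.compile(r"""url\(\s*['"]?([^'")]+?)['"]?\s*\)""", re.I)


def css_references(css):
    """(kind, url) for every @import and url() in a stylesheet, deduplicated, in order."""
    seen = {}
    for match in IMPORT_RE.finditer(css):
        seen.setdefault(match.group(1), "import")
    for match in URL_RE.finditer(css):
        seen.setdefault(match.group(1), "url")
    return [(kind, url) for url, kind in seen.items()]


class ResourceCollector(HTMLParser):
    """Collect stylesheet links, scripts and inline-CSS references in document order."""

    def __init__(self):
        super().__init__()
        self.resources = []  # list of (kind, url)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
            if attrs.get("href"):
                self.resources.append(("stylesheet", attrs["href"]))
        elif tag == "script" and attrs.get("src"):
            self.resources.append(("script", attrs["src"]))
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.resources.extend(css_references(data))


def is_external(page_host, url):
    """Relative URLs have no host and are first-party; anything on another host is external."""
    host = urlsplit(url).hostname
    return host is not None and host.lower() != page_host.lower()


def external_resources(html, page_host):
    parser = ResourceCollector()
    parser.feed(html)
    parser.close()
    return [(kind, url) for kind, url in parser.resources if is_external(page_host, url)]


def font_linking_report(html, page_host):
    """Map each external host to its resources and whether it is a known font host."""
    report = {}
    for kind, url in external_resources(html, page_host):
        host = urlsplit(url).hostname.lower()
        entry = report.setdefault(host, {"font_host": host in KNOWN_FONT_HOSTS, "resources": []})
        entry["resources"].append((kind, url))
    return report


if __name__ == "__main__":
    for host, entry in font_linking_report(SAMPLE_HTML, PAGE_HOST).items():
        print(host, "(known font host)" if entry["font_host"] else "(other third party)")
        for kind, url in entry["resources"]:
            print(f"  {kind}: {url}")
```

For the sample page the report lists fonts.googleapis.com (a known font host) and fonts.example (an @import plus a script), while the self-hosted woff files are correctly left out because they are relative URLs on the site itself.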

It’s-a me, Mario! Let’s-a go!

Mario Ranftl (majodev) has created an extremely useful google-webfonts-helper (hosted on Heroku). If you want to know how it works, you can find the source on GitHub (collecting stars). It makes it very easy to self-host your fonts. The steps:

  1. Go to: https://google-webfonts-helper.herokuapp.com/fonts
  2. Select one of the 682 fonts from the menu on the left
  3. Copy-paste presented CSS code into your stylesheet in the directory “css”
  4. Download the zip file using the big blue button
  5. Unzip the files and upload them to your website in the directory “fonts”

Thank you Mario, that is super! Alternatively, if you have your own fonts and need them in such a convenient zip file, you may try fontsquirrel.com’s Webfont Generator. Let me know how you like these tools (or if you know any better) using the comments. Also, check out the discussion on Hacker News!

Now let’s start using fonts responsibly!

Use Ubuntu’s “hostapd” to monitor your smartphone

I don’t like smartphones at all. I do not like how people use them in bars and restaurants. I also don’t like that the phone is always online, especially since all kinds of “apps” and background processes are constantly leaking information about me. Call me a fool, but I’m worried about my privacy. Since my friends nowadays refuse to send me SMS (they rely solely on WhatsApp) I was getting socially isolated (showing up at cancelled events and so on). That is why I recently gave up my stubbornness and decided to buy a smartphone as well. Still, every day I wonder what (and how) my smartphone is communicating over the Internet. To get an answer to this question I decided to investigate.

Parts

[images: Sitecom WL-113 Wireless Network USB Adapter, Wireshark]

I had the above Sitecom (WL-113) USB wifi dongle lying around that could serve as an access point for my phone, so that I could peek into the communication on my PC using the excellent open source Wireshark software. This is a diagram of the infrastructure:

[image: wl-113_network diagram]

I am running Xubuntu 14.04 and I connected my USB dongle.

Preparation

First I ran “lsusb” to confirm the adapter was identified.

maurits@nuc:~$ lsusb
...
Bus 002 Device 024: ID 0df6:9071 Sitecom Europe B.V. WL-113 rev 1 Wireless Network USB Adapter

And yes it was. Great! Now to see what the system says about it when I connected it. Running “dmesg” showed me the driver that was loaded:

maurits@nuc:~$ dmesg
...
[20068.576242] usb 2-1.4: new high-speed USB device number 24 using ehci-pci
[20068.669492] usb 2-1.4: New USB device found, idVendor=0df6, idProduct=9071
[20068.669498] usb 2-1.4: New USB device strings: Mfr=16, Product=32, SerialNumber=0
[20068.669501] usb 2-1.4: Product: USB2.0 WLAN
[20068.669504] usb 2-1.4: Manufacturer: Sitecom
[20068.744236] usb 2-1.4: reset high-speed USB device number 24 using ehci-pci
[20068.837283] ieee80211 phy12: Selected rate control algorithm 'minstrel_ht'
[20068.837521] zd1211rw 2-1.4:1.0: phy12
[20068.855382] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready

To see whether the adapter was really there I ran “ifconfig -a” and yes it was and it was named “wlan0”:

maurits@nuc:~$ ifconfig -a
...
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:5387 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5387 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:634228 (634.2 KB)  TX bytes:634228 (634.2 KB)

wlan0     Link encap:Ethernet  HWaddr 00:00:de:ad:be:ef
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

I did get a little curious of what the dongle would look like on the inside, so I Googled for “zydas wl-113”. I found the following image on Wireless-Forum.ch:

[image: wl-113]

I also found a guy who had a Sitecom WL-113 with a Ralink 2571WF chip inside (probably not a “rev 1” model). But I am pretty sure mine has a ZyDAS 1211 as in the above picture (I did not open it up). Before we can do “nice” things with it, we need to see whether it supports “master mode”. This means that the dongle goes into a mode in which it behaves as an access point. Ubuntu has a tool called “iw” (install it with “sudo apt-get install iw”) that allows you to list the supported modes (amongst many other things) like this:

maurits@nuc:~$ iw list
Wiphy phy12
    ...
    Supported interface modes:
         * IBSS
         * managed
         * AP
         * AP/VLAN
         * monitor
         * mesh point

Bingo! Our dongle supports “AP” mode (many devices do not). You may want to try to put the adapter in master mode with the following command:

maurits@nuc:~$ iwconfig wlan0 mode master
Error for wireless request "Set Mode" (8B06) :
    SET failed on device wlan0 ; Operation not permitted.

But that fails. After reading the web a little I found that this does not mean that the dongle does not support it.

Installing “hostapd” the host access point daemon

You just need to install the “hostapd” program using “sudo apt-get install hostapd”. Before you can start hostapd you need to take a few steps. First I had to create the “/etc/hostapd/hostapd.conf” file with the following contents:

interface=wlan0
bridge=br0
driver=nl80211
ssid=MyNetwork
hw_mode=g
channel=7
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=3
wpa_passphrase=YourPassPhrase
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

Now edit the file “/etc/default/hostapd” and uncomment the “DAEMON_CONF” line and make it:

DAEMON_CONF="/etc/hostapd/hostapd.conf"

If we want the PC to temporarily act like a router we need to enable IPv4 forwarding:

sudo sysctl -w net.ipv4.ip_forward=1

Now you can start the “hostapd” access point software with:

sudo hostapd /etc/hostapd/hostapd.conf

If all goes well it should show:

maurits@nuc:~$ sudo hostapd /etc/hostapd/hostapd.conf
Configuration file: /etc/hostapd/hostapd.conf
Using interface wlan0 with hwaddr 00:00:de:ad:be:ef and ssid "MyNetwork"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED

If it does not work you may want to run the following:

sudo nmcli nm wifi off
sudo rfkill unblock wlan

This is because network manager has detected the wlan interface and grabbed it. If you need debug output you may run:

sudo hostapd -d /etc/hostapd/hostapd.conf

If you need even more debug output you may run:

sudo hostapd -dd /etc/hostapd/hostapd.conf

If this fails with the following message:

hostapd_free_hapd_data: Interface wlan0 wasn't started

Then execute:

sudo service hostapd stop

If it says it started (using “sudo hostapd”), but you actually don’t see the Wifi network on your smartphone then reconnecting the dongle and starting all over again may help. Note that the “hostapd” service will automatically be started on next boot.
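Two checks worth automating before starting hostapd, as an added example of my own (not code from the post or from the hostapd project): parsing the “iw list” output to confirm the adapter really lists “AP” (and not only “AP/VLAN”), and auditing hostapd.conf for settings you would not want on an access point that exists only so that you can watch your own phone. The post’s configuration uses wpa=3 (which accepts WPA as well as WPA2) and wpa_pairwise=TKIP; the hardened variant below keeps everything else the same but uses wpa=2 with CCMP only. The “iw list” excerpt is constructed from the post’s output, and the 8 to 63 character passphrase length is the WPA-PSK requirement hostapd enforces.

```python
# Constructed from the post's output: the interface-mode block plus the line
# that follows it in real `iw list` output.
IW_LIST_SAMPLE = """Wiphy phy12
    Supported interface modes:
         * IBSS
         * managed
         * AP
         * AP/VLAN
         * monitor
         * mesh point
    Band 1:
"""

# The post's hostapd.conf, verbatim.
POST_CONF = """interface=wlan0
bridge=br0
driver=nl80211
ssid=MyNetwork
hw_mode=g
channel=7
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=3
wpa_passphrase=YourPassPhrase
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
"""

# Same access point, WPA2 (RSN) with CCMP only; the WPA1-only wpa_pairwise
# line is dropped because wpa=2 never negotiates WPA1.
HARDENED_CONF = """interface=wlan0
bridge=br0
driver=nl80211
ssid=MyNetwork
hw_mode=g
channel=7
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=YourPassPhrase
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
"""


def supported_modes(iw_list_output):
    """Names listed under 'Supported interface modes:' in `iw list` output."""
    modes, in_block = set(), False
    for line in iw_list_output.splitlines():
        stripped = line.strip()
        if stripped.startswith("Supported interface modes:"):
            in_block = True
        elif in_block and stripped.startswith("* "):
            modes.add(stripped[2:])
        elif in_block and stripped:
            in_block = False  # the next section header ends the block
    return modes


def supports_ap_mode(iw_list_output):
    """Exact 'AP' only; 'AP/VLAN' on its own is not enough."""
    return "AP" in supported_modes(iw_list_output)


def parse_hostapd_conf(text):
    """key=value lines of a hostapd.conf, ignoring blanks and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd_conf(text):
    """Findings (strings) for WPA1, TKIP and an invalid passphrase length."""
    conf = parse_hostapd_conf(text)
    findings = []
    wpa = conf.get("wpa")
    if wpa != "2":
        findings.append(f"wpa={wpa}: WPA (version 1) is accepted; use wpa=2 for WPA2/RSN only")
    ciphers = (conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append("TKIP pairwise cipher enabled; use CCMP only")
    if not 8 <= len(conf.get("wpa_passphrase", "")) <= 63:
        findings.append("wpa_passphrase must be 8 to 63 characters")
    return findings


if __name__ == "__main__":
    print("AP mode supported:", supports_ap_mode(IW_LIST_SAMPLE))
    for name, conf in (("post", POST_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_hostapd_conf(conf) or ['no findings']}")
```

Pipe the real output in with something like “iw list | python3 check.py” after swapping the constants for stdin and a file read; the parsing does not depend on the sample text.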

Bridging to get Internet access

[image: bridge_configuration]

Now you may want to configure a bridge between eth0 (your Internet connection) and wlan0 (your dongle access point). First we remove the IP address from eth0. Then we add eth0 to bridge br0 (which already contains wlan0, because of the “bridge=br0” line in hostapd.conf). After that we bring the bridge up and let it do DHCP, which also adds a default route to the gateway:

sudo ifconfig eth0 inet 0.0.0.0
sudo brctl addif br0 eth0
sudo ifconfig br0 up
sudo dhclient br0

Now you should still be able to surf the Internet while you also have a software access point running on your computer. If you want to undo the bridge configuration you may run:

sudo ifconfig br0 down
sudo brctl delif br0 wlan0
sudo brctl delif br0 eth0
sudo ifconfig br0 down
sudo dhclient eth0

Permanent configuration (persist on reboot)

The IPv4 forwarding setting can be made permanent by uncommenting the following line in “/etc/sysctl.conf”:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

If you want to make the bridge configuration permanent you can add the following to “/etc/network/interfaces”:

iface wlan0 inet manual
iface eth0 inet manual

auto br0
iface br0 inet dhcp
        bridge_ports eth0

Note that this won’t work, since the network manager will still grab wlan0 and execute “rfkill”. To avoid this you can turn off the network manager completely (and permanently) with:

sudo service network-manager stop
echo "manual" | sudo tee /etc/init/network-manager.override

To re-enable the network manager simply do the opposite:

sudo rm /etc/init/network-manager.override
sudo service network-manager start

Capturing Wifi traffic with Wireshark

Now we can start Wireshark on the wlan0 interface using:

sudo wireshark -i wlan0

And we get nice output:

[image: wireshark_dump]

Using this tool I can record and analyze the communication of the apps I installed on my smartphone.

Links/sources

Figuring all the above out was not possible without the following websites:

Block Google and Facebook to improve Firefox privacy

[image: firefox]

Firefox, a browser built by the Mozilla Foundation, is in my opinion the best browser on the web. It is available on all major operating systems including Linux and Android. Unfortunately Firefox is not available for iOS. Firefox is “Committed to you, your privacy and an open Web” and on the Mozilla website they tell us that Firefox is:

  • Trusted: Designed to protect your privacy
  • Flexible: Designed to be redesigned
  • Fast: Faster than ever

On the Firefox privacy page Mozilla says:

We build Firefox with a mission to put you first, above all else.
We do it to keep you in control. We do it so you can browse without worry.
And we do it because no one else will. – Mozilla

I think it is widely accepted (and true) that your privacy is very much at risk when you are surfing the Internet. Firefox will protect your privacy (to some extent) if you tell it to, but you do have to tell it to do so. You can do this by clicking the menu button and then “Preferences”. This screen has a privacy tab and I strongly recommend that you configure the settings as strictly as shown in the screenshot below:

[screenshot: privacy]

Pay extra attention to the “Accept third-party cookies” and “Tell sites that I do not want to be tracked” options. Unfortunately this last feature just informs any third party of your preference, but it does not actually block the tracking. This is where AdBlock Plus comes into play.

[image: ad_block_plus_logo]

Download Adblock Plus here. After installing you can configure the AdBlock Plus icon (red stop sign) to be present in the toolbar (or not) by clicking the menu icon, clicking “Add-ons” and then the “Extension” tab on the left and then the “Preferences” button of AdBlock Plus. On the bottom there is a list of checkboxes and one is “Show in toolbar”.

[screenshot: adblockplus]

It is very convenient to have the AdBlock Plus icon in the toolbar (left from the menu icon) so that you can quickly disable it if that is needed. It may for instance happen that a site no longer shows you Facebook “Like” buttons and you are very desperate to “Like” something.

[screenshot: ad_block_plus_settings]

For the best experience I would disable “Show tabs on Flash and Java” and disable “Count filter hits”. In the filter preferences I have added three subscriptions and unchecked “Allow some non-intrusive advertising”, like this:

[screenshot: adblock_filter_preferences]

Most people install only “EasyList”, which is easy to find and mainly blocks advertisers. I also recommend the “Adblock Warning Removal List” to avoid any warnings that may appear due to the usage of AdBlock Plus. The other subscription you should have is “Fanboy’s Annoyance List”, which sounds unimportant but actually blocks all Google and Facebook tracking (and many other “annoying” things). I also use “EasyPrivacy”, which blocks further privacy threats. These subscriptions may not be available from the user interface, but this should not stop you. You can find them on the following link:

https://easylist.adblockplus.org/en/

AdBlock Plus will block the loading of elements that match the rules that are defined in the subscriptions. These elements can be visible or invisible (scripts or transparent tracking pixels). This does not only improve your privacy online, but also makes websites load faster. It actually matters a lot, as you can see from a quick experiment I did using Firebug. I executed a full page refresh on several websites with and without AdBlock Plus enabled. Below is a graph showing the loading time of each website with AdBlock Plus enabled compared to the loading time without AdBlock Plus enabled. You can see that all sites load faster with AdBlock Plus enabled (<100%), since the browser has to load fewer elements from the website:

[graph: website_loading_times]

This is the data I collected in my (single) run along some popular websites, which is used to draw the above graph:

           website   total   onload   total ABP   onload ABP   total ABP / total   onload ABP / onload
washingtonpost.com   12.06     6.98        5.12         4.72                 42%                   68%
       nytimes.com   11.35     5.72        6.84         4.28                 60%                   75%
             nu.nl    5.17     4.07        2.29         1.63                 44%                   40%
     microsoft.com    3.41     2.85        2.69         2.15                 79%                   75%
   mail.google.com   10.19     1.15        8.47         1.12                 83%                   97%
        google.com    1.58     1.06        0.89         0.84                 56%                   79%
           cnn.com    9.48     5.45        3.09         2.17                 33%                   40%
           bbc.com    3.42     3.05        2.09         1.82                 61%                   60%

So the bottom line is this: by protecting your privacy better, surfing the Internet will go faster. This is a well-kept secret that I share with you “because no one else will.”

About privacy and the ethics of blocking ads

Some people argue that you should not install ad blocking software, because blogs can only exist because banners bring income to the writers. Although I doubt that this is true (direct advertising and editorials pay far better and cannot be blocked), I want to focus on the opposite: websites stealing from their visitors. By using “free analytics”, “like buttons”, “JavaScript-driven ad engines” and “web-shop tracking”, many, if not most, websites are sharing very sensitive (privacy related) information about their visitors with third parties (without the visitors’ consent). This information can be stored and used to identify and profile visitors. The bad thing is that many site owners do not even realize their behavior is unethical (and in some cases even forbidden by law). In my opinion this unethical behavior makes using blocking software ethical.