How to browse the web (a little) more securely

Joshua Casey
6 min read · Mar 18, 2022

Over the past few years I’ve accumulated a few tips and tricks to keep my browsing private. Quite a few parties may have access to your browsing, with varying levels of fidelity depending on the mechanisms involved.

I’ll start with a broad overview, but for the most part I’d like to focus in on Chrome-specific settings and preferences that will keep your online activity private from advertising platforms such as Google, Facebook, etc.

Think of a typical user journey:

  1. Launch a browser (let’s use Chrome 99.0.4844.74 for this blog)
  2. Think of a topic (let’s pick “BBC news”) and type it into the Chrome omnibox, commonly called the address or URL bar
  3. Review Google results (or the search engine of choice)
  4. Pick the first result (https://www.bbc.com/news) and click it
  5. Browse BBC news

Let me list out the various platforms involved in this journey, listing which steps that platform has access to.

  1. Operating System (1–5)
  2. Chrome (1–5)
  3. Internet Service Provider (2–4)
  4. DNS providers (2, 4), although these DNS records are likely cached
  5. google.com (2–4)
  6. bbc.com (4–5)
  7. 3rd party advertising services (e.g. Google, Facebook)

We can largely trust major operating systems and browsers not to reveal information about your browsing history when configured correctly. Note that there are always some grey areas here, so look through privacy policies (e.g. https://www.google.com/chrome/privacy/) and information-sharing settings (Chrome Preferences > Sync and Google services > Other Google services > Help improve Chrome’s features and performance). Note that using browser features such as signing into your Google account or synchronizing history should in general not grant Google additional information about you.

Internet service providers will know which websites you visit since they handle all of your web traffic. For HTTPS websites, the ISP can only see the domain that you are visiting, not the path, parameters, or other aspects of the request. If you type “BBC news” into the Chrome omnibox and hit “enter”, your browser will visit a URL that looks like “https://www.google.com/search?q=bbc+news&oq=bbc+news&sourceid=chrome&ie=UTF-8”, but of this your ISP will only know the protocol (https), the subdomain (www), and the domain (google.com); see https://https.cio.gov/faq/#what-information-does-https-protect. The only way to prevent your ISP from seeing even this information is with a Virtual Private Network (VPN).

DNS providers can also see the domains for which you are requesting a lookup, although a VPN can mask the IP address from which you make the request, meaning that any record they may have of your lookup isn’t linked back to you. Make sure your VPN is configured correctly: https://www.makeuseof.com/tag/dns-leaks-can-destroy-anonymity-using-vpn-stop/.

Websites themselves can of course see your browsing activity — there’s no way to hide from google.com that you want to visit google.com! That being said, there are ways to hide or mask what a website sees about you, such as your IP address and cookies, so that your browsing activity is not linked to you in any way. To mask your IP address, use a VPN or a service such as iCloud Private Relay. To prevent existing cookies from being read by a website, use a Guest profile in Chrome.

Any cookies created while the Chrome Guest profile is open can be read by websites for as long as that Guest session lasts, and this applies across multiple Guest profile windows. Safari Private Windows do not appear to share cookies between windows.

Now we come to 3rd party advertising services such as Facebook and Google. They are able to track your browsing history by placing invisible pieces of their own sites into other websites such as https://bbc.com/news. For example, it takes approximately 200 requests to load https://bbc.com/news, with those requests made to such interesting destinations as:

  • sb.scorecardresearch.com
  • edigitalsurvey.com
  • www.google.com
  • prod-use.perf-serving.com
  • …and dozens more

I also see dozens of cookies, many with rather unexpected domains such as:

  • .doubleclick.net
  • .adform.net
  • .adnxs.com

I’ll point out here that these cookies in themselves don’t really contain any information that compromises you or your browsing history beyond the page you’re currently visiting. But if you browse many websites, perhaps including some that you are logged in to, the 3rd parties providing those cookies may gain quite a bit of knowledge about you and your browsing habits.

Best Practices

Disable Google Services

Just disable these (via chrome://settings/syncSetup):

  • Help improve Chrome’s features and performance
  • Make searches and browsing better
  • Enhanced spell check

Different Chrome Profiles

If you do need to stay logged into major trackers (Google, Facebook, Amazon, Apple, etc.), set up a different Chrome profile for each service. In that profile, log into only that service and use that profile only to access that one website. Use a separate Chrome profile (or even Guest windows!) for general web browsing.

Block third party cookies

[Screenshot: the “Block third-party cookies” setting in Chrome 99.0.4844.74]

To see what impact this has, click the Lock icon at the far left of the Chrome Omnibox and see how many cookies are in use. Open the “Cookies in use” to see which cookies were blocked.

[Screenshot: 72 cookies in use without blocking third-party cookies]
[Screenshot: only 32 cookies in use when “Block third-party cookies” is enabled]
Quite a few (>40) cookies blocked!

You can see some additional cookie information in the Chrome inspector via Inspect > Application > Storage > Cookies. Note that some 3rd party cookies still appear to be set. Does it seem strange that cookies with domains such as .google.com were not blocked by Chrome? If you visit google.com and open up the inspector, you can see the same cookie values there, so the cookies are clearly shared with google.com.

Block All Cookies

If you know you will use a particular browser profile only to access certain services, feel free to block all cookies and add that particular service to the list of “Sites that can always use cookies”. So your “Facebook” profile could add facebook.com and instagram.com, your “Google” profile could add *.google.com and gmail.com, your “Amazon” profile could add amazon.com, audible.com, and so on. If you have multiple accounts (I have multiple gmail accounts), simply create a new profile for each.
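To make the first-party/third-party distinction and the per-profile allow-list concrete, here is an added Python example (not code from the post or from Chrome) that classifies a constructed set of cookies the way the two settings above would. The cookie names and count are made up, the third-party domains come from the post, the eTLD+1 logic is a crude last-two-labels heuristic rather than the Public Suffix List browsers really use, and the allow-list matching approximates Chrome’s site patterns.

```python
from urllib.parse import urlsplit

# Constructed sample: cookies of the kind Chrome's "Cookies in use" panel
# lists while viewing https://www.bbc.com/news. The third-party domains
# come from the post above; the cookie names and count are made up.
SAMPLE_COOKIES = [
    ("ckns_policy", ".bbc.com"),
    ("ckpf_ppid", "www.bbc.com"),
    ("IDE", ".doubleclick.net"),
    ("uid", ".adform.net"),
    ("uuid2", ".adnxs.com"),
    ("NID", ".google.com"),
    ("UID", ".scorecardresearch.com"),
]

def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Browsers use the Public Suffix List,
    so hosts under suffixes like co.uk would need that list instead."""
    labels = host.strip(".").lower().split(".")
    return ".".join(labels[-2:])

def is_third_party(cookie_domain: str, page_url: str) -> bool:
    """A cookie is third-party when its site differs from the page's site:
    .google.com is third-party on bbc.com but first-party on google.com."""
    page_host = urlsplit(page_url).hostname or ""
    return registrable_domain(cookie_domain) != registrable_domain(page_host)

def site_matches(host: str, pattern: str) -> bool:
    """Allow-list entry such as 'facebook.com' or '*.google.com' covers the
    site and its subdomains (an approximation of Chrome's [*.] patterns)."""
    base = pattern.lower().lstrip("[*.]")  # drop a leading "*." or "[*.]"
    return host == base or host.endswith("." + base)

def apply_policy(cookies, page_url, block_third_party=True,
                 block_all=False, allow_sites=()):
    """Split cookies into (allowed, blocked) names under a Chrome-like policy:
    allow-listed sites always win, then 'block all', then 'block third-party'."""
    allowed, blocked = [], []
    for name, domain in cookies:
        host = domain.strip(".").lower()
        if any(site_matches(host, p) for p in allow_sites):
            allowed.append(name)
        elif block_all or (block_third_party and is_third_party(domain, page_url)):
            blocked.append(name)
        else:
            allowed.append(name)
    return allowed, blocked
```

Running `apply_policy(SAMPLE_COOKIES, "https://www.bbc.com/news")` keeps only the two bbc.com cookies, while a “Google” profile with `block_all=True` and `allow_sites=("*.google.com", "gmail.com")` keeps only the google.com cookie.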

Disable Location / Camera / Microphone / Notifications

Visit chrome://settings/content and go through each of the Permissions items. I personally set each to “Don’t allow sites” and then add specific sites to the allow list. This gives confidence that you won’t be spied upon and prevents the myriad annoying popups such as this:

No. Just no.

Note that a website can still attempt to infer your location from your IP address for some location-based services, but this is easily masked with a VPN or iCloud Private Relay. The Location permission in Chrome is entirely separate from the geolocation your IP address may be associated with.

Browsing with minimal distractions

Although not specifically related to security, I have a browser profile in which I disable both JavaScript (chrome://settings/content/javascript) and audio (chrome://settings/content/sound). It prevents a lot of really annoying website behaviors such as popups, autoplaying ads, and noise.

TBD

There’s a lot I haven’t covered. There are dozens more toggles buried deep in Chrome settings. Let me know if you would like me to look into them!

  • chrome://settings/privacySandbox
  • Remove all cookies on shutdown
  • chrome://settings/content/ads
  • chrome://settings/syncSetup: Allow Chrome sign-in
  • chrome://settings/syncSetup: Autocomplete searches and URLs
