Ramblings about Debian GNU/Linux

Security and Privacy on the Internet

Posted 08-12-2010 at 04:31 AM by craigevil
Updated 04-24-2021 at 10:07 PM by craigevil (Most of the advice is outdated.)

This post, like all of my posts, is several years out of date.
Use the Tor Browser, or a VPN, preferably a paid one.
You can also use a browser like Librewolf that is a bit more hardened than Firefox or Chrome.

If you are really worried about privacy there are a few things you can do including:
Use the Adblock Plus extension for Firefox and use the Easy Privacy list as well as the Antisocial list.
This list blocks the ever increasing social networking content on third-party sites.

Use a hosts file to block the multitude of clicktrackers

If you want to do the same thing without having the hosts file slowdown, dnsmasq offers similar functionality and it seems to be pretty snappy. Also, it allows you to use DNS for your LAN to boot!
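
For the hosts-file and dnsmasq suggestions above, here is an added example (not part of the original post) that converts a hosts-format blocklist into dnsmasq `address=` rules, keeping only sinkhole entries and rejecting names that are not plain hostnames. The function names and the sample blocklist are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): turn a hosts-format blocklist
# into dnsmasq "address=" rules. Function names and sample data are made up.

# Constructed sample input, in the format of a downloaded hosts blocklist.
sample_blocklist() {
    cat <<'EOF'
# constructed sample blocklist
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 ads.example.com tracker.example.net   # two names on one line
127.0.0.1 ADS.example.com
192.0.2.10 login.example.com
0.0.0.0 bad/name.example
EOF
    printf '0.0.0.0 click.example.org\r\n'    # CRLF line ending
}

# Read hosts lines on stdin, write dnsmasq rules on stdout, summary on stderr.
hosts_to_dnsmasq() {
    awk '
    {
        sub(/\r$/, "")                      # tolerate CRLF line endings
        sub(/#.*/, "")                      # drop comments
        if (NF < 2) next
        # Keep sinkhole entries only. A list entry that maps a name to any
        # other address is a redirect, not a block, so it is never copied.
        if ($1 != "0.0.0.0" && $1 != "127.0.0.1" && $1 != "::" && $1 != "::1") {
            redirects++
            next
        }
        for (i = 2; i <= NF; i++) {
            name = tolower($i)
            # Single-label and loopback names stay out of the blocklist.
            if (name !~ /\./ || name == "localhost.localdomain") continue
            # Strict hostname check: the name is pasted into a config line,
            # so "/" or any other odd character must not get through.
            if (name !~ /^[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?(\.[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?)+$/) {
                invalid++
                continue
            }
            if (name in seen) continue      # de-duplicate
            seen[name] = 1
            print "address=/" name "/0.0.0.0"
        }
    }
    END {
        printf "skipped: %d non-sinkhole entries, %d invalid names\n", redirects, invalid > "/dev/stderr"
    }'
}

sample_blocklist | hosts_to_dnsmasq
```

Unlike a hosts entry, a dnsmasq `address=/ads.example.com/0.0.0.0` rule also answers for every subdomain of that name, so the converted list blocks more than the hosts file did. Write the output to a file loaded through `conf-file=` or `conf-dir=` and run `dnsmasq --test` before restarting the service.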

Use Tor
Use a VPN, Linux VPN Masquerade HOWTO: Background Knowledge

Do not accept 3rd party cookies.

Use moblock/Peerguardian

Helpful articles:
Security and Encryption for Anonymous Internet and Computer Privacy
Big Brother is Watching – Privacy, Censorship, and Staying Anonymous
Encrypt your web browsing session (with an SSH SOCKS proxy)
Anonymizing Google's cookie

Do not use Google to search, instead use ixquick or duckduckgo or Startpage Search Engine. Or at the very least use the new Google SSL search.

There are several extensions for Firefox that can help to block the junk on the Internet.
Extensions to block crap or to get rid of it that I use:
- Adblock Plus
- Adblock Plus: Element Hiding Helper
- BetterPrivacy
- Cookie Monster
- Flashblock
- NoScript
- Hide My Ass Proxy Extension
- HTTPS-Everywhere
- HTTPS Finder
- Ghostery
- GoogleSharing
- Open in Private Browsing Mode
- QuickJava
- QuickProxy

Also for Firefox there are a few things you can tweak either in about:config or by creating a user.js.
Firefox makes unrequested connections

/* Disable network prefetching/search engine suggest */
user_pref("network.prefetch-next", false);
user_pref("", false);

/* Disable geolocation */
user_pref("geo.enabled", false);

/* Disable Google lookups */
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.remoteLookups", false);

If you use Chrome/Chromium you can add the Google SSL page as the default search.
Right click on the Omnibar and select ‘edit search engines...’

Select ‘Add...’

For ‘Name’ enter: “Google SSL Web Search beta” (without the quotes)

For ‘Keyword’ enter: ““ (without the quotes)

For ‘URL’ enter: “{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie= {inputEncoding}&q=%s” (without the quotes)

Select ‘OK’

With the new Google SSL Web Search entry selected, hit the ‘Make Default’ button

Basic Rule: Always browse in "Private Mode" so that fewer traces of your web history remain on your HDD. Opera, Chrome, Firefox, Safari, and Internet Explorer all include a form of Private Browsing.
Privacy mode - Wikipedia
Midori isn't on the Wikipedia list but it also has Incognito.
Epiphany doesn't or at least it doesn't from what I can tell.

If you use instant messengers or IRC you want to use OTR along with using SSL.
See my blog about irssi for how to set-up SSL on the OFTC and Freenode networks.

Off-the-Record Messaging
Off-the-Record (OTR) Messaging allows you to have private conversations over instant messaging by providing:
- Encryption: No one else can read your instant messages.
- Authentication: You are assured the correspondent is who you think it is.
- Deniability: The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.
- Perfect forward secrecy: If you lose control of your private keys, no previous conversation is compromised.

Use PGP/GPG in your email client.
Enigmail: A simple interface for OpenPGP email security
Enigmail is a security extension to Mozilla Thunderbird and Seamonkey. It enables you to write and receive email messages signed and/or encrypted with the OpenPGP standard.
Sending and receiving encrypted and digitally signed email is simple using Enigmail.
Some of the other popular email clients:
- Evolution and PGP
- Pretty Good Privacy (PGP) / GNU Privacy Guard (GnuPG)
- Mutt-i, GnuPG and PGP Howto
- Encrypting email in Claws Mail

Other projects that protect you on the web.

HTTPS Everywhere | Electronic Frontier Foundation
HTTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites.
Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site.
The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.

The Freenet Project
Freenet is free software which lets you anonymously share files, browse and publish "freesites" (web sites accessible only through Freenet) and chat on forums, without fear of censorship. Freenet is decentralised to make it less vulnerable to attack, and if used in "darknet" mode, where users only connect to their friends, is very difficult to detect.

Privoxy is a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk. Privoxy has a flexible configuration and can be customized to suit individual needs and tastes. It has application for both stand-alone systems and multi-user networks.

JonDo - the free client software for JonDonym | JonDos GmbH
JonDo is a free, open-source and highly portable (Java-based) client software for accessing the JonDonym services. Its primary use is the anonymisation of web site requests against web site operators, internet providers and the anonymisation service operators.
They even provide a Debian repo.
Add the following line to /etc/apt/sources.list. Replace DISTRI by the name of your distribution. At the moment lenny, squeeze, sid, intrepid, jaunty, karmic and lucid are supported.
# Secure Apt - apt-key add JonDos_GmbH.asc
# deb DISTRI main


  1. Old Comment
    A couple of Google Chrome extensions:
    Do Not Track Plus :
    Do Not Track Plus blocks web beacons and other tracking technologies that advertisers use to track your browsing behavior. Easily see what trackers are in use at each website you visit and block any or all of them.
    Chrome Web Store - Abine TACO :
    Abine TACO sets all the NAI opt-out cookies to stop advertisers from delivering content based on their attempts to profile you and your online behavior. At each website you visit TACO can show you how many and which advertising networks you've opted-out of.

    This Chrome extension sets a number of permanent, generic, non personally identifiable opt-out cookies in the browser, which will prevent over 100 different online advertising networks from subjecting users to behavioral advertising (and in some cases, will stop the networks from being able to track users' web browsing habits too).
    Chrome Web Store - Vanilla Cookie Manager :
    A Cookie Whitelist Manager that helps protect your privacy. Automatically removes unwanted cookies.
    Posted 02-13-2012 at 05:18 PM by craigevil
  2. Old Comment
    Seems the OptimizeGoogle extension for Firefox is being discontinued.

    A couple of ways to still get the blocking functions:

    googlePrivacy for Greasemonkey :

    Don't track me Google for Greasemonkey -

    GoogleSharing :: A Special Kind Of Proxy -

    PrivacySuite :: Add-ons for Firefox - and/or Ghostery

    Do Not Track Plus
    Posted 02-14-2012 at 08:41 AM by craigevil
    Updated 04-10-2012 at 08:49 PM by craigevil
  3. Old Comment
    Why DNSCrypt is so significant

    In the same way the SSL turns HTTP web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks. It doesn't require any changes to domain names or how they work, it simply provides a method for securely encrypting communication between our customers and our DNS servers in our data centers.

    DNSCrypt has the potential to be the most impactful advancement in Internet security since SSL, significantly improving every single Internet user's online security and privacy.
    Encrypt DNS Traffic In Linux With DNSCrypt (Via OpenDNS) ~ Web Upd8: Ubuntu / Linux blog :
    Here are the correct steps:
    gedit /etc/init.d/

    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides: dnscrypt
    # Required-Start: $all
    # Required-Stop: $all
    # Default-Start: 2 3 4 5
    # Default-Stop: 0 1 6
    # Short-Description: DNSCrypt for OpenDNS
    # Description: Launch the dnscrypt to communicate with OpenDNS
    ### END INIT INFO

    # Start dnscrypt-proxy in the background
    /usr/sbin/dnscrypt-proxy --daemonize

    Save then:
    cd /etc/init.d/
    chmod +x
    update-rc.d defaults
    update-rc.d enable

    Configure your connection manager to use as DNS and now it should work
    Introducing DNSCrypt (Preview Release) :

    You can download the .deb files from:
    OpenDNS Community > Blog > Tales from the DNSCrypt: Linux Rising :

    Detailed post in the antiXfreeforums:
    antiX-forum - Secure DNS with DNScrypt -
    Posted 02-21-2012 at 02:56 AM by craigevil
    Updated 03-02-2012 at 08:34 PM by craigevil
  4. Old Comment
    Some security apps on Linux:
    the ones with * I have used and/or have installed at present

    Basic tools:
    *checksecurity - basic system security checks
    *lynis - security auditing tool for Unix based systems
    *rkhunter - rootkit, backdoor, sniffer and exploit scanner
    *chkrootkit - rootkit detector
    *tripwire - file and directory integrity checker
    *tiger - Report system security vulnerabilities
    *bastille - Security hardening tool
    *debsums - tool for verification of installed package files against MD5 checksums
    *debsecan - Debian Security Analyzer
    *tor - anonymizing overlay network for TCP
    *torchat - decentralized instant messenger built on top of the Tor Network

    unhide - Forensic tool to find hidden processes and ports
    unhide.rb - Forensic tool to find processes hidden by rootkits
    *aide - Advanced Intrusion Detection Environment
    bsign - Corruption & intrusion detection using embedded hashes
    systraq - monitor your system and warn when system files change
    *snort - flexible Network Intrusion Detection System
    *fwsnort - Snort-to-iptables rule translator
    *psad - Port Scan Attack Detector
    samhain - Data integrity and host intrusion alert system
    *acct - The GNU Accounting utilities for process and login accounting
    pmacct - promiscuous mode traffic accountant
    iotop - simple top-like I/O monitor
    nmap - The Network Mapper
    pads - Passive Asset Detection System
    tshark - network traffic analyzer - console version
    *wireshark - network traffic analyzer - GTK+ version
    clamassassin - email virus filter wrapper for ClamAV
    *clamav - anti-virus utility for Unix - command-line interface
    arpalert - monitor ARP changes in ethernet networks
    arpwatch - Ethernet/FDDI station activity monitor
    arpon - versatile anti ARP poisoning daemon
    Posted 03-05-2012 at 05:59 PM by craigevil
    Updated 04-18-2012 at 05:23 PM by craigevil
  5. Old Comment
    RetroShare -

    RetroShare is an Open Source cross-platform, private and secure decentralised communication platform.
    It lets you securely chat and share files with your friends and family, using a web-of-trust to authenticate peers and OpenSSL to encrypt all communication.
    RetroShare provides filesharing, chat, messages, forums and channels
    What is Retroshare?
    RetroShare is the next generation sharing network, which provides:

    Reliable Identification and Authentication of your friends.
    Plus an Introduction Scheme which connects you to the friends of your friends, and facilitates network growth.
    Encrypted Communication, ensuring all shared information is known only to you and your peers.
    A Communication Platform which can potentially support services such as Secure Email, File Sharing, Streaming, Video or Voice over IP, Photos, Wall and Messaging
    A Decentralised Social Sharing Network designed **For the People** with no dependencies on any corporate system or central servers.
    Why use Retroshare?
    You want to chat and share files securely with your friends
    Only your friends will be able to see and download files that you share.
    RetroShare is serverless, which means - unlike other messengers, you don't need to register, complete annoying registration forms and receive tons of ads. Sending a key to your friend by e-mail is enough to set up your own IM network. This also means no IM spam, because people you didn't invite absolutely cannot connect.
    You can also use your favorite nick name either: no need to use cryptic names like "" just because someone (whom you don't even know) snapped your favorite nick before you.
    RetroShare is encrypted, meaning high privacy: nobody, including your ISP, can see what files you're sharing.

    You need secure instant messaging and files exchange for a small workgroup.
    You need to chat securely and exchange files with other colleagues at work, but do not trust your data to a public chat network like Live or Google Chat? Don't want a hassle of installing and maintaining your own chat server either? Use RetroShare instead:

    RetroShare is serverless, which means that no server, ever, gets to see your data. Any IM server, no matter how secure, poses a risk of data leak because of hacker's attack. Retroshare completely eliminates this security risk associated with the IM server, without any added costs.
    RetroShare encrypts all connections, which means every bit of data is encrypted end-to-end. Unlike other products using self-made weak encryption, RetroShare uses a special version of industry standard OpenSSL library, trusted by banks and other organizations.
    Absolutely no vendor lock-in: you own your RetroShare network. There is no 3rd party vendor whom you have to pay, or who may go out of business and force you to migrate to another product.
    Retroshare - Wikipedia, the free encyclopedia -

    RetroShare Brings Anonymous File-Sharing To the Masses | WebProNews -
    Posted 03-13-2012 at 08:33 PM by craigevil
  6. Old Comment
    Use moblock/Peerguardian

    PeerGuardian -
    PeerGuardian helps protect your privacy by blocking many ranges of aggressive IPs while you use P2P.
    moblock-deb: Debian packages for MoBlock and PeerGuardian Linux -
    moblock-deb provides packages related to IP blocking software, similar to PeerGuardian: In order to protect your privacy internet traffic is blocked based on large lists of IP address ranges. The packages are PeerGuardian Linux (pgl), and its predecessors moblock, blockcontrol and mobloquer.
    Use the appropriate Blocklist:
    I-BlockList -
    blocklist -

    For help setting it up Ubuntu has a nice doc:
    MoBlock - Community Ubuntu Documentation -

    Why is this so important you might ask:
    Copyright Cops Team with ISPs to Crack Down on Music, Movie Pirates | PCWorld -

    Hack the Planet!!!!!!!!!!
    Posted 03-19-2012 at 02:19 PM by craigevil
    Updated 03-19-2012 at 02:47 PM by craigevil
  7. Old Comment
    If you use Google apps and have an Android phone, iPhone or a BlackBerry you should set up 2-step verification.

    How it works -

    If you want to turn on 2-step verification and own a smartphone, we recommend you use the Google Authenticator app -- a mobile application available on Android devices, iPhones, and BlackBerry devices -- to generate verification codes. The application doesn't require an Internet connection, mobile service, or a data plan to generate verification codes.

    Signing in using application-specific passwords - Accounts Help -
    Posted 03-27-2012 at 04:08 PM by craigevil
  8. Old Comment
    Some useful apps:

    Tribler secure p2p client
    Tribler is a social community that facilitates filesharing through a peer-to-peer (p2p) network. A p2p network is different from a centralised service, where every user downloads his files from one central server. With p2p, the user/downloader is also an uploader to another user. This way, there is no central computer required that provides every file to all users.
    Jitsi (SIP Communicator)
    Secure video calls, conferencing, chat, desktop sharing, file transfer, support for your favorite OS, and IM network. All this, and more, in Jitsi - the most complete and advanced open source communicator.


    Encrypted password storage
    Password protection with a master password
    Encrypted Instant Messaging with Off-the-Record Messaging (OTR)
    Call encryption with SRTP and ZRTP for XMPP and SIP
    Call encryption with SRTP and SDES for SIP
    DNSSEC support
    TLS support and certificate-based client authentication for SIP

    On-line provisioning
    Provisioning server discovery via DHCP and mDNS (Bonjour)
    IPv6 fully supported by SIP and XMPP
    Call history
    Missed call notifications
    Systray notifications (using Swing, Growl or libnotify)
    Drag and drop support for file transfer
    Integration with Microsoft Outlook and Apple Address Book
    Support for LDAP directories
    Support for Google Contacts
    SIP specific

    On-line contact list storage with XCAP
    Secure signalling with TLS
    DTMF (SIP INFO, RTP RFC 2833/4733, inband)
    Message Waiting Indication (RFC 3842)
    XMPP Specific

    DTMF (RTP RFC 2833/4733, inband)
    Posted 04-05-2012 at 08:53 PM by craigevil
  9. Old Comment
    Some interesting links:

    Decentralized and Open DNS To Defeat Censorship -

    How to hide emails from government snooping | The Raw Story -

    An invincible file-sharing platform? You can't be serious -

    Living in Orwell's world: how to disappear completely online -

    Guide for IRC Chat Setup & Anonymous Interneting -

    How to secure your computer and surf fully Anonymous BLACK-HAT STYLE -
    Posted 04-07-2012 at 04:13 PM by craigevil
    Updated 04-21-2012 at 02:45 PM by craigevil
  10. Old Comment
    Use Torchat
    Description-en: decentralized instant messenger built on top of the Tor Network
    TorChat is a peer to peer instant messenger with a completely decentralized
    design, built on top of Tor's location hidden services, providing strong
    anonymity while being very easy to use
    Top most relevant feature TorChat claims, above from text messaging and file
    sending, rest on the difficulty someone would experiment trying to find out
    where you are communicating from
    In the condition someone might be observing you and sniff your internet traffic
    connection, the person will find highly difficult to find out:
    - Where your contacts are located
    - To whom you are sending or receiving from
    - What you send or receive, as everything is end-to-end encrypted
    Feel free to contact me using Torchat, my ID 66xqbnluradutbaz
    Posted 04-09-2012 at 02:32 AM by craigevil
  11. Old Comment
    Posted 04-09-2012 at 02:54 AM by craigevil
    Updated 04-21-2012 at 02:47 PM by craigevil
  12. Old Comment
    Be afraid be very very afraid:
    House Passes Cybersecurity Measure CISPA
    Posted 04-26-2012 at 07:41 PM by craigevil
  13. Old Comment
    Some interesting articles about using bittorrents.

    How to Boost Your BitTorrent Speed and Privacy -

    How to Completely Anonymize Your BitTorrent Traffic with BTGuard -

    How to Pirate Software Without Getting Caught -

    How to Make Your VPN Even More Secure -

    How To Anonymize and Encrypt Your BitTorrent Traffic - How-To Geek -

    How to Completely Mask & Anonymize Your BitTorrent Traffic Using Anomos
    Posted 05-31-2012 at 08:26 PM by craigevil
  14. Old Comment
    Google Screenwise: Get Paid for Sharing Your Internet Use in Chrome with Google -

    Only wish they gave you an Amazon giftcard rather than Barnes & Noble.

    But what the heck, go ahead and use Chrome for 5 minutes a day, and get a $5 B&N gift card every 3 months. Be sure to visit a lot of pron sites
    Posted 06-05-2012 at 10:48 AM by craigevil
  15. Old Comment
    How to prevent Google from tracking you
    Google Chrome Tracking -
    Firefox makes unrequested connections -
    New Tab Page – show, hide and customize top sites
    Posted 06-17-2012 at 01:56 PM by craigevil
    Updated 06-18-2012 at 11:16 AM by craigevil
  16. Old Comment
    Tor info:

    TheTorProject - YouTube -
    Tor legal info

    Tor Project: Installation Instructions -
    If your ISP blocks Tor you may still be able to use it with the use of Tor bridges:
    Tor Project: Bridges -
    Legal FAQ for Tor Relay Operators -
    Tor Project: Relay Configuration Instructions -
    Electronic Frontier Foundation | Defending your rights in the digital world -
    List of Tor Relays
    Advanced Tor network usage: relays, hidden services and more - Kimpl | Kimpl -
    How to Bypass Internet Censorship -
    Tor bridges in the Amazon Cloud -
    Posted 06-18-2012 at 09:17 PM by craigevil
  17. Old Comment
    Blocking Facebook Web Trackers At The Firewall For Extra Privacy | HowtoForge - Linux Howtos and Tutorials -
    Posted 11-12-2012 at 02:06 PM by craigevil
  18. Old Comment
    How to use the Internet in Stealth Mode

    The FBI's Cookie Caper and the VPN Imperative

    Securing your data and online communications

    Semi-anonymous Internet Access
    Posted 12-08-2012 at 01:25 PM by craigevil


All times are GMT -5. The time now is 08:22 AM.
