Letting Go of Google

I have used Google for years, mostly in the form of Gmail.  In Your Ultimate Security Guide: Windows 7 Edition I wrote about Gmail.  I threw in some well-deserved praise about Google’s security; it is very, very good.  Google offers one of the most user-friendly two-factor systems I have used.  They alert you when your account is logged into from a new IP and browser.  Your entire session is HTTPS encrypted, and encrypted inside of Google.  From a security standpoint it’s hard to complain about Google.  Privacy is another matter completely.

As Bruce Schneier recently pointed out, Google wants you to be secure from everyone except Google.  Google keeps your data safe from hackers and the NSA (they say), but they don’t keep it safe from themselves.  Google scans all your emails, records all your searches, remembers what videos you’ve watched, and what sites you go to when you leave Google.  And it never forgets.  Though I never created a Google + account, don’t log into YouTube, and don’t upload files to Google Drive, Google still knows an incredible amount of information about me.  That information will be remembered forever.  It will be accessible with warrants.  It may be seen if Google is hacked (Google holds a lot – a lot – of data and is a target because of it).  It will still be sold to advertisers.  And I don’t like that.

I have managed to subvert much of Google’s ability to track me with several tools.  I don’t use Google’s browser, Chrome.  Instead of searching through Google I use DuckDuckGo, a search engine that doesn’t collect or store data about its users.  Another very good tool is Disconnect Private Search, a browser add-on for Firefox and Chrome that routes all your searches through a “light” VPN.  Google doesn’t know who sent the request and can’t track me (Disconnect Search also allows you to use Bing, DuckDuckGo, and Yahoo!).  I also configure my browsers to delete history and cookies each time they are closed, and I close them frequently.  I run BleachBit or CCleaner several times a day, too.

I have also been a fairly heavy Google Voice user.  I liked Google Voice because I could give out a GV number instead of my “real” number.  I could get calls, texts, and voicemail from my phone or computer, and the most compelling feature was its price: free.  I have managed to subvert this, too, through Silent Circle.  Though I have to pay for it, Silent Circle offers me security from everyone, not everyone-but-them.

These steps seem simple in comparison to finding a suitable substitute for Gmail.  Other “mainstream” (read: free) email providers scrape emails, too, and unfortunately I don’t have the confidence in my own technical acumen to run my own email server.  Through the last several months, however, I have managed to piece together a workable email solution.  Unfortunately there is no sole-source replacement for Gmail, but with paid services like KolabNow and free ones like ProtonMail I know my communications are, if not more secure, at least more private.

You should also know that if you contact me, your communications are stored privately and securely on email servers that are not scraped for advertisements.  The email address to which the contact form on this site links is a ProtonMail email address.  Additionally, I have removed Google Analytics from this site.  I do not have access to any data about the individuals who visit my site, whether specifically or in aggregate.  When I initially set up this blog I thought it would be a good idea to see how often the site was visited, but I quickly realized that I had become part of the problem.  This is my mea culpa.

Why YOU Need a Virtual Private Network

Using a virtual private network (VPN) is an important part of strong digital security.  A VPN can accomplish several tasks.  First, it creates an encrypted tunnel to a remote server through which your traffic transits.  This means that anyone inspecting your traffic (from internet service providers to malicious hackers) will capture nothing but unusable, encrypted data.  For best security I recommend using the OpenVPN or IPsec encryption protocols.  Next, because your traffic appears to originate from a remote server, your IP address is not correlated with your browsing.  This is important: if you visit a website that logs your IP address, they can use the IP address to find your geographical location, your internet service provider, and all your visits to that site.  Using a VPN server that hundreds of other people also use makes you less distinctive and protects your physical location.  Lastly, VPNs can be used to help bypass geographical restrictions.  If you are in a country that blocks certain content, you can use your VPN to connect to a server in another country, bypassing the restriction.

I recommend strongly against using free VPN services.  Last week’s story about a free VPN known as Hola! is an excellent reminder of why paying for a VPN is worth it: Hola! was selling the bandwidth of anyone who had their plugin installed, sometimes to malicious users who conducted botnet activity.  This opens users up to a number of security risks.  Free VPN providers have also been known to monetize by collecting and selling user information, which defeats much of the raison d’être for a VPN.

To determine if your VPN is leaking information about you or how much information you are leaking if you are not using a VPN, Private Internet Access (with which I am an affiliate) has some helpful links.  They will test whether your DNS is leaked, if your IP address is leaked when you send an email, and if your IPv6 address is leaked.

Though I like Astrill, Private Internet Access, and WiTopia, there are plenty of great VPN options out there.  Most are under $100 per year and offer a great many features.  This is a very small price to pay for the disproportionate level of security and privacy they provide.

Fixing Firefox’s WebRTC Vulnerability

Earlier this year a major vulnerability called the WebRTC vulnerability was discovered in Windows machines running Chrome and Firefox.  This vulnerability can compromise your privacy by allowing websites to see your true IPv6 address despite the use of a VPN.  When using a VPN any site you visit should only see the IP address of the VPN’s exit server.  This prevents them from correlating your visit with your geographic location and building profiles based on your IP address.  To test your system and see if your IP is leaking you can visit https://ipleak.net/.

Thankfully this vulnerability is very easy to correct in Firefox, but it cannot be corrected through the “Options” dialogue.  To correct it, go to your URL bar in Firefox and type “about:config” (without the quotes).  This will open a menu where power-users can make many adjustments to the application (many of these adjustments can be made through the Settings, but many cannot).  Bypass the warning and scroll down to the line “media.peerconnection.enabled”.  This setting is “true” by default.  Double-click this line, which will toggle the value to “false”.  This is all that is required to turn off WebRTC and secure this vulnerability.
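
To confirm the change stuck, here is an added example (not part of the original post) that reads the text of a Firefox profile's prefs.js and user.js files and reports whether media.peerconnection.enabled is still effectively "true".  The function names and the sample profiles are hypothetical and constructed for illustration; it assumes block comments start at the beginning of a line.

```python
import re

PREF = "media.peerconnection.enabled"  # the about:config setting named above
# Matches lines such as: user_pref("some.name", false);
LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')
# Assumption: a /* ... */ comment opens at the start of a line.
BLOCK_COMMENT = re.compile(r"^\s*/\*.*?\*/", re.S | re.M)

def parse_prefs(text):
    """Return {name: raw_value} for each active user_pref() line."""
    prefs = {}
    # Drop /* ... */ blocks first so a commented-out pref is not counted.
    for line in BLOCK_COMMENT.sub("", text).splitlines():
        m = LINE.match(line)  # lines starting with // never match
        if m:
            prefs[m.group(1)] = m.group(2)  # a later line overrides an earlier one
    return prefs

def webrtc_enabled(prefs_js="", user_js=""):
    """Effective setting for one profile.

    user.js is applied on top of prefs.js at every start, so it wins.
    A missing entry means the default, which the post gives as "true".
    """
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged.get(PREF, "true") != "false"

def audit(profiles):
    """profiles: {name: (prefs_js_text, user_js_text)} -> names with WebRTC still on."""
    return sorted(n for n, (p, u) in profiles.items() if webrtc_enabled(p, u))

# Constructed sample profiles (not taken from a real machine).
FIXED = 'user_pref("browser.startup.page", 3);\nuser_pref("media.peerconnection.enabled", false);\n'
SAMPLE = {
    "untouched": ('user_pref("browser.startup.page", 3);\n', ""),
    "fixed": (FIXED, ""),
    "commented-out": ("", '// user_pref("media.peerconnection.enabled", false);\n'),
    "block-commented": ("", '/*\nuser_pref("media.peerconnection.enabled", false);\n*/\n'),
    "undone-by-user.js": (FIXED, 'user_pref("media.peerconnection.enabled", true);\n'),
}

if __name__ == "__main__":
    for name in audit(SAMPLE):
        print("WebRTC still enabled in profile:", name)
```

The last sample profile is the case worth checking for: a user.js that sets the value back to "true" undoes the about:config change every time Firefox starts.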

There are add-ons for Chrome (WebRTC Leak Prevent and ScriptSafe) that are intended to defeat the WebRTC vulnerability.  It has been reported that these add-ons can be bypassed by a malicious adversary and should not be relied on.  However, if you must use Chrome you should enable one of these add-ons.

For full protection use Firefox and adjust as described above.  Using NoScript may also help mitigate this vulnerability.