In today’s age, online privacy and security are more valuable than ever. These are some changes that I made to reduce the amount of information about me that floats around on the web.

Browsers

Firefox

For most people the browser is the most used application, and the longer you use one, the more it learns about you and your habits. Using one that is tied to your search engine, social media accounts, and shopping sites only makes this worse.

I break that link by using Firefox. Out of the box it’s not the most secure browser, but it can easily be configured to be much safer. It’s my choice for the activities that come with the most ads and trackers: casual browsing, reading blogs, or consuming media.

Some of the addons that I use with Firefox:

  • uBlock Origin - The best content blocker. It blocks ads, trackers, and known malware domains.
  • ClearURLs - Strips tracking parameters such as referral and campaign identifiers from URLs.
  • Decentraleyes - Improves your privacy by serving common CDN-hosted libraries from local copies instead of fetching them from the CDN, so the CDN never sees the request.
  • HTTPS Everywhere - Upgrades connections to https instead of http wherever the site supports it. (The EFF has since retired this extension; Firefox now ships the same behaviour built in as HTTPS-Only Mode under Settings->Privacy & Security.)

There are also a few about:config tweaks that I made, which you can set for yourself with this guide.

ungoogled-chromium

In the rare case that a website doesn’t work with Firefox, I use ungoogled-chromium. This is a Chromium build with the Google web service integration stripped out, so it behaves like Chrome without reporting back to Google. It’s developed by a small team but has worked well for me so far.

Search Engine

DuckDuckGo

I recently switched my search engine from Google to DuckDuckGo. I had deleted as much of my data as I could from Google’s servers, so I was no longer getting personalized results anyway. DuckDuckGo’s search results are also a little less effective. Still, this is a trade I’m willing to make to keep my search engine from tracking me.

DuckDuckGo also has a leg up in customization. For example, one of my favorite features is infinite scroll, which keeps loading results as you scroll rather than paginating them. There are also aesthetic choices such as centered results and dark mode. I can also change the font, which I set to SF Pro Display from Apple.

DNS

HTTPS Everywhere encrypts the content of my browsing, but every DNS lookup still leaves the machine in cleartext, so anyone on the path (your ISP, a coffee-shop network) sees every hostname you visit. The next step is to encrypt DNS requests.

Mac

DNSCrypt

I use the DNSCrypt protocol with dnscrypt-proxy as the client. To install it on macOS with Homebrew:

brew install dnscrypt-proxy

Then configure it to taste in the dnscrypt-proxy.toml file under Homebrew’s etc directory (/usr/local/etc on Intel Macs, /opt/homebrew/etc on Apple Silicon; $(brew --prefix)/etc works on both). I wanted to block ads and malware at the DNS level (with uBlock Origin being an additional layer for peace of mind). To do this, I added AdGuard DNS to the server list that I use. There are also many other great public servers that you can use. Note that dnscrypt-proxy load-balances queries across every server in this list rather than trying them in order, so with a filtering and a non-filtering resolver listed together only the queries that happen to land on AdGuard are filtered.

server_names = ['adguard-dns-doh', 'cloudflare']
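The list above mixes a filtering resolver with a non-filtering one, and dnscrypt-proxy does not use the list in order: it balances queries across every listed server (the default lb_strategy, 'p2', picks at random between the two fastest), so any query that goes to Cloudflare is answered unfiltered and DNS-level blocking becomes intermittent. The fragment below is an added example, not the post’s own file: it shows that weak setting beside two fixes, listing only filtering resolvers and adding dnscrypt-proxy’s own local blocklist so that blocking no longer depends on which upstream answered. The keys are real dnscrypt-proxy 2.x settings and the fragment assumes the [sources] section of the stock Homebrew config is still present; blocked-names.txt and its entries are assumed for illustration.

```toml
# Added example for dnscrypt-proxy.toml (not the post's own config).
listen_addresses = ['127.0.0.1:53']

# WEAK: queries are spread across both servers (lb_strategy defaults to
# 'p2', random between the two fastest), so only the share that reaches
# AdGuard is filtered; Cloudflare answers the rest unfiltered.
# server_names = ['adguard-dns-doh', 'cloudflare']

# BETTER: list only resolvers that filter, so every upstream applies a
# blocklist. Add further filtering resolvers from the public list here.
server_names = ['adguard-dns-doh']

# BEST: block locally as well, so the answer does not depend on which
# upstream was picked. Patterns go in blocked-names.txt next to this
# file, one per line (assumed entries, using dnscrypt-proxy's syntax):
#   ads.*              names starting with "ads."
#   *tracker*          names containing "tracker"
#   telemetry.example  the name and all of its subdomains
#   =exact.example     this exact name only
[blocked_names]
  blocked_names_file = 'blocked-names.txt'
  log_file = 'blocked-names.log'
  log_format = 'tsv'
```

After editing, dnscrypt-proxy -check -config dnscrypt-proxy.toml validates the file before you restart the service, and the log named above shows which queries the local list dropped.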

From there, you can start the service with

sudo brew services start dnscrypt-proxy

Check that the service is running with sudo lsof +c 15 -Pni UDP:53. If you changed the listening port, reflect that in the command after UDP:. You should see dnscrypt-proxy listed, bound to the loopback address.

COMMAND        PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
dnscrypt-proxy 178 root    9u  IPv4 0x9dd59d9c654b6511      0t0  UDP 127.0.0.1:53

However, you won’t be using this resolver until you tell your Mac to use it. You can do this with

networksetup -setdnsservers Wi-Fi 127.0.0.1

or by going into System Preferences->Network->Wi-Fi->Advanced->DNS and adding 127.0.0.1 to the list. You can leave your current DNS as a fallback in case this fails; I set up AdGuard as backup, and then Cloudflare. Be aware that every fallback listed here is a plain, unencrypted resolver, and macOS will query it whenever the local proxy does not answer, so those lookups leave the machine in cleartext. If you want no unencrypted DNS at all, list only 127.0.0.1 and fix the proxy when it breaks. To confirm that you set this up correctly, run scutil --dns | head and you should see a list of your DNS resolvers.

DNS configuration

resolver #1
  nameserver[0] : 127.0.0.1
  nameserver[1] : 176.103.130.130
  nameserver[2] : 176.103.130.131
  nameserver[3] : 1.1.1.1
  nameserver[4] : 1.0.0.1
  flags    : Request A records, Request AAAA records

To confirm that your queries actually go through dnscrypt-proxy, run dig (with any name, or none) in the terminal and confirm that the SERVER line reads 127.0.0.1#53. Your output should end something like this. This only proves that the query reached the local proxy; dnscrypt-proxy -resolve example.com additionally reports which upstream resolver answered it.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jun 27 18:37:51 PDT 2020
;; MSG SIZE  rcvd: 239

You can also check DNSSEC. dig +dnssec google.com asks for DNSSEC records (it sets the DO bit). Note that the flags line below carries no ad (authenticated data) flag: a validating resolver sets ad only for an answer it validated from a signed zone, and google.com is not DNSSEC-signed, so this query only shows that the resolver answered. Validation happens at the upstream resolver (AdGuard or Cloudflare), not in dnscrypt-proxy, which merely forwards the query over an encrypted channel.

; <<>> DiG 9.10.6 <<>> +dnssec google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32850
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

The failure case is the more telling one. dig www.dnssec-failed.org queries a zone that is deliberately signed incorrectly, and a validating resolver refuses to return it, answering SERVFAIL with no records. If the SERVFAIL really is a validation failure, the same query with +cd (checking disabled) returns the bogus answer instead.

; <<>> DiG 9.10.6 <<>> www.dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44346
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

Privoxy

I also use Privoxy to filter ads and other content with its default configuration.

brew install privoxy
sudo brew services start privoxy

You need to tell your Mac about this new proxy, which you can do with

sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 8118

or by going into System Preferences->Network->Wi-Fi->Advanced->Proxies and enabling HTTPS. This only routes https:// traffic through Privoxy; plain http:// sites bypass it unless you also set the HTTP proxy (networksetup -setwebproxy with the same host and port, or Web Proxy (HTTP) in the same panel). Be aware too that for HTTPS Privoxy only sees the CONNECT request carrying the hostname, so it can block whole hosts but cannot filter page content or URL paths; full filtering applies to plain HTTP only. Ensure that it’s set with scutil --proxy.

<dictionary> {
  HTTPSEnable : 1
  HTTPSPort : 8118
  HTTPSProxy : 127.0.0.1
}

Check that your proxy is working with ALL_PROXY=127.0.0.1:8118 curl ads.foo.com/ -IL. The host does not need to exist: Privoxy matches the URL against its block rules before opening any connection, so the 403 below comes straight from Privoxy.

HTTP/1.1 403 Request blocked by Privoxy
Content-Length: 8800
Content-Type: text/html
Cache-Control: no-cache
Date: Sun, 28 Jun 2020 19:39:26 GMT
Last-Modified: Wed, 08 Jun 1955 12:00:00 GMT
Expires: Sat, 17 Jun 2000 12:00:00 GMT
Pragma: no-cache
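The checks in the DNS and Privoxy sections above are all done by eyeballing tool output. The script below is an added example, not the post’s own code, that turns them into functions which parse the output of scutil --dns, dig and scutil --proxy, so they can be run against constructed sample captures (modeled on the output shown above) and, via audit_live, against the live machine. It encodes the two caveats from those sections: any nameserver other than 127.0.0.1 in scutil --dns is a plaintext fallback, and a proxy configured for HTTPS only leaves plain HTTP unfiltered. The function names, the sample captures and the AUDIT_LIVE switch are all chosen for this example.

```sh
#!/bin/sh
# Added example (not the post's own code): turn the manual checks from the
# DNS and Privoxy sections into functions that parse the tools' output.
# Each function takes the captured text as $1, so it runs on the constructed
# samples below as well as on the live machine via audit_live.

# Pass only if every nameserver in `scutil --dns` output is loopback.
# Any other address is a plaintext fallback resolver that macOS will
# query when the local dnscrypt-proxy does not answer.
resolvers_are_loopback() {
    leaks=$(printf '%s\n' "$1" | awk '
        $1 ~ /^nameserver\[/ && $NF != "127.0.0.1" && $NF != "::1" { print $NF }')
    if [ -n "$leaks" ]; then
        printf 'plaintext fallback resolvers:\n%s\n' "$leaks" >&2
        return 1
    fi
    return 0
}

# Print the response code (NOERROR, SERVFAIL, ...) from dig output.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print the server that answered, e.g. 127.0.0.1#53, from dig output.
dig_server() {
    printf '%s\n' "$1" | sed -n 's/.*SERVER: \([^(]*\)(.*/\1/p' | head -n 1
}

# Pass only if the resolver set the ad (authenticated data) flag, which
# it does only for an answer it validated from a signed zone.
dig_validated() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* ad[ ;]'
}

# Pass only if Privoxy is configured for both plain HTTP and HTTPS.
# `networksetup -setsecurewebproxy` alone leaves http:// traffic unproxied.
proxy_covers_http_and_https() {
    for key in HTTPEnable HTTPSEnable; do
        printf '%s\n' "$1" | grep -q "^ *$key : 1\$" || return 1
    done
    for key in HTTPProxy HTTPSProxy; do
        printf '%s\n' "$1" | grep -q "^ *$key : 127\.0\.0\.1\$" || return 1
    done
}

# Constructed sample captures, modeled on the output shown in the post.
DNS_WITH_FALLBACK='DNS configuration

resolver #1
  nameserver[0] : 127.0.0.1
  nameserver[1] : 176.103.130.130
  nameserver[2] : 176.103.130.131
  flags    : Request A records, Request AAAA records'

DNS_LOOPBACK_ONLY='DNS configuration

resolver #1
  nameserver[0] : 127.0.0.1
  flags    : Request A records, Request AAAA records'

DIG_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44346
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53(127.0.0.1)'

DIG_SIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53(127.0.0.1)'

PROXY_HTTPS_ONLY='<dictionary> {
  HTTPSEnable : 1
  HTTPSPort : 8118
  HTTPSProxy : 127.0.0.1
}'

PROXY_BOTH='<dictionary> {
  HTTPEnable : 1
  HTTPPort : 8118
  HTTPProxy : 127.0.0.1
  HTTPSEnable : 1
  HTTPSPort : 8118
  HTTPSProxy : 127.0.0.1
}'

# Run the same checks against the live machine (macOS with dig installed).
# The function name and the AUDIT_LIVE switch are chosen for this example.
audit_live() {
    rc=0
    resolvers_are_loopback "$(scutil --dns)" || { echo 'FAIL: plaintext DNS fallback configured'; rc=1; }
    out=$(dig www.dnssec-failed.org)
    [ "$(dig_server "$out")" = '127.0.0.1#53' ] || { echo 'FAIL: dig is not using dnscrypt-proxy'; rc=1; }
    [ "$(dig_status "$out")" = SERVFAIL ] || { echo 'FAIL: upstream resolver does not validate DNSSEC'; rc=1; }
    proxy_covers_http_and_https "$(scutil --proxy)" || { echo 'FAIL: Privoxy not set for both HTTP and HTTPS'; rc=1; }
    return $rc
}

if [ "${AUDIT_LIVE:-0}" = 1 ]; then audit_live; fi
```

Run it as AUDIT_LIVE=1 sh audit.sh on the Mac once the setup is done; with the variable unset the script only defines the functions and sample data, which is what lets it be exercised offline.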

iPhone

1.1.1.1

The 1.1.1.1 app from Cloudflare sends your phone’s DNS queries to Cloudflare over an encrypted connection, and with its WARP mode turned on it also tunnels the rest of the phone’s traffic to Cloudflare over WireGuard, which is what makes it work like a VPN. Keep in mind that this moves trust rather than removing it: your network operator no longer sees your traffic, but Cloudflare does. I always leave this on, as it’s safe and important to use over any Wi-Fi, and even your cellular network. I’ve seen no network speed slowdowns from this VPN, and so I always leave it on no matter what I’m doing.

AdGuard

As an extra layer of security while browsing on my iPhone, I use AdGuard. It’s a great content blocker that works with Safari.