This is why I use 'browser isolation', which is a way to separate different types of surfing activity into different buckets. Currently the best way to do this in Firefox is to create multiple profiles, or in Chrome, you can simply add a different user/persona.
Having one profile, or even an entire dedicated browser just for Twitter/FB ensures the login is not spilled over into other sites. If you're surfing the web heavily, I would recommend spawning a new private window so cookies, and other artefacts are not bleeding into your session.
It sounds like common sense, but many people have cookies and login information persisting for years at a time in their browsing sessions. The Mozilla Firefox team are planning to introduce a feature which makes compartmented surfing sessions a lot more user-friendly by separating sessions into tabs. Currently, the 'profiles' feature of Firefox is not user friendly and requires a bit of tinkering with the filesystem.
At risk of being depressing, it's worth knowing that a dedicated profiler can reconcile accounts across all of the protections you've mentioned - not just as a targeted attack, but algorithmically.
There are a lot of fingerprinting tricks which transcend cookie restrictions and user profiles. The battery percent/value one will reconcile all accounts on one device (as will several other like fonts). If you log into one bucket on multiple devices, it becomes possible to traverse devices and reconcile one-device profiles via the shared profile. If I were truly paranoid, I would only trust "separation" if it involved a clean account on a clean device on a clean network.
None of which is to say that you shouldn't do this! I do lots of privacy things which aren't bulletproof, and I think other people should also. Fighting common tracking structures is still progress, and tools like bucketing and Privacy Badger are great ways to do this.
It's just also worth noting that dedicated profiling will break all but the most pathological defensive measures.
What about virtualization? It seems to me that something like Qubes might not at present protect against this (I don't know what information is available to guest/isolated domains on that system), but could be made to? One can easily lie to a browser about battery status and fonts from the OS too, for example.
I guess my point is that it depends on what you view as pathological? I surmise that this is the kind of thing that needs an algorithmic countermeasure, such that systematic deception by user agents is no more difficult for the end user than browsing the web is currently.
It's very difficult to prevent side channel thumbprints—something as simple as traceroutes, wifi hotspots, caches (DNS, routing) can be uniquely identifiable. Add on top of this biometrics like how you type, how you move your mouse, etc, and it becomes very difficult to avoid concerted tracking efforts.
Of course, if you're not pissing off state actors, you're probably fine with qubes/tails.
if you're not pissing off state actors, you're probably fine
Thank you, this seems to be a point that is often ignored. Most of us don't need to hide our trail from a full wing of CIA analysts, just drive-by snooping and the like. (It of course doesn't help the Snowdens of the world)
I usually prefer to think of the middle case: someone with a grudge against me, who would love to blackmail me if they could get the dirt, and who has money to hire some blackhats and buy some zero-days and set up spear-phishing—but who doesn't actually have any access to the things that states get by default by sending fancy letters with Important Signatures.
It's interesting to work through the case of an absurdly rich private actor, because it works out differently for diferent companies; for some, they can just get a "man on the inside" to leak out your data easily enough, while for others (e.g. Gmail) the employees themselves aren't trusted to access user data, and have been firewalled/ACLed away from it to prevent just such intrusions. State actors get pretty much the same "help" from every service (save for the rare Lavabits of the world) but corporate actors get a rather unpredictable response landscape.
Presuming you are being pursued by a state actor, isn't using a computer at a library or Internet cafe enough to thwart most of that? Especially if you're using asynchronous store-and-forward protocols like NNTP or Freenet, where you can be long-gone from wherever the computer you used was, before anyone else ever sees "your" activity.
I remember at least one security expert commenting that if he ran an actual attack, his precautions would be "sitting in a computer lab using a stolen library card". Physical anonymity is by far the best cure for some of these things.
Qubes VMs cannot get the battery state. Assuming that the user didn't install custom fonts, the font list should be the same across all the installs.
I think Qubes closes most of the low hanging fruit in this space, but completely preventing fingerprinting is very hard and there are probably ways to leak identifying info.
Indeed, you can take this a step further and assign each bucket its own VPN, with JS turned off to minimize fingerprintability. You can even setup multiple virtual machines with multiple screen resolutions on each to further divide up your sessions, making your surfing modified beyond recognition. It might take a weekend or two to wrap your head around VMs and VPNs, but it's worth it.
Also, if you're paranoid about your VPN provider spying on you, you can install HTTP nowhere: https://addons.mozilla.org/en-US/firefox/addon/http-nowhere/ to further compartmentalize the risk of spying. DNS, however is tricky to obfuscate, so I would recommend surfing under broad and generic domains, like TWITTER.com and places like REDDIT.com which often scrape and proxy the content from other sites so you don't need to visit those sites explicitly.
Not necessarily. The amount of bits needed to fingerprint somebody is substantially lowered doing this, and although you stand out by taking extra steps like this, it's substantially better than a large portion of the configurations you do see.
Of course if your threat model is such that nation states are targeting you, either passively, or actively, then TOR is fitting in most cases, but TOR can prove to be overkill in most cases.
For example, if I'm surfing a website which blocks TOR, I can use a JonDoFox[1] profile to visit a website with a VPN, and achieve better-than-most anonymity for my needs, albeit not as rigorous as what TOR provides, but at least my connection has rudimentary protection from passive eavesdropping.
Keep in mind, VPNs are a countermeasure only and do not provide perfect privacy, but you can lessen the information gathered using the techniques I outlined. Surf under generic domains, and block traffic downloaded en clair
The problem is that even if the number of bits on the fingerprint shrink, you're also lowering the selection size.
It's a tradeoff, you can overdo it and certainly end up less anonymous than before.
A bigger fingerprint might make it easier to identify you but if there are more fingerprints, there might also be more fingerprints that are exactly the same, thus being drowned by the mass.
Be sure to use a common window size, though. If you pick a nice size with your mouse (as I always do), your window size is almost certainly unique when paired with just a few more bits of info.
This page didn't, because it only profiles third party cookies - that is, your browser explicitly admitting which sites you're logged into. Privacy Badger, Disconnect, or uBlock will all handle that, as will simply disabling the browser setting.
That was pretty much my point: this is a "nice" profile. One that targets unintentionally identifying image like browser window dimensions can easily track you despite all of those precautions.
What I really want is something like this and it opening containers automatically based on url sets.
So going to facebook would go to the facebook set automatically and isolate facebook. But I don't have to manually open the "facebook profile" to do the switch. Same with twitter, amazon, google*, youtube, apple, etc.
If you have multiple accounts, you can have the interface pop up a "choose your subcontainer" automatically with the new google container or whatever. All browsing in that container would then stay in that subcontainer until you close it.
Yeah, as long as it only activates that container based on typing in facebook or going to a bookmark, not just any random site hitting that URL. Which would then probably break following links to those sites - could you trigger it based on a normal navigation to that domain, but not based on some other site trying to fetch an image from it out of the blue?
For anyone wanting to do this, the profile and no-remote command line options[1] may be useful if you want to create shortcuts to launch specific profiles
You might also want to consider using a different theme[2] in each profile to help avoid mixing them up if your running multiple instances simultaneously.
My initial use case for this was adding the lets encrypt staging certificate authority to the trusted root certificate authorities in a profile only used for testing.
Slightly easier way is to use the Disconnect/Privacy Badger extensions, along with uBlock Origin. It does a lot to prevent cookies from leaking across sites.
If you're still worried, I'd take the time to learn and use uMatrix (https://github.com/gorhill/uMatrix) in addition to uBlock. For me, uMatrix has replaced Privacy Badger and other similar addons because they're no longer needed. It requires a bit more effort to maintain though.
Great advice. I use Chrome for Google, twitter, and Facebook, and another browser for everything else. This isn't quite as good as your approach, but gives me some web platforms isolation.
There in lies the problem, all those Facebook widgets on various 3rd party websites are used to track you. If you block FB's network ranges then it gets much harder for them to do that.
In effect you are "using" Facebook whether you want to or not; this is the issue some people have with shadow FB profiles.
Shouldn't disabling 3rd party cookies also prevent this kind of attack? The request for the facebook/twitter favicon is being made from a non-FB/TW page and so the login cookie won't be sent.
This would depend upon how the browser implements its 3rd party cookie blocking. If it only blocks setting cookies, but still allows existing cookies to be sent, then there would be no protection.
I've had a fantasy of not just using different browser profiles (effectively) for each site, but routing requests for each site through a different personally-run cloud-hosted proxy.
Someday maybe I'll get around to setting it up. Maybe.
Or you can enable basic privacy settings on about:config, NoScript, etc. I get "No platform" both on my phone and Desktop (though I don't have any social networks, I created a Facebook account to test).
Firefox Nightly has container tabs available right now and they are fantastic! Only thing missing is a shortcut / better way to open a different type of container tab.
Lately I've been using Opera Incognito with free builtin VPN for all general browsing and I highly recommend it. (I use Chrome to stay logged in to email).
Having one profile, or even an entire dedicated browser just for Twitter/FB ensures the login is not spilled over into other sites. If you're surfing the web heavily, I would recommend spawning a new private window so cookies, and other artefacts are not bleeding into your session.
It sounds like common sense, but many people have cookies and login information persisting for years at a time in their browsing sessions. The Mozilla Firefox team are planning to introduce a feature which makes compartmented surfing sessions a lot more user-friendly by separating sessions into tabs. Currently, the 'profiles' feature of Firefox is not user friendly and requires a bit of tinkering with the filesystem.