In this Apple-user-oriented and Safari-and-Mail-centric guide to improving privacy, security, and speed for the average Joe’s online experience, I suggest some extensions, applications, and components for both macOS and iOS. I don’t pretend to be writing the perfect guide. I just want to share what I find useful from this perspective and hope that it can be helpful to someone else.
Internet privacy and online anonymity are extremely hard to achieve, if not impossible, because of increasingly pervasive and aggressive data mining practices and global mass surveillance programs. Truth be told, in most cases we willingly give up a lot of our data, personal life, and details in order to use convenient free services like social networks, email, DNS, blog engines, cool sites, communities, communication apps and so forth. Moreover, using services and software one thought to be safe, private, and secure, that ain’t really so, gives a false sense of security and privacy, and this is possibly even more dangerous: we all behave differently when we believe we are not being watched or, at least, we refrain from socially unacceptable things when we know we are being watched. It’s just our natural behavior.
Big data serving immoral marketing strategies isn’t the only issue here. There are serious intrinsic privacy concerns and quite worrisome related dangers that people often don’t take into account (or care about) whenever they share very personal data on these platforms. Most of us aren’t even aware we leave a significant trail in everything we do, both online and offline, and that all of this contributes to very accurate profiling. In fact, even if you don’t have any social network account or don’t explicitly agree to be tracked and profiled, they (social networks or otherwise) do have a profile of you.
The broad invasion of privacy we’re all subject to can have dire consequences. Take identity theft and all it can lead to as an example. What’s worse, most of the time it’s not entirely one’s fault if one falls victim to identity theft, because of data breaches caused by some companies’ negligence or mistakes in an ever more digital life.
So, should you be willing to learn how to protect yourself against unfair practices or at least mitigate them, Kevin Mitnick’s “The Art of Invisibility” is a good start. Mind, it is not a panacea. Most of the technologies and techniques outlined in the book are common knowledge and are easily feasible. On the other hand, the care required to fully achieve what’s taught in the book demands a pretty serious commitment that most of us just can’t be arsed to even think about. In all fairness, it’s close to impossible for the average Joe (including me) to keep up with those goals and be stealthy. But that’s ok, we are not Edward Snowden or Julian Assange after all. You might even argue that “I’ve nothing to hide…” Well… It. Ain’t. Quite. So. I strongly advise that you read the book nonetheless. If anything, for general knowledge.
Having said that, while I personally couldn’t take on Mitnick’s precautions fully, the book got me thinking about how to mitigate at least some of the data mining and improve both my security and privacy in my day-to-day online presence, while still using the software I usually use (as opposed to switching to something else) and without compromising my online experience, in terms of usability, too much.
The web is plastered with advertisements masked as unbiased articles and guides. Most of the time these rank high in search engines too, making it hard to discern what’s legit from the crap. But there are plenty of good resources out there to help you understand things better. Some of these give you the tools to make an educated choice, others give you precious advice on how to improve your situation.
However, as valid as these resources may be, most of them are centered around technologies I don’t want to switch to. This post is a small and humble contribution to those and it aims to make things a little better and safer for Apple users who use and love Safari and Mail, be it on macOS or iOS.
Based on this preamble, I don’t pretend to be writing the perfect guide; I just want to share what I find useful from this perspective and hope it helps someone else. If you have better options that are compatible with my premise, I’d like to hear about them, so please share them.
Again, I don’t claim to have the definitive solution. There is neither a single book nor a single product that can make you absolutely secure and, to that extent, grant you absolute privacy. Remember: security is not a product. It’s a process.
Also, the reasons why using a VPN, end-to-end encrypted communication tools, and what-have-you is a good idea will not be discussed here; their benefits are taken for granted. I assume that you, the reader, know about them or are at least interested enough to find out for yourself. There are already copious resources that explain why these tools are beneficial. Thus, I’ll just point out the ones I use and some unbiased websites to help you choose your own favorite or get suggestions to improve your online privacy and security.
Lastly, should you be surprised by the fact that some of the services mentioned here require a payment, I’d like you to know that I’m in no way affiliated with any of them. Part of the reason you should pay for them is the old adage “if something is free, then you are the product”. No matter how many arguments are brought against this mantra, it’s still very valid and, besides the usual suspects, there have been cases of free plugins harvesting and selling your data to the very companies their product should protect you from in the first place. This is why I’ll try to suggest alternatives that follow a more ethical approach and a transparent philosophy, and that are open source, whenever possible.
To both make a point of how simple it can be to mitigate risks, and to encourage you to continue reading this post, I’ll start with the Mail item requiring the least effort: email tracking. It is a sneaky and deceitful practice that went from being frowned upon to being unnoticed, widespread, abused, and easily accessible to everyone. It’s also very hard to effectively defeat. The only effective method to mitigate it today, according to the conclusion of Englehart in this article, is to disable remote content from automatically loading in your emails. The only downside is uglier emails, but safer ones. It’s a good compromise and you still retain the choice to view the email in your web browser, should you want to. So, go to Mail preferences and disable remote content, on both macOS and iOS.
To prevent macOS Mail from downloading remote content:
To prevent iOS Mail from downloading remote content:
“It’s that easy…”
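To show what auto-loading remote content actually gives away, here is an added example (my own code, not part of the original post) that parses an email and flags the remote images that behave like tracking beacons: one-pixel, hidden, or carrying a per-recipient identifier in the URL. The sample message, the host names and the list of suspicious query keys are all constructed for the illustration.

```python
"""Flag remote-content tracking beacons in an e-mail (added example).

A mail client that auto-loads remote content fetches every remote <img>
the moment a message is opened, which tells the sender when, where and on
which device you read it. This parses a MIME message and reports remote
images that look like tracking pixels. The message is constructed.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: a newsletter with a real logo and a hidden 1x1 beacon.
SAMPLE_EML = """\
From: news@example.net
To: joe@example.com
Subject: Your weekly update
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://cdn.example.net/logo.png" width="200" height="60">
<p>Hello Joe, here is your update.</p>
<img src="https://track.example.net/open?uid=8f3a2c&amp;msg=41" width="1" height="1" style="display:none">
</body></html>
"""

# Query-string keys commonly used to tie an open event to one recipient (heuristic, constructed list).
TRACKER_QUERY_KEYS = {"uid", "id", "u", "msg", "mid", "cid", "email", "e", "t", "token"}


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            # HTMLParser already unescapes &amp; in attribute values.
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(img):
    """True only when width and height are both declared and at most one pixel."""
    try:
        width, height = int(img["width"]), int(img["height"])
    except (KeyError, ValueError):
        return False
    return width <= 1 and height <= 1


def find_tracking_pixels(raw_message):
    """Return a list of (url, reasons) for remote images that look like beacons."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []  # plain-text mail cannot carry a remote image
    parser = _ImgCollector()
    parser.feed(body.get_content())
    findings = []
    for img in parser.images:
        src = img.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # inline (cid:) and data: images do not phone home
        reasons = []
        if _is_tiny(img):
            reasons.append("1x1 pixel")
        if "display:none" in img.get("style", "").replace(" ", ""):
            reasons.append("hidden")
        if TRACKER_QUERY_KEYS & set(parse_qs(url.query)):
            reasons.append("identifier in query string")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for url, why in find_tracking_pixels(SAMPLE_EML):
        print(f"{url}  <- {', '.join(why)}")
```

With remote loading disabled in Mail, none of these fetches happen until you choose to load the content, so the beacon never fires.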
Another easy expedient is to switch to a more privacy-oriented search engine than Google. Safari offers DuckDuckGo by default; use it, as it is good enough for most people. However, I find StartPage to be closer to my needs. I like the search results better and, most importantly, it offers anonymized proxy links right beside the search results.
If you would like to try out StartPage, you just need to install the official Safari extension by clicking “Add to Safari” on its homepage.
My preferred StartPage setup has address bar search enabled and opens empty tabs and windows on load. This way it’s faster to use and it won’t require loading https://www.startpage.com/ every time you open a new tab or a new window (which is a bit annoying and very slow). YMMV.
Of course, there are more privacy-oriented search engines you could use, but I prefer to only list the most famous one, DuckDuckGo, and my favorite alternative.
The only thing I dislike about StartPage is that it won’t integrate into Safari as a selectable search engine in the “Search” preferences tab, but probably this is not entirely StartPage’s fault. Perhaps if we ask Apple nicely for it to be integrated as a selectable search engine from the “Search Engine” menu, it will happen as it did with DuckDuckGo in OS X Yosemite and iOS 8.
There is a plethora of extensions available for Firefox and Chrome, perhaps far too many. In comparison, Safari extensions are few. Worry not, most of the needs discussed in this post are very well covered by them. The missing EFF extensions are certainly a minus, but we can live without them until the technical reasons why these are missing are addressed. You should note that the EFF applauds the new privacy technologies Apple implemented in Safari, so we are a little safer than before.
Nevertheless, I do encourage lobbying for changes in Safari to enable things like HTTPS Everywhere and hardware and biometric authentication standards like FIDO U2F and UAF, especially since Apple already cares about its users’ privacy and integrates biometrics in its products. Perhaps if we ask Apple nicely, again, we might see those implemented soon enough.
Now, although Apple’s continuous efforts and the EFF’s praise are encouraging, this is the list of extensions I suggest you use (yes, all of them):
TrafficLight: a helpful extension that points out threatening sites (malware and phishing attempts) each and every time you access them. A simple traffic-light metaphor will help you discern those sites right within the search results as well.
uBlock Origin: the best ad blocker and filtering extension. It’s open source. It’s effective. It’s customizable. It doesn’t spy on you. It doesn’t sell your data. You should enable all of the lists in the “3rd-party filters”, with the exception of languages you don’t care about and experimental ones. Especially enable the “Social” filtering ones. With the latter enabled, you won’t have social buttons to click on to share on social networks, but at least you can mitigate very accurate profiling, which by the way affects even people who don’t have any social network account.
Wipr: lightweight and efficient ad, tracker and many other annoyances blocker.
Better: ethical and effective content blocker.
UntrackMe: while it’s not perfect as it doesn’t catch them all, it removes the tracking tags from (e.g.) articles you may open with an RSS reader.
JS Blocker: if you’ve ever used NoScript for Firefox or ScriptSafe for Chrome, it’s time you rejoice! JS Blocker is amazing, effective and not as intrusive as the aforementioned ones. It even helps to prevent canvas fingerprinting.
Syndicate: should you still be using an RSS reader and have uBlock Origin blocking social buttons (which blocks RSS icons too), you need this to subscribe to RSS feeds from Safari directly.
CheckShortURL: the last one here is not an extension but a very useful tool you should bookmark and make it a habit to use. Why? Briefly, shortened URLs could link to potentially dangerous sites or pages without you knowing until you actually click on them. This tool expands them for you safely and gives you the opportunity to check the destination link (it also provides ways to check the final URL’s reputation and scan it for viruses). As you’ll see in my next post, my network blocks short URLs unless I whitelist them on my router, so I’m kind of forced to use such a service. You’ll get used to it quickly and it can save you some hassle.
So far we’ve improved our browsing and email privacy a little (more on email later), but you should also take care to improve your security as well. If the many and ever-growing data breaches taught us anything, it is that people are very careless when it comes to Internet security. These dumps demonstrate that this is especially true with password security: most of the time people use very simple-to-crack passwords and, what’s worse, the same passwords all over the place. Besides passwords, there are many other computer security aspects that you should be aware of and should be taking care of, but this is beyond the scope of this section. So, without further ado, these are the external apps I use and recommend you use too:
1Password: a password manager is a must. Full stop. The one I like and find most convenient is 1Password. There are many out there and you are free to choose the one you want beyond this recommendation, but do use one. Also, there have been developments in password security, so choose one that allows different kinds of passwords to be generated and kept safe.
Cookie 5: cookies are one of the tools in the arsenal of marketers, data miners, and, believe it or not, crackers. It doesn’t take much effort to be a little safer. Cookie 5 is a good app toward that goal and is very much set-and-forget.
Wifi Spoof: spoofing your MAC address is going to help with masking your identity and possibly save you from some hassles, however small. It is a good practice to follow and it’s also one of the things suggested by Kevin Mitnick in his book.
BitDefender Antivirus: yes, I know… you think the Mac is intrinsically safe and that there are no such things as viruses and malware for it. Well, long story short: that’s simply not true. In fact, even Apple has a brief official page about it. Albeit the amount of existing macOS malware is risible in comparison with that other operating system, and many argue against antivirus in general, I strongly suggest you use anti-virus and anti-malware (but avoid the crap!!!). Again, it’s your choice whether to install one or not and, especially, which one to use. I like BitDefender. Remember, there’s no perfect product. Choose the one you think is best, but avoid freeware and adware.
Cryptomator: should you be using a public cloud file service like Dropbox, it’s best if you add an extra layer of protection (both for privacy and security). Cryptomator is open source, it’s pay-what-you-want and it’s fairly easy to use. It will improve your privacy against surveillance and render file leaks less effective. I haven’t tested it on iCloud but it doesn’t sound like a bad idea. Remember the fappening? While it’s true that it was a phishing attack (as opposed to an iCloud vulnerability), it is also likely true that, had an additional layer of encryption been in place, it would probably have been harder to get those files in the clear.
If you don’t know what DNS is and why it’s crucial to the Internet, just think about it as a taxi you jump on every time you want to be taken to a website. Every single time you type an address into your browser, there’s a DNS resolver doing the hard work for you (taking you to that address with its taxi). Because of this, a DNS resolver knows a lot about your online activity. There are many free DNS services out there and most of them promise to be anonymous or not to spy on you. I don’t really trust them. There are some exceptions though, such as resolvers run by hacker collectives or by privacy advocates. However, as you’ll see later, a good enough DNS to use is the one provided by your VPN service. But what if you do not have a VPN? Which one to use, among the many freely available? Well, it’s a compromise. My favorite one, besides the one provided by my VPN when I’m not connected to it, is Quad9. For a few simple and solid reasons you can read about on their site: security, performance, and privacy.
Quad9 has a very simple to follow DNS configuration guide, so I won’t repeat it here.
One more piece of advice on DNS, for completeness’ sake, is DNSCrypt. More info on Wikipedia. Though it doesn’t provide end-to-end security, it protects the local network against man-in-the-middle attacks and helps to prevent DNS spoofing. This falls more into DNS security than privacy, and I’m not entirely sure how good DNSCrypt usage is, in this context, after all. Feel free to explore and use it, but keep in mind that Quad9 is enough for the main point discussed here.
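Following Quad9’s guide is easy, but it is worth verifying that macOS really ended up using it and not the router’s resolver too. This added example (mine, not from Quad9 or the original post) parses the output of `scutil --dns`, the command macOS uses to print its current resolver list, and reports any nameserver that is not one of Quad9’s published addresses. The two outputs below are constructed; the script name and the habit of running it off-VPN (on VPN you will see the VPN’s resolver instead) are my assumptions.

```python
"""Check that macOS is actually resolving through Quad9 (added example).

`scutil --dns` prints the resolver list macOS is using right now. This parses
that output and reports every nameserver that is not Quad9, which catches the
common mistake of adding 9.9.9.9 while the router's resolver is still listed
first. Sample outputs are constructed; on a Mac run:  scutil --dns | python3 check_quad9.py
"""
import re
import sys

# Quad9 "secured" service addresses as published on quad9.net.
QUAD9 = {"9.9.9.9", "149.112.112.112", "2620:fe::fe", "2620:fe::9"}

RESOLVER_RE = re.compile(r"^resolver #(\d+)")
NS_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")

# Constructed `scutil --dns` output from a Mac configured per Quad9's guide.
GOOD_SAMPLE = """\
DNS configuration

resolver #1
  nameserver[0] : 9.9.9.9
  nameserver[1] : 149.112.112.112
  if_index : 6 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000
"""

# Constructed output where the router's resolver was left first in the list.
BAD_SAMPLE = """\
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 9.9.9.9
  if_index : 6 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)
"""


def parse_scutil_dns(text):
    """Map each resolver number to the nameservers listed under it, in order."""
    resolvers = {}
    current = None
    for line in text.splitlines():
        m = RESOLVER_RE.match(line)
        if m:
            current = int(m.group(1))
            resolvers[current] = []
            continue
        m = NS_RE.match(line)
        if m and current is not None:
            resolvers[current].append(m.group(1))
    return resolvers


def non_quad9_servers(text):
    """Return the nameservers in use that are not Quad9 (deduplicated, in order)."""
    seen = []
    for servers in parse_scutil_dns(text).values():
        for ns in servers:
            addr = ns.split("%")[0]  # drop a link-local scope id such as fe80::1%en0
            if addr not in QUAD9 and addr not in seen:
                seen.append(addr)
    return seen


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else BAD_SAMPLE
    leaks = non_quad9_servers(text)
    print("all resolvers are Quad9" if not leaks else "non-Quad9 resolvers: " + ", ".join(leaks))
```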
As anticipated in the disclaimer, I won’t go over the reasons why using a VPN is a good thing. However, I don’t want you to fall for advertisement articles and videos in your web search, so I’ve picked these three random videos among the most neutral I could find: 1, 2 and 3, and this very good article, to help you understand some of the benefits and the reasons why using a VPN is a must nowadays. I strongly recommend reading the article, since it also discusses proxies, Tor, and the combined use of VPN and Tor together.
Now, a VPN is only as good as its privacy and logging policies and the legislation it falls under. You should check the resources at the bottom of this page and choose for yourself. Again, there’s no perfect product, and this is true for VPNs too. I personally use Mullvad VPN and this is what I’d advise you to use too, even if Sweden is probably going to implement harsher laws against this kind of service very soon. Yes, Mullvad is Swedish for mole.
There are a few good reasons why I like Mullvad, among them: they don’t ask for your identity when you create an account, they have a zero logging policy, they accept Bitcoin payments, their articles and guides are very good, and they already support and implement WireGuard servers (as an experimental Linux-only feature).
You’d be flabbergasted if you knew that email was never meant to be secure and private, how easy it is for somebody eavesdropping to read your emails, and how high the risks are in sending personal details over email. These are the reasons why you should use encryption at all times in all of your communications, not just email, and take some precautions when sending emails. Better still, use a privacy-oriented email service. As for VPNs, I encourage you to check the resources at the bottom of this page and choose for yourself. I do use a specific one but I might change it soon, therefore I won’t spend much time talking about it here.
Having said that, I’d like to give you some hints:
Choosing the email provider is important, of course. Once you have one, you should also know how to use encrypted email though. Using GPGMail with Mail is a breeze, once you have created your GPG key pair and have taught yourself how to do this whole encryption business. Luckily for us, GPG Suite offers a very detailed and easy-to-understand how-to. Easy peasy.
As a last note, I’d like you to know about DarkMail. It is very promising, but far from being deployed anytime soon (if it’s still alive at all). Keep an eye on it nonetheless.
One thing should be clear by now: you should not be using Skype, WhatsApp, Messenger or any other instant messaging app that is not so safe and is pretty much entangled with data mining and the mass surveillance circle. Perhaps you think you are safe because you are using Telegram, Signal, WhatsApp or even ChatSecure and XMPP. While the latter is better than the former, they are not quite it. I personally use and strongly advise you to switch to Wire. It’s open source, it’s reliable, it has a strong security argument and great features, and its security is regularly and independently audited. It also compares favorably with all of them (scroll down to the bottom of the home page for a comparison table). Besides, it’s also cross-platform: it is available for iOS, Android, Linux, Windows, macOS and as a web browser client. You can use it to make voice and video calls and to send text messages, files, images, videos, audio files and user drawings, depending on the client used. It is hosted within the European Union and protected by European Union laws.
If you have read the disclaimer, you can recall that the web is plastered with advertisements masked as unbiased articles and guides. Besides paid articles written only to promote certain services, one particular category of shitty malware disguised as useful software you must avoid at all costs is the “scammy cleaning family”. Yes, I’m referring to all of the infamous Mac cleaning utilities, whatever their names are and whatever they claim to be doing for your own good: do not trust them and do not ever install them. They will either install malware or be malware themselves, infesting your Mac and making your life worse. Furthermore, they are a pain to eradicate.
There is a lot more software that will install or integrate malware, adware, and tracking within its app, like uTorrent for example, but I cannot list it all. Not to mention all of the tricky malware you might incautiously install if you visit porn sites or free streaming sites. Just beware of what gets into your Mac. By the way, should you be doing torrents, use qBittorrent.
Another important piece of advice is that you should also avoid software cracking. As you may have guessed, it’s not free. Cracked software is very likely to be infected with some kind of malware. That’s often the payoff for their efforts. If you really want free, then use the Free, Libre and Open Source Software available for the Mac platform. Most of it is available via Homebrew and very easy to install.
The above is only a brief representative sample of dangerous sites, mischievous articles, not-so-great services, and dangerous software habits. I can’t know about all of them, but I brought up these examples also to take a step back: malware does exist on the Mac and you do need to protect against it.
So far we’ve mainly discussed macOS. This is partly because iOS doesn’t really allow the same level of sophistication, so the iOS part is going to be shorter. However, since Apple introduced content blocking on iOS, it is a good idea to take full advantage of this as much as we possibly can. The other reason is that some of the software and extensions I introduced earlier will be used for iOS as well. We can take advantage of VPN and encryption, as well as using our favorite DNS and most of the things we’ve discussed so far. Now, I won’t go over the topics again and I’ll just list components and apps you should be using on iOS, with some additions:
DuckDuckGo: you should use Safari with DuckDuckGo on iOS too.
Purify: uBlock Origin and JS Blocker are not available for iOS. Purify is the best option to block many annoyances in one small and easy-to-use application.
Wipr: lightweight and efficient ad, tracker and many other annoyances blocker.
Better: ethical and effective content blocker.
OpenVPN Connect: the official OpenVPN client. Look no further. Here’s how to use it with Mullvad VPN. You should always use a VPN when connected to a public wifi. To be even safer, use a VPN even when you are on your cellular network as well.
DNS Override: if you want to take advantage of a safer DNS on iOS as well, DNS Override is the app you are looking for. I haven’t found anything better than this so far, so this is it for now. It’s extremely configurable and very well thought out. You can set your rules per network and forget about it.
iPGMail: this is kind of the best equivalent to GPG Suite I could find for iOS. iPGMail integrates with the iOS Mail application and makes the process of sending or receiving secure private messages simple. Your best bet for encrypted emails on iOS so far.
iOS Antivirus?: the way iOS works makes it so that antivirus is not needed, at all. Perhaps one day we’ll get the same level of sandboxing and security for macOS too.
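Purify, Wipr and Better all ship their rules in the JSON format of Safari content blockers, the iOS mechanism mentioned above: a list of trigger/action entries evaluated in order, where a later "ignore-previous-rules" entry cancels what earlier entries matched. This added example (my own simplified model, not WebKit’s code nor any of those apps’) shows how such a list decides a request, including the "Social" filter effect described under uBlock Origin (social buttons blocked only when embedded on third-party pages) and why an over-broad allow rule also cancels the cosmetic hiding. The rule list, domains and requests are constructed.

```python
"""Simplified model of Safari content-blocker rule evaluation (added example).

Not WebKit's implementation: it covers url-filter, url-filter-is-case-sensitive,
load-type, if-domain and unless-domain triggers and the block,
css-display-none and ignore-previous-rules actions. Third-party status is
decided by comparing host names (WebKit uses the registrable domain).
"""
import re
from urllib.parse import urlparse

# Constructed rule list in Safari content-blocker JSON shape.
RULES = [
    # Social-button beacons are blocked only when embedded on someone else's page.
    {"trigger": {"url-filter": "^https?://[^/]*social\\.example/(plugins|like)",
                 "load-type": ["third-party"]},
     "action": {"type": "block"}},
    # A known tracker is blocked everywhere.
    {"trigger": {"url-filter": "^https?://[^/]*tracker\\.example/"},
     "action": {"type": "block"}},
    # Hide the empty share widgets left behind on every page.
    {"trigger": {"url-filter": ".*"},
     "action": {"type": "css-display-none", "selector": ".share-buttons"}},
    # Allow rule: on blog.example let the tracker through (note what else it cancels).
    {"trigger": {"url-filter": "^https?://[^/]*tracker\\.example/",
                 "if-domain": ["blog.example"]},
     "action": {"type": "ignore-previous-rules"}},
]


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _domain_matches(host, patterns):
    """if-domain/unless-domain semantics: exact host, or "*example" for it and its subdomains."""
    for p in patterns:
        if p.startswith("*"):
            suffix = p[1:]
            if host == suffix or host.endswith("." + suffix):
                return True
        elif host == p:
            return True
    return False


def _trigger_matches(trigger, url, page_url):
    flags = 0 if trigger.get("url-filter-is-case-sensitive") else re.IGNORECASE
    if not re.search(trigger["url-filter"], url, flags):
        return False
    req_host, page_host = _host(url), _host(page_url)
    if "load-type" in trigger:
        third_party = req_host != page_host
        wanted = trigger["load-type"]
        if third_party and "third-party" not in wanted:
            return False
        if not third_party and "first-party" not in wanted:
            return False
    if "if-domain" in trigger and not _domain_matches(page_host, trigger["if-domain"]):
        return False
    if "unless-domain" in trigger and _domain_matches(page_host, trigger["unless-domain"]):
        return False
    return True


def evaluate(rules, url, page_url):
    """Return {"block": bool, "hide": [selectors]} for a request issued by page_url."""
    block, hide = False, []
    for rule in rules:
        if not _trigger_matches(rule["trigger"], url, page_url):
            continue
        kind = rule["action"]["type"]
        if kind == "block":
            block = True
        elif kind == "css-display-none":
            hide.append(rule["action"]["selector"])
        elif kind == "ignore-previous-rules":
            block, hide = False, []  # every earlier match, cosmetic ones included, is cancelled
    return {"block": block, "hide": hide}


if __name__ == "__main__":
    for req, page in [("https://social.example/plugins/like.php", "https://blog.example/post"),
                      ("https://social.example/plugins/like.php", "https://social.example/home"),
                      ("https://tracker.example/pixel.gif", "https://blog.example/post")]:
        print(page, "->", req, evaluate(RULES, req, page))
```

The last case is the one to watch for in any list you install: an "ignore-previous-rules" entry scoped to a domain silently re-enables everything, cosmetic filters included, on that domain.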
These are some must-watch videos about the topics we’ve discussed in this post.
Edward Snowden: Here’s how we take back the Internet: the right to data privacy, he suggests, is not a partisan issue, but requires a fundamental rethink of the role of the internet in our lives and the laws that protect it.
Christopher Soghoian: privacy researcher Christopher Soghoian sees the landscape of government surveillance shifting beneath our feet, as an industry grows to support monitoring programs.
Mikko Hypponen: How the NSA betrayed the world’s trust: this video puts things into a wider perspective. Worldwide, in fact.
Bruce Schneier: The security mirage: the feeling of security and the reality of security don’t always match, says computer-security expert Bruce Schneier.
Juan Enriquez: Your online life, permanent as a tattoo: a very short video about the permanency of our Internet habits.
Glenn Greenwald: Why privacy matters: in this searing talk, Greenwald makes the case for why you need to care about privacy, even if you’re “not doing anything you need to hide.”
Zeynep Tufekci: We’re building a dystopia just to make people click on ads: eye-opening insight about the force driving the modern digital dystopia. It puts things into perspective. Hint: it’s not only about ads.
Jennifer Golbeck: Your social media “likes” expose more than you think: watch this talk to find out the surprising things Facebook (and others) can guess about you from your random Likes and Shares.
Cathy O’Neil: The era of blind faith in big data must end: algorithms decide who gets a loan, who gets a job interview, who gets insurance and much more – but they don’t automatically make things fair.
Malte Spitz: Your phone company is watching: what kind of data is your cell phone company collecting? This is an interesting take on data retention.
Government Surveillance: Last Week Tonight with John Oliver: if you are not worried about your privacy by now, perhaps the dick-pics program could help you understand better.
Mikko Hypponen: Three types of online attack: cybercrime expert Mikko Hypponen talks us through three types of online attack on our privacy and data – and only two are considered crimes.
Gary Kovacs: Tracking our online trackers: an interesting video about behavioral tracking. Personal data can make your browsing more efficient; cookies can help your favorite websites stay in business.
Avi Rubin: All your devices can be hacked: could someone hack your pacemaker? Avi Rubin shows how hackers are compromising cars, smartphones, and medical devices, and warns us about the dangers of an increasingly hack-able world.
Christopher “moot” Poole: The case for anonymity online: this talk raises questions about the power – and price – of anonymity.
One last piece of advice is about common computer security knowledge. Albeit common knowledge, it’s neglected by most people more often than you think. It’s for this reason that most universities have dedicated pages. You’d think that higher education students would be educated enough and blah… nope! I find the Berkeley resources to be very valid, informative and easy for anyone to understand. You should browse around. Also, I’m going to reiterate some of these common best practice concepts here, again:
I think that’s enough for a sample of the common best practices. Should you be thinking I’m being paranoid, this is a good time to suggest browsing around the valid Berkeley resources once more, to remind you that marketers steal your credentials when you are visiting websites, and to suggest a couple more books to read:
I can guarantee you’ll be surprised, astounded and gobsmacked to learn what is even remotely possible for crackers to do with the right motivation.
In my next post, I’ll be sharing my LEDE configuration and considerations. It will not be too technical but it’s definitely going to aim at a slightly geekier Joe. In that post, I’ll point out what extra components I’ve installed and what kind of configuration made my home wi-fi a little safer for all the family members to use, just by connecting to it and with zero knowledge of anything discussed in this very post or in the next one. I’ll also share my scripts to automate custom builds. Stay tuned.