
Your browser can reveal an alarming amount of information about you.

Perhaps unsurprisingly, when you visit a website your browser sends a large amount of identifying data to the site you are communicating with.


Cookies are pieces of information that a web site can send to your browser. If your browser “accepts” them, they will be sent back to the site every time the browser requests a page, image or script from the site. A cookie set by the page/site you’re visiting is a “second party” cookie. A cookie set by another site that’s just providing an image or script (an advertiser, for instance), is called a “third party” cookie.

Cookies are the most common mechanism used to record the fact that a particular visitor has logged in to an account on a site, and to track the state of a multi-step transaction such as a reservation or shopping cart purchase. As a result, it is not possible to block all cookies without losing the ability to log into many sites and perform transactions with others.

Unfortunately, cookies are also used for other purposes that are less clearly in users’ interests, such as recording their usage of a site over a long period of time, or even tracking and correlating their visits to many separate sites (via cookies associated with advertisements, for instance).

With recent browsers, the cookie setting that offers users the most pragmatic tradeoff between cookie-dependent functionality and privacy is to only allow cookies to persist until the user quits the browser (also known as only allowing “session cookies”). Tails, by the way, does this automatically with Iceweasel.
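The distinctions above (who set the cookie, and whether it outlives the browser session) can be read straight from the `Set-Cookie` headers a page load produces. The following is an added example, not part of the original article; the hosts and header values are constructed, and the two-label "site" comparison is a simplifying assumption.

```javascript
// Added example: classify Set-Cookie headers observed while loading one page.
// Hosts and header values are constructed sample data.

// Assumption: "site" = last two DNS labels. Real browsers use the Public
// Suffix List, so this is wrong for suffixes such as co.uk.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Split one Set-Cookie value into its name and lower-cased attribute names.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const attrNames = attrs.map((a) => a.split('=')[0].trim().toLowerCase());
  return { name, attrNames };
}

// pageHost: host in the address bar; responseHost: host that sent the header.
function classify(pageHost, responseHost, header) {
  const { name, attrNames } = parseSetCookie(header);
  const persistent = attrNames.includes('expires') || attrNames.includes('max-age');
  return {
    name,
    party: siteOf(pageHost) === siteOf(responseHost) ? 'visited-site' : 'third-party',
    lifetime: persistent ? 'persistent' : 'session',
  };
}

// Names of cookies still stored after the browser is quit and reopened.
function keptAfterQuit(cookies, sessionOnlyPolicy) {
  if (sessionOnlyPolicy) return []; // every cookie is treated as a session cookie
  return cookies.filter((c) => c.lifetime === 'persistent').map((c) => c.name);
}

const observed = [
  ['shop.example.com', 'shop.example.com', 'cart=abc123; Path=/; HttpOnly'],
  ['shop.example.com', 'shop.example.com', 'uid=77; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/'],
  ['shop.example.com', 'ads.tracker.example.net', 'id=f00d; Max-Age=31536000; Path=/'],
];
const report = observed.map(([page, from, header]) => classify(page, from, header));

console.log(report);
console.log('default policy keeps:', keptAfterQuit(report, false));
console.log('session-only keeps:  ', keptAfterQuit(report, true));
```

Under the default policy the long-lived `uid` and advertiser `id` cookies survive a restart; with a session-only policy nothing does, while the login and cart cookies still work during the session.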

Recent Cookie-Like “Features” in Web Browsers

In addition to the regular cookies that web browsers send and receive, and which users have begun to be aware of and manage for privacy, companies have continued to implement new “features” which behave like cookies but which are not managed in the same way. Adobe has created “Local Stored Objects” (also known as “Flash Cookies”) as a part of its Flash plug-ins; Mozilla has incorporated a feature called “DOM storage” in recent versions of Firefox. Web sites could use either or both of these in addition to cookies to track visitors. It is recommended that users take steps to prevent this.

Managing Mozilla/Firefox DOM Storage Privacy.

If you use a Mozilla browser, you can disable DOM Storage pseudo-cookies by typing about:config into the URL bar. That will bring up an extensive list of internal browser configuration options. Type “storage” into the filter box, and press return. You should see an option called Change it to “false” by right-clicking and choosing Toggle.

Managing Adobe Flash Privacy.

Adobe lists advice on how to disable Flash cookies on their website. There are some problems with the options Adobe offers (for instance, there is no “session only” option), so it is probably best to globally set Local Stored Object space to 0 and only change that for sites which you are willing to have tracking you. On the Linux version of Adobe’s Flash plugin there does not seem to be a way to set the limit to 0 for all sites, and therefore its use should be limited or avoided. Luckily Tails does not have Flash installed, but in case you are not using Tails, be aware of this.

If you absolutely need to watch a video online, find a way to download the video to your computer and watch it that way. This takes the browser out of the loop of processing a video for you and eliminates those Flash cookies which help identify you.


JavaScript is probably the granddaddy of all vulnerabilities in internet browsing. The majority of exploits, malware, viruses and other computer takeovers happen because of JavaScript code executing in your browser. JavaScript has many uses. Sometimes it is simply used to make webpages look flashier by having them respond as the mouse moves around or change themselves continually. In other cases, JavaScript adds significantly to a page’s functionality, allowing it to respond to user interactions without the need to click on a “submit” button and wait for the web server to send back a new page in response.

Unfortunately, JavaScript also contributes to many security and privacy problems with the web. If a malicious party can find a way to have their JavaScript included in a page, they can use it for all kinds of evil: making links change as the user clicks them; sending usernames and passwords to the wrong places; reporting lots of information about the user’s browser back to a site. JavaScript is frequently a part of schemes to track people across the web, or worse, to install malware on people’s computers. It is best to disable JavaScript (open about:config in the URL bar, search for Javascript and toggle it to disabled) unless you absolutely trust the site, or to use the browser add-on NoScript, which comes with Tails and is available in Firefox, to at least selectively block malicious scripts. Disabling JavaScript outright is the best option though, and gumby has added a suggestion that can make it even easier to do this.

Supposedly NoScript doesn’t block all Javascript even when it is enabled and no sites are on the whitelist. Not sure about that claim but I’ve seen people make it. There’s a Firefox add-on (which also works in Tor Browser) called toggle_js which lets you toggle the about:config javascript.enable parameter through a toolbar icon so you don’t have to go into about:config. I find it quite useful.

JavaScript can also reveal an alarming amount of information about you even if you are using Tor or a VPN, including your browser plug-ins, your time zone and what fonts you have installed (Flash does this as well). And of course most browsers will send your user agent, meaning they tell the website what browser you are using and in some cases your operating system! Some of these details may not seem very important, but collected as a whole, they can make it easier to identify who you are online by generating what is almost a fingerprint of you from the specific settings of your browser. Then, as you hop around from site to site with your fingerprint, correlations and patterns can be drawn from this and eventually linked to you if you are not extremely careful.

Luckily, Tails and Whonix override the majority of this identifying information, so as long as you use Tails with JavaScript disabled, or at the very least with NoScript (Flash is disabled automatically), you can cut down on the amount of information you share. Needless to say, it is not always possible to browse with Tails, so these are things you need to be aware of when you are browsing with regular browsers on your native OS with your browser of choice.
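Why details that "may not seem very important" become a fingerprint when combined, and why a uniform profile helps, can be shown by measuring anonymity sets. This is an added example, not part of the original article; the visitor records and the uniform profile values are constructed sample data.

```javascript
// Added example. Each record holds values a script could read from one
// visitor's browser; all values are constructed sample data.
const visitors = [];
for (const ua of ['Firefox/Linux', 'Chrome/Windows'])
  for (const tz of ['UTC-5', 'UTC+1'])
    for (const fonts of ['Arial,Calibri', 'DejaVu Sans,Liberation Sans'])
      visitors.push({ ua, tz, fonts });

// For each visitor, count how many visitors (itself included) report the
// same values for the chosen attributes: the size of its anonymity set.
function anonymitySetSizes(records, attrs) {
  const key = (r) => JSON.stringify(attrs.map((a) => r[a]));
  const counts = new Map();
  for (const r of records) counts.set(key(r), (counts.get(key(r)) || 0) + 1);
  return records.map((r) => counts.get(key(r)));
}

// Share of visitors whose combination appears exactly once in the sample.
function uniqueFraction(records, attrs) {
  const sizes = anonymitySetSizes(records, attrs);
  return sizes.filter((n) => n === 1).length / sizes.length;
}

// Identifying information, in bits, carried by visitor `index`'s combination.
function bitsFor(records, attrs, index) {
  return Math.log2(records.length / anonymitySetSizes(records, attrs)[index]);
}

// Model of the override the article describes: everyone reports the same values.
function withUniformProfile(records, fixed) {
  return records.map(() => ({ ...fixed }));
}

const all = ['ua', 'tz', 'fonts'];
const uniform = withUniformProfile(visitors, { ua: 'X', tz: 'UTC+0', fonts: 'default' });
for (const attrs of [['ua'], ['tz'], ['fonts'], all]) {
  console.log(attrs.join('+'), 'unique:', uniqueFraction(visitors, attrs),
    'bits:', bitsFor(visitors, attrs, 0));
}
console.log('uniform profile unique:', uniqueFraction(uniform, all));
```

In this sample each attribute alone hides a visitor among half the population, yet the three together single out every visitor; with the uniform profile nobody is distinguishable by these attributes.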

See what your browser is revealing about you at this page below. Do not visit it from your real IP address, since this page will be linked to the Silk Road forums from the moment I make this post part of my thread. As a result, you may wish to search online for other sites that check what information your browser is revealing about you. If you are confident in your OpSec abilities, use the one below.

Updated: 2014-02-13