What Incognito Mode Can and Cannot Protect

A couple weeks ago, someone online posted a comment saying you can stay “safe and secure” online due to using the web browser’s incognito mode.

Is this true. Does incognito mode really prevent someone from ever tracking you online?

Short answer: no

Long answer:

People believe the myth that the incognito mode – on your web browser – will keep you safe and private. However this is not the case.

Incognito mode only does the following:

  • prevents web history from being logged locally
  • prevents download history from being logged locally
  • prevents cookies & cache data from being stored locally

In other words, incognito mode will prevent someone from spying on you, just by opening the web browser and viewing the web history and downloads.

Now what does incognito mode not protect against?

  • Malware on the system — Any malware on the system will be totally unaffected by your use of incognito mode.
  • IT department — Your IT department will still be able to track your Internet usage on their network. This is especially true if you use their local DNS resolvers. They will know what websites you visit, regardless of your use of incognito mode.
  • Internet Service Provider — Unless you make use of a VPN service, your ISP will definitely know where you go online, regardless of your use of incognito mode.
  • Government surveillance — Of course, incognito mode will be of no use to you here. Also, even using a VPN will not help much if you are being targeted by a government.

In addition, if you have your web browser logged into a service (e.g., Google Chrome logged into Google), they can track your browsing habits regardless of being in incognito mode or not.

The link below helps prove that any browser being in “private” or “incognito” mode (whatever you want to call it) does nothing to prevent 3rd parties from spying on you.

https://www.reuters.com/article/us-alphabet-google-privacy-lawsuit-idUSKBN23933H


Posted in Computers, Internet and Servers, Security, Software, VPN

Should I Use Another DNS Resolver?

Should I switch my current DNS resolver?

If you are just a regular Internet user (not self-hosting anything), and you are currently using your ISP’s DNS resolver, I would switch to a 3rd party DNS service (e.g., Cloudflare).

However if you are self-hosting anything (e.g., email), then I would opt for running my own DNS resolver for reliability.


Here are my opinions on the three typical ways to get DNS.

ISP DNS Resolver:  usually OK performance / no privacy

  • Works out-of-the-box with your Internet service.
  • Since you are using servers they control, always assume your ISP is logging your DNS requests (no privacy).
  • Sometimes an ISP actually has worse DNS resolvers (slower, less secure) than a 3rd party DNS service.
  • Many years ago, I made use of my ISP’s DNS resolving services. They would occasionally go down every few months. It made it look like the Internet was down, but it was just their DNS resolvers that were down, which caused software to fail since they could not resolve domains to connect to services.

Third-Party DNS Resolver (e.g., Cloudflare, OpenDNS):  good-to-excellent performance / potentially less private

  • 3rd party DNS resolver may be logging your DNS lookups, regardless of what their Privacy Policy says.
  • Can be faster than your ISP’s DNS resolvers. This is due to 3rd party DNS services having a very large network infrastructure. They can handle large amounts of traffic with ease.
  • Cloudflare does support DNS-over-TLS. However this is just encrypting your connection to Cloudflare. When Cloudflare retrieves the DNS records for you – assuming they do not have a cached copy – that connection of theirs is unencrypted. This means the DNS records Cloudflare gets for you can be manipulated by a 3rd party, outside of Cloudflare’s control.
  • Encrypting your DNS does not prevent your ISP from seeing what domains you are going to, if the web-server you are connecting to does not support both the TLS 1.3 protocol and the ESNI extension. This is due to the fact the SNI (Server Name Identification) gets sent from the web-server in plain text. With this information, your ISP can effectively see which domains you are visiting, regardless if your DNS is encrypted via Cloudflare or another 3rd party service.
  • Unless you are using a VPN service, your ISP will still have to route your connection to the website (they can see the web-server’s IP address). This may give away where you are going on the Internet, even if your ISP cannot read your DNS queries.

Self-Hosted DNS Resolver (e.g., Unbound):  OK-to-good performance / potentially more private

  • Useful if you want to have reliable lookups, since you are cutting out the middle-man handling your DNS requests (you are going directly to the source, instead of having someone else do it for you).
  • If you are self-hosting web services (e.g., web and email), it is recommended to run your own DNS resolver. While not necessary, this will help prevent interruptions to your services.
  • While there is no worry about the DNS resolver keeping logs (you are running it, after all), there still is the possibility of your ISP and/or other entities sniffing your DNS lookups and keeping a log that way. This is because DNS is inherently insecure (not encrypted).
  • Unbound runs on many different operating systems (e.g., FreeBSD, OpenBSD, NetBSD, MacOS, Linux and Microsoft Windows).
  • Unbound does require some knowledge of DNS to be setup properly. Users who have little to no experience with DNS servers may find setting up Unbound to be difficult.

Summary Chart

Easiest out-of-the-box solution | best for people who just want things to work ISP DNS resolver
Best performance | good for people who want more performance than what their ISP provides 3rd-party DNS (e.g., Cloudflare, 1.1.1.1)
Best reliability & maybe a little more private | best for people who self-host web services (e.g., email) self-hosted solution (e.g., Unbound DNS software)

Posted in Computers, Internet and Servers, Operating Systems, Security

Are Web Browser Extensions Safe to Use?

Many people use web browser add-ons (such as Ad-blockers) for their everyday browsing. What most people are unaware of is that many of these add-ons have permissions that allow the add-on to view the content of the web pages the user is viewing.

The problem? If someone has installed a malicious add-on, their web browsing data (e.g., browsing history, password credentials, what they type into a website, etc.) would have been sent to the add-on’s creator. Now I am not implying that every single web browser add-on does this, but there is a very high potential that this can happen.

Would only using open-source browser add-ons be a safe option? Well open-source add-ons would definitely lower the chance that someone would get away with spying on you. However open-source projects do not have a spotless security track record either. There is still some risk.

Even Mozilla themselves warn about this problem with web browser add-ons (also called extensions).

Here is an example of what I am talking about (https://www.zdnet.com/article/mozilla-removes-avast-and-avg-extensions-from-add-on-portal-over-snooping-claims/).


Posted in Android, Computers, General, Internet and Servers, Security, Software

How Secure are JavaScript Password Generators?

Many people use online services to generate secure passwords.

There is this idea that since your web browser is the one generating your passwords locally on your computer (via JavaScript) instead of someone else’s computer (e.g., web server), this is supposed to keep someone from getting a hold of your password.

Is this really the case? Are passwords generated locally with JavaScript really secure from being stolen?

Technically, no. Why? Well there are a few reasons why generated passwords (via JavaScript) can be compromised.


the [Math.Random] JavaScript function  –  Any JavaScript password generator that uses this function should be considered insecure. This is because the Math.Random function does not provide cryptographically-secure results.

A good, secure alternative JavaScript function to use is window.crypto.getRandomValues(array).

Summary: Using any JavaScript password generator that makes use of the Math.Random function is not wise, since this JavaScript function was never intended for high-security situations.


web browser add-ons  –  Many people use web browser add-ons (such as Ad-blockers) for their everyday browsing. What most people are unaware of is that many of these add-ons have permissions that allow the add-on to view the content of the web pages the user is viewing.

The problem? If someone has installed a malicious add-on, their “secure” JavaScript generated password would have been sent to the add-on’s creator. Now I am not implying that every single web browser add-on does this, but there is a very high potential that this can happen.

Would only using open-source browser add-ons be a safe option? Well open-source add-ons would definitely lower the chance that someone would get away with spying on you. However open-source projects do not have a spotless security track record either. There is still some risk.

Even Mozilla themselves warn about this problem with web browser add-ons (also called extensions).

Update 12/05/2019:  Here is another example of what I am talking about (https://www.zdnet.com/article/mozilla-removes-avast-and-avg-extensions-from-add-on-portal-over-snooping-claims/).

Summary: Several add-ons have the potential to spy on their users (including locally generated JavaScript passwords).


computer malware  –  This reason is arguably the most common cause of compromised passwords…malware. Malware has the potential to do anything it can to your computer (including reading your computer’s clipboard – what you copy & paste). This will instantly compromise your JavaScript generated password (and any other sensitive information on your computer, e.g. credit card numbers).

While Windows-based systems have more malware available for them, Mac and Linux are not completely in the clear either. As more people start using these other OSes, more and more malware will be created for them.

Android (the very popular Linux OS used on smartphones all over the world) has a good number of malware created for it.

Summary: Computer malware has the potential to instantly compromise your JavaScript passwords.


surveillance software  –  Some people have to use computers provided by their employer. Some employers put surveillance software onto their computers to track and monitor their employees’ usage of those systems.

The tracking software will monitor your computer screen, keystrokes, what you browse, install, etc. In other words, any generated password (JavaScript or no) on these computers will be compromised. It is advised to use non-work computers for generating passwords, or anything else that is not work related.

Summary: Assume any work computer is being tracked. Always use your own personal computer for anything non-work related.


So does this mean that I should never use any online password generators at all?

No, but just keep in mind that a JavaScript password generator, while technically a little more safe than having your password generated on a server and sent across the Internet (using TLS encryption), does not really provide a lot of extra security.

Summary: Using JavaScript (or anything else) to locally generate passwords on your computer, cannot keep your passwords completely safe from being compromised.


Posted in Android, Computers, Internet and Servers, Operating Systems, Programming, Security, Software