Category: Security & Privacy

Chromium’s feature to limit installed extensions is still great

Posted on by Martin Brinkmann

Browser extensions are great. They improve usability and functionality on the Internet. From blocking ads and tracking over creating screenshots to improving password management or games.

All extensions come with a manifest file. This file defines rights and permissions. One of these sets the websites the extension is designed to run on. This can be a single website, part of a domain, or on the entire Internet.

Chromium has a great usability feature to limit the access of extensions. You can use it for the following:

  • Allow an extension to only run on sites you select.
  • Block an extension from running automatically. Make it run only when you want it to.

This may sound complicated, but it can increase privacy or performance significantly. Here is how you use the feature.

Limiting extensions in Chrome and other Chromium-based browsers

Chrome menu to limit extensions

Make sure you have one extension installed. This works in Chrome, Brave, and many other Chromium-based browsers.

  1. Right-click on the icon of the extension in the toolbar of the browser. Some extension icons may not be displayed. You find them when you click on the general extensions icon in that case.
  2. Move the cursor over “This can read and change site data”.
  3. Select one of the following options:
    • When you click the extension: this prevents the extension from running automatically when the website is opened. You need to click on its icon to load it.
    • On “sitename”: this allows the extension to run on the active website.
    • On “all sites”: this allows the extension to run on all websites (it is configured for).

Some notes:

  • Functionality of some extensions may be reduced or not available when you select the click to run option. A prime example for this are ad blockers, which need to run when the site loads.
  • When you select the option to run an extension on a specific site, it is set to “click to run” on any other site you have not picked.
  • You may modify the setting at any time.

The list of allowed sites is manageable. You find it under Chrome menu > Extensions > Details of the extensions.

There you see “site access”, which lists all allowed sites. You may also add new sites there, if you prefer that.

Closing Words

The ability to restrict extension access in Chrome can be mighty useful. While it depends on the installed extensions, it may limit extension access to sites that you want to use the extensions on.

Sometimes, you may need extension functionality on a single site only. With this feature, you can do that exactly.

Mozilla has the feature “under development” apparently, but this has been the case for more than three years. Will it ever be a part of Firefox? I do not know.

What is your take on the feature? Do you use it actively, or is it the first time you hear about it? Let everyone know in the comment section below.

Obscura client macOS

Obscura VPN partners with Mullvad to create two-party VPN service

Posted on by Martin Brinkmann

VPN services offer an excellent way to improve privacy while online. To be precise, good VPN services do, while bad ones either leak your data or sell it outright.

Mullvad is considered to be one of the best when it comes to online privacy. The Sweden-based provider gets audited by third-parties regularly and offers several options to purchase access anonymously.

Mullvad announced this week that it has entered a partnership with Obscura VPN.

The core idea is simple: Obscura VPN uses Mullvad’s servers as exit nodes for its customers. This means, in essence, that the traffic of Obscura VPN customers flows through two independent systems.

In other words, neither Mullvad or Obscura have full control over the data. This may remind you of how Tor operates, or how some VPN services offer multi-hop connections.

The latter pushes the connection through two or more servers in different countries to improve privacy. The difference is that a single VPN provider is in control of all servers.

As for Tor, it uses a three-hop system and comes close to what Obscura offers. Tor is largely operated by volunteers, which means that it can be slow at times and that denial of service attacks happen regularly on top of that.

I published a guide about using multiple VPN services on a single system. It involves virtual systems, which allow you to chain-link as many VPN connections as you like.

Privacy by design, says Obscura

The system that Obscura uses to protect the privacy of users connected to the service. Source: Obscura

Obscura claims that the system that it uses never sees a user’s browsing history while using the VPN. Here is how Obscura explains it on its website:

  • Obscura uses Mullvad for exit hops. This means that it does not know which websites users access.
  • Mullvad operates the exit hops, but it does not know the customer. Obscura says that it is masking a user’s real IP address when traffic is relayed to the exit server.

Obscura is available for $6 per month as a starting offer. The regular price is $8 per month according to the website. Users can pay via Credit Card or Bitcoin over Lightning.

One downside right now is that there appears to be a client for macOS only.

Closing Words

The idea behind Obscura VPN is interesting. Combine two VPN services to increase security. The new company still has to prove itself and pass audits. The app code is open source, which is a good start. Support for additional platforms is a must.

What is your take on this? Do you use a VPN service? Would you use a service that offered Obscura’s system? Please leave a comment down below to let us know.

NordVPN says new Whisper protocol circumvents VPN filters, but details are scarce

Posted on by Martin Brinkmann

Using a VPN makes sense in a lot of situations. To protect your data when using networks that you do not have full control over, to protect your data from being sold by your ISP, or to access content that would be blocked otherwise.

Services and ISPs may use filters to limit the use of VPNs. This may lead to scenarios where you cannot access specific content while using a VPN.

NordVPN says that it has created a solution for the problem. Called NordWhisper, it is designed to disguise VPN traffic.

The company describes it in the following way:

While standard protocols using obfuscation techniques are effective on networks that prevent access to essential services or public resources, NordWhisper steps in when VPN-specific blocks make connecting to these networks more challenging. This protocol ensures users can browse securely in restricted networks.

NordWhisper mimics regular web traffic, making it more difficult for network filters to identify it. Essentially, it blends in with ordinary internet activity, providing users with a reliable way to browse on restricted networks while maintaining the same strong encryption and security as other VPN protocols.

One downside to using NordWhisper is that it may “be slower than other protocols” due to the way it works.

The feature will be integrated into NordVPN’s applications. First on Windows, Linux, and Android, but all other platforms will also be supported at a later point.

The feature has been in testing for some time. NordVPN customers may check for the availability of the new feature in the following way:

  1. Open the NordVPN application.
  2. Select Settings > Connection.
  3. Activate the menu next to VPN Protocol.

NordWhisper is listed as an option there, if the feature is available already. Tests will show how effective the new protocol really is and whether it can also be used for relatively mundane activities, such as accessing Netflix content in another region.

Regarding VPNs, do you use them? If so, which is your favorite and why? Feel free to leave a comment down below.

Microsoft Edge

Microsoft Edge: scareware blocker is now available

Posted on by Martin Brinkmann

Microsoft has added a new security tool to its Edge browser. Called Scareware Blocker, it is designed to detect and prevent attacks that fall under scareware.

Good to know: Scareware attacks use pressure to get users to do something that they should not. Common types are warnings about viruses found or that data has been leaked or accessed.

The goal of the attack is to gain access to a user’s computer system. Scareware attacks may display phone numbers that are made to look like tech support numbers. When a user calls these numbers, agents at the other end of the line try their best to gain access to the users device, for instance using remote computing.

Scareware often uses a browser’s fullscreen mode to prevent that users go back or run other searches to find out more about what is displayed on their screen.

Tip: long-pressing the ESC-key will always get you out of Fullscreen-mode.

Microsoft Edge: Scareware Blocker

Microsoft announced the new security tool in 2024. It is now available as a preview in Edge.

Here are the key points of the feature:

  • Scareware Blocker needs to be enabled, at least currently while in preview.
  • It complements Defender SmartScreen, which blocks known scareware pages and sites already.
  • The blocker uses machine learning on the local computer to determine whether a webpage is running a Scareware attack potentially.

If Scareware Blocker’s analysis concludes that a webpage is likely running a scam attack, it is existing fullscreen mode automatically and displaying a warning to the user.

A suspicious site is intercepted by Edge. Source: Microsoft

It is possible to select continue to go back, which is useful if it is a false positiv. The close page button enables users to close the page instead. All other options to close the page are also available, as fullscreen mode is no longer active thanks to the intervention of the security feature.

Users may report scareware attacks to Microsoft. This helps Defender SmartScreen “detect scareware outbreaks across multiple machines”. Users may also report false positives to Microsoft.

Microsoft admits that Scareware Blocker won’t detect every scam, but that is true for any security feature or software.

How to enable Scareware Blocker in Microsoft Edge

Enable the feature in the Settings to use its protective functionality.

Note: the feature is only available in Microsoft Edge for Windows at the time of writing.

Here are the steps to enable the feature in Microsoft’s web browser:

  1. Open Microsoft Edge.
  2. Select Menu > Help > About Microsoft Edge to make sure the browser is up to date.
  3. Open Menu > Settings.
  4. Select Privacy, search, and services.
  5. Scroll down to the Security section on the page.
  6. Toggle “Scareware blocker” to enable the feature.

You can repeat the process at any time to disable the security feature again.

0-click attack promises to narrow down a user’s location geographically

Posted on by Martin Brinkmann

Internet users have a few weapons in their arsenal when it comes to disguising their location. Some have good reasons for wanting to do that, from making sure that activity cannot be traced back to them to watching streaming content that is available only in other regions, or paying less for certain goods and services.

Deanonymization attacks try to locate a user through various means. A simple one uses a device’s IP address to find out information about a user.

Deanonymization using Cloudflare

A security research has discovered a new method, one that does not require any user interaction at all. It relies on Cloudflare, which operates one of the largest content distribution networks and certain services, that use Cloudflare for caching.

The main idea behind the attack is this: Cloudflare caches content and there is a way to check cached content on Cloudflare. All you have to do is send a unique file to a user before checking Cloudflare caches for hits. Cloudflare does not cache the unique file in all datacenters, if it is accessed only by a single user.

As a result, you get a hit in a datacenter that is close to the user. Usually, it is the nearest datacenter. Cloudflare operates hundreds of data centers in the world. While that still means that you get a radius of a few hundred kilometers or more, you can still narrow down a user’s location, provided that no other means of disguising the location are used.

The researcher describes the attack using Signal and Discord. In Signal, there are two options. The first sends an image to a user, which requires that the target opens the conversation. If the target has push notifications enabled, this one-click attack turns into a 0-click attack, as the attachment is shown already as part of the notification. All it takes afterwards is to check CloudFlare datacenters to find the one that has cached it (first).

On Discord, users can use custom emojis if they have a Nitro subscription. They can show the custom emoji in their status, which means that anyone opening the profile of the user may have their approximate location checked using Cloudflare.

Combined with GeoGuesser, which is a private Discord bot, it could be used to narrow down a user’s location.

Closing Words

While the attack still means that a radius of several hundred kilometers is returned, it may be possible to combine this attack with others, or use it regularly.. The attack may provide important information on its own, but if done regularly, it could help identify a user who is moving around a lot (e.g. for work).

There is little that users can do to prevent this kind of attack. One option is to disable the auto-accepting of attachments and media, another the use of VPN servers or other means of disguise.

Google Search

Google Search: mobile results get simplified URL views

Posted on by Martin Brinkmann

The URL, which is the site address of webpages, offers essential information to Internet users. It allows Internet users to verify that they are on the right website or verify links before they are visited.

The details: Google announced that it is stripping the address of results on Google Search on mobile so that only the domain name is shown.

Here is how this looks like on mobile now:

Google Search on mobile shows the domain name only.

Google Search displays the domain name only from now on. Google reasons that the full URL is not that useful on mobile devices anyway, as it is cut off usually because of limited space on the screen.

The change applies to mobile search only. Desktop users continue to see the full address using breadcrumbs.

Notably, this comes just a week after security researchers uncovered a malvertising campaign on Google Search that allowed threat actors to display fake source domains in Google ads.

Can you still check the address in Google Search on mobile?

Google Search on mobile: display address

Google has not implemented a straightforward option to display the address of a linked resource before visiting it.

A tap on the menu icon next to a result displays various information about the source that Google collected, but not the full address. It is only displayed when you activate the “more about this page” link.

The page that is loaded then displayed the linked URL, but often cut off.

Two workarounds remain at this point:

  • Long-press on a result to display to display various options. These differ from browser to browser, but they may display the address fully or at least partially.
  • Use share functionality by long pressing on a link in the search results. You can then share the link or use other options, such as copying the link.

The better option, if you want full addresses shown on mobile, is to switch to another search engine. Most display the full address.

Closing Words

It is true that the full address is usually not displayed on mobiles. While the new results page looks more pleasing to the eye, it strips users of a way to verify the target of a link displayed on Google Search.

Google could at least have added the full address to the summary page that users can open when they tap on the three dots next to a result. It would even be possible to display it on multiple lines, so that it is visible in full.

Alas, no such option has been implemented.

What is your take on this? Do you mind the removal off the information on Google Search? Feel free to leave a comment down below.

European Consumer Organization renews criticism of Meta’s “pay-or-consent” policy

Posted on by Martin Brinkmann

Meta’s attempt to appease consumer rights organizations in Europe continues to draw sharp criticism from consumer protection groups.

The company introduced a pay-or-consent policy on its main platforms as a response to the European Union’s Digital Markets Act.

The policy gives users of its platforms two options: give Meta consent for advertising and tracking, or pay a monthly subscription fee to avoid that.

The European Data Protection Board rejected Meta’s initial model. Meta launched a second version of its policy in late 2024. While Meta made some adjustments, the underlying principle remained the same. Users still had to choose between ads and being tracked, or a paid subscription.

According to the European Consumer Organization, the second version of Meta’s pay-or-consent model falls short again.

Key Criticisms:

  • The subscription model appears to be a superficial compliance attempt
  • Users are not provided a genuine choice about data usage
  • Meta continues to collect excessive user data
  • Alternative service options remain fundamentally unequal

The new version of Meta’s pay-or-consent policy fails to address the fundamental problems consumer groups identified in the tech giant’s pay-or-consent initial approach.

Agustín Reyna, Director General of the European Consumer Organisation (BEUC), describes the changes as cosmetic only and that the revised version is not giving users “a fair choice” either.

The new policy breaches EU law in “numerous counts” according to the BEUC.

  • Using misleading practices and unclear terms and confusing interface design to steer users towards Meta’s preferred option;
  • Not giving to users the possibility to consent fully freely to their data being processed, while the tech giant does not minimise the data it collects from users;
  • Meta degrades the service to users who do not consent to the use of their personal data.

BEUC calls on several European Institutions and organizations, including the Irish Data Protection Commission, the PCC-Network and the European Commission, to take action against Meta.

The full report is available here.

Google Needs to Strengthen Ad Security After Latest Malvertising Incident

Posted on by Martin Brinkmann

A recent incident has shown another security vulnerability in Google’s advertising platform: advertisers can display URLs of legitimate websites in their ads while redirecting clicks to malicious destinations.

This deceptive practice has recently been exploited in a concerning incident. Here is what happened.

The popular macOS package manager Homebrew became the target of cybercriminals in a sophisticated phishing campaign. Developer Ryan Chenkie discovered a fraudulent website being promoted through Google Ads that impersonated the official Homebrew platform.

The attackers employed a classic typosquatting technique, registering the domain “brewe.sh” to mimic Homebrew’s legitimate domain “brew.sh.”.

The cybercriminals booked ads on Google’s advertising platform to lure unsuspecting users into their trap. While the target URL was different, the ad on Google Search showed the address of the legitimate website to searches.

In other words: A glance at the address would show the correct address to searchers. A click on the ad, however, would load the malicious website instead.

The fraudulent site was professionally designed to appear identical to Homebrew’s official website. However, instead of providing legitimate software, it distributed malware through compromised cURL downloads. According to reports, the malware specifically targeted user passwords.

The main takeaway for users: do not trust the address, title, or ad text that Google displays on Google Search. Better yet, use a content blocker to get rid of these ads entirely.

Google has apparently reacted to this particular ad and plans to “stop similar patterns in the future”.

Closing Words

One of the main problems of advertisement on the Internet is that it is regularly abused by cybercriminals. Even Google, with all its money that it earns from advertising, seems uncapable of putting an end to this abuse.

It is a trust issue and the only way of protection is to use content blockers. The added benefit of this is that users save potentially gigabytes of data each month,, speed up browsing on the Internet and improve your privacy.

This is why my website does not have any ads. You can still support me though, for instance by subscribing to my newsletter here.

Mullvad

Mullvad VPN: quantum-resistant tunnels enabled by default

Posted on by Martin Brinkmann

Mullvad announced this week that it has enabled quantum-resistant tunnels in the VPN’s Windows client. The company plans to enable the feature on its mobile clients for Android and iOS in the future as well.

This comes just a few months after Mullvad added protections against AI traffic analysis to its VPN.

What are quantum-resistant tunnels? Put simply, it is hardening the connection to the VPN with stronger protections against attacks.

Mullvad notes that the previously used system has no weaknesses, but that more powerful computer systems could attack it successfully. The company mentions quantum computers specifically.

The updated security protects the connections against potential future attacks that could utilize computer systems that are more powerful than those available today.

Here is the paragraph that describes the improvement in technical terms:

The feature prevents such a future attack using post-quantum secure key encapsulation mechanisms for exchanging a pre-shared key for WireGuard. The algorithms currently used are Classic McEliece and ML-KEM.

With this new app release we switched to the NIST standard ML-KEM from the earlier Kyber standard, but this is essentially a minor revision of that standard.

Windows users can check Settings > VPN settings > WireGuard settings > Quantum-resistant tunnel to configure the feature. It should be enabled on Windows by default, provided that the latest VPN client update has been installed already.

Mullvad VPN should highlight the use of the feature with a quantum-resistance feature indicator.

Closing Words

Mullvad continues to improve the security of its VPN. The latest addition should future-proof connections of customers against potential quantum-computer-based attacks.

Now it is your turn. Do you use a VPN? If so, which and why that one? Feel free to leave a comment down below.

Mozilla removes Do Not Track from Firefox and suggests alternative, but there is a better one

Posted on by Martin Brinkmann

Mozilla plans to remove the Do Not Track feature from Firefox. The idea behind it was simple: inform websites that the user of the browser does not want to be tracked.

What looked good on paper did not work well in the real world. Many sites ignored the header, which made it ineffective as a privacy tool.

Related:

Mozilla removes Adjust marketing integration from Firefox Mobile

Mozilla confirmed the removal of Do Not Track on its bug tracking website.

Global Privacy Control is the alternative

Global Privacy Control was created by several companies in 2020 as a successor to Do Not Track. The core difference to Do Not Track is that it is designed to be mandatory instead of optional, at least in some regions where consumer laws are in place.

Firefox users may enable the feature in the following way:

  1. Select the Menu button and then Settings.
  2. Switch to Privacy & Security.
  3. Check “Tell websites not to sell or share my data” under Website Privacy Preferences.

Is there a better alternative?

Whether advertisers, Internet sites, marketing companies, or other companies and services that track users honor the new Global Privacy Control feature is not in the control of the individual user.

Yes, some companies may get sued if they do not, but there is a good chance that this won’t reach mass adoption in the coming years and that tracking continues to take place.

That leaves taking care of tracking as good as you can by yourself. In fact, installing a content blocker and disabling third-party cookies are two of the best options in that regard.

While you could do more, these methods alone will block the bulk of tracking that you would otherwise be subject to on today’s Internet.

So, pick uBlock Origin and install it in a browser that is not operated by a multi-billion Dollar company. Then, open the Settings of the browser and disable third-party cookies.

Note: in some rare, very rare, instances, third-party cookies may prevent functionality on a low number of websites. If that is the case, you may still set exceptions for these sites while keeping third-party cookies blocked for every other site.

Now it is your turn. Do you enable privacy features such as Do Not Track or Global Privacy Control? What do you to block tracking on the Internet?