How to regain control over the secret life of your most important app

TL;DR: Pretty much every website uses third-party code that could track or be malicious. You could stop that in most part, without giving up the website functionality installing a browser extension described below and adjusting it properly to your browsing habits. At the end of the article you’ll find a way to download a configuration file that speeds the process up.

Modern web browsers have grown into creatures resembling, to a large extent, the very operating systems they run on. Yes, I’m looking at you, Chrome/ium. I haven’t found any research on it, but I’d wager that almost all the people using desktops or laptops have a browser open in the background at any given time. As a consequence of their nature and footprint, browsers attack surface is much bigger than any other regular application. Yet when you look at what they are driven by, it’s mostly content outside your control! Unless you’re submitting forms all day, the vast majority of requests initiated by your browser will be in response to external stimuli, which are likely to modify the Document Object Model (DOM).

Of course designers and programmers go to great lengths to mitigate those dangers, but paranoid security conscious type individuals (& organizations) never like to bestow safety so easily into the hands of others. Back in the days of using Windows as my primary operating system, I loved the feature of ZoneAlarm firewall which displayed a notification any time any process tried to access the Internet along with buttons to grant or deny the request. For a very long time it’s been bugging me that I couldn’t conveniently see and influence where my browser sends data. Thus, I was excited to discover that a similar concept had been implemented for Chrome and Firefox.

Enter the (u)Matrix

I stumbled upon uMatrix a couple of months ago. Unsurprisingly, it has been occupying the first place in my personal ranking of Firefox extensions ever since.

It has evolved from http-switchboard, which split into uBlock Origin and uMatrix itself. While uBlock focuses on pre-defined list of requests to block, its cousin acts like a configurable firewall, preventing the browser from making certain types of requests in various contexts – visited domains. Let’s say you visit your favourite blog, which loads some JavaScript off facebook.com. With uMatrix you can block exactly those requests without affecting content fetched from other domains when visiting that blog.

By default, there are no restrictions on loading anything from the domain you’re visiting and its subdomains. All the other domains, however, are restricted to only serve images and CSS. The extension comes with several lists of known malicious and tracking domains, where nothing is fetched from. It goes without saying that everything is configurable and in fact pretty soon after uMatrix is first enabled you discover that it breaks the Internet.

With great power comes great responsibility

Isn’t it empowering to finally know all the places your browser is calling when you visit your favourites? Frankly, I never knew many of the blocked tracking domains existed. Some of them pop up in the dashboard regularly. That said, before you jump straight in and install uMatrix in every browser under your management, let’s take a look at the immediate repercussions of doing so.

Most places on the Web these days are better described by the word *application* than *website*. Media-rich content and large quantities of JavaScript abound. Unfortunately, that means that the experience of browsing those sites is going to be severely affected with default settings of uMatrix. The effects range from disappearing or misaligned menus to completely broken apps like Google Docs to you being greeted with a blank page. Yep, there are sites out there that just won’t load at all without 3rd party JavaScript. Graceful degradation, anyone?

Usually once you’ve loaded a page and glanced at the dashboard it’s obvious what needs to be allowed to load. More often than not, however, loading one script causes a request to yet another (sub-)domain, so it may take up to six “allow-reload” cycles until you get the page fully working. In most cases, once the main page is okay you need to allow a couple more cells until the login area/form is functional, if the site has one.

Bending the rules

Naturally, the initial ‘learning’ phase depends on how many websites you visit most often. For me, after a week of regular browsing and adjusting the matrix I was able to come back to previous level of comfort. That is, with the added peace of mind that all the AdWords and Facebook tracking code is no longer following me everywhere I go.

I realise that a week of clicking around and mashing F5 (refresh) just to browse might seem to be too much. Therefore I want to share with you my curated rules file that you can import straight into uMatrix. It contains a minimal set of rules necessary for the following web apps sans tracking at the time of writing:

  • airbnb.com
  • amazon.com
  • atlassian.com
  • bitbucket.org
  • booking.com
  • currencyfair.com
  • disqus.com
  • docsend.com
  • easyjet.com
  • facebook.com
  • fast.com
  • github.com
  • google.com
  • klm.com
  • linkedin.com
  • mailchimp.com
  • mailgun.com
  • meetup.com
  • mouser.com
  • nationalexpress.com
  • nationalrail.co.uk
  • noip.com
  • opennic.org
  • openstreetmap.org
  • paypal.com
  • protonvpn.com
  • ryanair.com
  • skype.com
  • slack.com
  • toggl.com
  • trello.com
  • twitter.com
  • vimeo.com
  • whatsapp.com
  • youtube.com
  • zoho.com
  • zoho.eu

Fetching scripts from code.jquery.com and ajax.googleapis.com is allowed for all domains.

Furthermore, it enables referrer spoofing and User-agent spoofing for every domain. It makes it harder to fingerprint your browser and doesn’t break any of the sites I visit on a regular basis.

Sign up to our newsletter to receive the configuration file along with the installation instructions! You’ve now got a foundation to build upon.

I hope this helps making your online identity less exposed, even if just by a tad. I’m waiting to hear about your experience of uMatrix!

Leave a Reply

Your email address will not be published. Required fields are marked *