The Cafes » Privacy

Privacy Tip #3: Block Referer Headers in Firefox

Elliotte Rusty Harold — Sat, 21 Oct 2006 21:41:31 +0000

When you follow a link from one page or site to another, the browser usually sends a Referer [sic] header to the server to tell sites where you came from:

GET /test.phtml HTTP/1.1
Host: cafe.elharo.com
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051130 Firefox/1.5
Referer: http://blog.elharo.com/blog/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

In general this is a good thing. However, unscrupulous sites can and do abuse this information to violate visitors’ privacy and track them across the Web. In combination with cookies, it’s especially dangerous. In Firefox, you can disable the sending of the Referer header completely, and in general I recommend you do so. Here are the steps:

Type “about:config” in the location bar, and press return.
In the filter box, type “referer” and press return. This should leave you with one preference, network.http.sendRefererHeader. This is probably set to 2.
Right click on network.http.sendRefererHeader and select “Modify”
In the dialog that appears type “0″ and press OK:
Close the window.

This completely disables the referer header. This is normally what you want, though it may occasionally break a few sites that check the referer header to prevent deep linking or framing of its content. (It breaks WordPress, for example.)

If you run into problems, try setting sendRefererHeader to 1 instead. Setting it to 1 sends a referer header when following a link to another page, but not when loading images on the page. This will block most cross-site cookie tracking, but still allow WordPress and most other sites that depend on referers to function. Setting sendRefererHeader to 2 (the default) sends it when following links and when loading images on the page.

There’s also a boolean network.http.sendSecureXSiteReferer preference. If true, referer headers are sent for https the same as they are for http (i.e. controlled by network.http.sendRefererHeader). If false, referer headers are not sent for https connections. The default is true, and that’s probably OK; but if you like you can set this to false by toggling the value:

That’s it. You’re done. Taking these steps significantly reduces the ability of sites to track and profile you.

Privacy Tip #2: Mailinator

Elliotte Rusty Harold — Thu, 19 Oct 2006 16:16:21 +0000

Companies are really fond of collecting information from you they don’t really need before letting you read their website, check out demos, and download free-as-in-beer software. Occasionally they ask for this for free-as-in-speech software. One technique they use to make sure you give them your information is to e-mail you your username or password or license key. That way, even if the user is named “Barney Rubble” they’ve got a pretty good idea of your real e-mail address.

Certainly you good set up a free account on HotMail or GMail, and use that to register. However that takes time and effort. If you use the account more than once, they can cross-correlate your registrations on different sites. There is, however, a better solution: Mailinator.

Paul Tyma’s Mailinator is based around a really simple idea. It’s a web mail server that accepts any e-mail from anyone. No prior registration is required. You don’t have to tell Mailinator the e-mail address exists. When mail shows up for BarneyRubble@mailinator.com, the server accepts it. To check your mail just got to the mailinator web site and ask it for BarneyRubble’s e-mail. Your registration credentials will be waiting for you.

This is about as simple as it could possibly be. There’s no password, no registration, nothing to get in your way. Messages are only stored for 24 hours after they arrive, so do in check in soon, though.

The only caveat is that anyone who knows your e-mail address can also read your mail, so don’t use it for personal e-mail, and/or pick a really weird e-mail address like SimildudeXLink23@mailinator.com. This isn’t intended to replace PGP for private e-mail, but it does a great job of keeping your private information out of the hands of spammy corporations.

Privacy Tip #1: Subscribing to mailing lists without registering

Elliotte Rusty Harold — Sun, 19 Mar 2006 05:31:51 +0000

Many mailing lists are hosted on Yahoo Groups or Google Groups. When you subscribe to such a list, these companies attempt to collect lots of personal information from you and make you agree to some ridiculous and onerous terms. For example, Yahoo hides its terms in a five line text field, but if you scroll down this includes almost 5,000 words of legalese including such gems as

You agree to indemnify and hold Yahoo! and its subsidiaries, affiliates, officers, agents, employees, partners and licensors harmless from any claim or demand, including reasonable attorneys’ fees, made by any third party due to or arising out of Content you submit, post, transmit or otherwise make available through the Service, your use of the Service, your connection to the Service, your violation of the TOS, or your violation of any rights of another.

In plain English, Yahoo wants to bill you for their own attorney fees. Overall, though Yahoo’s terms are better than most. Still they’re not something a legally sane person wants to agree to. Fortunately, you don’t have to.

To subscribe to a Yahoo Groups mailing list simply send a message from the address you you wish to subscribe to listname-subscribe@yahoogroups.com. The same trick works for Google groups, except you send the message to listname-subscribe@googlegroups.com.

Neither company advertises this feature since they really want to get you to agree to their terms and collect as much personal information from you as possible. However at least for the moment you don’t need to provide it.