Second steps toward online privacy
In this guide we describe a number of plugins that help improve your privacy, and others that need to be disabled to keep you safe. We focus on enforcing encryption as well as removing third-party links and ads on pages that leak information which are often used to analyze your browsing habits.
This guide is part of a series about online privacy:
- Privacy is a universal right – an introduction to what privacy is and why it's important.
- First steps toward online privacy – simple tools to improve your online privacy habits.
- Second steps toward online privacy – you are viewing this guide.
A brief note about plugins
Always be careful when installing plugins. You are essentially installing software that executes in your browser and could spy on all of your activities. The plugins recommended here are ones that we at Mullvad trust and use ourselves, they're all open source, and they are compatible with the Firefox browser. Although we recommend using Firefox, some of the plugins below also work in other browsers.
Ensure security with HTTPS Everywhere plugin
The difference between HTTP and HTTPS
You may have noticed that some website addresses begin with "http" while others start with "https". The extra S in the latter prefix signals that the communication between the browser and the web server for that website is encrypted. HTTPS protects the content of the communication from eavesdropping and being tampered with or forged.
Although most websites today support both versions, many only make use of the non-encrypted HTTP option.
If the site you are visiting is using HTTPS, you will notice a small green padlock in the address bar of your browser.
We encourage you to refrain from entering private information such as credit card numbers and other sensitive details on websites that do not show the green padlock. Think carefully about whether or not the business on the other end of that site is one that you trust.
Advantages of HTTPS Everywhere
The HTTPS Everywhere plugin enforces the usage of HTTPS whenever possible by requesting the secure version of links. You still need to watch for the green padlock in case the site does not support HTTPS at all.
HTTPS ensures that no one, including your VPN provider, can see or intercept what you are doing. It is easy for a site to forget the HTTPS prefix on a link. HTTPS Everywhere makes sure that this does not happen.
Installing HTTPS Everywhere
When installing this plugin, you have the option of whether or not to send the certificates that you receive to the creators of the plugin. From a privacy standpoint, choosing not to is a good option. However, as the plugin was created by the Electronic Frontier Foundation, an organization whose work we believe in, we see no harm in allowing this. Doing so helps to build a list of possible threats, so-called man-in-the-middle attacks.
Some sites do not load properly with the plugin. You can disable the enforcement of HTTPS on these sites:
- Click on the plugin's "S" icon located in your browser's menu bar.
- In the list of websites, find the site you are visiting.
- Click once to disable the rule for that site. Click again to enable it (in the example below, we are visiting the website GP.se).
Block ads with uBlock Origin
Most websites display ads which are provided by a small number of very large ad providers. These providers acquire information about who is visiting which website and can therefore map almost everything you do online. This information can be used to target you individually, i.e. break your privacy, which is why you often see ads that are relevant to your recent web activity.
uBlock Origin is a free and open-source, cross-platform browser extension for ad blocking and other content filtering. The extension is available for several browsers: Safari, Chrome, Edge, Firefox, and Opera.
Prevent third-party links with Privacy Badger
The few ad providers mentioned above are the same ones that put trackers on websites which track you across other sites. They can collect a large amount of information about individual users and their surfing habits which allows them to easily target people individually.
Privacy Badger is a plugin that automatically analyzes and blocks any tracker or ad that violates the principle of user consent. In other words, it blocks external websites that seem to be tracking you.
Remove cookies using Self-Destructing Cookies
Cookies are bits of data sent from a website and stored on your computer while your browse that particular site.
They are used in many ways, such as to remember your activity on a website while you browse. For example, they help remember which items you've placed in an online shopping basket or that you've recently logged in so that you don't have to do so again the next time you visit.
Cookies and sometimes information that is used to track your behavior often remain stored on your computer even after you're no longer browsing a site.
Self-Destructing Cookies automatically deletes cookies and their tracking info as soon as you leave a website. Websites are only permitted to identify you while you actually use them and will not be able to follow you across the entire web.
This plugin may therefore have the unwanted side effect of logging you out of a site as soon as you close the tab or window. However, the plugin allows you to whitelist websites that you trust.
Protect from IP leaks with Disable WebRTC
WebRTC is a communication protocol that allows users to have video and audio communications directly in the browser without any plugins installed. An unfortunate side effect is that it can, by default, leak your actual IP address from behind your VPN. Your real IP is therefore at risk of being exposed, stripping you of your anonymity.
The Disable WebRTC addon fixes that, thereby making VPNs more effective.
Disable Adobe Flash
Adobe Flash is used to display flash content on websites. The Adobe Flash Player browser plugin has a bad track record of serious security and privacy problems.
Protect yourself by disabling this plugin in your preferred browser.
- Open Firefox.
- Click on the the Settings icon represented by three horizontal lines in the top right-hand corner.
- Click Addons, then Plugins.
- Scroll down the list and look for any Shockwave- or Flash-related object. Click on the drop-down menu next to each one and select Never Activate.
Internet Explorer (IE)
- Open IE.
- Click the Settings icon represented by the gear-like image in the top right-hand corner.
- Select Manage add-ons from the drop-down menu.
- Under the Show drop-down, select All add-ons.
- Finally, select Shockwave Flash Object; in the bottom right-hand corner, select Disable.
- Open Chrome.
- In the address bar, type "about:plugins".
- Navigate down to Adobe Flash Player and select Disable.
- Open Safari.
- Click on Safari in the Menu bar and then Preferences.
- Click on Security.
- Click on the ‘Website Settings…’ button next to ‘Allow Plugins.’
- Select ‘Adobe Flash Player’ from the left-hand menu. In the drop-down menu When visiting other websites, select ‘Block’.
Disable the Java Applet plugin
The Java plugin software allows applets written in the Java programming language to run inside various browsers.
Security experts are constantly advising that you disable this plugin in your browser. It opens up a number of holes that can allow criminals to steal passwords, credit card numbers, and other personal information. And, as you may have read in the news, new security holes are popping up all the time.
Follow the steps above for the Adobe Flash plugin but disable all Java plugins instead.