tag:macinternetsecurity.posthaven.com,2013:/posts Mac Internet Security 2021-12-22T18:00:43Z tag:macinternetsecurity.posthaven.com,2013:Post/1030068 2016-04-10T02:16:03Z 2021-12-22T18:00:43Z Mac Internet Security


Mac Internet Security
A blog for learning how to securely browse the internet.


 
This blog may look more intimidating than it really is. Trust me. It's very simple and worth it. All you need to do is follow the instructions.
            

                      The internet serves as a tool for corporate monopolists and government surveillance.
                                             Protect yourself and if possible make power itself transparent.
 Exercise your 5th Amendment right to remain silent so as to not incriminate yourself and protect your privacy.
 The Supreme Court has held that "a witness may have a reasonable fear of prosecution
 and yet be innocent of any wrongdoing. The privilege serves to protect the innocent 
who otherwise might be ensnared by ambiguous circumstances." 


                                                     "The more you sweat in peace, the less you bleed in war"

Anne Frank was arrested. She was turned in to the police by a law-abiding citizen. The warrant for her arrest was based on information her father had given to the authorities ten years prior.

                    Your rights matter because you never know when you're going to need them.   Privacy allows freedom of action according to your own will.

                                                       
     This blog is written for most people who just want some basic protection - Firefox and a VPN are essential.
                 I also point to additional steps one can take such as Bitcoin, Tails, Tor, Whonix, anonymous remailer, etc.
                                                                  You choose your security level.

                                                                  Everything in this Blog is legal.

       Browsers and their plugins remain the best attack vector for delivering malware, leaking data, or drive-by attacks.



                                                                                  FIREFOX IS ESSENTIAL    
                                             Firefox is Open Source and is built with a commitment to privacy.
                                                     
                                                              Google and Microsoft compromise your privacy.

                                                                                   So let's short circuit them.

                                                                                   FIREFOX EXTENSIONS

                                                                                           1. uBlock Origin
                                                                                           2. HTTPS Everywhere
                                                                                           3. Privacy Badger 
                                                                                           4. Canvas Defender
                                                                                           5. Decentraleyes
                                                                                           6. iTube Studio (for fun)
                               uBlock Origin setup: click the icon, then the dashboard. Prevent WebRTC and block media elements and remote fonts.
                                                                                     
                                                                                                             
                                                                                        
                  

                                                                                  
                                                                                    FIREFOX PREFERENCES

     In Firefox Preferences click on GENERAL. Scroll down to Network Settings and click the
Settings button. In the box that opens, scroll down to Enable DNS over HTTPS, where it can be disabled.

     In Firefox Preferences click on HOME.
At Homepage Custom URL, copy and paste the following so that Startpage uses EU servers and does not filter your results:

https://eu.startpage.com/?cat=web&prfh=connect_to_serverEEEeuN1Ndisable_family_filterEEE1N1Ndisable_open_in_new_windowEEE0N1Ndisable_video_family_filterEEE0N1Nenable_post_methodEEE1N1Nenable_proxy_safety_suggestEEE1N1Nenable_stay_controlEEE1N1Ngeo_mapEEE1N1Nlang_homepageEEEs%2Fdefault%2Fen%2FN1NlanguageEEEenglishN1Nlanguage_uiEEEenglishN1Nnum_of_resultsEEE10N1Nother_iaEEE1N1Nsearch_results_regionEEEallN1NsuggestionsEEE1N1Nwikipedia_iaEEE1N1Nwt_

    uncheck
         Web Search
         Top Sites
         Highlights
         Snippets

In Firefox Preferences click on SEARCH and make
Startpage your default search engine.



Disable Search Suggestions

In Firefox Preferences click on PRIVACY & SECURITY
          Check on Strict and only when Firefox is set
          Check delete cookies and site data when….
          Remember browsing & download history
          Clear history when Firefox closes
          Check Show alerts about passwords……
          Uncheck Use a master password
      
   
          Address Bar uncheck all 4
   Permissions > Settings  and Block all
   Also  Block pop-up windows
          Check Warn you when websites try to install add-ons
          Prevent accessibility services from accessing browser
          Do not block dangerous & deceptive sites so as
          not to be tracked. If you use the instructions in this Blog you're well protected.
          Do not allow Firefox to collect anything

          Certificates: Ask every time & Query OCSP
         
                      One-Click Search Engines check Startpage
  
                                                                                                                                       
                                                           about:config: Some of these changes are critical
                                                                  (with copy and paste this goes fast)
 
This is updated for Firefox version 79.0. Some of these changes may appear counterintuitive. Trust me or do your own research.
For a string (text) or a number preference, click the Edit button and enter a new value. Click on the checkmark to save the change.

Managing Mozilla/Firefox DOM Storage Privacy. Disable DOM Storage pseudo-cookies by typing about:config into the URL bar.
Press the button "Accept the Risk and Continue" to continue to the about:config page.
That will bring up an extensive list of internal browser configuration options. Type "storage" into the filter box. You should see an option called dom.storage.enabled. Change it to "FALSE" by double clicking on it.
general.warnOnAboutConfig to FALSE
beacon.enabled = FALSE
browser.cache.disk_cache_ssl to FALSE
browser.cache.disk.capacity to 0
browser.cache.disk.enable to FALSE
browser.cache.memory.enable to FALSE & browser.cache.memory.max_entry_size to 0
browser.cache.offline.capacity to 0
browser.formfill.enable to FALSE
browser.safebrowsing.downloads.remote.enabled = FALSE
browser.safebrowsing.malware.enabled to FALSE
browser.safebrowsing.phishing.enabled to FALSE
browser.send_pings to FALSE
browser.send_pings.require_same_host to TRUE
browser.sessionstore.max_tabs_undo = 0
browser.sessionstore.privacy_level to 2
browser.urlbar.speculativeConnect.enabled to FALSE
camera.control.face_detection.enabled to FALSE
datareporting.healthreport.uploadEnabled to FALSE
dom.battery.enabled to FALSE
dom.event.clipboardevents.enabled to FALSE
dom.event.contextmenu.enabled to FALSE
dom.webnotifications.enabled to FALSE
geo.enabled to FALSE
media.eme.enabled = FALSE
media.gmp-widevinecdm.enabled = FALSE
media.navigator.enabled to FALSE
network.cookie.cookieBehavior to 1
network.cookie.lifetimePolicy to 2
network.dns.disablePrefetch to TRUE
network.dns.disablePrefetchFromHTTPS to TRUE
network.predictor.enabled = FALSE
network.predictor.enable-prefetch = FALSE
network.http.speculative-parallel-limit to 0
network.IDN_show_punycode to true
network.http.referer.XOriginPolicy = 2
network.http.sendRefererHeader change to 0
network.http.sendSecureXSiteReferrer to FALSE
network.http.referer.trimmingPolicy to 2
network.dnsCacheEntries to 0
network.dnsCacheExpiration to 0
network.prefetch-next to FALSE
privacy.firstparty.isolate to TRUE
privacy.resistFingerprinting to TRUE
privacy.trackingprotection.enabled to TRUE
privacy.trackingprotection.fingerprinting.enabled = true
privacy.trackingprotection.cryptomining.enabled = true
security.ssl3.dhe_rsa_aes_128_sha to FALSE
security.ssl3.dhe_rsa_aes_256_sha to FALSE
security.ssl.require_safe_negotiation to TRUE
security.ssl.treat_unsafe_negotiation_as_broken to TRUE
security.tls.version.min to 3
signon.autofillForms to False
webgl.disabled to TRUE
media.peerconnection.enabled to FALSE    (Disables WebRTC)
                      These last two are essential so as not to leak your IP Address when using a VPN
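
To check that the about:config changes above actually took effect and stay in effect after a Firefox update, this added example (not part of the original blog post) audits a profile's prefs.js against a subset of the list. It assumes the usual prefs.js format of user_pref("name", value); lines; the BASELINE subset, the function names and the sample file contents are constructed for illustration.

```python
import json
import re
# Target values copied from the about:config list above (a subset, chosen here).
BASELINE = {
    "dom.storage.enabled": False,
    "network.cookie.cookieBehavior": 1,
    "privacy.resistFingerprinting": True,
    "security.tls.version.min": 3,
    "webgl.disabled": True,
    "media.peerconnection.enabled": False,
}
PREF_LINE = re.compile(r'^[ \t]*user_pref\("([^"]+)",\s*(.+?)\);[ \t]*$', re.M)

def parse_prefs(text):
    """Return {name: value} for every user_pref(...) line in prefs.js text."""
    prefs = {}
    for name, raw in PREF_LINE.findall(text):
        try:
            prefs[name] = json.loads(raw)   # true/false, integers, "strings"
        except json.JSONDecodeError:
            prefs[name] = raw               # keep an unparsed literal as text
    return prefs

def audit(text, baseline=BASELINE):
    """Map each baseline pref to 'ok', 'unset' or 'drift:<value found>'."""
    found = parse_prefs(text)
    report = {}
    for name, want in baseline.items():
        if name not in found:
            report[name] = "unset"          # not in prefs.js: still at default
        elif type(found[name]) is type(want) and found[name] == want:
            report[name] = "ok"             # type check: true must not pass as 1
        else:
            report[name] = f"drift:{found[name]!r}"
    return report

# Constructed sample standing in for a real prefs.js file.
SAMPLE = """// Mozilla User Preferences (constructed sample)
user_pref("dom.storage.enabled", false);
user_pref("media.peerconnection.enabled", true);
user_pref("network.cookie.cookieBehavior", 1);
user_pref("security.tls.version.min", 1);
user_pref("webgl.disabled", true);
"""

if __name__ == "__main__":
    for pref, status in audit(SAMPLE).items():
        print(f"{status:12} {pref}")
```

Firefox writes only preferences that differ from their defaults to prefs.js, so "unset" means the change was never made or has been reset. On macOS the file is at ~/Library/Application Support/Firefox/Profiles/<profile>/prefs.js.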

                                                         ROUTER SETUP IS ALSO ESSENTIAL 

Do not plug in directly to your modem but use a router with its firewall turned on. Set it up securely using WPA/WPA2 encryption, disable DMZ mode, change the SSID name, and change the Admin password. Turn off UPnP and create a static IP address and use Port Forwarding if not using a VPN. If you use a VPN DO NOT port forward. AirVPN does that for you.


                                                                                  MALWARE
                                                      
                                              Occasionally scan your computer with MALWAREBYTES
 


                                                                                   MAC OS X
                                                                            (If not using a VPN)    

1. Go to System Preferences. 2. Click on Network. 3. Click Advanced. 4. Select the DNS tab and add 208.67.222.222 and 208.67.220.220 to the list of DNS servers & remove all others. 5. Click OK. This will help internet speed and security.


                                                                                 PASSWORDS

Normally it is recommended to use 12 to 14 characters but as computers get faster at cracking I use 17. Use letters (upper & lower case), symbols, punctuation marks, numbers. Don't use these letters: A E I L N O R S T or these numbers 1 2 3 0.

                    
                                                           "ENCRYPTION WORKS" -Edward Snowden

               VPNs provide privacy. Privacy protects data. TOR provides anonymity. Anonymity protects you. 

                                                                         1. AirVPN

So you can use AirVPN (no logs, 256-bit AES encryption) ($60.03/year). Your internet usage is encrypted and your IP Address is changed. In my case people see a Swiss IP address. I suggest you choose Switzerland TCP (more secure) or UDP (secure and faster) as your server and also use Neomailbox ($50.00/yr) for email. Their servers are located in Switzerland, outside the jurisdiction of the US & EU, and they don't have secret laws or secret courts hidden from public scrutiny. It's a neutral country with strong privacy laws. They're awesome and I have used them for years. I suggest you install two Swiss AirVPN servers so you'll have a backup. Free services don't have an incentive to protect your privacy. Don't use a Proxy - only a VPN. For the more serious, use a throwaway free Hushmail account to join AirVPN. Use an alias. Pay with Bitcoin. Connect TOR to AirVPN and not the other way around. You could use Tails. Becoming a relay for Tor gives additional security through obfuscation. Buy Bitcoin only while using TOR. Use a Mixer. No WiFi, Bluetooth, or web cam.
TUNNELBLICK is a small program that you would be using to join a VPN. You can use it as an automatic Kill Switch should the VPN server disconnect (maintenance, etc.) to ensure that internet traffic can only be sent over the encrypted VPN tunnel. Instructions here. To begin go to System Preferences > Security > Advanced and put your computer in Stealth Mode.
As soon as you log into a site — whether it’s buying something on Amazon or just checking Twitter — you’ve revealed who you are. The same goes for credit cards and PayPal. The way around it is Bitcoin. So don't become a target of the NSA/FBI - sex online with someone under 18 years of age or a terrorist. Do not access any sites that could identify you like Facebook and Webmail. Have a separate computer for logging into sites like Sprint etc. Anytime you log in to a site you are exposed. So use a VPN server.
If you use a VPN for both your private and public internet activities, connect to a different VPN server for each type of activity.
I suggest you use a server in Switzerland with UDP for public internet activities and a server in Spain with TCP for private activities.

Never log in to any site with the Spain server. Switching servers is easy with Tunnelblick.

       

                                                                            2. ExpressVPN

For $40 a year more than AirVPN you can increase your internet speed and security with ExpressVPN. 
                                                                   

                                                                           
                                                                           LITTLE SNITCH

The first time you launch Little Snitch, you may feel as though you are being bombarded by dialog boxes asking you for Internet access. Don’t worry – this is only the initial configuration, where Little Snitch finds out which applications you wish to allow. If you trust an application, then clicking the any connection Forever tab ensures that you will not be notified again in the future when the app tries to access the Internet. Yes, I agree it may be a tad irritating at the front end but it’s only temporary. Once Little Snitch learns your preferences, the permission boxes that appear will be fewer and farther between.
I suggest that you create block-any-connection-forever rules for quicklookconfig and SubmitDiaginfo. Then paste this command in Terminal: qlmanage -r cache and hit return, which will clear quicklook's history.


                                                                                  WIRELESS

If not using a VPN (duh) when at a wireless hotspot, go to System Preferences > Security and turn on your Firewall, click Advanced and put your computer in Stealth Mode. Being Hard Wired is faster and more secure than Wi-Fi.
                         
                                                                                 NO SPOOKS         

REMOVE all Google spyware from your computer (Google Chrome, Google Earth, etc). Google’s business is, literally, mass surveillance. Google is a major contractor to the US government, including the NSA as well as several military contractors. Snowden revealed the NSA has direct access to Google's servers. There’s a reason its services are free. You’re the product, not the customer.

                                                                                    PROTECT YOUR PRIVACY
  


                                                          
    Email me for help or suggestions: kitanotech@neomailbox.net                  Special Thanks to Erin!!!

Updated 23 Dec 2021