Chromium Privacy / Security Checklist

UPDATED: An intermediate checklist aimed at reducing privacy leaks, attack surfaces and identifiable information on Chromium. Ensure you back up your Chromium profile before applying changes. I will update and add to this page as regularly as possible as I learn more, sources and further reading is located at the footer. This article will not go into detail to the methods that sites gather your habits and information, that is a tome in itself, but needless to say, data brokers love the browser’s default settings.

General Tips:

  • Be sure to use Chromium (which is open-source), not Google Chrome. The latter is based on Chromium, but phone-home tracking and analytics are added, as well as proprietary components, search term tracking and indefinite search history. Even better, use Firefox, which has far better privacy controls.
  • Note that Chrome extensions from the webstore are compatible with Chromium. However, also note that on every startup of Chromium, it will check back with Google for extension updates, thus tying your IP with your browser. This also applies to forks such as SRWare Iron.
  • Chrome extensions will usually track you by default and send information back, including browsing history, cookies, authentications and more. Read more here.
  • On startup, Chromium will also attempt DNS resolution of a [random 10-14 character sequence].[ISP domain].[ISP TLD]. This is presumably to identify if any DNS or captive portal redirection is happening.
  • Avoid signing in with your Google account to the browser, as this ties your browser habits to your Google account. Incognito mode, Tor or VPNs will be ineffective.
  • Be selective about what extensions you install, assess if you absolutely need to install it. Even if not malicious, addons may harvest your information. In place of some search addons, you can create your own search operators by right-clicking on search fields in adding keyword searches.
  • If you absolutely must install questionable add-ons, create an alternative separate browser profile.
  • There is no Chromium available for Android, I would recommend Firefox for Android instead. You’ll have to figure out bookmark porting on your own. Be sure to check out my Android Privacy guide as well. Avoid the proprietary closed-source Google Chrome / Apple Safari / Microsoft Edge.
  • Don’t leave yourself logged into various sites. Cookies can be read across sites if there is an embed from that site’s origin. Use a password manager (like Lastpass or ChromeIPass) to automatically fill login forms as required.

Recommended Extensions:

Redundant Extensions:

  • Adblock / Plus, adblocker with dubious practices, bloated, use uBlock Origin.
  • uBlock – Use uBlock Origin instead. uBlock (non-origin) is the imitation version. Story here.
  • Disconnect – Anti-tracking protection, obsoleted by uMatrix/uBlock Origin.
  • Ghostery – Anti-tracking protection, closed-source, obseleted by uMatrix/uBlock.
  • Privacy Badger – Uses patterns and heuristics to block trackers, obseleted by uMatrix/uBlock.




One thought on “Chromium Privacy / Security Checklist

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s