UPDATED: An intermediate checklist aimed at reducing privacy leaks, attack surfaces and identifiable information on Chromium. Ensure you back up your Chromium profile before applying changes. I will update and add to this page as regularly as possible as I learn more; sources and further reading are listed in the footer. This article will not go into detail on the methods sites use to gather your habits and information (that is a tome in itself), but needless to say, data brokers love the browser’s default settings.
- Be sure to use Chromium (which is open-source), not Google Chrome. The latter is based on Chromium, but phone-home tracking and analytics are added, as well as proprietary components, search term tracking and indefinite search history. Even better, use Firefox, which has far better privacy controls.
- Note that Chrome extensions from the Web Store are compatible with Chromium. However, also note that on every startup, Chromium will check back with Google for extension updates, thus tying your IP address to your browser. This also applies to forks such as SRWare Iron.
- Chrome extensions will usually track you by default and send information back, including browsing history, cookies, authentications and more. Read more here.
- On startup, Chromium will also attempt DNS resolution of a [random 10-14 character sequence].[ISP domain].[ISP TLD]. This is presumably to identify if any DNS or captive portal redirection is happening.
- Avoid signing in with your Google account to the browser, as this ties your browser habits to your Google account. Incognito mode, Tor or VPNs will be ineffective.
- Be selective about which extensions you install, and assess whether you absolutely need each one. Even if not malicious, add-ons may harvest your information. In place of some search add-ons, you can create your own keyword searches by right-clicking a site’s search field and adding it as a search engine.
- If you absolutely must install questionable add-ons, create an alternative separate browser profile.
- There is no Chromium available for Android, I would recommend Firefox for Android instead. You’ll have to figure out bookmark porting on your own. Be sure to check out my Android Privacy guide as well. Avoid the proprietary closed-source Google Chrome / Apple Safari / Microsoft Edge.
- Don’t leave yourself logged into various sites. Cookies can be read across sites if there is an embed from that site’s origin. Use a password manager (like Lastpass or ChromeIPass) to automatically fill login forms as required.
- Canvas Fingerprint Block – Self explanatory, stops fingerprinting via canvas.
- uBlock Origin – Adblocker, very comprehensive hosts lists, can be used with uMatrix together.
- HTTPS Everywhere – Enforces HTTPS connections where available, by the EFF.
- Private Extension – Reduces fingerprinting via hiding headers, plugins. Also cleans.
- Referer Control – Allows controlling of HTTP referer.
- Vanilla Cookie Manager – Cookie whitelisting and periodic cleaning.
- WebRTC Leak Prevent – As the name states, stops WebRTC leaking your real IP, which can occur even if you’re using a VPN.
- Adblock / Adblock Plus – Adblocker with dubious practices, bloated; use uBlock Origin instead.
- uBlock – Use uBlock Origin instead. uBlock (non-origin) is the imitation version. Story here.
- Disconnect – Anti-tracking protection, obsoleted by uMatrix/uBlock Origin.
- Ghostery – Anti-tracking protection, closed-source, obsoleted by uMatrix/uBlock Origin.
- Privacy Badger – Uses patterns and heuristics to block trackers, obsoleted by uMatrix/uBlock Origin.
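The startup DNS probe noted in the checklist above (random single-label hostnames that pick up the network’s search suffix) leaves a recognisable trace in resolver logs. The following is an added example, not code from the original post: it scans constructed log lines of the form `timestamp client query` and flags a client that issues several random-looking queries sharing one suffix within a short window. The 10–14 character label length from the post is a parameter, since Chromium versions differ.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample resolver log (not real captured data): "timestamp client query".
# Client .10 shows a Chromium-style startup burst; client .11 issues a lone random label.
SAMPLE_LOG = """\
2024-01-01T08:00:00 192.168.1.10 www.example.com.
2024-01-01T08:00:01 192.168.1.10 qkzrtwpxlmvb.isp-example.net.
2024-01-01T08:00:01 192.168.1.10 hjdsbvqeurtlaw.isp-example.net.
2024-01-01T08:00:02 192.168.1.10 zpqmvrtxlk.isp-example.net.
2024-01-01T08:05:00 192.168.1.11 mail.example.org.
2024-01-01T08:05:02 192.168.1.11 abcdefghijk.isp-example.net.
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def looks_random(label, min_len=10, max_len=14):
    """Heuristic: a purely lowercase-alphabetic label of probe-like length.
    The length bounds are assumptions taken from the post; adjust per version."""
    return min_len <= len(label) <= max_len and label.isalpha() and label.islower()


def find_probe_bursts(log_text, window=timedelta(seconds=5), min_queries=3, **label_kw):
    """Return {client: [query names]} for each client that sent at least
    `min_queries` random-looking queries with the same suffix inside `window`."""
    candidates = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail on a noisy log
        ts, client, name = m.groups()
        name = name.rstrip(".")  # drop trailing root dot
        label, _, suffix = name.partition(".")
        if looks_random(label, **label_kw):
            candidates[client].append((datetime.fromisoformat(ts), name, suffix))
    bursts = {}
    for client, events in candidates.items():
        events.sort(key=lambda e: e[0])  # stable: keeps log order for equal timestamps
        for i in range(len(events) - min_queries + 1):
            group = events[i:i + min_queries]
            same_suffix = len({e[2] for e in group}) == 1
            if same_suffix and group[-1][0] - group[0][0] <= window:
                bursts[client] = [e[1] for e in group]
                break
    return bursts
```

Run on the embedded sample it reports only 192.168.1.10; lowering `min_queries` or widening the length bounds trades precision for recall, so tune against your own resolver logs.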