Online privacy and security are critical components to ensuring that your personal data isn’t leaked all over the Internet every time you surf the web. Your personal data is a valuable commodity for companies such as Google, Facebook, and others that sell your information to advertisers for profit. And on the nefarious side, your personal data can be used by cybercriminals in phishing attempts, identity theft, or any number of other crimes that you don’t want to be on the receiving end of.
So then what tools, technologies and settings should YOU be using to safeguard your online experience? Well – that’s not a super easy question to answer because each individual’s tolerance for privacy vs. convenience is going to be different. For example, you may want to install some browser plug-ins that are a one-time set it and forget it style of privacy improvement, but you don’t want to go through the hassle of turning on a VPN proxy service every time you go online.
In this article, I’m going to make your life easier by showing you my TOP 5 privacy tips featuring different tools and safeguards you can implement that will greatly decrease the chances of exposing your personal data online, and you can pick and choose which of these tools you are most comfortable with. Let’s get started!
Tip #1: Browser Selection
The Internet browser that you choose to use can make a huge difference in your online privacy profile. Check out how some of the most popular browsers compare in terms of privacy on privacytests.org.
The Brave Browser tops the list here – their main focus is on privacy. They even tell you exactly that the first time you launch their browser:
Brave has a ton of built-in privacy protections. They call these Brave Shields, and you can click the Brave logo to the right of the URL bar in the browser to see specifically what has been blocked on any given website.
These Brave Shields give you automatic protection against a number of tracking technologies. For example, they have third-party ad & tracker blocking, they block cross-site cookies, and they randomize browser fingerprinting, which is a way that companies can detect who you are based on multiple semi-identifiers that are slightly different about each person’s computer setup such as the size of the browser window or your computer hardware details. Fingerprinting takes all of these seemingly independent statistics and combines them together to form a unique fingerprint that can be used to track you across multiple sites. By randomizing your fingerprint, websites have a much tougher time figuring out who you are.
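To make the fingerprinting idea concrete, here is an added example (not code from Brave or from this article) that hashes a handful of constructed browser attributes into one identifier and then applies a simplified per-site, per-session randomization. The attribute names, the session seeds and the site names are assumptions made for the illustration.

```javascript
// Added illustration. Attribute names, values and site names are constructed.

// FNV-1a (32-bit): a small dependency-free hash standing in for whatever
// digest a tracking script would use.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Combine individually weak signals into one identifier. Keys are sorted so
// the same device always serialises to the same string.
function fingerprint(attrs) {
  const canonical = Object.keys(attrs).sort().map((k) => `${k}=${attrs[k]}`).join("|");
  return fnv1a(canonical);
}

// Simplified randomization model (an assumption, not Brave's code): derive
// noise from a per-session secret plus the site, and mix it into the
// high-entropy readouts. Values stay stable within one site and session, so
// pages keep working, but they differ across sites and across sessions.
function shielded(attrs, sessionSeed, site) {
  const noise = fnv1a(`${sessionSeed}|${site}`);
  return {
    ...attrs,
    canvasHash: fnv1a(`${attrs.canvasHash}|${noise}`),
    audioHash: fnv1a(`${attrs.audioHash}|${noise}`),
  };
}

// Number of distinct identities a third-party script embedded on every site
// would record for one device. 1 means the visits are fully linkable.
function distinctIdentities(sites, readAttrs) {
  return new Set(sites.map((site) => fingerprint(readAttrs(site)))).size;
}

const device = {
  windowSize: "1463x912",
  timezone: "America/Los_Angeles",
  hardwareConcurrency: 12,
  gpu: "ExampleGPU 4000",
  canvasHash: "c0ffee12",
  audioHash: "9a3b77d0",
};
const sites = ["news.example", "shop.example", "video.example"];

const unprotected = distinctIdentities(sites, () => device);
const withShields = distinctIdentities(sites, (s) => shielded(device, "session-A", s));
console.log({ unprotected, withShields });
```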
You can dive deep into exactly how the Brave Browser accomplishes all of these privacy protections by visiting brave.com/shields. But one of the nice things about Brave is that it’s based on Chromium, the same engine that powers Google Chrome, which is the most ubiquitous browser on the Internet – most if not all websites are compatible with Chrome, so you’re very unlikely to break websites when you’re using Brave – that is, if you take the default privacy settings. If you opt to enable some of the more advanced or aggressive protections, Brave warns you that some sites may break.
The other nice thing about Brave being Chromium based is that all of your Chrome browser plug-ins should also work with Brave. Bottom line is that if you’re a Chrome user who is looking to beef up your privacy protections, the Brave Browser is an easy way to accomplish increased privacy without changing your browsing experience much.
A second runner up to Brave is Firefox. Firefox has most of the same privacy and security protections as the Brave browser including tracking protection, cross-site cookie protection, fingerprinting protection, and DoH (DNS-over-HTTPS) – we’ll talk more about DoH a little bit later in this article.
Firefox has been around for a long time, and has successfully navigated some of the browser wars that have left other browsers on the trash heap of history. Firefox is owned by Mozilla – a company that holds privacy at the forefront of everything that they do. (Quick side note, Brave’s founders also came from Mozilla).
One other honorable mention is the DuckDuckGo browser for iOS and Android, which by default includes ad tracker blocking, forced HTTPS and more. Plus, it has a really cool flame animation anytime you want to clear all tabs and data.
By using a privacy-focused browser such as Brave or Firefox, you’re already very well protected against a lot of the devices companies use to track your Internet habits on a single site, or when surfing site-to-site.
There are a number of browser plugins available that will help ensure privacy when surfing around the Internet. Many, if not all, of these plugins are available by default in Brave and Firefox, but for those who want to stick with Chrome, Edge, or another browser, these can greatly help improve privacy.
HTTPS Everywhere – I’m mentioning this plugin even though I already know that it has officially hit its sunset date in January 2023. The purpose of HTTPS Everywhere (created by EFF – the Electronic Frontier Foundation) was to force HTTPS (secure HTTP protocol running on port 443 instead of the insecure port 80) for every website that you browse to – and if a website was HTTP only without a companion HTTPS version, the site was either blocked, or you were warned about the insecure nature of the site you were about to visit.
This functionality has now been built in to all of the most popular browsers, but it’s not necessarily enabled by default – so let’s go over how to enable it.
Brave and Google Chrome – To enable always-on secure connections in Brave or Google Chrome, go to Settings –> Privacy and Security –> Security and then flip on the switch for ‘Always use secure connections.’
Firefox – Settings –> Privacy & security –> scroll all the way to the bottom –> set HTTPS-Only mode to ‘Enable HTTPS-Only Mode in all windows.’ You can also add exceptions to this rule, or sites that are exempt by clicking the ‘Manage Exceptions’ button.
Edge – in Edge, this setting is a bit trickier to find and enable. It *should* be enabled by default, even though you can’t see the setting by default. To check if you can see the setting, go to Settings –> Privacy, search, and services and then scroll down to the ‘Security’ section. If you see ‘Automatically switch to more secure connections with Automatic HTTPS,’ then you’re all good – just make sure that setting is enabled and select ‘Always switch from HTTP to HTTPS.’ Keep in mind that this may break any non-HTTPS sites that you visit.
If you DON’T see the setting above under ‘Security,’ you have to first enable it. To do so, navigate to edge://flags/#edge-automatic-https in the Edge browser and then set ‘Automatic HTTPS’ to ‘Enabled.’
Once this setting has been Enabled, Edge will want you to restart the browser, and then you should be able to find it in Settings –> Privacy, search, and services.
So while HTTPS Everywhere is now defunct – you should still be enabling this setting in whichever browser you use. By using HTTPS, you’re helping to ensure the safety of the sites you visit by requiring valid, secure SSL certificates.
Ad Blockers – there are a number of ad blocker plugins available for your Internet browser. The purpose of an ad blocker is pretty straight forward – they block ads! The most obvious reason you would want to do this is to prevent sites from getting your browsing data and using it for advertising, but they also block nefarious individuals from using ads to do nefarious things. The US Federal Bureau of Investigation even recommends that users use ad blocking extensions due to the prevalence of these attacks.
If you’re using the Brave browser, it has ad blocking built in, so adding an ad blocking plugin is fairly redundant – but users on Chrome, Firefox, or Edge should definitely have one of these plugins installed and enabled.
Some of the most popular ad blocking extensions include AdBlock Plus, AdBlock, and uBlock Origin. These ad blockers work by checking any URL you visit (and the URLs that those web pages make calls out to), and it blocks any of the domains that are on their block lists. Typically, the built-in block lists are perfectly fine, but advanced users can add their own block lists as well.
uBlock Origin for instance is a lightweight, free, and open-source ad blocking and content filtering browser plugin that is available for Chrome and Firefox.
When you surf to a website, uBlock Origin will analyze the page and block any of the elements that may be tracking you for advertising purposes. In the screenshot above, you can see that uBlock Origin blocked 27% of the links on slashdot.org – and if you click ‘More’ it will expand out so that you can see the actual domains and links that were blocked.
Another good option for browser plugin-based ad and tracker blocking is Privacy Badger from EFF. Unlike the other browser extensions that block based on block lists, Privacy Badger blocks based on objectionable behavior, or in other words, it learns to block invisible trackers. The way they explain it is that domains are blocked if they’re sent a Do Not Track signal, but are still observed collecting data.
While these ad blocking browser plugins will help to protect you from unwanted ad domains in your browser, what about other devices in your network such as your smart TV’s and gaming consoles? For those devices, you’ll want a network-wide ad blocker such as PiHole or AdGuard Home – we’ll discuss these a bit later in this article.
Tip #2: Use a Private Search Engine
Let’s face it – the BIG search engines, namely Google and Bing, make their money off of your data. So even if you are using a private browser, and even if you’re surfing through a VPN proxy service, just by using these search engines, some of your data is getting leaked and used for advertising.
Brave has its own private search engine available at search.brave.com – this search engine is enabled by default in the Brave browser, but you can go to Settings –> Search Engine and change this to a different default search engine if you prefer a different one.
Using a private search engine means that your search history and personal data is never saved and used for advertising purposes. Your IP address is not logged, and you’re not presented with targeted ads.
Besides Brave Search there’s also DuckDuckGo, which provides a suite of plugins for browsers that include their private search, ad blocking, and encryption enforcer (HTTPS Everywhere). Or you can just set them as your default search engine provider in your browser.
Another privacy-focused search engine is Startpage. I admittedly don’t know too much about them, but they appear to have all of the same good privacy policies as Brave and DuckDuckGo.
To change your default search engine in Brave or Chrome, simply go to Settings –> Search Engine. If the search engine you’re looking for doesn’t appear in the list, you’ll have to do some extra work. For example, in Chrome, you can set your default search engine to DuckDuckGo out of the box, but Brave Search isn’t in there.
To add Brave (or any other search services) to Chrome, from Settings –> Search Engine, click ‘Manage search engines and site search.’
Notice that there’s no Brave in the Search Engine list – to add it, click ‘Add’ next to Site search.
You can then add Brave Search like this:
Once you’ve added Brave to Chrome, you should now be able to select it as a default.
But really – it would just be a heck of a lot easier to use the Brave Browser which has Brave Search enabled by default…and also uses the same Chromium engine as Google Chrome.
Tip #3: Use DNS over TLS (DoT) / DNS over HTTPS (DoH)
Since we’re already in our browser settings – let’s talk about DNS over TLS (DoT) and DNS over HTTPS (DoH). Both of these protocols are used to encrypt DNS queries – in other words, with DoH enabled, someone sitting in between you and the DNS server who sniffs your DNS traffic wouldn’t be able to see the domain you’re trying to look up. I’m mostly going to be referring to DoH in this section, though the two can be used fairly interchangeably – they both encrypt your DNS queries, but they work at different layers of the OSI network model (a bit more advanced than I want to dig into in this video). DoH is just more fun to say.
All of the modern browsers support DoH – it just has to be enabled…BUT – your upstream provider needs to have the ability to receive encrypted DNS requests. Many of the upstream DNS servers I’ve already mentioned in this article (Cisco/OpenDNS, Cloudflare, etc.) can do this no problem – and in fact, many of them are also pre-configured for use in your browser.
There is an excellent article that discusses DNS over HTTPS, and can show you the latency to various DNS over HTTPS providers. This same article shows you how to enable DNS over HTTPS in many different browsers – it’s just another setting you have to specifically enable.
How to enable:
Brave / Chrome
If you’re using a network-wide ad-blocking DNS server such as PiHole or AdGuard Home, you can still use DoH – but it’s a bit more complicated. Your network devices will be using the PiHole for their DNS, and then the PiHole or AdGuard server has to use DoH to connect out to their upstream DNS resolvers.
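The following added example (not from the original article) builds one DNS query and shows it both ways: as the plain message that travels over port 53 and as an RFC 8484 DoH request, then reports what an on-path observer can read for plain DNS, DoT and DoH. The resolver URL doh.example is a placeholder, and the helper names are made up for the illustration.

```javascript
// Added illustration. The resolver URL is a placeholder, not a real service.
const RESOLVER = "https://doh.example/dns-query";

// Build a DNS query in wire format (RFC 1035): 12-byte header + one question.
// ASCII names only; internationalised names are out of scope here.
function buildDnsQuery(name, qtype = 1 /* A record */) {
  const header = Buffer.from([
    0x00, 0x00, // ID 0, as RFC 8484 suggests for cache-friendly DoH requests
    0x01, 0x00, // flags: recursion desired
    0x00, 0x01, // QDCOUNT = 1
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // no answer/authority/additional
  ]);
  const labels = name.split(".").filter(Boolean).map((label) => {
    if (label.length > 63) throw new RangeError("label longer than 63 bytes");
    return Buffer.concat([Buffer.from([label.length]), Buffer.from(label, "ascii")]);
  });
  // Root label, QTYPE, QCLASS IN
  const tail = Buffer.from([0x00, qtype >> 8, qtype & 0xff, 0x00, 0x01]);
  return Buffer.concat([header, ...labels, tail]);
}

// What anyone holding the raw DNS message can read: the queried name.
function readQname(message) {
  const labels = [];
  let offset = 12;
  while (offset < message.length && message[offset] !== 0) {
    const len = message[offset];
    if (len & 0xc0) throw new Error("compression pointer not expected in a query");
    labels.push(message.toString("ascii", offset + 1, offset + 1 + len));
    offset += 1 + len;
  }
  return labels.join(".");
}

// RFC 8484 GET form: the same bytes, base64url-encoded without padding,
// carried in the "dns" parameter of an HTTPS request.
function dohGetRequest(message, resolver = RESOLVER) {
  const b64url = message.toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return {
    method: "GET",
    url: `${resolver}?dns=${b64url}`,
    headers: { accept: "application/dns-message" },
  };
}

// The resolver's side: it decrypts the request and recovers the DNS message,
// so the resolver operator still learns the name.
function decodeDohUrl(url) {
  const param = new URL(url).searchParams.get("dns");
  return Buffer.from(param.replace(/-/g, "+").replace(/_/g, "/"), "base64");
}

// Fields an on-path observer can read for each transport.
function onPathView(transport, message, resolver = RESOLVER) {
  switch (transport) {
    case "udp53": // classic DNS: payload is cleartext
      return { port: 53, qname: readQname(message) };
    case "dot": // DNS over TLS: encrypted, but on its own well-known port
      return { port: 853, qname: null };
    case "doh": // DNS over HTTPS: looks like other HTTPS traffic; only the
      // resolver's host name is typically visible in the TLS handshake
      return { port: 443, server: new URL(resolver).hostname, qname: null };
    default:
      throw new Error(`unknown transport: ${transport}`);
  }
}

const query = buildDnsQuery("www.example.com");
const request = dohGetRequest(query);
console.log(request.url);
console.log(onPathView("udp53", query), onPathView("dot", query), onPathView("doh", query));
console.log("resolver sees:", readQname(decodeDohUrl(request.url)));
```

Encryption hides the lookup from the network in between, not from the resolver you pick, which is why the choice of upstream provider still matters.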
Tip #4: Use a VPN Proxy Service
VPNs are an excellent way to help safeguard your privacy online, but they do take a little bit to get used to. VPN services mask your location and WAN IP address by securely connecting you to a server in the cloud somewhere (you can usually pick your geographic location), and you surf through the VPN provider’s IP address(es) instead of your own. When you visit a website, they don’t see your actual location and WAN IP, which can be used to track and identify you, they only see the WAN IP address of your VPN provider.
VPN providers typically have mobile apps, browser plugins, or standalone applications for your PC, and in most cases, it’s as easy as flipping the VPN ‘on’ and you’re protected.
Keep in mind though that by using a VPN, you’re not automatically completely private. For example, if you are surfing the web through a VPN, but are logged into Google for email/docs/whatever, Google still knows who you are – they just see you coming from a different IP address.
Another drawback to using a VPN is that not all services allow you to use an anonymous VPN proxy service to access their services. Streaming services such as Netflix, Disney+, and Hulu have caught onto this and actively block you from logging in from one of these VPN services – especially the most popular ones.
Other services may be affected as well – I own a Tesla Model 3, and the Tesla app will not connect to my car if my VPN proxy service is enabled. So this is what I mean when I say that it takes some getting used to – there will be times when something isn’t working, and then you realize that it’s not working because your VPN is enabled. Turning it off will ‘fix’ the issue.
Another great use case for a VPN proxy service is whenever you’re connecting to a public WiFi network such as a hotel, coffee shop, or event venue. You don’t control these wireless networks, so you don’t know who may be listening in on your traffic. Enabling a VPN proxy from your device out to the VPN provider means that your data is protected when using these public wireless networks. Again though – you may be required to disable your VPN proxy for a captive portal to pop up. I’ve had instances at hotels where my VPN is enabled on my iPhone, and when I try to connect to the hotel’s WiFi, it never pops up the captive portal page that lets you connect. Once VPN is disabled, it works fine – and then once connected, you can re-connect the VPN no problem (usually).
So who are the best VPN providers then? Well – that’s a tricky question, and mostly it just comes down to Coke vs. Pepsi style personal preference. I will say however, that for as much money as NordVPN throws at influencers to hawk their wares, I tried it out myself a few years ago and found it to be way too dumbed down for me.
I personally use and recommend Private Internet Access. This is a bit controversial since they were purchased by Kape Technologies back in 2019, a company previously known as Crossrider which was notorious as a company associated with malware and adware. They have since also purchased many other VPN providers such as ExpressVPN and CyberGhost. So it’s a very good idea to be skeptical about who is behind the scenes at Private Internet Access. In fact, since that acquisition in 2019 I’ve only put out one video where I even mentioned Private Internet Access as my VPN provider – I still use them personally, but I am well aware of the skepticism, so I stopped promoting them almost entirely. Bottom line is that if you can’t completely trust the company that owns your VPN service, you definitely should not be using that service.
However, since I have been using PIA since about 2015 or so, and even since the acquisition, I have not noticed any changes in the service, and I quite like their application design and feature set. Since the Kape acquisition, they also have not changed their ‘No logs’ policy. They don’t store any personally identifiable information about you including your DNS queries, IP address, timestamps, browsing history, or bandwidth consumption. This claim has been independently verified and also proven in court.
So understandably, many folks will not want to even chance using Private Internet Access – so what are the other options out there?
Mullvad VPN is considered one of the most secure and anonymous VPN services available today. Mullvad is based out of Sweden, and they have an independently verified no logging policy similar to Private Internet Access. They don’t ask you for any personal information when you sign up – not even your email address, and they allow you to pay for their services in a number of ways including anonymously with Bitcoin and other cryptocurrencies.
Another popular choice is Proton VPN – a company that prides themselves on being privacy advocates. Proton is one of the most trusted names in Internet privacy and security with a company focus on making Internet privacy accessible to everyone. Proton VPN even has a free version of their product, but I would highly suggest investing in one of their paid plans if you have the ability to do so.
Bottom line is that by using a VPN proxy service, you’re masking your online identity by encrypting all of your traffic out to a 3rd party location before it heads out into the big bad Internet. Your ISP no longer has the ability to see what you’re up to, and websites you visit will have a tougher time figuring out who and where you are.
Tip #5: Network-wide Ad Blocking
We’ve already covered a number of ways to do ad blocking on your devices and in your Internet browser – but what about your other devices? Those smart TV’s, smart appliances, gaming consoles, and anything else that should be connected into a secure, segregated IoT network – many of those devices phone home and report in on your activities for advertising purposes. In my home network for instance, my Roku devices are extremely noisy – making thousands of calls out to the Internet that are blocked by my PiHole.
You can prevent your devices from making DNS queries to domains that are solely used for advertising purposes by changing up your DNS servers.
So the idea here is that when you sign up with an ISP, they give you some DNS servers that you can use to perform lookups of domains on the Internet. When you need to go to CrosstalkSolutions.com for example, your computer first has to resolve the name CrosstalkSolutions.com into an Internet address (IP address) that your computer understands. This is called a DNS lookup.
When you use your ISP’s DNS servers for performing DNS lookups, they know your IP address, and they know the websites you’re trying to resolve into IP addresses. They can use this information to learn more about your personal data and surfing habits.
You can switch to using public DNS servers such as Cloudflare’s 1.1.1.1 DNS servers, which offer enhanced speed, plus they don’t log your data or sell it to advertisers.
Using something like Cloudflare helps your privacy a bit, but it doesn’t filter any of your traffic or block adware and malware domains. But there’s an answer for that as well! Cloudflare also offers 1.1.1.2 which filters out malware, and 1.1.1.3 which filters out both malware and adult content. You can read all about these services here.
So simply by changing your DHCP server to hand out these special IP addresses for DNS to your devices, you’re more secure, and more private – but is that enough? It really depends on your tolerance for ads and control over what’s blocked. If you’re OK with the ‘default’ filtering that Cloudflare and other public DNS servers provide, and you trust that they’re blocking what you want to block, and you’re OK with having no visibility into WHAT specifically they block…then sure – you’re good at this point.
If however you want more control over your DNS queries and what’s blocked, you need to implement a network-wide ad-blocking DNS server. These are relatively easy to set up and use, and you can import as few or as many blocklists as you feel comfortable with – there’s always a fine balance between usability (no issues with normal surfing) and too much blocking.
My personal favorite network-wide ad-blocking DNS server is PiHole. PiHole is designed to be installed on a Raspberry Pi, but can also be installed into a virtual machine, in Docker, or on a number of various operating systems. I recently created a full step-by-step tutorial on how to set up and use PiHole that you should definitely check out!
Another great option for hosting your own DNS is AdGuard Home, which is basically the same concept as PiHole.
The advantage of these DIY DNS servers is that you have a lot of insight into your network statistics, your block lists, and since they’re local, the cached DNS lookups save you a bit of bandwidth.
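As an added example (not PiHole’s or AdGuard Home’s code, and not the author’s), here is the domain matching that both the block-list browser extensions from Tip #1 and a network-wide DNS blocker rely on, including an allowlist entry for the case where a block list breaks a site. The list contents, client names and the 0.0.0.0 sinkhole answer are constructed for the illustration.

```javascript
// Added illustration. List contents, client names and queries are constructed.

// Parse a hosts-format block list ("0.0.0.0 ads.example.net  # comment").
// Plain one-domain-per-line entries are accepted as well.
function parseHostsList(text) {
  const domains = [];
  for (const raw of text.split("\n")) {
    const line = raw.replace(/#.*/, "").trim();
    if (!line) continue;
    const fields = line.split(/\s+/);
    const domain = fields[fields.length - 1].toLowerCase();
    if (domain !== "localhost") domains.push(domain);
  }
  return domains;
}

function normalize(name) {
  return name.trim().toLowerCase().replace(/\.$/, ""); // drop trailing root dot
}

// "a.b.example.net" -> ["a.b.example.net", "b.example.net", "example.net"]
function selfAndParents(name) {
  const parts = normalize(name).split(".");
  const out = parts.map((_, i) => parts.slice(i).join("."));
  return out.length > 1 ? out.slice(0, -1) : out; // never match on a bare TLD
}

// Returns decide(qname). The most specific rule wins, and an allowlist entry
// beats a block entry for the same name, so one broken site can be fixed
// without giving up the whole list.
function makeFilter(blocklist, allowlist = []) {
  const blocked = new Set(blocklist.map(normalize));
  const allowed = new Set(allowlist.map(normalize));
  return function decide(qname) {
    for (const name of selfAndParents(qname)) {
      if (allowed.has(name)) return { action: "forward", rule: name };
      if (blocked.has(name)) return { action: "block", answer: "0.0.0.0", rule: name };
    }
    return { action: "forward", rule: null };
  };
}

// Per-client totals, the kind of visibility a local DNS server gives you.
function summarize(queryLog, decide) {
  const stats = {};
  for (const { client, qname } of queryLog) {
    if (!stats[client]) stats[client] = { total: 0, blocked: 0 };
    stats[client].total += 1;
    if (decide(qname).action === "block") stats[client].blocked += 1;
  }
  return stats;
}

const SAMPLE_LIST = `
# constructed sample list
0.0.0.0 ads.example.net
0.0.0.0 telemetry.tv-vendor.example   # smart TV phone-home
tracker.example
`;
const decide = makeFilter(parseHostsList(SAMPLE_LIST), ["cdn.tracker.example"]);

const SAMPLE_LOG = [
  { client: "smart-tv", qname: "telemetry.tv-vendor.example" },
  { client: "smart-tv", qname: "logs.telemetry.tv-vendor.example." },
  { client: "smart-tv", qname: "video.streaming.example" },
  { client: "laptop", qname: "ADS.example.net" },
  { client: "laptop", qname: "cdn.tracker.example" },
  { client: "laptop", qname: "pixel.tracker.example" },
  { client: "laptop", qname: "example.net" },
];
const stats = summarize(SAMPLE_LOG, decide);
console.log(stats);
```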
Bonus: TOR Browsing
I’m not going to dig too far into TOR in this article, but it’s definitely worth mentioning. TOR, or The Onion Router, is a free and open-source method of enabling anonymous surfing on the Internet. It works by sending your traffic through multiple TOR nodes so that instead of connecting directly to a website, your connection is routed through a twisted path of 3 different network connections before finally exiting TOR and hitting the destination website.
While this doesn’t completely anonymize you and your traffic, it does encrypt all traffic from point A to point B (which also makes it quite a bit slower). The first TOR node knows who you are – and passes your traffic to the 2nd node. The 2nd node knows where the traffic came from and where it’s going, but it knows nothing about you or your IP address. The 3rd node knows that the traffic came from the 2nd node, and where it’s going, but it has no idea where it originally came from.
The reason I mention TOR is because it’s built into the Brave browser – you can easily launch a new private window with TOR:
One thing to keep in mind is that a Brave private window with TOR doesn’t provide all the same privacy protections as using the official TOR Browser – it’s just a standard Brave private window that’s routed through TOR nodes.
Launching a new Brave private window with TOR will take a few seconds to set up as it finds your route through the TOR network – once it’s ready, you’ll see this notification:
Also check out this note which explains more about Brave’s private window with TOR:
Here’s a fun test you can do when you’re in a Brave private window with TOR – head on over to whatismyip.com and see what you get – chances are your IP is going to be ‘Not Detected.’
A speed test through TOR gives us just a fraction of our Internet speed – using TOR isn’t about speed…it’s about keeping yourself as anonymous as possible.
Bonus #2: Tails – the Nuclear Option
When you absolutely have to have the highest level of privacy possible, you may want to consider Tails Linux. Tails Linux is a full operating system that is completely portable – it runs off of a USB stick, and you can choose to boot from that USB stick when you fire up your computer. It leaves no trace on the host computer that it was running whatsoever, and has numerous privacy-centric features and applications pre-installed.
For example, by default when you log in, you connect to WiFi (and it won’t even save your wireless network information unless you enable persistent storage), and then Tails immediately connects to the TOR network and has the TOR Browser built in as the default.
So effectively, Tails allows you to temporarily turn any computer into a secure machine. Everything you do in Tails is wiped out when you shut it down as it runs entirely from the RAM of the host machine.
Tails Linux is a fun project to play around with even if you don’t need the nuclear option privacy that it provides – check it out! It only takes a few minutes to download and burn onto a USB stick!
By implementing some or all of these suggestions, you are going to go a long way towards protecting your identity online from advertisers and other bad actors. Security and privacy are always a balancing act between convenience and safety, but at the bare minimum using a secure browser, using a private search engine, and firing up a VPN proxy whenever possible is going to greatly reduce your identity footprint online – form these habits and you’ll never want to go back to non-private surfing again!
Do you have any more privacy tips that I should have included in this article? Any mistakes/issues/comments, please let me know down below!