This question is coming from someone who has little technical knowledge. I can get around on a computer just fine, download and install programs, access and change system settings, but I was not a computer science major and have not done a lot research.

From what little reading I have done, it seems like the most secure way to encrypt your data and remain private on the internet (from a home network) is to use both a VPN and the Tor (onion) network.

I have just been using DuckDuckgo with no VPN. I did change my DNS Server to Cloudfare.

I would love to read your replies especially if you are a professional in networking, data security, computer programming, etc.

I don't really have anything to hide. I'm not accessing the dark web. I don't visit questionable websites. I just don't like the idea of being tracked, having someone knowing my location, and want to keep my personal data private.

So one thing that I just did about two weeks ago was leave DuckDuckGo and spin up a docker of SearXNG. It basically searches various search engines but doesn't pass trackers to the engines so a profile doesn't get generated on you. I then set up a Tailscale so I could use it while I'm mobile.

I'd recommend taking a look at using Unbound instead of Cloudflare if you want to get rid of that last point of DNS contact. I run unbound on my Pi-hole.

gumby579 said:

---

So one thing that I just did about two weeks ago was leave DuckDuckGo and spin up a docker of SearXNG. It basically searches various search engines but doesn't pass trackers to the engines so a profile doesn't get generated on you. I then set up a Tailscale so I could use it while I'm mobile.

I'd recommend taking a look at using Unbound instead of Cloudflare if you want to get rid of that last point of DNS contact. I run unbound on my Pi-hole.

---

Thanks! I'll check these suggestions out.

OK, I've been working in this field for a CDN vendor and now a security vendor for a while, and for general web browsing, to sites for normal activities, it's pretty pointless these days to go to any extremes on attempts to not be tracked. Outside of marketing and ads most critical sites have to track activities of individual sessions for security reasons, due to the sophistication of threat actors these days. So going to any site that deals with financial transactions (purchases, investment, and banking) you're going to get tracked.

With that said, most people don't realize there is a large difference between privacy and being tacked online these days. Whether good or bad, most companies don't care about your private details, because they don't have to. Metadata collected about your sessions allow for companies to build profiles about you without knowing who you really are. Easiest analogy is like being a prisoner with an ID number. But another quick analogy is frequenting stores in the real world. People that work there will recognize you, people that work in supporting roles for the building will recognize you, they will all start to learn and understand the patterns you have when visiting and shopping without ever really knowing who you are. So, they are passively tracking you, but not actively taking in information about you specifically. Being online is like that only in the extreme because everything can be observed thanks to the way websites are built.

In my humble opinion, I would only really attempt to avoid being tracked for scenarios where I'm looking for information or digging into sites where I would want it dissociated from my main online persona. To do that you need to utilize virtual machines and VPN connections that encapsulates all traffic coming out of the VPN at the very least.

Now, that doesn't mean I don't use methods to limit the amount marketing metadata collected about me and/or ads being delivered to devices on my network (I use pihole and unbound and use duckduckgo and other browser instead of google), I just also know that going past those levels has a very steep level of diminishing returns on limiting tracking without breaking functionality.

One thing that I'm moving more and more doing is using separate random aliases for just about everything.

The idea is that if someone tries to get information on me to figure out a password or answers to security questions, the name they look for information on has nothing to do with me.

As it is, when answering security questions any more, my answers are NEVER answers to the actual questions. For example:

What is the name of your favorite teacher? The New York City Space Needle
What is your favorite hobby? Eating really big trees
What is your mother's maiden name? The fifth of November

My favorite is when you can create your own question:
What is the answer to the next question? The answer to every question is three.

Of course, you have to write it down.

Also, I don't reuse passwords on the Internet. I do have a few hundred devices protected from the Internet with the same password -- I tried using different passwords for each, but that created all kinds of problems as I lost track of which password went for which device.

In general, my passwords are non-sensical passphrases whenever possible. For example:
Beat the hell out of the zenzizenzizenzic
Land of the Hollow Chocolate Walrii

(As if Walrii plural for Walrus?)

Sometimes I use something that looks like an ingredient in a recipe
75 # Rancid Oysters

The thing to keep in mind that in general, the longer the password, the better. A 30 character nonsense passphrase.

For e-mail, I try not to give two web sites the same e-mail. Using a '+' alias, I generally create the e-mail address for a site by appending a '+'', the time in 24 hour format, and an abbreviation for whoever I am creating the e-mail for. For example, eric76+0329ta@example.com. This doesn't always work because some idiots refuse to accept a '+' as a valid character in an e-mail address.

For banks and credit card companies, I have a separate e-mail address that is just for them. Nobody but them ever sees the e-mail address. The idea is to have an unusual e-mail address that is nearly unguessable so that if I receive an e-mail from the bank or credit card company to my normal e-mail address, I have an immediate strong suspicion that the e-mail is bogus.

For example, 3.14159265358979323846264338372@example.com. Think having pi is too obvious? That's not pi. Pi to that many digits differs a bit. Remember that the maximum length of the username of an e-mail is generally 64 characters.

And the total length of the entire e-mail address is 255 or 256 characters. Thus, 3.14159265358979323846264338372+american_express_centurian_bank+3.14159265358979323846264338327@example.com is a perfectly valid e-mail address. Note, however that American Express doesn't seem to like a '+' sign in an e-mail address.

So, to sum it up, when possible:
1) stay anonymous whenever possible
2) never use a real answer for a security question
3) use nonsensical passphrases, preferably with at least one obscure word or play on words
4) use '+' aliases in your e-mail
5) create special e-mail addresses for banks, credit cards, and other sensitive sites

As for the actual question asked regarding web browsing, it doesn't hurt to reinstall the operating system from scratch on a regular basis. Back up your data frequently. On my main workstation, I can wipe the hard drive, install a new operating system, restore my most important data from backups (about 60 gigabytes), and be back up an running in an hour or so.

If you want to go up from there, use virtual machines. Create a virtual machine for the web browsing that is refreshed from scratch every time you open it. The idea is that should an attacker manage to write something malicious to the virtual drive for that OS, when you log off (do it frequently), you come back to a clear, untouched virtual machine when you need the browser again. If you really want to get serious about this, use the Qubes OS: https://www.qubes-os.org

I am way too paranoid about certain links I have been sent and when I need to go to those I actually launch a VM with an Ubuntu image and check them through that. If the site has some way of infecting a Linux machine at least it's isolated.

Geez. It's becoming too much to be on the internet..

I forgot one important tip.

Don't let your browser save your login information. It is possible that a malicious attacker could retrieve that information and use it to log in to things like your bank and credit card accounts and even your TexAgs account.

Use a password manager instead. It can also create random passwords so that you don't use the same password on every site. I strongly prefer passphrases so I still create my own for most purposes.

Sure, it is a bit of a pain in the neck to use a password manager when you start your browser, but then you don't have to worry so much about attackers from China using your TexAgs account to post a bunch of crap. As an added bonus, your bank accounts and credit card accounts should be more protected from the attackers.

There are a number of password managers out there. I'm currently using the one from Protonmail but there are plenty of others.

Appears youre already trying way too hard, and you probably dont need to add a bunch of new layers. Attackers are like any criminal, they stalk easy targets. You're in a good place relative to the population at large. And i wouldnt worry about banking, they will make you whole in cases of fraud.

JSKolache said:

---

Appears youre already trying way too hard, and you probably dont need to add a bunch of new layers. Attackers are like any criminal, they stalk easy targets. You're in a good place relative to the population at large. And i wouldnt worry about banking, they will make you whole in cases of fraud.

---

I wouldn't bet on the bank making you whole. There are some things that they are required by law to take care of, but it doesn't necessarily apply in all cases. For example, they often claim that if it involves Zelle, you sent it to them voluntarily and it isn't their problem.

Scammers often want you to log into your bank account while they are connected to your computer. Don't expect the bank to cover you for your own mistakes,

As for attacking, it is most likely that most of us will never be singled out for attack, but that can happen. More likely, they are hitting tens of thousands of people with scams at the same time. For example, in the last three days, I have received three bogus e-mails purported to be from American Express. The fact that they are not to the correct e-mail address make them extremely easy to detect.

Trying way too hard? Not at all.

Another advantage about using a password manager.

There are people out there who will register domains for typos of popular web sites. Often, the typo domains will be much different, but they can try to mimic the real web site to try to steal your credentials and log in as you. Also, if you click on a link from an e-mail or something, the link can take you to a different web site that appears to be the one you are trying to connect to.

Imagine connecting to your bank, but instead connecting to a different site run by scammers who get your username and your password, enabling them to log into your bank as you and transfer your money out.

If you use a password manager, the password manager will key off of the url. Suppose that your bank's site was texagsbank.com and your login to texagsbank.com is gigemags and password is "eat my blue aardvark 2022" Then, if a scammer creates an identical looking website at texagesbank.com (see the extra 'e') and you go there, everything looks normal so you log in. Now they have your username and password and will be in there pronto. If the web site posts a message saying "We are upgrading our systems, please wait two hours and try again.", then you might not realize that anything is wrong.

If, on the other hand, you use a password manager, the username and password will be associated with texagsbank.com. A site named texagesbank.com might as well be lunarlosers.com as far as your password manager is concerned. When you connect, the password manager won't have a username and password for texagesbank.com, giving you a chance to find and correct the issue. If your password manager doesn't have a username and password for the site, you should know that something is wrong.

So find a password manager and use it. If nothing else, it may help save your bank accounts from being depleted by scammers in Russia.