CyberDragon 2

Discussion in 'privacy technology' started by Stefan Froberg, Mar 21, 2018.

  1. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    After a long time of dragging my feet, I have decided to begin writing CyberDragon 2.
    It will use the Blink rendering engine, the same as what Google uses but without the bad Google stuff (phoning home).

    Will kick out within a week or so a *very* barebone version for testing purposes only.

    That test version will have the following hardcoded stuff:

    - Tracker blocker based on a list of regular expressions (huuuge list, need to optimize it in the final version)
    - XHR (AJAX) requests outside of the domain blocked
    - External scripts outside of the domain blocked (like a NoScript lite version, more user friendly)
    - Iframe sandboxing
    - Cookies stored only in RAM
    - HTML5 local storage disabled
    - WebGL disabled
    - Hyperlink auditing (<a ping> attribute) disabled

    And that's it for the test version: no settings, tabs, logos, skins, history, bookmarks, extensions or even the possibility to download stuff.
    (but you can watch YouTube videos though ;))


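    The "XHR outside of domain" and "external scripts outside of domain" rules above hide one design decision: what counts as "the domain". Comparing exact hostnames blocks a site's own CDN (static.example.com serving www.example.com), while comparing only the last label would lump evil.co.uk together with shop.co.uk. The sketch below, an added example written for this page and not code from CyberDragon, groups requests by registrable domain (eTLD+1). It is language-neutral Python rather than the project's C++/Qt; the request-type names ("xhr", "script", "ping"), the `whitelist` argument and the tiny public-suffix set are assumptions. In a QtWebEngine build this logic would sit in a URL request interceptor, which exposes the first-party URL and the resource type of each request.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (publicsuffix.org). A real build
# must load the full list, otherwise "co.uk"-style suffixes are grouped wrongly.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "github.io"}

# Request kinds the post says are blocked when they leave the page's domain
# (names are assumptions, not the Qt enum values).
CROSS_SITE_BLOCKED = {"xhr", "script"}
# Hyperlink auditing (<a ping>) is disabled outright, first-party or not.
ALWAYS_BLOCKED = {"ping"}


def registrable_domain(host):
    """Return the eTLD+1 of host ("static.example.com" -> "example.com").

    Grouping by registrable domain keeps a site's own CDN hostnames from being
    treated as "outside of domain" while evil.co.uk stays foreign to shop.co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # the label just before the public suffix is the registrable domain;
            # a host that *is* a public suffix has no registrable domain
            return ".".join(labels[i - 1:]) if i > 0 else None
    return host.lower()  # unknown suffix (e.g. "localhost"): the host is its own site


def decide(page_url, request_url, resource_type, whitelist=frozenset()):
    """Allow/block verdict for one sub-resource request made by the page at page_url."""
    if resource_type in ALWAYS_BLOCKED:
        return "block"
    page_site = registrable_domain(urlsplit(page_url).hostname or "")
    req_host = urlsplit(request_url).hostname or ""
    req_site = registrable_domain(req_host)
    if req_site is not None and req_site == page_site:
        return "allow"  # first party, subdomains included
    if req_host in whitelist or req_site in whitelist:
        return "allow"  # whitelist.txt-style exception for a third-party host
    if resource_type in CROSS_SITE_BLOCKED:
        return "block"
    return "allow"  # images, CSS, media: left to the tracker regex lists


def run_demo():
    """Verdicts for a constructed set of requests issued by one page."""
    page = "https://www.example.com/article"
    cases = [
        ("https://static.example.com/app.js", "script"),  # own CDN host: allowed
        ("https://cdn.tracker.net/t.js", "script"),        # third-party script: blocked
        ("https://api.other.com/v1/data", "xhr"),          # cross-site XHR: blocked
        ("https://img.other.com/a.png", "image"),          # cross-site image: allowed here
        ("https://www.example.com/beacon", "ping"),        # <a ping>: blocked even first-party
    ]
    return [(url, kind, decide(page, url, kind)) for url, kind in cases]


if __name__ == "__main__":
    for url, kind, verdict in run_demo():
        print(f"{verdict:5s} {kind:6s} {url}")
```

The exact-hostname variant ("req_host == page host") is the one that breaks YouTube-style sites whose scripts come from a sibling hostname; the whitelist then has to grow to compensate, which is the opposite of what the poster wants from a "more user friendly" NoScript.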
     
  2. liba

    liba Registered Member

    Joined:
    Jan 21, 2016
    Posts:
    344
    Thanks

    https://audiofingerprint.openwpm.com/
    https://browserleaks.com/canvas
    https://browserleaks.com/webrtc
     
  3. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    WebAudio API I can block. Canvas blocking is a little trickier; I don't know if I should block it, generate random data or just send "empty" data.
     
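    The three options the poster weighs (block, random data, empty data) behave differently against a fingerprinting script that hashes the canvas readback. The model below, an added example written for this page and not part of CyberDragon, runs the three policies over a constructed RGBA buffer standing in for `getImageData()`; the `readback` function, its mode names and the session-keyed noise scheme are assumptions about how such a defence could be built, not a description of what the project does.

```python
import hashlib

WIDTH, HEIGHT = 16, 4


def make_sample_pixels():
    """Constructed RGBA buffer standing in for the readback of a fingerprinting canvas."""
    buf = bytearray()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            buf += bytes(((x * 16) & 255, (y * 64) & 255, ((x + y) * 8) & 255, 255))
    return bytes(buf)


SAMPLE_PIXELS = make_sample_pixels()


def fingerprint(pixels):
    """What a tracker derives from the canvas: a hash of the readback bytes."""
    return hashlib.sha256(pixels).hexdigest()[:16]


def add_noise(pixels, session_key):
    """Flip the low bit of R/G/B per pixel, keyed on (session key, pixel index).

    Keying on the session rather than on each call matters: per-call noise lets a
    page read the canvas twice, diff the results and flag the browser as lying.
    Per-session noise is stable within a session and changes in the next one, so
    the hash cannot be used to recognise the browser across sessions.
    """
    out = bytearray(pixels)
    for i in range(0, len(out), 4):
        tweak = hashlib.sha256(session_key + i.to_bytes(4, "big")).digest()[0]
        for channel in range(3):  # alpha is left untouched
            if (tweak >> channel) & 1:
                out[i + channel] ^= 1
    return bytes(out)


def readback(pixels, mode, session_key=None):
    """Model of the three choices for canvas readback (toDataURL/getImageData)."""
    if mode == "block":
        # Refuse the call: breaks every page that legitimately reads its own canvas.
        return None
    if mode == "empty":
        # Everyone returns the same blank buffer: not identifying, but trivially
        # detectable, and "uses a canvas blocker" is itself one fingerprint bit.
        return bytes(len(pixels))
    if mode == "noise":
        return add_noise(pixels, session_key)
    raise ValueError(f"unknown mode {mode!r}")


def run_demo():
    """Hashes a tracker would see in two sessions under each policy."""
    a, b = b"session-key-A", b"session-key-B"  # constructed per-session random keys
    return {
        "real": fingerprint(SAMPLE_PIXELS),
        "empty": fingerprint(readback(SAMPLE_PIXELS, "empty")),
        "noise_session_a": fingerprint(readback(SAMPLE_PIXELS, "noise", a)),
        "noise_session_a_again": fingerprint(readback(SAMPLE_PIXELS, "noise", a)),
        "noise_session_b": fingerprint(readback(SAMPLE_PIXELS, "noise", b)),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:22s} {value}")
```

The "empty" policy is the one Tor Browser-style defences lean towards (blank data unless the user grants the site permission); the noise policy keeps pages working but only hides the user if the noise is regenerated per session and drawn from a keyed source, as above, rather than from a visible per-call `random()`.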
  4. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    First quick test version available
    Code:
    https://www.orwell1984.today/CyberDragon2_test.tar.xz
    
    Extract, change owner if needed (aka chown -R user:user CyberDragon2_test) and then run with
    ./CyberDragon2

    It will first load generic.txt and domain.txt into memory and then start optimizing the included regular expressions. You don't need to let it run all the way to 100% but it might make things run more smoothly.
    Fast computer and lots of memory recommended. On my 16 GB 2.5 GHz comp it takes around 138 seconds to complete optimizing domain.txt

    After that go to, for example, https://www.youtube.com/watch?v=5D9FP5ZJuwo and see the trackers roll in the terminal.
    If you need to whitelist something take a look at whitelist.txt
    If you need to tweak JavaScript stuff take a look at some of the scripts in the scripts directory
     
    Last edited by a moderator: Mar 24, 2018
  5. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Forgot: You need to have Qt5 QWebEngine installed.
    For Fedora, dnf -y install qt5-qwebengine should be enough. Adapt for your own distro.
     
  6. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
  7. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Some more progress made with tracking protection. I realized that it's much smarter and faster to check the TLD of each URL against sublist(s) that only contain tracker regular expressions for that TLD.
    That way I could split the gigantic 700 000+ list in half, with one half having all the rest of the TLDs in their own small separate lists and the other half belonging to .com.
    In addition, I made this test version smarter in other ways too: You see those "previously blocked tracker found" messages above? They mean that the tracker has already been blocked once and there is no need to waste time doing the time-consuming regular expression check; instead it can be looked up directly from a hash table, which is much, much faster. However, the previous version did not save that list anywhere.
    Now it saves :)
    Every time you start it, it will read the file trackers.txt and preload the internal blocking list with all the trackers encountered in the previous session.
    And when you end it, it will save an updated version of that trackers.txt.

    So in a word, the CyberDragon 2 test got more intelligent, easier to manage (individual lists instead of one big list) and faster.
    Still, there is room for improvement (especially that .com list still needs optimizing)
    Here's the new version of the test:

    Code:
    https://www.orwell1984.today/CyberDragon2_test2.tar.xz
     
  8. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Update: Managed to remove 130 000 duplicates from the com list.
    Here is the new updated one with "just" 224 857 entries. Copy over lists/com

    Code:
    https://www.orwell1984.today/com
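    The mechanics described in posts 7 and 8 (regex lists sharded by TLD, a hash table of already-blocked trackers that is persisted to trackers.txt between sessions, and duplicate removal in the lists) fit in a few dozen lines. The following is an added example written for this page, not the browser's own C++ code: the sample lists, the file format of trackers.txt (one key per line) and the choice to key the hash table on `scheme://host/path` are assumptions. The last one is a deliberate caveat: keying on the bare hostname would block a whole host the first time one tracking path on it matched.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit

# Constructed sample lists keyed by TLD, standing in for lists/com, lists/net, ...
# The repeated google-analytics entry mimics the duplicates post 8 removed.
SAMPLE_LISTS = {
    "com": [
        r"https?://(?:[^/]+\.)?google-analytics\.com/",
        r"https?://(?:[^/]+\.)?scorecardresearch\.com/b",
        r"https?://(?:[^/]+\.)?google-analytics\.com/",  # duplicate
    ],
    "net": [
        r"https?://(?:[^/]+\.)?doubleclick\.net/",
    ],
}


def tld_of(host):
    return host.rsplit(".", 1)[-1].lower()


def cache_key(url):
    # Key on scheme://host/path, not the host alone: a host serving both page
    # content and a tracking endpoint would otherwise be blocked wholesale.
    return urlsplit(url)._replace(query="", fragment="").geturl()


class TrackerBlocker:
    def __init__(self, lists_by_tld, cache_path):
        self.cache_path = cache_path
        self.by_tld = {}
        self.dropped_duplicates = 0
        for tld, patterns in lists_by_tld.items():
            unique = sorted(set(patterns))
            self.dropped_duplicates += len(patterns) - len(unique)
            # one alternation per TLD, so each URL is scanned once by the regex engine
            self.by_tld[tld.lower()] = re.compile("|".join(f"(?:{p})" for p in unique))
        self.known = set()       # hash table of trackers already blocked
        self.regex_checks = 0    # how often the slow path ran
        self.cache_hits = 0      # "previously blocked tracker found"
        self.load()

    def load(self):
        """Preload the hash table from the previous session's trackers.txt."""
        if os.path.exists(self.cache_path):
            with open(self.cache_path, encoding="utf-8") as fh:
                self.known = {line.strip() for line in fh if line.strip()}

    def save(self):
        with open(self.cache_path, "w", encoding="utf-8") as fh:
            fh.write("".join(key + "\n" for key in sorted(self.known)))

    def is_tracker(self, url):
        key = cache_key(url)
        if key in self.known:
            self.cache_hits += 1
            return True
        regex = self.by_tld.get(tld_of(urlsplit(url).hostname or ""))
        if regex is None:
            return False          # no list for this TLD: nothing to scan
        self.regex_checks += 1
        if regex.search(url):
            self.known.add(key)
            return True
        return False


def run_demo(cache_path=None):
    """Two sessions over constructed URLs; returns the counters a tuner would watch."""
    if cache_path is None:
        cache_path = os.path.join(tempfile.mkdtemp(), "trackers.txt")
    first = TrackerBlocker(SAMPLE_LISTS, cache_path)
    urls = [
        "https://www.google-analytics.com/analytics.js",
        "https://www.google-analytics.com/analytics.js",  # second time: hash table, no regex
        "https://stats.g.doubleclick.net/j/collect?v=1",
        "https://www.youtube.com/watch?v=5D9FP5ZJuwo",     # .com page, scanned, not a tracker
        "https://example.org/index.html",                   # no .org list: no regex work at all
    ]
    verdicts = [first.is_tracker(u) for u in urls]
    first.save()
    second = TrackerBlocker(SAMPLE_LISTS, cache_path)      # next session starts preloaded
    second.is_tracker(urls[0])
    return {
        "verdicts": verdicts,
        "dropped_duplicates": first.dropped_duplicates,
        "regex_checks": first.regex_checks,
        "cache_hits": first.cache_hits,
        "preloaded": len(second.known),
        "next_session_hits": second.cache_hits,
        "next_session_regex_checks": second.regex_checks,
    }


if __name__ == "__main__":
    print(run_demo())
```

With this split the regex engine only ever sees the list for the request's own TLD, and a URL that was already blocked never reaches it; the thing to watch when tuning the real 224 857-entry .com list is the `regex_checks` counter, since every first sighting of a .com URL still pays the full scan.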
     
  9. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Some boot options from the Grub2 menu... These will probably still change before the first beta release of the QEMU and VirtualBox ready stuff. The idea is that every time you start it, your VM will be in a tabula rasa state: no saved cookies, eTags, HTML5 local storage from the previous session... nada!

    And your DNS queries are handled by a bundled local Unbound DNS caching server that has the following goodies:

    - QNAME minimisation enabled by default (your DNS stuff will be less useful for snoops)

    - Local Root DNS! That's right, you have a copy of the zones of the Root DNS servers. Why is that important?
    It's important because even though the DNS infrastructure uses caching heavily, there is still a chance that
    some of the queries are not in the cache (any cache!) and when that happens, it ultimately travels all the way
    to the top of the Root DNS servers. That has an impact on performance as well as your privacy (bigger chance to snoop your DNS stuff). With local Root DNS (that is kept in sync from time to time) that never happens.
    So this, in addition to the above QNAME minimisation, makes the DNS stuff going out very scarce.
    In theory, the next level below the Root DNS servers, the TLD servers, could be copied too, but unfortunately very
    few TLDs actually give you a copy of their own zone data.... (If somehow all the TLDs would start sharing their zone data too, then you would be practically carrying the whole DNS stuff locally on your CD/USB!)

    - DNSSEC: If you want to make sure your DNS stuff is not spoofed then this is an absolute must

    - Option to use DoT (DNS-over-TLS): Encrypted DNS to a bunch of public DNS servers that provide the service. Queries are also randomized, so that not all queries go to the same server provider.

    - Adblocking. Move the (sub)domain blocking stuff from the CyberDragon browser blocking lists to the DNS server. It makes more sense and also makes the browser's own blocking list much smaller.

    And of course...
    - Option to use Tor

    Few screenshots of boot options:

    Plain unencrypted UDP with local Root DNS and root hints (no forwarding to middlemen aka Google, OpenDNS etc.)
    Good for bypassing DNS-level censorship but not very private. Fastest option. Fallback to TCP.

    https://www.orwell1984.today/cname/cyberdragon_udp.png

    Same as above but *only* uses TCP. Slower than UDP but more resistant to spoofing attempts.
    https://www.orwell1984.today/cname/cyberdragon_tcp.png

    TCP + DNSSEC (Don't even think of using DNSSEC with UDP! If you try, I can guarantee that most of the time your DNSSEC stuff will not fit into the UDP datagram size and fragmentation will occur... meaning: performance impact!)

    https://www.orwell1984.today/cname/cyberdragon_dnssec.png

    Same as above but with Tor added to mix

    https://www.orwell1984.today/cname/cyberdragon_dnssec_tor.png

    DoT
    https://www.orwell1984.today/cname/cyberdragon_dot.png

    DoT + DNSSEC

    https://www.orwell1984.today/cname/cyberdragon_dot_dnssec.png

    And finally DoT + DNSSEC + Tor. Most private option of all but also the slowest.
    Also an important note: DNS TCP support was never optional. Even in the old days, if the DNS server was correctly coded/configured and the UDP query failed, the DNS client was supposed to fall back to TCP and resend the query!
    And now there is an actual RFC that makes this clear and also gives guidelines for updating your TCP DNS server code to make the performance reach almost UDP level.

    https://tools.ietf.org/html/rfc7766

    https://www.orwell1984.today/cname/cyberdragon_dot_dnssec_tor.png
     
    Last edited: Feb 13, 2020
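    For readers who want to reproduce the resolver side of those boot profiles on their own machine, here is an unbound.conf that maps each bullet above to an Unbound directive. It is an added example written for this page, not the configuration shipped in the CyberDragon VM: file paths, the choice of root-zone transfer sources (the ICANN/root-operator addresses published for local root copies in RFC 8806; check them against current root hints) and the DoT providers are assumptions. Routing the resolver's TCP traffic through Tor for the "+ Tor" profiles is a firewall/network matter outside this file and is not shown.

```conf
# unbound.conf (added example; paths and addresses are assumptions)
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # "less useful for snoops": send upstream only the labels each server needs
    qname-minimisation: yes

    # Root hints are still needed as the fallback when the local root copy is unusable
    root-hints: "/etc/unbound/root.hints"

    # Boot options "TCP", "TCP + DNSSEC": all upstream queries over TCP, never UDP.
    # For the plain-UDP profile drop this line; edns-buffer-size keeps replies below
    # the size where fragmentation starts.
    tcp-upstream: yes
    edns-buffer-size: 1232

    # Boot option "DNSSEC": validate locally against the IANA root trust anchor
    # (RFC 5011 managed file, must be writable by the unbound user)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Boot option "Adblocking": sinkhole tracker (sub)domains at the resolver,
    # one local-zone line per domain; the long list lives in an included file
    local-zone: "doubleclick.net" always_nxdomain
    local-zone: "google-analytics.com" always_nxdomain
    include: "/etc/unbound/adblock.conf"

    # CA bundle used to verify the DoT forwarders' certificates (see below)
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Boot option "local Root DNS": keep an AXFR copy of the root zone (RFC 8806)
auth-zone:
    name: "."
    master: 192.33.4.12        # c.root-servers.net
    master: 192.5.5.241        # f.root-servers.net
    master: 192.112.36.4       # g.root-servers.net
    master: 193.0.14.129       # k.root-servers.net
    master: 192.0.47.132       # xfr.cjr.dns.icann.org
    master: 192.0.32.132       # xfr.lax.dns.icann.org
    fallback-enabled: yes      # stale or failed copy: resolve via root-hints instead
    for-downstream: no         # never hand the raw root copy to clients
    for-upstream: yes          # answer root-level lookups from the copy, not the root servers
    zonefile: "/var/lib/unbound/root.zone"

# Boot options "DoT", "DoT + DNSSEC": forward everything, encrypted, to several
# providers; Unbound spreads queries over the listed forward-addr entries.
# Uncomment only for the DoT profiles: with every query forwarded, the local
# root copy above is no longer what answers root-level lookups.
#forward-zone:
#    name: "."
#    forward-tls-upstream: yes
#    forward-addr: 9.9.9.9@853#dns.quad9.net
#    forward-addr: 1.1.1.1@853#cloudflare-dns.com
```

Two checks worth running after a profile boots: `unbound-checkconf` to catch a typo before the service refuses to start, and `dig +dnssec sigfail.verteiltesysteme.net @127.0.0.1` (a public deliberately-broken DNSSEC test name) which should return SERVFAIL in the DNSSEC profiles and an answer in the others.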
  10. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
  11. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    First 1.9.0 BETA version of the CyberDragon OS/Browser VM is ready now.
    You need either VirtualBox or QEMU-KVM (please read the included Manual in the file first before trying)

    https://www.orwell1984.today/cname/CyberDragon-1.9.0.tar.xz
     