[GUIDE] Configure Chrome for Privacy and Security

Yes i know that but will it works if i check to delete all cookies on close ?

EDIT : it fails for me, if i allow cookies (and not for session) and then check to delete on close all cookies are deleted.
About cookies extension why is it necessary to be logged on with google account ?

 

Not sure then.

 

Is there any reason for not being able to edit old posts?

Anyways, HTTPS Everywhere using WebRequest API is now in Alpha from the EFF
https://www.eff.org/files/https-everywhere-chrome-2012.2.9.crx

 

Thanks for the heads-up. Is there any advantage/reason to use this instead of KB SSL Enforcer?

 

Right now KBSSL enforcer is undergoing a rewrite to take advantage of WebRequestAPI. The EFF is doing the same thing but theirs is more public, so we can take advantage of it.

 

Move Chrome Profile to RAMDisk
You can move Chrome's profile to a RAMDisk. This allows you to clear the profile and reset it to a previous state without having to worry about that data being saved or recoverable in any way. There could also potentially be performance benefits.

1) Download and install RAMDisk
http://memory.dataram.com/products-and-services/software/ramdisk

2) Open it up, allocate some memory over - at least 300MB. You can check your User_Data folder to see the size it currently is.

3) Format it as FAT32 and "Start RAMDisk"

4) Go to My Computer, right click the RAMDisk, format it to NTFS.

5) Go to RAMDisk and save it somewhere. Stop and restart RAMDisk.

6) Right click your Chrome shortcut and add " --user-data-dir=*:\User_Data" no quotes where * is the directory (for me it's J:\)

7) Set chrome up the way you like it. Visit some sites, get it all good and ready. Close Chrome, save the ramdisk.

Now everytime you stop and start ramdisk (startup/shutdown) your Chrome profile will be exactly as it was. Any information that happened after that save in step 7 is completely wiped with no way to recover it.

I also use SRP to block execution from here.

 

If you're using Windows Vista/7/8, you can also either set the browser to a low integrity level and also to the browser's profile, and as soon as you finish configuring the profile, just restore the integrity level to medium, with the flags NoWriteUp and NoExecuteUp.

Or, leave the browser with the default sandbox, and apply a high integrity level to be the browser's profile, as soon as you finish configuring it.

Any change done in memory to the settings will be reverted back to the original state. Nothing will be written to the profile either.

 

m00n, how can one set the NoWriteUp NoExecuteUp flags?

And wouldn't setting Chrome to a low integrity prevent downloads?

 

I knew you'd be asking! Good questions, indeed.

OK. First thing first. To set NoWriteUp, NoExecuteUp and also NoReadUp - (You can't apply NoReadUp to the profile, otherwise the browser can't read it and will ask you for an alternate place where to store it!) - you'll need to use Mark Minasi's tool chml.

Place at System32, so that you can call directly from within the command-line, without having to specify the full path to it.

I'll give an example, on how you could do it.

chml "C:\Users\<username>\AppData\Local\Chromium\Chromium - Wilders Profile" -i:h/m/l -nw -nx

Never forget to apply the -nw, whenever you specify either -nx or -nr. Where it says -i:h/m/l, it means that you'll be applying an integrity level (-i) of high, medium or low.

There's built-in help in the tool, which you can call... just type chml. I think it will suffice; otherwise type in chml with-some-wrong-data. The website also has great help!

Yes, it would. Unless you do two things. First, create a folder with a low integrity level, where you'll be downloading your files. Second, apply a low integrity level to AppData\Local\Temp folder, without inheritance. chml allows you that; just read the help.

If you truly want to apply an explicit low integrity level to Google Chrome (chrome.exe), then you could keep two batch files in your desktop or two shortcuts calling chml, with the specified parameters. One would be used to apply a low integrity level, without inheritance; the other one would be used to restore the medium integrity level to AppData\Local\Temp.

I hope this ain't much confusing. But, it's already late and am going to bed in a moment and don't want to delve much into it, otherwise I may say something that isn't accurate - I'm tired..

 

All looks good to me - thanks.

 

If you have issues implementing it - if you're following that route - say a word, and I'll see if I can assist you.

Anyway, I'm glad you started this thread!

 

sorry for the delay

i update to the last version and it works everything great
thanks

may i ask a question about TrafficLight , does it check the script and content of the site?
is the best? can i uninstall ghostery?

about PasswordFail is there a component for firefox too?

thanks
cheers

 

may i ask a question about adblock?

there several versions
AdBlock 2.5.19
Adblock Plus (Beta) 1.2
AdBlock+ Element Hiding Helper

i did notice about Adblock Plus (Beta) 1.2 a high cpu consume and some glitch , like the manually update feature

did you notice the same behavior ?

thanks
cheers

 

I haven't noticed any high cpu or issues like that. I haven't really been looking for it though and I usually am on a fairly powerful computer.

You can always try asking on the ABP forum - the dev is very active.

 

I've found an interesting behavior when applying a medium integrity level with NoWriteUp and NoExecuteUp to Chromium's profile.

When I had a low integrity level applied to it, I could never see any download attempts. It made sense, as the browser couldn't communicate with AppData\Local\Temp.

But, with the medium integrity level applied to the profile, I actually get to see the download attempts. The downloads fail, of course, but I do get to see the attempts. Despite the fact that the browser still cannot communicate with AppData\Local\Temp?

This made me question myself if the Temp folder located at the Chromium profile has some connection to AppData\Local\Temp, which would make sense for the download attempts to be seen... Then again, I'm possibly 100% wrong about this...

Anyway, an interesting behavior...

 

Before installing Adblock plus i got a message saying that the extension might access all my data in all web sites...

Is safe to install this?

 

It has to access all the data in order to know what to block. Safe? Do you trust the developer? If you do, then yes. If you don't...

 

I don't know the guy!

Is there any other "less intrusive" way to block ads? maybe other extension? I'm running Chromium in Bodhi Linux...

 

You don't? ... that's OK... I don't know him either.

Hosts file, perhaps? You can trust it not to spy on you.

I had some issues with ABP with Chromium on Windows, so I'm just sticking with a hosts file. I'd say more than 95% of the ads are blocked, except for ads that are stored like domain_name/ads/etc... or something like that. I can live with that.

I'm also blocking trackers. I decided I don't want to waste more system resources for the sake of privacy.

That said, I downloaded Privoxy and may see if I like it enough to keep it. Who knows... (I took a look at AdFender (for Windows), but didn't like it.)

 

Yes, i rather prefer the ads than explicity agree to give access to all my data in all web sites... I'll try to check the HOSTS file option, thanks!

 

M00n I've set Chrome to LI. I can download without having to set my temp file to LI.

I've also set my RAMDisk profile to:
chml "E:\Use" -i:l -nw -nx

 

I suppose that's good for you? But, what temp file? I suppose you meant Temp folder? I'm also wondering if the RAMDisk has any influence in that?

All I can tell you is what happens here. Which I'm glad it does happen.

Just in case, execute Google Chrome and open Process Explorer/Process Hacker and verify the real integrity level of chrome.exe.

A higher integrity level object can raise a lower integrity level object to its own level. I'm wondering if that's what's happening?

 

Another privacy related idea is disabling disk caching in order to kill Etags once the browser closes - see here. It works in Ubuntu but I'm not sure how this switch has to look like in Windows.

 

Haha, I was half asleep while writing - yes, the temp folder from your post:

I didn't need to do this.

Does Chrome use the temp folder? I usually just have a .part download before it's confirmed in the downloads folder.

It's possible that the RAMDisk is influencing this.

Process Explorer verifies that every process is at low integrity.


@Tlu - the switch works the same way. I'm using it right now, though to increase the cache.

 

As I previously mentioned in one of my posts, when I used to have both chrome.exe and the profile @ low integrity level, then I wouldn't even see any download attempts, nor *.part/*.crdownload. In Chromium they're now called .crdownload. I never paid enough attention to this names.

But, when I started running chrome.exe @ low integrity level and the profile @ medium integrity level with -nw -nx, then I started to see the download attempts, but all I get is a *.crdownload file(s) in my Downloads folder. The browser simply cannot initiate any downloads, at all. I mean, with this approach it can initiate them, but they fail. That's what I meant.

To download, I need to apply a low integrity level to AppData\Local\Temp.

Could you give it a try without using RAMDisk? Create a different profile for testing purpose in the HDD. After you configure this profile to your liking, apply a medium integrity level to the profile folder, and apply the flags -nw and -nx.

Try to download something and see what happens. (If you're willing to give it a try, that is. )

I'll post a screen shot in a few moments, showing what I get when I try to download using Chromium.