Questions about HTTPS

If you want to test your browser a bit more thoroughly, spend some time at http://browserspy.dk/ Much of the information collected by this sites tests is done with javascript. You could pass most of their tests by disabling javascript, and break most of the websites you'll visit in the process. The best way to control this snooping/data collection and still keep websites usable is to control javascript. This is where browser extensions like NoScript come in. If you really want to learn to control the content of the allowed traffic, use Proxomitron and route your browser traffic through it. Proxomitron is a free standing web filtering proxy that controls and modifies traffic on the fly. It's one of those rare timeless designs that doesn't become obsolete, limited only by the users ability to create rule sets. You can find Proxomitron, rule/filter sets, utilities, and a forum dedicated to it at http://prxbx.com/. Unlike NoScript, Proxomitron works with any web application that can be configured to use a local proxy, even Internet Explorer. One thing before you consider it. Proxomitron is not for the casual user. It's not a "set and forget" application. Proxomitron is to web content what classic HIPS is to the operating system. Using it to its abilities is an education in itself.


Regarding the shields up tests, did the test with the VPN show your IP or that of your VPN? I don't use a VPN and don't know what their specific internet requirements are. When I need greater anonymity, I use Tor. If I understand VPNs correctly, they need a port opened to their server(s). With a 3rd party firewall, you can limit the allowed traffic to it's open port to just those IPs used by the service. That's one of the strengths of software firewalls (not the Windows built in firewall) over hardware firewalls, the ability to be very specific in regards to the traffic you want to allow. Hardware firewalls block/allow traffic to individual PCs and/or whole networks/subnets. Software firewalls control traffic to individual applications. IMO, both a necessary on a tightly secured system, especially if it runs any type of server application.

On the subject of traffic control, another thing you might take a good look at is UPnP (Universal Plug and Play). At one time, UPnP could be exploited via flash player and used to open a port through a firewall/router. Like so many other things, it's a tradeoff between security and convenience.

Regarding an OS with all the security and privacy features built in, I believe some of the Linux versions are built for just that purpose. The hardware is a whole different problem. Available hardware is not designed with security and privacy in mind. Unless you're an extremely skilled coder, you're stuck with vendors drivers, firmware, etc, which may not share the same goals. I've also had a idea for a live CD that I work on when I feel up to it. I still have a long way to go with it. Because of the choices I've made regarding what it includes and uses, there wouldn't be much point in releasing it to others.
Regarding

What would be the point? That would be like supplying a screwdriver to someone who needs to drive nails. Don't think that problem doesn't exist in western countries. It's not as black and white as nation X has that problem and nation Y doesn't. It's all shades of grey. You just have to objectively look and see if that grey is getting lighter or darker, then make your decisions accordingly.

 

One setup which might aleviate though not completely eliminate all these concerns is using the Tor Browser from within a virtual environment wwhich can only connect to a local socks proxy through a host only network.

The virtual machine has no internet access and may only access the internet through a local socks proxy.

if any application leaks the computer's IP address, timezone, computer/user name or anything from the Windows registry, it's only hopefully randomized information from the virtual machine which is exposed by the application.

Of course, the virtual machine must be properly locked down, and any access from within the virtual machine to the host system should be as limited as possible.

What the application doesn't know can't be leaked.