Low Entropy

The Hacklore Letter and Privacy

Before I start, go and read https://www.hacklore.org/letter.

When it comes to endpoint security, unless you are operating in the “Mossad” threat model[1], this is solid advice. The letter is absolutely right that the advice we used to give people about operational security practices has not aged well.

However, completely rejecting some of the defunct advice might come with privacy costs.

The letter’s authors seem to have given up on online privacy, which disappoints me greatly. Privacy nihilism isn’t really a healthy attitude and it has tainted the advice.

The Good Parts

Let’s discharge the obviously good stuff. Items 1 (Avoid public WiFi), 3 (Never charge devices from public USB ports), 4 (Turn off Bluetooth and NFC), and 6 (Regularly change passwords) are all very bad advice today.

The only reservations I have are minor. The advice on USB devices is true for phones and devices on the smarter end (watches, tablets, e-readers, etc…). Less so for peripherals and other USB whatsits[2].

The updated advice on security practices is also pretty good. Updates, multi-factor authentication, and password managers are the best security advice you can give people today[3].

Privacy Nihilism

Unfortunately, privacy is a different story. We exist in a world where – if they could – many companies would collect and analyze everything you do.

In terms of the letter, item 5 (Regularly “clear cookies”) is basically pure nihilism. The implication is that you can be tracked no matter what you do.

I don’t subscribe to that perspective. Fingerprinting is pretty effective, but not as good as this implies. Not everyone is uniquely identifiable through their fingerprint. Also, browsers are making meaningful progress at making fingerprints less useful for many people.

You do have to stop giving websites your email and phone number though. It’s absolutely true that sites are using that. Use temporary email addresses when you can[4].

That said, I don’t clear cookies. The resulting inconvenience is just not worth it. There is absolutely no security advantage from purging cookies. Instead, I recommend targeted use of private browsing modes, profiles, or containers.

Item 2 in the letter is “Never scan QR codes”. The claim is that this is bad advice.

Security-wise, this is mostly true. Sticker attacks[5] are probably the main reason that the security situation is not perfect. But that’s because of a more general phishing problem[6].

From a pure security perspective, the letter is absolutely correct. Opening any link in a browser is so overwhelmingly likely to be fine that it’s not worth worrying about. You won’t get pwned by even the most malicious link.

Browser security has gotten pretty good lately. Browsers aren’t 100% there, but you should not worry about the gap unless you are someone who operates in that “Mossad” threat model.

It’s also a bit worse if an app – rather than your browser – handles the link[7]. Either way, the risks to security are pretty remote. I don’t worry about getting poisoned by the food I buy at the supermarket; in the same way, you should not worry about following links.

The phishing problem is that you really need to trust whatever provides you with a link if you are going to enter information at the other end[6:1]. Otherwise, they could send you to some place that will steal your information[8]. That’s the case though, no matter where you find the link.

Scanning QR Codes is Not Great for Privacy

Privacy-wise, QR codes are not as straightforward as this makes out. If you care about privacy, sadly the old advice holds some wisdom.

The privacy risk for QR codes is related to navigation tracking. If scanning a QR code is just following a link, following links in any context comes with a privacy cost[9].

There are small differences between links in QR codes, email[10], or on ordinary websites, but there’s one common factor: the site that you go to can learn everything about the place you found the link[11].

Every time you follow a link you are adding to the information that the destination website (or app) has about your activities.

QR codes are generally only placed in one physical location, so visiting the site almost always means that you are at that location.

That is, unlike links you find online, following a QR code can take information about where you are physically located and add that to tracking databases.

Take the QR codes that restaurants use for menus and ordering. Many restaurants outsource all the online stuff to external services. This is fair; restaurants would probably much rather focus on making and selling food, which is more than difficult enough.

Outsourcing means that there’s a good chance that you will end up on the same site as you visit different restaurants. That website now has a log of the places you visited, including details of when you visited, what you ate, the size of the bill, and whatever else the restaurant shares with them about you. You can almost guarantee that the information they collect is for sale, unless the terms and conditions promise otherwise[13].

Avoiding QR Code Tracking

So if you would rather not help people build profiles about you every time you scan a QR code, what can you do?

Personally, I only open QR codes in a private browsing window. That way, at least the tracking sites can’t use cookies to connect your QR code scans into a single profile. They just get isolated visits from what might be different people.

To help with that, you can maybe set your default browser to one that doesn’t keep cookies, like Firefox Focus, DuckDuckGo’s Browser, or any browser that you set up to not keep cookies.
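The cookie linkage described above, and what a cookie-free scan changes, as an added example that is not part of the original post. The vendor domain `menus.example`, the `vid` cookie name, the URL layout and the restaurant names are all constructed for illustration.

```python
import itertools
from collections import defaultdict

# Constructed sample: three QR menu links that all resolve to the same
# hypothetical outsourced ordering service (menus.example).
SCANS = [
    "https://menus.example/thai-palace/table-4",
    "https://menus.example/burger-barn/table-9",
    "https://menus.example/cafe-luna/table-2",
]

class MenuVendor:
    """Hypothetical third-party service shared by many restaurants."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.log = []  # one (visitor_id, restaurant, table) entry per request

    def handle(self, url, cookies):
        restaurant, table = url.rstrip("/").split("/")[-2:]
        visitor = cookies.get("vid")
        set_cookie = {}
        if visitor is None:  # no cookie sent: mint a new identifier
            visitor = f"v{next(self._ids)}"
            set_cookie = {"vid": visitor}
        self.log.append((visitor, restaurant, table))
        return set_cookie  # stands in for a Set-Cookie response header

    def profiles(self):
        """Group logged visits by cookie identifier, as a tracker would."""
        grouped = defaultdict(list)
        for visitor, restaurant, _table in self.log:
            grouped[visitor].append(restaurant)
        return dict(grouped)

def simulate(private):
    """Scan every code with one browser; return the vendor's profiles."""
    vendor, persistent_jar = MenuVendor(), {}
    for url in SCANS:
        # Assumption: a private session is closed after each scan, so its
        # cookie jar starts empty; a normal profile keeps the same jar.
        jar = {} if private else persistent_jar
        jar.update(vendor.handle(url, dict(jar)))
    return vendor.profiles()

if __name__ == "__main__":
    print("normal :", simulate(private=False))
    print("private:", simulate(private=True))
```

The model covers cookies only and ignores IP addresses and fingerprinting. A private window left open between scans would keep its cookie and link those visits, which is why the simulation assumes the session is closed each time.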

Products could be better in this regard. As far as I’m aware, you can’t set a different browser for QR codes on most devices[14]. For my sins, I use an iPhone[15]. Firefox iOS used to have a QR code scanning button, which made it easy to switch to private browsing and open those links in a cookie- and tracking-free tab. A recent change made scanning QR codes much more annoying[16], so I’m still looking for a better option there.

In the end, it’s easy to see why the authors of the letter have adopted a nihilistic attitude toward privacy. Personally, I don’t accept that outcome, even if it means a little more work on my part.


  1. If you are, you know already. ↩︎

  2. Those devices can be vulnerable in ways your phone isn’t. Some will allow firmware to be updated by anything they attach to. That means they will become a risk to any machine that they are subsequently plugged in to. ↩︎

  3. I will take the opportunity to quibble about the way they present their advice on passphrases. My advice is to let your password manager suggest a high entropy password and only use passwords for those things that separate you from your password manager. That’s usually just operating system login and unlocking the password manager. Given how few of these passwords are likely needed, suggesting passphrases over strong passwords seems largely academic. The usability difference between a passphrase and a strong password is tiny; the passphrase might be more memorable, but the password might be quicker to type. ↩︎

  4. Firefox Relay, iCloud Hide My Email, and Fastmail Email Aliases are examples I’m aware of, but many mail providers have similar features. ↩︎

  5. This is where an original QR code is covered with a sticker directing someone to a different site. A QR code on a parking meter for payments is a great example. An attacker can collect parking payments – at inflated prices – for a while before the attack is noticed. ↩︎ ↩︎

  6. The golden rule of the web is: If you are going to enter information into a site, especially when money is involved, type its address in to get to the site[8:1]. ↩︎ ↩︎ ↩︎

  7. Links can also target any app that registers interest in handling URIs. A little more so on phones than desktop computers. Apps generally aren’t as well hardened against attack as browsers, but they are also generally easier to defend, because they have less functionality. The best advice I can give there is to be careful about what apps you install. I liken visiting a web site to a casual encounter; installing an app is much more personal. Either way, the extent to which you are exposed to infection increases with intimacy. ↩︎

  8. Passwords especially. You should never type passwords into a website. That is what a password manager is for. You should only type passwords to get to your password manager. ↩︎ ↩︎

  9. Yes, this is a straight cost, not a risk. There’s no probability involved. ↩︎

  10. There is a very different reason not to click on links in email[12]. A scammer might attempt to convince you that they are someone you trust and get you to send them something you might regret. Like your banking password or money. This is much like the QR code sticker attack[5:1], except that the attacker only has to send you mail that passes mail filters and looks legit. ↩︎

  11. On the web, the place that shows you a link also learns that you clicked it. This is not true for email and QR codes, but that makes very little difference privacy-wise. ↩︎

  12. Clicking on a link in email isn’t always a bad idea. Clicking the link lets the site know that you received their message. That’s the whole point of emails asking you to confirm that you own an email address, so go ahead and click those. Just make sure to close the tab immediately. At least before you put any other information into the site[6:2]. ↩︎

  13. Not like you could have read terms and conditions before scanning the QR code. Or that anyone has time to read them. ↩︎

  14. I’d love to know if there are any operating systems that let you set a different app for QR code links; that seems like it would be a useful feature. ↩︎

  15. The 13 mini is still the only phone in a reasonable form factor that is still relatively current. All other phones are too big. It’s a shame that most web experiences a) run on Safari and b) are awful. The latter being the fault of sites, not so much the device. ↩︎

  16. OK, here goes: Unlock your phone, go to the home screen. Open Firefox, go to the tabs view, hit the Private option, open a new tab. Switch to the camera, scan the code, tap the option to open the link. You need to open the tab, because Firefox will use the browsing mode that was last used. ↩︎