Visiting malicious websites can lead to a full-system compromise including persistence. The browser’s security mechanisms just set the bar higher. You can only increase cost and effort for attackers. Security is never absolute and there will always be some way around the protections, especially in such huge, complicated software written in memory-unsafe languages, like browsers.
Viruses are an outdated concept from the 90s and early 2000s. General malware these days is an entirely different breed: the low-effort ones are botnets seeking to "infect" and passively spread throughout the internet in the classical way and enable DDoS-as-a-service. Then there is the more sophisticated SolarWinds-like attack where the bad actors implant themselves into a software supply chain and spread themselves into important places - it's as if hackers implanted themselves into WinRAR and sent malevolent updates to your local WinRAR. In the eyes of the OS and antivirus it is technically a correct version of WinRAR because it came from the officially signed WinRAR update server, but it's in fact a modified WinRAR that can open a backdoor into your network.
Oh. Thought that was kinda what the definition of ‘virus’ was.
Anyway, I don’t want to get caught up on semantics. There are still cryptominers and ransomware to worry about, right?
So what in the world can we as individuals do to mitigate stuff like this, if 1. the OS won’t catch it, 2. an AV won’t catch it, and 3. even savvy internet-safe user behavior won’t prevent it, since it appears for all intents and purposes like a normal software update? Even if I used Sandboxie to isolate the majority of apps (which I plan to), I would never think to sandbox something like WinRAR, per your example…
I haven’t been following this thread, but I think it should encompass my question, so I thought I’d ask here instead of creating an unnecessary new topic.
Is there a general resource an average user can follow to configure and actively maintain a relatively private windows desktop?
As of right now, outside of general good practice and only using software that doesn’t violate my threat model, I plan on using Portmaster as a firewall and telemetry blocker, and have considered running https://privacy.sexy/. Is there anything more I should be doing?
Privacy and security on Windows are so bad that there seems to be very little that people agree on.
On the top of this discussion you can find a link to ikel’s guide, so there’s that.
Also, in the guide there’s a way to disable telemetry via group policies. This is only available in Enterprise and Education versions. You can download Windows Enterprise on Microsoft’s site (“Evaluation something” is what the page is called - it asks for an email but accepts anything), and you’ll have to use Microsoft Activation Script from massgravel’s GitHub. It’s up to you if the risks are worth it.
On there you’ll also see a recommendation to only install software from the Store, since that’s the only way to run software in a sandbox. MS now requires a MS account to use the Store, so to get more security you need to get a MS account, link it to your OS and create some holes in your firewall/DNS block to allow it to talk back to the mothership. So, to get more security, you need to get less security. And a lot less privacy. It’s up to you. (if you have a lot of wrong opinions, trusting Microsoft/Apple/Google/etc is increasingly a security issue on top of a privacy one, but a lot of people - PG included - don’t seem to consider this in any threat model)
You can also set up NextDNS on your router and enable their Windows telemetry list, just in case.
Also, search digitalblossom on GitHub. They have some scripts that add a bunch of URLs and IPs to the firewall and to the hosts file. Yes, it’s badness enumeration, but what do you have to lose? I tested them in a VM and they didn’t seem to break anything. For Win10, but MS telemetry URLs probably didn’t change much in 11.
Edit: download anything you need to a USB drive (software, scripts, Mullvad Browser, VPN software, etc.), format your HD and reinstall Windows without internet and without creating a MS account. Install everything before turning internet on.
Ok, that was not it, sorry. Try supmaxi.
There’s block-telemetry.ps1 and Make_windows10_great_again.bat (which has a lot of other stuff that I wouldn’t run).
Those lists are over 5 years old and probably out of date. Would need to run some Wireshark to find missing domains/IPs. They probably also break a lot of stuff like Windows Update, so you’d have to find what to allow. So, all in all, there’s probably a LOT of work involved.
Then, even if you succeed, you’ll still be praying your OS doesn’t send Microsoft/NSA information using Windows Update’s IPs.
Using NoScript you can have actually working websites, but block every unnecessary JS that’s simply useless and just tracking.
Only problem is, there is no “safe browsing JS list” I would use.
It’s illogical/incorrect. There’s absolutely no need to make a whitelist of “good” .js scripts. It should be the other way around: to maintain a blocklist of “bad” .js scripts. As I said, Brave’s adblocker and uBlock Origin already maintain such a list and block “bad” .js stuff. Use Brave browser or uBlock Origin and don’t waste your precious time with NoScript.
I agree with PrivacyGuides’ recommendation of extensions — uBlock Origin is the only extension the majority might need. Another personal recommendation of mine is Dark Reader, if one prefers dark mode for everything. Nowadays, a lack of dark mode on websites must be illegal x). It causes eyestrain and dry eyes.
Some security-hypersaturated people here go as far as advising regular people to disable JIT in their browser, being completely oblivious as to what category of people might ever need to disable JIT (spoiler: it’s not for regular people at all), and in what circumstances that category of people might need to do so. Those who give such advice — really go to hilarious extremes with such myopic vision. Like, let’s advise casual folks to use Qubes OS on an air-gapped PC, wrapped in a faraday bag.
Everyone should use NoScript.
I would re-phrase it in this way: “Most people would benefit from using uBlock Origin”.
I advise people to listen to people who are knowledgeable in the privacy/security sphere and to stick to their recommendations. These people are, for example: PrivacyGuides’ team lead Jonah Aragon, the GrapheneOS team, the Tor team, the arkenfox user.js developer, and some others. Smart people have already done a lot of the work and research, and figured out lots of things. Most people just need to stick to their recommendations. For people with an elevated threat model, or for people with some specific needs or use-case, recommendations can be adjusted and their case should be treated individually. PrivacyGuides already has a very user-friendly, visually appealing website with sane, unbiased, non-opinionated content, free of ideological fanaticism, privacy/security radicalism or extremism, alarmism, fearmongering, baseless FUD, or the like, which is unfortunately very common among privacy/security enthusiasts, and can often be seen on various forums and websites. People should do their own research and make informed decisions, I mean very well-informed, with information taken from sane, knowledgeable and trustworthy people. Unfortunately, some impressionable people instantly give in to/fall for FUD (or whatever information they consume) with no second thought. For example: they just watch The Hated One’s bullsh** video about Signal, take it for granted, and go on crusades all over the internet, spreading FUD about Signal and advising people against using it. I noticed that many people don’t think at all, don’t self-research – they just wait for someone else to put information into their brain, no matter whether the info is correct and no matter anything about that info in general, and then they automatically agree with that information. There are a lot of YouTube channels and websites spreading similar FUD, maybe for clout, maybe to seem smart, and there is a lot of severe tribalism, circlejerking and echo-chambering in privacy/security communities.
It can be really difficult for most people to filter out bad stuff, especially those who began their privacy/security journey only recently. I think it is one of the reasons why PrivacyGuides exist – to fix all the bullsh** out there, and I hope it won’t change for the worse over time, and stays like that forever. I have always really liked Jonah’s neutral, unbiased, impartial, “clean” approach/take on everything. He set the right approach and foundation for the PrivacyGuides project. This is what this website needs to be, even a little “detached”: looking at everything from aside, no prejudice and bias towards anything, the “compass” stays still.
I advise you to be very careful with it. It is extremely simple to break something with such tools — been there, done that. I and some other people I spoke to, who have been testing/trying all sorts of such third-party tools/tweakers, eventually came to the conclusion that such third-party tools are simply redundant, unreliable, “dirty” and only cause troubles and breakages in the long run. My personal advice to configure privacy/security of Windows is via Group Policy Editor (gpedit.msc). That’s all. It’s a native and “clean” way of configuring Windows. However, be careful when configuring it: if you are unsure what this or that policy does — don’t touch it! GPO is for technically-inclined users. It can take some time to familiarize yourself with GPO when you configure it for the first time, but when you are done configuring, you can just export your GPO configuration and save it for the next install or for another PC. Also, you will find a lot of crucial security-related features in GPO, which no third-party tweaker is able to configure. For example: Allow administrator account lockout; Account lockout threshold; Account lockout duration; Reset account lockout counter after.
People who don’t want or can’t configure GPO for whatever reason (laziness; don’t want to waste time; not techy and don’t understand GPO; afraid to break the system by configuring something incorrectly) — should simply configure their Windows via Settings and Control Panel. Thinking that using third-party “privacy-tweakers” is going to significantly increase your privacy in your Windows install is false, and it is wishful thinking. No third-party tool is going to give you a significant level of privacy on Windows, unless you just block the internet access altogether. If you want true and real privacy, and having real privacy is your purpose/use-case — don’t use Windows, use Linux (and even then you have to pick a distro which most likely won’t shove telemetry into your install, or which most likely won’t succumb to enshittification at some point of time in the future — not Ubuntu, that is). Using third-party “privacy-tweakers” does more harm than good in the long term of using your Windows install. If one is using Windows, they should come to terms with and peacefully, buddhistically accept the fact that they will never be significantly private when using it, and they should stop bothering with third-party “privacy-tweakers”.
Also, regarding security, you can find a lot of useful information here:
And don’t hesitate to search the internet for info on something from the official documentation, if something from the documentation is too technical or is written in a manner too difficult to get a grasp of. Oftentimes, random websites on the internet have a much more user-friendly/simplified explanation of some aspect of Windows, in comparison to Microsoft’s official documentation, which appeals more to enterprise system administrators, as it seems to me.
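The following read-only PowerShell audit is an added example (not code from this thread or from any project mentioned in it). It surfaces the two things discussed above: whether the group-policy telemetry level is actually set and on which edition, and the account lockout values behind the GPO entries listed earlier. It assumes the standard DataCollection policy registry key and the `net accounts` output format of Windows 10/11.

```powershell
# Added example, not code from the thread. Read-only audit; nothing is changed.
# Assumes the DataCollection policy key and `net accounts` output of Windows 10/11.

$edition = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
Write-Host "Edition: $edition"

# "Allow Diagnostic Data" (older builds: "Allow Telemetry") lives under
# Computer Configuration > Administrative Templates > Windows Components >
# Data Collection and Preview Builds. It writes AllowTelemetry to this key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$level = (Get-ItemProperty -Path $policyKey -Name AllowTelemetry `
          -ErrorAction SilentlyContinue).AllowTelemetry
if ($null -eq $level) {
    Write-Host 'AllowTelemetry policy: not configured (edition defaults apply)'
} else {
    $names = @{ 0 = 'Security'; 1 = 'Required/Basic'; 2 = 'Enhanced'; 3 = 'Optional/Full' }
    Write-Host "AllowTelemetry policy: $level ($($names[[int]$level]))"
    if ($level -eq 0 -and $edition -notmatch 'Enterprise|Education|Server') {
        # Level 0 is only honoured on Enterprise/Education/Server; other
        # editions silently fall back to Required (1), as the post above says.
        Write-Host '  note: this edition ignores level 0 and sends Required data anyway'
    }
}

# Account lockout: `net accounts` prints the values behind the GPO entries
# Account lockout threshold / duration / Reset account lockout counter after.
# (Allow administrator account lockout is not shown here; check secpol.msc.)
$acct = @{}
net accounts | ForEach-Object {
    if ($_ -match '^(.+?):\s+(.+)$') { $acct[$Matches[1].Trim()] = $Matches[2].Trim() }
}
if ($acct['Lockout threshold'] -eq 'Never') {
    Write-Host 'Lockout threshold: Never (online password guessing is not throttled)'
} else {
    Write-Host "Lockout threshold: $($acct['Lockout threshold']) bad attempts"
    $detail = "Lockout duration: $($acct['Lockout duration (minutes)']) min; " +
              "counter reset after: $($acct['Lockout observation window (minutes)']) min"
    Write-Host $detail
}
```

Run it from a normal PowerShell prompt; reading the policy key and `net accounts` does not need elevation, and re-running it after a GPO change shows whether the setting really landed.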
Windows’ security is decent, and has improved dramatically in recent years. What is “so bad” — it is Linux’s security. Proprietary operating systems will always be more secure than open-source ones, but will never be as private as open-source ones. I also fully agree with Joanna Rutkowska on that:
So, I’m reinforced in my belief that security of mainstream platforms (from Apple, Google, MS) will continue to improve, likely exceeding the “open source” offerings. But, the open source will still have an edge in:
This is factually false. You can use a local account (on both Windows 10 and 11) and use Microsoft Store freely. However, you will be unable to install paid apps or apps that have an age rating that requires verification, such as Spotify or Netflix.
I’ve used both Windows 10 and 11 with a local account and I was (and am) using Microsoft Store freely. I don’t use paid apps or apps with an age rating, so I have zero issues in my use-case. It’s completely feasible to use Windows 11 and take a full (for the most part. Like, 90%) advantage of it without making a Microsoft account.
You lose stability and reliability of your system, especially in the long run. Testing something in a VM doesn’t count. What counts is using your bare-metal Windows install for a long time.
I don’t know why you recommend using unmaintained, outdated Windows telemetry blocklist dug out from the deep depths of GitHub, from some random no-name author (no offense to them, they just don’t have any credibility) which hasn’t even visited GitHub in a long time, all the while when there are several popular and maintained options from credible, reputable authors. I won’t list them because I don’t recommend anyone using this approach of blocking telemetry: via third-party tools/tweakers/blocklists.
JS exploits are quite common and JIT is responsible for about half of them. It’s a common misconception to think that you need to be a high-value target to get hit by it. Disabling JIT has only little impact on the usability of everyday browsing. Only very few websites heavily rely on it, and if you know that, you can selectively enable it for these. It’s very reasonable to disable it and you get a massive security boost with little downsides.
Since JIT-less mode disables the optimizing compiler, it comes with a performance penalty. We looked at a variety of benchmarks to better understand how V8’s performance characteristics change. Speedometer 2.0 is intended to represent a typical web application; the Web Tooling Benchmark includes a set of common JS developer tools; and we also include a benchmark that simulates a browsing workflow on the Living Room YouTube app. All measurements were made locally on an x64 Linux desktop over 5 runs.
Speedometer 2.0 is around 40% slower in JIT-less mode. Roughly half of the regression can be attributed to the disabled optimizing compiler. The other half is caused by the regular expression interpreter, which was originally intended as a debugging aid, and will see performance improvements in the future.
The Web Tooling Benchmark tends to spend more time in TurboFan-optimized code and thus shows a larger regression of 80% when JIT-less mode is enabled.
Finally, we measured a simulated browsing session on the Living Room YouTube app which includes both video playback and menu navigation. Here, JIT-less mode is roughly on-par and only shows a 6% slowdown in JS execution compared to a standard V8 configuration. This benchmark demonstrates how peak optimized code performance is not always correlated to real-world performance, and in many situations embedders can maintain reasonable performance even in JIT-less mode.
Memory consumption only changed slightly, with a median of 1.7% decrease of V8’s heap size for loading a representative set of websites.
Whether you need to disable JIT completely depends on your use-case/threat model. There are downsides. Browsing with JIT disabled is really not ready for general usage by everyone, yet, and it shouldn’t be recommended to everyone.
I didn’t imply that. I implied that regular people getting pwned by JIT exploits is a rare case.
You obviously have never used a JIT-less browser for everyday use. The performance impact is negligible for the vast majority of websites, even on low-powered devices. I have used JIT-less for years on multiple devices, including some low-powered ones without negatively noticing it.
Desktop or Android? Care to share your specs? I can literally record a video specifically for you from my low-end Android, where I can demonstrate the difference in page loading delay with JIT enabled and disabled. The difference is very noticeable visually.
I’m daily driving Vanadium with JIT disabled for almost a year, and I have zeeeerooooo complaints.
But that’s probably because all the sites that I visit aren’t pieces of crap. Most of them work without JS, and the ones that need JS work well without JIT. Never have I ever encountered a site that would depend on JIT so much that it would impact my experience.
Would you call google.com a piece of crap, for example? I give the most banal example: on my device, google.com takes longer to load with JIT disabled than when it’s enabled. If someone has doubts, I can prove it by recording a video. If you have a mid-tier device, the difference in performance might not be noticeable. Google Pixels are all good, even the first one. Most likely you don’t see the difference due to having good specs. Nice job flagging my comment, by the way.