A Better Online Experience

In this Apple-user-oriented and Safari-and-Mail-centric guide to improve privacy, security, and speed for the Average Joe online experience, I suggest some extensions, applications, and components for both macOS and iOS. I don’t pretend to be writing the perfect guide. I just want to share what I find useful from this perspective and hope that it can be helpful to someone else.

Premise

Internet privacy and online anonymity are extremely hard to achieve, if not impossible, because of increasingly pervasive and aggressive data mining practices and global mass surveillance programs. Truth be told, in most cases, we willingly give up a lot of our data, personal life, and details in order to use convenient free services, like social networks, email, DNS, blog engines, cool sites, communities, communication apps and so forth. Moreover, the use of services and software that one thought to be safe, private, and secure but that ain’t really so gives a false sense of security/privacy, and this is possibly even more dangerous, because we all change our behavior if we are not being watched or, at least, we won’t do socially unacceptable things if we know we are being watched. It’s just our natural behavior.

Big data serving immoral marketing strategies isn’t the only issue here. There are intrinsic serious privacy concerns and quite worrisome related potential dangers that people often don’t take account of (or care about) whenever they share very personal data on these platforms. Most of us aren’t even aware we leave a significant trail in everything we do, both online and offline, and that all of this contributes to very accurate profiling. In fact, even if you don’t have any social network account or don’t explicitly agree to be tracked and profiled, they (social networks or otherwise) do have a profile of you.

The broad invasion of privacy we’re all subject to can have dire consequences. Take identity theft and all it can lead to as an example. What’s worse, in an ever more digital life, most of the time it’s not entirely one’s fault if one falls victim to identity theft, because of data breaches caused by some company’s negligence or mistakes.

So, should you be willing to learn how to protect yourself against unfair practices or at least mitigate them, Kevin Mitnick’s “The Art of Invisibility” is a good start. Mind, it is not the panacea. Most of the outlined technologies and techniques in the book are common knowledge and are easily feasible. On the other hand, the care required to fully achieve what’s taught in the book demands a pretty serious commitment that most of us could not be arsed to even think about. In all fairness, it’s close to impossible to keep up with those goals and be stealthy for the average Joe (including me). But that’s ok, we are not Edward Snowden or Julian Assange after all. You might even argue that “I’ve nothing to hide…” Well… It. Ain’t. Quite. So. I strongly advise that you read the book nonetheless. If anything, for general knowledge.

Having said that, while I personally couldn’t take on Mitnick’s precautions fully, the book got me thinking about how to mitigate, at the very least, some of the data mining and improve both my security and privacy in my day-to-day online presence whilst continuing to use the software I usually use (as opposed to switching to something else) and not compromising my online experience, in terms of usability, too much.

Disclaimer

The web is plastered with advertisements masked as unbiased articles and guides. Most of the time these rank high in search engines too, making it hard to discern what’s legit from the crap. But there are plenty of good resources out there to help you understand them better. Some of these give you the tools to make an educated choice, some others give you precious advice on how to improve your situation.

However, as valid as these resources may be, most of them are centered around technologies I don’t want to switch to. This post is a small and humble contribution to those and it aims to make things a little better/safer for Apple users who use and love Safari and Mail, be it on macOS or iOS.

Based on this preamble, I don’t pretend to be writing the perfect guide. I just want to share what I find useful from this perspective and hope that it can be helpful to someone else. If you have better options and they are compatible with my premise, I’d like to hear about them, so please share them.

Again, I don’t claim to have the definitive solution. There is neither a single book nor a single product that can make you absolutely secure and, to that extent, grant you absolute privacy. Remember: security is not a product. It’s a process.

Also, the reasons why using a VPN, end-to-end encrypted communication tools, and what-have-you is a good idea will not be discussed here, and their benefits are taken for granted. I assume that you, the reader, know about them or are, at least, interested enough in finding out for yourself. There are already copious resources that take care of explaining why these tools are beneficial. Thus, I’ll just point out the ones I use and unbiased websites to help you choose your very own favorite or get suggestions to improve your online privacy and security.

Lastly, should you be surprised by the fact that some of the services mentioned here require a payment, I’d like you to know that I’m in no way affiliated with any of them. Part of the reason you should pay for them is that “if something is free, then you are the product”. No matter how many arguments are brought against this mantra, it’s still very valid and, besides the usual suspects, there have been cases of free plugins exploiting and selling your data to the companies that their product should protect you from in the first place. This is why I’ll try to suggest alternatives that follow a more ethical approach and a transparent philosophy, and are open source, whenever possible.

Email Tracking

To both make a point of how simple it can be to mitigate risks, and to encourage you to continue reading this post, I’ll start with the one regarding Mail and requiring the least effort: email tracking. It is a sneaky and deceitful practice that went from sacrilegious to an unnoticed, widespread, and abused practice, easily accessible to everyone. It’s also very hard to effectively defeat. The only effective method to mitigate it today, according to the conclusion of Englehardt in this article, is to disable remote content from automatically loading in your emails. The only downside is that you get uglier emails, but they would be safer. It’s a good compromise and you still retain the choice to view the email in your web browser, should you want to. So, go to Mail preferences and disable remote content, on both macOS and iOS.

To prevent macOS Mail from downloading remote content:

  1. Select Mail > Preferences.
  2. Select the Viewing tab.
  3. Make sure “Load remote content in messages” is not selected.
  4. Close the Preferences window.

To prevent iOS Mail from downloading remote content:

  1. Open the Settings app.
  2. Tap the Mail section.
  3. Scroll down to the “Messages” area.
  4. Disable the “Load Remote Images” option.
  5. Close the Settings app.

It’s that easy…
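To see what “remote content” actually means inside a message, here is a small Python sketch, added as an illustration and not part of the original post. It lists every resource a mail client would fetch on opening an HTML email and flags invisible 1×1 images; the sample message and all host names in it are constructed placeholders.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not a real email); all host names are placeholders.
SAMPLE_EML = """\
From: news@shop.example
Subject: Weekly deals
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Weekly deals inside.
--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="cid:logo@shop.example" width="120" height="40">
<img src="https://img.shop.example/banner.png" width="600" height="200">
<img src="https://track.shop.example/o.gif?uid=joe%40mail.example" width="1" height="1">
<link rel="stylesheet" href="https://cdn.shop.example/mail.css">
<a href="https://shop.example/deals">See deals</a>
</body></html>
--b1--
"""

# Tags whose URL is fetched when a message is rendered, not only when clicked.
# Assumption: this heuristic covers tags only, not URLs inside inline CSS.
AUTO_FETCH = {"img": "src", "link": "href", "iframe": "src"}


class RemoteContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        attr = AUTO_FETCH.get(tag)
        if attr is None:
            return  # e.g. <a href>: needs a click, nothing loads on open
        a = dict(attrs)
        url = urlsplit(a.get(attr) or "")
        if url.scheme not in ("http", "https"):
            return  # cid:, data: and relative references make no request
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        self.found.append({"tag": tag, "host": url.hostname,
                           "has_query": bool(url.query),  # room for a per-recipient ID
                           "pixel": tag == "img" and tiny})  # invisible image


def remote_content(raw_eml):
    """Return every remote resource the HTML parts of a message reference."""
    msg = message_from_string(raw_eml, policy=policy.default)
    finder = RemoteContentFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.found
```

Calling `remote_content(SAMPLE_EML)` returns three entries: the banner, the 1×1 image with a query string, and the stylesheet. With remote content disabled in Mail, none of those three requests is made when the message is opened.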

Search Engine

Another easy expedient is to switch to a more privacy-oriented search engine than Google. Safari offers DuckDuckGo by default and this is good for most people. However, I find StartPage to be closer to my needs. I like the search results better and, most importantly, it offers anonymized proxy links to click on right beside the search results.

  1. To use DuckDuckGo, you only need to follow this easy guide: https://duck.co/help/desktop/safari

  2. If you would like to try out StartPage, you just need to install the official Safari extension by clicking “Add to Safari” on the homepage.

My personal preference setup for StartPage has the address bar search set to active and empty tabs and windows on load. This way it’s faster to use and it won’t require loading https://www.startpage.com/ every time you open a new tab or a new window (which is a bit annoying and very slow). YMMV.

Of course, there are more privacy-oriented search engines you could use, but I prefer to only list the most famous DuckDuckGo and my favorite alternative.

The only thing I dislike about StartPage is that it won’t integrate into Safari as a selectable search engine in the “Search” preferences tab, but probably this is not entirely StartPage’s fault. Perhaps if we ask Apple nicely for it to be integrated as a selectable search engine from the “Search Engine” menu, it will happen as it did with DuckDuckGo in OS X Yosemite and iOS 8.

Safari Extensions

There are a plethora of extensions available for Firefox and Chrome, perhaps far too many. In comparison, Safari extensions are few. Worry not, most of the needs discussed in this post are very well covered by them. The missing EFF extensions are certainly a minus, but we can live without them until the technical reasons why these are missing are addressed. You should note that EFF applauds new Apple privacy technologies implemented in Safari, so we are a little safer than before.

Nevertheless, I do encourage lobbying for changes in Safari to enable things like HTTPS Everywhere and hardware and biometric authentication standards like FIDO U2F and UAF, especially because Apple does already care about their users’ privacy and integrates biometrics in their products. Perhaps if we ask Apple nicely, again, we might see those implemented soon enough.

Now, although Apple’s continuous efforts and EFF’s praise are encouraging, this is the list of extensions I suggest you use (yes, all of them):

External Apps

So far we’ve improved our browsing and email privacy a little (more on emails later), but you should also take care to improve your security as well. If the many and ever-growing data breaches taught us anything, it is that people are very careless when it comes to Internet security. These dumps demonstrate that this is especially true of password security: most of the time people use passwords that are very simple to crack and, what’s worse, use the same passwords all over the place. Besides passwords, there are many other computer security aspects that you should be aware of and should be taking care of, but this is beyond the scope of this section. So, without further ado, these are the external apps I use and recommend you use too:

Safer DNS

If you don’t know what a DNS is and why it’s crucial to the Internet, just think about it as a taxi you jump on every time you want to be taken to a website. Every single time you type an address into your browser, there’s a DNS doing the hard work for you (taking you to that address with its taxi). Because of this, a DNS knows a lot about your online activity. There are many free DNS services out there and most of them promise to be anonymous or not to spy on you. I don’t really trust them. There are some exceptions though, like DNS services run by hackers’ collectives and by privacy advocates. However, as you’ll see later, a good enough DNS to use is the one provided by your VPN service. But what if you do not have a VPN? Which one to use, among the many freely available? Well, it’s a compromise. My favorite one, which I use when I’m not connected to my VPN and its DNS, is Quad9, for a few simple and solid reasons you can read about on their site: security, performance, and privacy.

Quad9 has a very simple-to-follow DNS configuration guide, so I won’t repeat it here.

Encrypted DNS

One more piece of advice on DNS, for completeness’ sake, is DNSCrypt. More info on Wikipedia. Though it doesn’t provide end-to-end security, it protects the local network against man-in-the-middle attacks and helps to prevent DNS spoofing. This falls more into DNS security than privacy, and I’m not entirely sure how good DNSCrypt usage is, in this context, after all. Feel free to explore and use it though, but keep in mind that Quad9 is enough for the main point discussed here.

Good VPN

As anticipated in the disclaimer, I won’t go over the reasons why using a VPN is a good thing. However, I don’t want you to fall for advertisement articles and videos in your web search, so I’ve picked these three random videos among the most neutral I could find: 1, 2 and 3, and this very good article to make you understand some of the benefits and the reasons why using a VPN is a must nowadays. I strongly recommend reading the article, since it also discusses proxies, Tor, and the combined use of VPN and Tor together.

Now, a VPN is only as good as its privacy and logging policies and the legislation it falls under. You should check the resources at the bottom of this page and choose for yourself. Again, there’s no perfect product, and this is true for VPNs too. I personally use Mullvad VPN and this is what I’d advise you to use too, even if Sweden is probably going to implement harsher laws against these kinds of services very soon. Yes, Mullvad is Swedish for mole.

There are a few good reasons and features why I like Mullvad, among them: they don’t ask for your identity when you create an account, they have a zero logging policy, they accept Bitcoin payments, their guides are very good, and they already support and implement WireGuard servers (as an experimental Linux feature only).

Encrypted Emails

You’d be flabbergasted if you knew that email was never meant to be secure and private, how easy it is for somebody eavesdropping to read your emails, or how high the risks involved in sending personal details over email are. These are the reasons why you should use encryption at all times in all of your communications, not just emails, and take some precautions when sending emails. Better still, use a privacy-oriented email service. As for VPNs, I encourage you to check the resources at the bottom of this page and choose for yourself. I do use a specific one but I might change it soon, therefore I won’t spend much time talking about it here[1].

Having said that, I’d like to give you some hints:

Choosing the email provider is important, of course. Once you have one, you should also know how to use encrypted emails though. You should know that using GPGMail with Mail is a breeze, once you have created your GPG key pair and have taught yourself how to do this whole encryption business. Luckily for us, GPG Suite offers a very detailed and easy-to-understand how-to. Easy peasy.

As a last note, I’d like you to know about DarkMail. It is very promising, but far from being deployed anytime soon (if it’s still alive at all). Keep an eye on it nonetheless.

Secure Communication

One thing should be clear by now: you should not be using Skype, WhatsApp, Messenger or any other instant messaging app that is not so safe and is pretty much entangled with data mining and the mass surveillance circle. Perhaps you think you are safe because you are using Telegram, Signal[2], WhatsApp[3] or even ChatSecure and XMPP[4]. While the latter is better than the former, they are not quite it. I personally use and strongly advise you to switch to Wire[5]. It’s open source, it’s reliable, it has a strong security argument and great features, and its security is regularly and independently audited. It also compares favorably with all of them (scroll down to the bottom of the home page for a comparison table). Besides, it’s also cross-platform: it is available for iOS, Android, Linux, Windows, macOS and Web browser clients. You can use it to make voice and video calls; send text messages, files, images, videos, audio files and user drawings depending on the clients used. It is hosted within the European Union and protected by European Union laws.

Avoid These

If you have read the disclaimer, you can recall that the web is plastered with advertisements masked as unbiased articles and guides. Besides paid articles written only to promote certain services, one particular category of shitty malware disguised as useful software you must avoid at all costs is the “scammy cleaning family”. Yes, I’m referring to all of the infamous Mac cleaning utilities, whatever their names are and whatever they claim to be doing for your own good: do not trust them and do not ever install them. They will either install malware or be malware themselves, infesting your Mac and making your life worse. Furthermore, they are a pain to eradicate.

There is a lot more software that will install or integrate malware, adware, and tracking within its app, like uTorrent for example, but I cannot list them all. Not to mention all of the tricky malware you might incautiously install if you visit porn sites or free streaming sites. Just beware of what gets in your Mac. By the way, should you be doing torrents, use qBittorrent.

Another important piece of advice is that you should also avoid software cracking. As you may have guessed, it’s not free. Cracked software is very likely to be infected with any kind of malware. That’s often the payoff for their efforts. If you really want free, then use Free, Libre and Open Source Software available for the Mac platform. Most of it is available via Homebrew and very easily installable.

The above is only a brief representative example of dangerous sites, mischievous articles, not-so-great services, and dangerous software habits. I can’t know about all of them but I brought up these examples also to take us a step back: malware does exist on Mac and you do need to protect against it.

About iOS

So far we’ve mainly discussed macOS. This is partly because iOS doesn’t really allow the same level of sophistication, so the iOS part is going to be shorter. However, since Apple introduced content blocking on iOS, it is a good idea to take full advantage of this as much as we possibly can. The other reason is that some of the software and extensions I introduced earlier will be used for iOS as well. We can take advantage of VPN and encryption, as well as using our favorite DNS and most of the things we’ve discussed so far. Now, I won’t go over the topics again and I’ll just list components and apps you should be using on iOS, with some additions:

Resources

These are some must-watch videos about the topics we’ve discussed in this post.

One More Thing

One last piece of advice is about common computer security knowledge. Despite being common knowledge, it’s neglected by most people more often than you think. It’s for this reason that most universities have dedicated pages. You’d think that higher education students would be educated enough and blah… nope! I find the Berkeley resources to be very valid, informative and easy for anyone to understand. You should browse around. Also, I’m going to reiterate some of these common best practice concepts here, again:

I think that’s enough for a sample of the common best practices. Should you be thinking I’m being paranoid, this is a good time to suggest browsing around the valid Berkeley resources once more, to remind you that marketers steal your credentials when you are visiting websites, and to suggest a couple more books to read:

I can guarantee you’ll be surprised, astounded and gobsmacked to learn what is even remotely possible for crackers to do with the right motivation.

Until Next Time

In my next post, I’ll be sharing my LEDE configuration and considerations. It will not be too technical but it’s definitely going to aim at a slightly geekier Joe. In that post, I’ll point out what extra components I’ve installed and what kind of configuration made my home Wi-Fi a little safer for all the family members to use, just by connecting to it and with zero knowledge of anything discussed in this very post or in the next one. I’ll also share my scripts to automate custom builds. Stay tuned.


  1. Mailfence footnote: this is the one I use. After I published this post, they published an interesting article on privacy and security and how they go about them. Worth a read: https://blog.mailfence.com/security-privacy-anonymity/
  2. Signal footnote: as far as security and features go, Signal and Wire are pretty much equivalent but Signal wants to know more about you than Wire (e.g. phone number). Let’s say that Signal is still secure to some extent but is more intrusive than Wire. Also, continuing the parallel with Wire, Signal hasn’t been independently audited in a long while and it doesn’t offer 2FA either.
  3. Signal and WhatsApp are vulnerable to the same attacks because they use the same underlying technology: https://www.schneier.com/blog/archives/2018/01/dark_caracal_gl.html
  4. XMPP, OTR, ChatSecure footnote: XMPP+OTR (which is used by ChatSecure as well) is no longer a safe option.
  5. Wire footnote: the Wire site has changed a lot since I originally wrote about it. It seems that they are solely focusing on the ‘Team’ features all around the site nowadays. Not that this makes it any less valid as software, but it’s very confusing for new people. It is hard for newcomers to understand that it is also available for personal use (and free as in freedom and beer). Besides removing any info for “personal use” (WTF!?!?), they’ve also removed the comparison chart I mention in the post. I just hope that they won’t shoot themselves in the foot with this change of direction.