Facebook Container Tab in Firefox

Guard Your Privacy Online

An unfortunate reality of life online today is that some popular sites do not respect your privacy at all. The issue is not the data that you knowingly and freely give them. The issue is that they collect data on you without explicit consent. Oh, sure, you do agree to their “terms of service” that are written in legalese, with all the important bits buried in the depths of it. Facebook is quite possibly one of the worst offenders when it comes to stalking you around the internet. It’s one thing to be “watched” when using the Facebook properties, as it only makes sense that they are monitoring what you do, what you post and so forth; it’s another thing for them to track you when you go to other sites. That is stalking and although legal, it is not at all ethical. The solution: using Facebook Container Tab in Firefox.

The purpose of this article is to give you a layer of protection against being stalked by Facebook. If this is all the information you need to convince yourself of the benefits, install Firefox if you haven’t already been using it, then install the Facebook Container tab.

This is the first of what will be many security and privacy tips that I hope average folks can use. Although most of what I write targets Linux and specifically openSUSE Linux, I am straying just a bit. This article also assumes that you have some idea how to install software on your particular operating system.

Installation

If you are running a modern Linux distribution, you likely have Firefox installed by default. There are some unfortunate exceptions which I cannot recall, nor do I care to recall at this time. openSUSE, Ubuntu, along with its flavors, Fedora and MX Linux have it installed by default.

On Windows and macOS, you will have to navigate here:

https://www.mozilla.org/en-US/firefox/new/

For a Linux user, Firefox should be in the main package repository. Consult your specific distribution if, for some extremely odd reason, you do not have it already installed. You can also use the aforementioned link to get a tar.gz archive and follow the instructions there.

Firefox truly is the best browser you can have on any computer and this Facebook container tab really cements it in for me. To get the add-on, follow this link:

https://addons.mozilla.org/en-US/firefox/addon/facebook-container/

Why it’s Important

Many sites are collecting as much personal data from you as they can to make a dollar off of you. To be clear, I am not bothered by advertising on websites. What I am bothered by is advertising that stalks you. I also have to acknowledge that this site uses Word Ads so there is something I don’t like going on there (I’ll have a better solution eventually).

One of the worst offenders is Facebook. Even if you don’t have a Facebook account, when you visit a site that has some sort of Facebook tie-in, they will create a kind of “shadow profile” on you and stalk you around the web.

For those that have a Facebook account, which includes Instagram, and want to use it in a safer, more privacy-respecting fashion, the Facebook Container Tab extension on Firefox is the best way to use a site that is hostile to your privacy and prevent excessive tracking. It helps you take control and isolate your web activity from Facebook.

What Does it Do?

Facebook Container works by isolating your Facebook identity into a separate container that makes it difficult for Facebook to track your visits to other websites with third-party cookies. In effect, you are only allowing Facebook to track what you do on their web properties, not on the entirety of the Internet.

Facebook Container Add-on

How it works

This extension secures your Facebook tabs. When you close the tab, it deletes your Facebook cookies, and logs you out of Facebook. The next time you navigate to Facebook it will load in a new browser tab (the “Container”). It can be distinguished with another color or in my case, it underlines the tab.

Facebook and Instagram tabs are underlined to identify it being in its own container.

Once the extension is installed, you don’t have to think much of it. Log in and use Facebook normally. The browser will automatically detect if you are going to a Facebook property. Should you click on a non-Facebook link or navigate to a non-Facebook website in the URL bar, these pages will load outside of the container, in effect preventing the stalking and monitoring by Facebook.

Something that has become quite common is seeing “Facebook Share” buttons on other sites. If you should click on that share, Firefox will load it within the Facebook Container. You should know that using these buttons passes information to Facebook about the website that you shared from.

Facebook share… beware

The Price of Security Costs in Convenience

How you engage other websites outside of Facebook may be impacted by the container tabs. Most of what I view doesn’t have this encumbrance but you are not likely me. As such, some website features will not function as you may expect.

Since you will be logged into Facebook only in the Container, embedded Facebook comments and Like buttons in tabs outside the Facebook Container will not work. This is how Facebook is prevented from associating information about your activity on websites outside of Facebook to your Facebook identity.
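The isolation described above can be pictured as one cookie jar per container. The following Python model is an added illustration, not code from Firefox or from the extension; the container labels, the two-site list, the URLs and the session value are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Sites routed into the Facebook container (sample list assumed for this model).
FACEBOOK_SITES = ("facebook.com", "instagram.com")
FB_CONTAINER = "facebook-container"  # hypothetical label for the container
DEFAULT = "default"                  # hypothetical label for ordinary tabs


def host_of(url):
    """Lower-cased host name of a URL."""
    return (urlsplit(url).hostname or "").lower()


def in_domain(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


class Browser:
    def __init__(self, containers_enabled=True):
        self.containers_enabled = containers_enabled
        self.jars = {}  # (container, cookie domain) -> cookie value

    def container_for(self, tab_url):
        """The container is chosen from the address shown in the tab."""
        is_fb = any(in_domain(host_of(tab_url), s) for s in FACEBOOK_SITES)
        return FB_CONTAINER if self.containers_enabled and is_fb else DEFAULT

    def login_to_facebook(self, session):
        """Logging in stores the session cookie in the jar of the tab's container."""
        container = self.container_for("https://www.facebook.com/")
        self.jars[(container, "facebook.com")] = session

    def request(self, tab_url, resource_url):
        """One request made by a page: only the tab's own jar is consulted."""
        container = self.container_for(tab_url)
        host = host_of(resource_url)
        cookie = next((value for (c, d), value in self.jars.items()
                       if c == container and in_domain(host, d)), None)
        return {"container": container, "cookie": cookie, "url": resource_url}


def like_button_view(containers_enabled):
    """What facebook.com receives when a news page in an ordinary tab embeds a Like button."""
    browser = Browser(containers_enabled)
    browser.login_to_facebook("session-of-alice")  # constructed value
    return browser.request("https://news.example/story",
                           "https://www.facebook.com/embedded-like-button")  # constructed URL


def share_click_view():
    """Clicking Share opens facebook.com inside the container, so the login cookie
    travels together with the address of the page being shared."""
    browser = Browser(containers_enabled=True)
    browser.login_to_facebook("session-of-alice")
    share = "https://www.facebook.com/share?u=https://news.example/story"  # constructed URL
    return browser.request(share, share)


if __name__ == "__main__":
    print("Like button, container on: ", like_button_view(True))
    print("Like button, container off:", like_button_view(False))
    print("Share click, container on: ", share_click_view())
```

With the container on, the embedded button's request carries no cookie, which is also why the button cannot show you as logged in; the share click is the one case where the identity and the outside page reach Facebook together.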

In addition, if you have used Facebook credentials to log into websites, first of all, bad idea. Giving Facebook keys to other accounts is a terrible, terrible idea. That is like throwing your wallet and keys in the front yard with a sign pointing down to detailed instructions about which keys access your home, car and bank account.

If you want a password manager, you can read about Bitwarden here and decide for yourself if you want to use it. If you would like to sign up for a free account, navigate here.

Facebook credentials will generally not work properly with this extension because it is designed to separate Facebook use from use of other websites. This is the cost of convenience but I have provided a much better solution with Bitwarden.

What Facebook Container Does Not Do

This extension does not prevent Facebook from mishandling the data it already has or that you have given to it. Facebook will do what Facebook does. Whatever you do on Facebook, automatically assume that you have permitted all of Facebook and any of its partners to pass around your data like a dish of mashed sweet potatoes at a family dinner. Facebook has access to everything that you do while you are on Facebook.com, or Instagram.com and WhatsApp. This includes Facebook posts, comments, photo uploads, likes or other emotional responses as well as any and all data you share with Facebook connected apps.

Ideally, none of us should use Facebook but that is one of the “city centers” of the Internet. Likely, it is a service you find valuable and you should have tools to limit what data Facebook can obtain. This extension focuses on limiting Facebook tracking, but other ad networks may try to correlate your Facebook activities with your regular browsing.

Additional Notes

This extension alone is not going to prevent every bit of tracking in association with Facebook. This is but one layer or one other line of defense to protect you. In addition to this extension, you can change your Facebook settings, use Private Browsing, enable Tracking Protection, block third-party cookies, use an ad blocker like uBlock Origin and/or use the Firefox Multi-Account Containers extension to further limit tracking. Implementing all of these bits at one go may not work out for you, so add them one at a time to see how many conveniences are worth giving up for a little more security and privacy.

You may wonder if Mozilla collects data from your use of the Facebook Container extension. All they receive are the number of times the extension is installed or removed. If you would like to learn more and its specifics, feel free. It’s open source.

There are already container features that are built in to Firefox. When you enable Facebook Container, you may also see Containers named Personal, Work, Shopping, and Banking while you browse. If you wish to use multiple Containers, you’ll have the best user experience if you install the Firefox Multi-Account Containers extension. More information about containers can be obtained from the Mozilla support site.

What I like

I have, in effect, cut Facebook off from stalking me around the internet. They are not able to monitor my activities outside of Facebook and make advertising recommendations to me based on my interests.

Isolating Facebook in a tab and closing it truly cuts Facebook off from my browser and computer. Think about it. With other solutions, like using Google Chrome, when you “log out” of Facebook or close the tab that had Facebook running in it, there is still code running on your computer and reporting back to Facebook on your activity. This happens regardless of whether or not you have a Facebook account. Container tabs allow the freedom of the information without the associated costs in loss of privacy.

What I Don’t Like

I don’t like that this extension isn’t activated by default. Although, I do understand why they would not, as the uninformed or oblivious user would think there is something wrong with Firefox and potentially abandon it when some external sites’ Facebook plugins wouldn’t work properly. Rather than frustrate the user by having it active by default (which would be my choice), they deactivate it and let the informed user protect themselves.

The Android mobile Firefox client does not support this extension and that annoys me quite a bit. I am not sure why the mobile app is crippled. Perhaps it is a different web engine. I know that Firefox uses the WebKit instead of the Gecko rendering engine on iOS but I don’t know about Android for sure.

That’s all I can think of for what I don’t like about it. This is the only way I will use Facebook, on my computer using Firefox. I do not feel comfortable browsing Facebook without it having its healthy boundaries set.

Final Thoughts

Security on the World Wide Web is not as simple as it once was. Many sites, generally from “big tech” are not being very respectful of your privacy and are preying on your ignorance of their actions. They get away with it by creating these massive End User License Agreements (EULAs) that you have to agree to in order to use their site. They don’t make it clear that just by browsing to their site, they are implanting code on your computer’s browser to track and monitor you and what you do, mostly for ad revenue but maybe for other nefarious activity.

Facebook containers will prevent some of that stalking. It will contain the tracking but that is it. This is one of many steps that should be taken when making voyages across the “scary internet”. Prepare yourself and your computer. Use Firefox and enable the Facebook container tabs, even if you don’t have a Facebook account. Your identity, privacy and security are quite important in so many ways. This is a no-cost option with a minor penalty in loss of convenience. Check it out, see if it is sustainable. Once you see the benefits of container tabs, you won’t regret the decision to go Firefox.

References

Download Firefox from Mozilla.org
Facebook Container from addons.mozilla.org
Bitwarden a Secure Password Manager on openSUSE
Get Bitwarden Password Manager
Multi-account Containers from addons.mozilla.org
https://github.com/mozilla/contain-facebook
https://support.mozilla.org/en-US/kb/containers

Windscribe VPN on openSUSE

With all the talk of VPN (Virtual Private Network) services to keep you safe and my general lack of interest in the subject, I was talking to Eric Adams, my co-host on the DLN Xtend podcast, about the subject. He was telling me that he was hesitant to recommend any service so he gave me some options to try out. The one I chose, after doing a little reading, was Windscribe.

I am new to the VPN game so I want to be careful not to say that I am recommending this as the perfect solution; rather, I am demonstrating how I set it up and how I am using it on my openSUSE Tumbleweed system. Much in the same way Eric informed me about it.

Installation

For starters, I navigated to the Windscribe website, https://windscribe.com/

It’s a nice looking site and I like that they have, front and center, a Download Windscribe button. I am always annoyed when you have to go digging around to download anything. I give a resounding “boo” when I am forced to play a scavenger hunt game to find the download link. Thank you Windscribe for not making this part difficult.

Another well presented download for Linux button. No hunting here either. Although, I did notice that there was a lack of definition of my favorite Linux distribution. They have left out openSUSE and that makes me just a bit frowny faced. No matter, I am not a complete “noob” to the Linux-ing and since Fedora and openSUSE packages are like close cousins (in my experience, but I am often wrong), setting this up for openSUSE was pretty darn straightforward.

These instructions are easily adapted to the fantastic Zypper package manager. This is my adaptation of their instructions for openSUSE and is well tested on Tumbleweed.

1. Get a Windscribe Account

Create a free account if you don’t have one already

2. Download and Install the repo as root

zypper ar https://repo.windscribe.com/fedora/ windscribe

This is telling zypper to add the repository (ar) https://repo.windscribe.com/fedora and naming it “windscribe”.

3. Update Zypper

zypper refresh

4. Install Windscribe-CLI

zypper install windscribe-cli

5. Switch to non-root user

exit

6. Login to Windscribe

windscribe login

Follow the steps with your newly created account

7. Connect to Windscribe

windscribe connect

And that is all there is to it. You will be connected and ready to be part of the cool-kid VPN club.

Side Note

If you need further help with the different functions of Windscribe, run:

windscribe --help

If you need further information on how to use these other features, please visit the windscribe.com site as I am just using the basic functionality of it here.

If the windscribe daemon service does not automatically start up, you may have to start it manually as root.

systemctl start windscribe

and if you want to have it enabled at startup

systemctl enable windscribe

Those may or may not be necessary for you, but just in case, there you go and you’re welcome!

First Run and Impressions

There currently isn’t a graphical tool for using windscribe in Linux, or at least openSUSE. Chances are, if you are using openSUSE and are hyper concerned about protecting your traffic, using the terminal is not exactly going to cause you to have heartburn. Installation to execution is truly as simple as I have outlined above.

You can take it one step further in the cool, fun, I am a hacker-poser-type if you run it in a terminal emulator called Yakuake. This is a drop-down terminal that is invoked, on my machine with Meta+F12. It looks cool and very convenient to drop it down whenever I need it.

For the free account, you are limited to 10 GiB of data. To check the status of your account usage, in the terminal type

windscribe account

That will give you an output, something like this:

——- My Account ——-  
Username: CubicleNate
Data Usage: 80.02 MB / 10 GB
Plan: 10 GB Free

There is a paid option, which, in my opinion is very reasonable, if you buy a year at a time and I think, if you travel a lot, this may be of great interest to you to protect your data.

If you buy a one year subscription for $49, you get Unlimited Data, Access to all their locations, which they boast as over 60 countries and 110 cities, a Config Generator for OpenVPN, IKEv2 and SOCKS5 which, to my understanding, will allow me to use NetworkManager to access the service, and R.O.B.E.R.T. to block ads, trackers and malware. If that is all up your alley, and you like the free service, it all seems pretty well worth it to me.

What I Like

The installation was simple, using it is simple (so long as you are good with the command line) and the performance is very acceptable. Since I am using this when I am away from home, I don’t expect any break-neck speeds out of it, I just prefer that my traffic is at least somewhat protected. After listening to this episode of Destination Linux, I felt like it was a good idea to enact some sort of VPN when I’m out and about.

What I Don’t Like

There isn’t a graphical interface for the terminal-phobic folks. Not a problem for me or likely most Linux users, but there are some that just won’t use it. That’s just the way it goes.

I don’t like that I am not quite familiar with Windscribe. That is not a fault of the service, just the fact that I know so little about them. I will tell you that every email interaction with Windscribe has been amusing so that bodes well for what I think of them.

Final Thoughts

I know that my employer requires me to VPN in to do any real work so even they recognize the value of a good VPN, so maybe I should too. How often do I plan to use it? Not all that often, really. Maybe a few times a month, specifically when I am using an internet access point that I do not trust. I will especially use it if the access point has “xfinity” in the SSID as I have little to no trust for them.

I appreciate how simple this is to use and should I get to the point where I am pushing my 10 GiB per month limit, I will go all in on an annual subscription. It’s not that expensive to put up one extra line of defense, especially one as convenient as this.

References

Windscribe.com Home
openSUSE Home
Destination Linux Episode 146 on VPNs
DLN Xtend Podcast
Eric Adams at Destination Linux Network

CPU Security Mitigation on openSUSE | Tuning it for Your Case

This is a little outside of my normal blatherings format but after stumbling upon a video from Red Robbo’s YouTube channel, I wanted to investigate his claims that maybe, just maybe, the security mitigations that I have chosen are a bit excessive for my use case. Recently, openSUSE has added a feature to make this easily user adjustable. Since they made it easy, obviously, someone far smarter than I am has decided that some of the mitigations may be excessive and not worth the performance loss for all use cases. I have written about the mitigations some time ago and how it is fun to see all that is being implemented. Maybe it’s time to dial it back.

This is the video that made me pause and think about the choices I’ve made.

Red Robbo made the statement, “how many people are actually impacted by this, not potentially impacted but actually…”

Fair statement: what is my actual risk? Not imaginary but actual risk. So that got me thinking. My setup has been to keep the mitigations on “Auto”. That seems fair to me. Let the system decide how many mitigations I need to have in place. Then this video came out and it got me thinking…

“How many mitigations do I really need to have to protect my system?”
“What are the threats against my main machine, a laptop, that does not run any services?”
“How much of a performance improvement would I have if I switched the mitigations off?”

According to SUSE, by leaving the mitigations to Auto, “All CPU side channel mitigations are enabled as they are detected based on the CPU type. The auto-detection handles both unaffected older CPUs and unaffected newly released CPUs and transparently disables mitigations. This options leave SMT enabled.”

It was time to explore this further. Do some self-discovery, as it were.

In reading all the CVEs on the subject, they are worded as either, “Local attacker”, “In theory”, “…a possible approach”, “could be made to leak”.

I couldn’t help but think, golly, this is all… speculative… isn’t it. I now wonder what the actual threat is. I appreciate how the fixes were very much preemptive before any attacks were made but it almost seems like building my house so that it is meteor proof, just in case of meteor strike.

What I’ve done

So I did as Red Robbo suggested, not on all my machines, just the machines that that, I shut them off. I am not on anyone’s target list. I don’t run any kind of service that has tons of people in this system and it doesn’t often face the scary internet directly as it is going through a firewall that filters most of the scary traffic away. Making the change was really quite easy and underscores the beauty of YaST. To get to the right module, I go into YaST and select the Boot Loader module under System.

Within the bootloader module, select the Kernel Parameters tab and under the CPU Mitigations, I selected the drop down and the Off option.

After selecting okay and rebooting the system I can’t say I noticed any major improvement to performance. I tested Auto vs Off and I couldn’t actually tell the difference in performance. There may be some improvement but either I am personally too slow or nothing I do on a regular basis is affected by the mitigations.
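To see what the kernel actually applied after a change like this, the script below reads the kernel's per-issue status files under /sys/devices/system/cpu/vulnerabilities and the mitigations= boot parameter from /proc/cmdline. It is an added example, not from the original article or from SUSE; the function names and the sample directory it builds are constructed for illustration.

```python
import tempfile
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")  # one status file per CPU issue
CMDLINE = Path("/proc/cmdline")                              # parameters the kernel booted with


def boot_setting(cmdline_text):
    """Value of mitigations= on the kernel command line, or None when it is absent.
    If the parameter is repeated, the last occurrence is reported."""
    value = None
    for token in cmdline_text.split():
        if token.startswith("mitigations="):
            value = token.split("=", 1)[1]
    return value


def classify(status):
    """Reduce a sysfs status line to one of four states."""
    for prefix, state in (("Not affected", "not_affected"),
                          ("Mitigation", "mitigated"),
                          ("Vulnerable", "vulnerable")):
        if status.startswith(prefix):
            return state
    return "unknown"


def mitigation_report(vuln_dir=VULN_DIR, cmdline_path=CMDLINE):
    """Collect the boot setting and the state of every issue the kernel reports."""
    vuln_dir, cmdline_path = Path(vuln_dir), Path(cmdline_path)
    cmdline = cmdline_path.read_text() if cmdline_path.is_file() else ""
    issues = {}
    if vuln_dir.is_dir():  # missing on non-Linux systems and very old kernels
        for entry in sorted(vuln_dir.iterdir()):
            try:
                status = entry.read_text().strip()
            except OSError:
                continue  # unreadable entry: leave it out rather than guess
            issues[entry.name] = (classify(status), status)
    return {
        "boot_setting": boot_setting(cmdline),
        "issues": issues,
        "vulnerable": [n for n, (state, _) in issues.items() if state == "vulnerable"],
    }


def constructed_sample_report():
    """Run the report over a constructed directory imitating a mitigations=off boot."""
    sample = {  # constructed status lines, not captured from a real machine
        "meltdown": "Vulnerable",
        "spectre_v2": "Vulnerable, IBPB: disabled, STIBP: disabled",
        "l1tf": "Mitigation: PTE Inversion",
        "tsx_async_abort": "Not affected",
    }
    with tempfile.TemporaryDirectory() as tmp:
        vulns = Path(tmp, "vulnerabilities")
        vulns.mkdir()
        for name, text in sample.items():
            (vulns / name).write_text(text + "\n")
        cmdline = Path(tmp, "cmdline")
        cmdline.write_text("BOOT_IMAGE=/boot/vmlinuz root=/dev/sda2 quiet mitigations=off\n")
        return mitigation_report(vulns, cmdline)


if __name__ == "__main__":
    report = mitigation_report()  # the running system
    print("mitigations= boot parameter:", report["boot_setting"] or "(not set)")
    for name, (state, status) in report["issues"].items():
        print(f"{name:28} {state:13} {status}")
```

Running it once with Auto and once with Off, and comparing the two listings, shows exactly which issues the Off setting leaves open on a given CPU.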

Final Thoughts

For “desktop” machines, I am pretty confident that the other security features of Linux are quite adequate to keep you safe on the Scary Internet. This desktop machine doesn’t provide any services to anyone outside of me as I am using it. I don’t have an Internet facing web service or database that has a risk in being compromised by bad actors.

For my personal server, that really doesn’t do a lot, I am keeping the mitigations to Auto. Although it does not face the internet, it is on all the time, I am not asking too much of it and it has a great chance at getting poked by something. Though, since I am not a target, the chances of that machine being compromised are also rather slim.

Your situation is dependent on your level of paranoia. Crank up your mitigations to 11 if you think it is best. As for this particular machine and the other little laptops and netbooks I use, I don’t see it as necessary.

References

SUSE.com Centralized CPU issue Mitigation document
Red Robbo’s Workshop YouTube Video: Improve Intel CPU performance on openSUSE
CubicleNate.com Spectre and Meltdown Vulnerability Status
TID 7022512 – Security Vulnerability: “Meltdown” and “Spectre” side channel attacks against CPUs with speculative execution.
TID 7022937 – Security Vulnerability: Spectre Variant 4 (Speculative Store Bypass) aka CVE-2018-3639.
TID 7023075 – Security Vulnerability: Spectre side channel attack “Bounds Check Bypass Store” aka CVE-2018-3693.
TID 7023076 – Security Vulnerability: Spectre side channel attack “Lazy FPU Save/Restore” aka CVE-2018-3665.
TID 7023077 – Security Vulnerability: “L1 Terminal Fault” (L1TF) aka CVE-2018-3615, CVE-2018-3620 & CVE-2018-3646.