
Mitigating malicious websites

- Introduction -
- Mitigating requests -
- Mitigating Cloudflare -

Introduction

I will write something here, I swear.

Mitigating requests

Install uMatrix (FF / Chrome) or ηMatrix (Pale Moon). An icon should appear in the top right corner of the browser. Click it, and you'll be greeted with this view:

The default settings of uMatrix are not the worst, but still pretty bad - allowing trash to load from, for example, Google (the "2" in the above picture). To change that, click the asterisk:

Then, this happens:

You have now switched to a mode that will apply your settings to all websites (instead of just the website you are on, as is the default). Hover over the bottom half of the css column, like so:

Click once for this effect:

You have just changed the permissions for the css column from full allow (the default) to first party allow only. This means that sites will be able to load CSS files (styles) only from their own domain - instead of from Google (like the "2" in the first image) or anywhere else. Exactly what we want! Now click the domain name (not the .com!) like so:

This mode allows you to see how your global changes apply to the site you're currently on. Scroll up to the first uMatrix screenshot in this article and notice how the 2 CSS files from Google no longer have a green background. This means they will not load - uMatrix allows loading only the green stuff. Notice, also, that a padlock icon has become available to click. Do so - this actually saves the settings. Now, whenever you go to raypeat.com (or anywhere else), third party CSS files will not load - as that is the setting you have made global. Go back to the global mode (click the asterisk). Now, do the same thing to the image column that you did to the css column (click the bottom half, save). This should be the result:
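For reference, here is roughly what this looks like in rule form (the My rules tab, covered later). uMatrix rules follow a source destination type action syntax, and the matrix part of the stock ruleset is approximately:

* * * block
* * css allow
* * frame block
* * image allow
* 1st-party * allow
* 1st-party frame allow

After the two changes above, the * * css allow and * * image allow lines should be gone - third party CSS and images now fall back to the global * * * block. This is a sketch; your exact list may differ slightly between versions.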

This will prevent websites from loading third party images - which Ray Peat does not have, but the vast majority of other sites do. But this is still not enough mitigation. If you switch to the site mode (by clicking the domain name again), you will see that the whole raypeat.com row is green. This is because (in the global mode) the 1st party tile is green - ensuring all first party resources get automatically loaded. If you make it the brighter shade of red (the same way you did CSS and images), that won't be the case anymore. This is the preferred state - you can still be tracked by first-party cookies, shown advertisements by first-party scripts, etc. Just because a resource is first party does not mean it is desirable or safe. Anyway, here is how the result should look:

You might have noticed something weird. Despite the fact that we have disabled all first party resources, the frames are still green (allowed to load). This is because uMatrix by default has a rule to enable all first party resources, and then a separate one to enable all first party frames. Turn off the green frames as you did everything else. Then, turn the top frame tile (at the moment the darker shade of red) into the brighter shade of red. With this setup, uMatrix will deny everything aside from the HTML file you requested. This is how it looks (in the global mode):
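In rule form, those two defaults are the * 1st-party * allow and * 1st-party frame allow lines; turning the tiles off deletes them, and brightening the top frame tile also drops the (now redundant) * * frame block line. What should remain - again, roughly - is just the deny-everything baseline:

* * * block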

You can theoretically stay with this setup (and fix sites one by one), but it's not something I recommend. It will make most sites look funny - and first party images plus CSS are extremely rarely harmful. My setup, then, includes allowing those. Click the top part of the 1st party CSS tile, like this:

Then, move your cursor a little to the right and do the same with the image column. The result should look like this (this is still the global mode):
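If you open the My rules tab at this point, the matrix part of the ruleset should look roughly like this (a sketch - the scheme and switch rules are omitted):

* * * block
* 1st-party css allow
* 1st-party image allow

In other words: deny everything by default, allow first party CSS and images.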

Now say goodbye to the global mode, because you will never see it again (unless you want to go full hardcore and disable first party CSS or images by default). The whole point of uMatrix is to deny resources by default and allow them as needed to enable the website functionality you want. For that, you need to stay in the site mode - so click the domain name again. With the current setup, you deny almost everything that's possibly undesirable. And yet, most sites will still work perfectly fine. What if you find one that doesn't? Consider Euractiv. Though it loads 15 first party CSS files, it still looks clearly broken:

The uMatrix grid of Euractiv looks like this:

There are more requests down there, too. But we are only interested in the maxcdn.bootstrapcdn.com CSS ones (3 files). Click the top half of the tile with the 3 CSS files, like this:

This is how the Euractiv grid should look afterwards:

Remember - the upper half is enabling, the bottom half is disabling. Red is disabled, green is enabled. Only the requests with green tiles in the site mode get loaded. Oh, and you might be wondering why the bootstrap CSS you've just allowed is a darker shade of green. The darker shade appears for the tiles you have specifically allowed (such as the bootstrap CSS). The 15 first party CSS files and the 57 images are all allowed because of inherited global rules - which is why they are light. The same applies to the red shades. Dark is local, light is global. Functionally, it doesn't matter - all green is allowed, all red is banned. The only difference is in the information provided to the person sitting in front of the screen. Anyway, here is how the fixed site looks:

Much better ^_^. And all that with only one domain enabled over the default settings! What would a "minimal" browser do (or any without uMatrix installed)? Either allow everything - including the 15 useless scripts - or deal with a broken website. Anyway, there is no magic rule that determines which requests need to be allowed to fix a site. That knowledge comes from experience. It just so happens that the bootstrap CSS is a pretty common third party resource that is also necessary. But sometimes you will need to allow scripts, and even refresh several times so that new requests appear - which you will then also need to allow.
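For the curious, the Euractiv fix from above gets saved as a single site-scoped line in the My rules tab, sitting on top of the global ones - something like:

euractiv.com maxcdn.bootstrapcdn.com css allow

The scope (euractiv.com instead of *) is what makes its tile the dark, local green; the light tiles are inherited from the * 1st-party lines set up earlier.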

However, it is a myth that uMatrix is a chore to use. Again, most sites are readable out of the box, so you don't need to do anything at all - but you still enjoy the protection from all the undesirable stuff. If a site displays badly, you most often only need to allow one or two domains with CSS, images, or a cookie to keep logins working. This becomes second nature as you gain experience with uMatrix. Sometimes more tinkering is necessary (especially to make interactive stuff like searches work), but this is rare - and you can permanently save rules, anyway. So, the next time you come back to a site, it will work the way it did when you left it. Using uMatrix gets more effortless the longer you do it - so much so that, after you "cover" your most common sites, you almost don't notice it. All in all, uMatrix is the way to gain almost full control of what requests your browser sends to the websites you visit - with only a little effort (and much less than writing your own adblocker lists would take).

If you click the addon title (ηMatrix 5.0.0 in my case) you will enter the additional options panel. The defaults are pretty good. You can enable Collapse placeholder of blocked elements - this will prevent showing a big ugly square for e.g. a YouTube video that didn't load. By default, uMatrix lets websites store cookies on your disk - even if they're blocked. This still prevents cookie-based tracking, because blocked cookies are not sent to the website; but - if you don't want them sticking around - you can enable the option to delete blocked cookies. The other defaults are as they should be, except you can go to the Hosts files tab and disable them all. With the grid set up according to this guide, they are unnecessary and just add load. In the My rules tab, you can export your uMatrix settings in order to import them to another device later. This prevents having to redo your website fixes.

You might be wondering why I even wrote this guide. The addon is old and surely it's been covered over and over, right? Well, as usual, the other guides do not satisfy my standards. This one, for example, focuses on some other stuff instead of the beautiful grid. It takes them until the end of the page to mention the stuff that actually matters. And it covers a very old version of the addon, which does not even allow entering the crucial global mode. Another guide just talks and talks, and also tries to pull people away from the essential global mode. By doing so, they glorify allowing all the trash to load by default - and they pretty much admit it later: "The good news is that, as a beginner, you can ignore all the settings positioned to the right of 'all'." They also require JS and XHR just to see images, ironically making their site a good boot camp for uMatrix usage. It is also Cloudflared.

Mitigating Cloudflare

Use kill-9's guide to distrust Cloudflare certs (note: there might be some more CF certs now - burn them all). This will prevent you from visiting any website that uses Cloudflare's SSL certificate, but not the ones that have their own. See, Cloudflare has several options for SSL handling - and only Off and Flexible reveal their cert, which allows those sites to be blocked by the distrust method. A site can choose to pay $200 per month for Cloudflare's Business plan, which allows them to upload their own SSL certificate. EDIT: turns out getting a Let's Encrypt cert for $10 / month is possible with Cloudflare's Advanced Certificate Manager. Sites using either of these will not be blocked by the distrust method.
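If your browser keeps certificates in an NSS database (Firefox and its forks do), the distrusting can also be done from the terminal with NSS's certutil tool. A sketch, assuming you have saved one of the Cloudflare certs as cloudflare.pem - the file name and profile path here are placeholders, not real values:

# hypothetical paths - adjust to your own profile directory
certutil -A -n "Cloudflare distrust" -t "p,p,p" -i cloudflare.pem -d sql:$HOME/.mozilla/firefox/your_profile.default

The p,p,p trust flags mark the certificate as explicitly distrusted for SSL, email and code signing. Repeat for every Cloudflare cert you find - and, as noted above, there might be more of them now.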

To catch the sites that use Full SSL (an example would be Bitpay, if you want to test), or the Advanced Certificate Manager ones, you need to block the Cloudflare IP addresses on the firewall, router, etc. But there is no certainty that Cloudflare reveals all of their IPs - and they might add new ones at any moment, requiring the blocklist to be updated. This method will also not provide feedback in the browser the way the distrust method does.
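On Linux, a sketch of the firewall approach with ipset and iptables - Cloudflare publishes its ranges at www.cloudflare.com/ips-v4 (and ips-v6), though, again, there is no guarantee the list is complete:

# create a set of Cloudflare networks and reject outgoing connections to them
ipset create cloudflare hash:net
for net in $(curl -s https://www.cloudflare.com/ips-v4); do ipset add cloudflare "$net"; done
iptables -A OUTPUT -m set --match-set cloudflare dst -j REJECT

Re-fetch the list once in a while, since new ranges can appear at any moment.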

There is only one perfect way (AFAIK) to check whether a site is behind Cloudflare. First, type the command dig [website_address.com] into the terminal. As in dig naturalnews.com. Part of the reply will look like this:

;; ANSWER SECTION:
naturalnews.com.        300     IN      A       104.16.135.70

Now type the command whois 104.16.135.70. If the result contains things such as Cloudflare, Inc. anywhere - then the site is behind it. If it doesn't, it's not.
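If you do this often, the two commands can be chained into one line - a sketch (the grep is case-insensitive because whois output varies):

# prints a match if the first resolved IP belongs to Cloudflare
whois $(dig +short naturalnews.com A | head -n1) | grep -i cloudflare

One caveat: if the domain is a CNAME, the first line of dig +short may be a hostname rather than an IP - pick the IP line instead.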

The only way to actually visit websites behind Cloudflare safely is through the Wayback Machine. However, not everything is archived (though you can archive a page on your own, if the site allows it) and the interactive features on the sites won't work. And you have to archive all pages separately if the archive bot didn't already do it on its own. Edit: morty proxy also works, if you can find a few instances. You can then spread your profiling onto a few random people, instead of the Wayback Machine only. Edit 2: someone notified me that Ghostarchive is no longer Cloudflared, so you can use that instead of or in addition to the Wayback Machine. Using a separate browser for Cloudflared sites could also be considered a mitigation, but it is like visiting your abusive husband in a mask, hoping he doesn't detect you. You're still in his house, under his watchful eye, still affected by the things he does (e.g. the captchas you're shown on Cloudflared pages), and hoping he doesn't eventually expose you.
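As for the Wayback Machine workflow mentioned above: you can jump to the latest snapshot of any page by prefixing its address with web.archive.org/web/, and check whether a snapshot exists at all through the availability API - for example:

# redirects to the newest capture, if one exists
https://web.archive.org/web/https://example.com/
# returns a small JSON blob describing the closest snapshot
curl 'https://archive.org/wayback/available?url=example.com'

The first one is a URL you paste into the browser; the second is for the terminal.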
