drduh / macos-security-and-privacy-guide Goto Github PK

Regarding the firmware password.
It is possible (and rather easy) to remove it with physical access to the machine via a SPI flasher.
It is good enough against lame thieves that have no info on how to do this but there are specialised flashers for this purpose being sold on the Internet so it's a protection on a limited threat scenario. Still it is recommended to have one anyway.

Best,
fG!

Since Mavericks, every OS X installer has included a tool to make installation media automatically. It's called createinstallmedia and it can be found in /Applications/Install OS X Yosemite.app/Contents/Resources/createinstallmedia. Run it in terminal with no arguments and it should explain how it's used. Faster and more reliable than flashing InstallESD.

Hello,

I understand you probuably dont want to add to much information on this subject but maybe something nice to add:
https://github.com/TheCreeper/PrivacyFox

I followed the instructions to set up dnsmasq. As soon as I reach this step, I lose access to the internet:

sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1

I tried clearing my DNS cache but that did not work. I'm running OS X El Capitan.

Hi,

I'm the OS X maintainer for Privoxy. The Homebrew recipe for Privoxy installation is weak in a number of regards, chief among which is that it leaves Privoxy running as root which is of course an unnecessary security risk. The supported installer (available at http://sourceforge.net/projects/ijbswa/files/Macintosh%20%28OS%20X%29/) does not suffer the weaknesses of the Homebrew recipe (it is also as easy to uninstall and includes complete instructions for configuration and obtaining support). Please could you consider altering the HTTP section of your instructions to point readers to this installer instead of using Homebrew?

Separately, many thanks for creating this guide - I've been reading through it with great interest!

Regards,

Ian Silvester

Is there any risk by allowing these options in Syst. Prefs - Security - Confidential: ~
o send diagnostic data to Apple
o share with third party app developers

What's your opinion?
Data are sent, some might be giving a lot of details, are they even encrypted?

A problem with downloading OS disk images (as opposed to receiving them on mass-produced physical media like CDs) is the threat that you receive a "special" version that is somehow compromised.

The threat model here is both Apple trying to slip you with a special version of OS X if it wants to spy on you, or a third party messing with your copy.

While there is no way for us to know the "true copy", it might be useful to include a hash of a disk image of OS X that we believe to be un-tampered. This way, if you come across a disk image with a different hash, you know something is fishy.

What about adding a new section, testing checking tools and services.

Check Browser Vulnerabilities
https://browsercheck.qualys.com
https://www.browserleaks.com
https://www.browserleaks.com/webrtc
https://www.browserleaks.com/firefox
https://www.poodletest.com - Check if browser is vulnerable due to SSLv3 via block ciphers support.
http://browserspy.dk - Show all the information a browser releases.

Check DNS Leak
https://dnsleaktest.com - Test if your defined DNS servers are leaking information, even when using a secure anonymity or privacy services.

Check Network Vulnerabilities
http://www.speedguide.net/scan.php - Scan Ports for vulnerabilities
http://www.speedguide.net/ports.php - Ports Database of known vulnerabilities
http://www.acunetix.com/free-network-security-scan

Check SSL of a Web Server
https://www.ssllabs.com/ssltest - Deep analysis of the configuration of an SSL web server

Informations
http://whoer.net - Information about the DNS you are using, not just a simple show IP tool.
http://lg.sdv.fr - IP4/6 Looking Glass and BGP map tools.
http://www.team-cymru.org/IP-ASN-mapping.html - map IP numbers to BGP prefixes and ASN for WHOIS, DNS and HTTP(S).
http://speedtest.net - Test you internet speed, useful to know the impact of using a VPN,...

Device Finger Printing
http://noc.to - Device Finger Printing test and reports. Source Code
https://panopticlick.eff.org - Raw DFP results
https://amiunique.org - Detailed DFP results and ressources.

Anti-Virus Comparatives
http://www.av-comparatives.org
https://www.av-test.org

Miscellaneous
https://geti2p.net - I2P is anonymous overlay network for privacy protection.
https://www.wireshark.org - WireShark is a network protocol analyzer.
https://nmap.org - "Network Mapper" for network discovery and security auditing.
http://sectools.org - Extensive list of 'all' security tools.
https://nordvpn.com/chat - Online secure encrypted chat.
https://nordvpn.com/secret-notes - Create a message that will be destroyed after first reading.
http://contagiodump.blogspot.be - Collection of latest malware samples, threats, observations and analyses.

Stay informed to react asap to new threads and security issues as updates and patches are always appearing several days afterwards... sometime even never.

http://www.scmagazine.com/apple-patches-zero-day-to-no-avail/article/436512/?DCMP=EMC-SCUS_Newswire&spMailingID=12305959&spUserID=MTU3ODkzNDMwODgxS0&spJobID=620208846&spReportId=NjIwMjA4ODQ2S0

http://www.securemac.com

http://arstechnica.com/security

https://www.exploit-db.com

https://securelist.com

http://www.greycoder.com

https://www.sans.org/security-resources

https://www.qualys.com/company/newsroom/media-coverage

http://mobilesecurityreport.com
http://www.hotforsecurity.com

http://www.esecurityplanet.com/news
https://www.f-secure.com/en/web/labs_global/from-the-labs

Instead of

brew install gpg

suggest using

brew install homebrew/versions/gnupg21

See this for more details

Nice write-up! I've done something similar a while ago: https://github.com/l1k/osxparanoia
Maybe you want to add some of my findings to your text or include that in your link list.

Not an anti-virus/malware, more a security monitoring and reporting tool for desktop computers, laptop, virtual machines and servers!

Really great, just installed it on our 5 devices.

What advantage I see with gears: if one of 'your' devices is 'compromised' you can warn its owner to avoid to connect to others and take action to restore it.

Free for 25 devices.
https://www.opswatgears.com/

Hello,
Sorry, don't have time to write it 'correctly' for a merge, I make a copy/paste from my ugly site ;-)

First, may I suggest to add a table of contents/index on top for main subjects.

I have no link with the following, I am using several of them.

Thanks,

Stf

For your VPN chapter and other tools/services you can find very great deal (sometimes free for life) at

Concerning VPN, I have bought 3 for-life deals (ipnator, vpnunlimited and tigervpn), I will try to make a small report about them, how they are on a mac (and android).

StackSocial.com
Giveaways and deals available for just few days of normally paying software, hardware, tutorials, bundles, gadgets... Some discount are up to 99%, some are free or you give your own price.
Pay attention, some offers can be cheaper on other shopping sites

If you want to thanks me for sparing you hundreds of dollars you can click on my affiliate link
https://stacksocial.com/?rid=1465893

StartSSL.com
Free 256-bit SSL Certificate (Class 1) including Web server certificates (SSL/TLS), Client and Email Certificates (S/MIME).
With a 128 bits and 256 bits encryption, 10000 $USD insurance guaranteed.
Valid one year and can be renewed for free.

https://www.comodo.com/home/email-security/free-email-certificate.php
Free for personal/home users and 12 USD/year for business users.
Comodo free email certificate provides digital signature for confidentiality, secure encryption, protect against identity theft, integrates with MS Office and usual applications, trusted by most email clients.
Check their free products page: antivirus, security tools, total uninstaller, firewall, rescue disk, backup...

SSLlabs.com
Free online security testing tools: SSL Server Test checks the configuration of SSL web server, SSL Client Test lists all SSL/TLS capabilities of your browser and SSL Fingerprint test.

Abine.com
Free temporary masked emails. Also encrypted passwords, protect credit card and phone numbers, block hidden trackers, auto-fill, sync...

SpamFence.net
Free spamfilter services, 99% accuracy and no false-positive!

Objective-see.com
(1. KnockKnock UI - list persistently installed programs to reveal potential malware.)
2. Dylib Hijack Scanner - list apps which can or have been hijacked by malicious dynamic libraries.
3. BlockBlock - prevent installation of any persistent programs without your authorization.

Bleep.pm
Highly secure, p2p, encrypted and native messaging application.

Fruux.com
Manage and synchronize contacts, calendars and tasks.
A very good backup.

Is it worth elaborating slightly on secure backup strategies and recommend some ways of performing zero-knowledge off-site backups where only you have access to the encryption key used?

https://www.arqbackup.com/
https://spideroak.com/

2FA - Two-Factor Authentication for Websites and Mobile Apps

google authenticator and authy
authy is easier and more features, also more simpler when start using a new device!

https://support.google.com/accounts/topic/28786?hl=en
https://en.wikipedia.org/wiki/Google_Authenticator
https://www.authy.com/

Hi,

Thanks for the guide. Do you think setting up a non-admin and running under that along with an admin account for other things should be added, after the installation section? Running anything with elevated permissions is asking for trouble, especially a user account.

It might be worth noting that there are ~/Applications and ~/Library/LaunchAgents and ~/Library/Frameworks folders that can all be used instead of installing things system wide.

I'm happy to put these in pull requests if you agree they're worth it.

Regards,
iain

Hi,

Can someone verify these hashes for the InstallESD.dmg file are what I have here for the 10.11.1 installer I downloaded from the Mac App Store yesterday? The guide needs to be updated with the new ones.

InstallESD.dmg

SHA-256: 6275929722c35674fce90d2272d383d49696096e8626ee7f7900dd0334167a9a
SHA-1: 306a080c07e293b6765ba950bab213572704acec

Also, what's the new build number? That info needs changing too I guess.

Cheers.

Hello,

Thank you for this guide! I totally understand what I'm doing with this. However i got 2 things. The first is that you actually don't have to download the updates 10.10.4 and 10.10.5 anymore. Apple updated Yosemite to 10.10.5 for download in the app store.

Now the second one. On the subject Services you wrote a script:
function disable_agent {
echo "Disabling ${1}"
launchctl unload -w /System/Library/LaunchAgents/${1}.plist
}

What language is that? is that applescript? because I'm not really much into programming yet and don't know how to run it.

prov3it

Open this thread to add resources and info about El Capitan.
Some might be obsolete.

https://en.wikipedia.org/wiki/Sparse_image

http://osxdaily.com/2015/09/29/prepare-mac-os-x-el-capitan/
http://osxdaily.com/2015/09/30/create-os-x-el-capitan-boot-install-drive/
http://osxdaily.com/2015/10/01/clean-install-os-x-el-capitan-mac/
http://osxdaily.com/2015/10/09/howto-downgrade-os-x-el-capitan-mac/

http://osxdaily.com/2015/10/05/disable-rootless-system-integrity-protection-mac-os-x/
http://osxdaily.com/2015/05/04/disable-gatekeeper-command-line-mac-osx/
http://osxdaily.com/2015/10/12/secure-empty-trash-equivalent-mac-os-x/

I have a machine w/ a few different users. In order to make privoxy work for all users, I need to put the privoxy *plist in LaunchDaemons, not LaunchAgents. Is there a reason I should not do this? Both dnsmasq and dnscrypt are setup through LaunchDaemons.

Hi!

this line:

Don't use any of those Chromium-derived browsers. They are usually closed source, poorly maintained and make dubious claims to protect your privacy.

seems to contradict your earlier recommendation of Chrome (which is Chromium-derived). Perhaps clarify what you mean by "those Chromium-derived browsers"?

thanks.

So I know this isn't fully just for OS-X but knowing some linux commands I think would be really helpful. What do you think of adding a small section labeled linux commands and we can add some common ones which would be helpful. An example is: netstat, or ifconfig/ipconfig

Let me know and I can start working on this and submit a pull request

Hi DrDuh,

Up to you to evaluate and see what to do with these sites, remarks, questions or explanations collected from....., some are above my ItQ 👀

Sorry for my usual mess.

Thank you,

• Perhaps add for some chapters, also how to uninstall software (e.g. dnsmasq, dnscrypt...)
• OS X VPN settings - Option tab ~"send all trafic on the VPN"
  what's not going on the VPN if this option is disabled?
• OS X Network - Proxy ~"ignore proxy for hosts and domains"?
  I think this "*.local, 169.254/16" is by "default".
  What to do?
• OS X Firewall - Advanced tab: set a small delay and require pw.
• OS X - Users & Groups - ~Open/launch !
  You can remove an application that launch at startup, even without unlocking the dialog (orange locker bottom left)!!
  Is it possible to avoid that stupid possibility... Already report that several times to Apple years ago...
• Should we disable IP6, as it seems that in some cases using both IP4 and IP6, this might leaks information?

https://letsencrypt.org
https://github.com/okTurtles/dnschain

http://thehackernews.com/2015/10/nsa-crack-encryption.html

http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html

FOR FASTER VPN

• router with UPnP ON (security risk, probably not needed if NAT maps automatically
  FOR BETTER PRIVACY
• random port and NAT auto-open/map
• block bad/dangerous/snooping peers
• add a proxy
• use non-proprietary DNS servers

VPN for privacy... but VPN are always starting after other programs which might already have accessed internet...

Paranoia
Who is behind these testing websites.
Nice places to collect data, browser fingerprints... especially when you are testing your 'uncompleted/unsafe' configuration.

whoer, browserleaks, ipleak and similar, why so many 'secret/domain-by-proxy...' whois?

We use Google Public DNS server, which we consider unproblematic. It is not only the biggest public server with over 130 billion requests per day and works fast, but also does not store personally identifiable information nor IP-addresses permanently and all temporary logs are deleted after 48 hours at the latest. (from a VPN provider... don't remember)

Though Google DNS Resolvers are censuring several kinds of sites and are among companies providing data to bigbro...

2FA
Don't forget to have a 'backup', e.g. like printed code for Google Authenticator, in case your phone is down.

I know that you already have a comment warning people that "VPN software [typically] overrides DNS settings on connect". However, I wonder if we can do better than that? By adding a pf rule to redirect all udp 53 traffic to the local dnsmasq (to prevent the network config nameserver setting having any effect) and only permit dnscrypt to perform the outgoing lookups (either trivially, using a non-53 port for the public server, or with a more advanced pf rule). Then we can add a small entry under the DNS section to explain how people may add additional server entries to their dnsmasq config to direct DNS queries for certain domains to specific upstream nameservers and hence only use the companies nameserver for looking up private domains within the company, and not sending all their DNS traffic that way.

e.g., server=/internal.example.com/192.168.100.1 will direct all queries in the internal domain to the correct nameserver. You can specify more than one domain in each server option. If there is more than one internal domain, you just include as many server options as is needed to specify them all.

I've noticed if you use OS X's VPN client (I have not tried openvpn) that if for some reason the VPN disconnects OS X will then start sending traffic over the next interface available. I'm not sure if there are any easy workarounds (I've seen posts where people setup the firewall to drop most traffic on the non-VPN interfaces) or if using openvpn can solve this problem (in which case, perhaps that should be made note of).

I noticed the SIP section included in the guide but it doesn't have much on disabling it and since SIP is enabled by default. Obviously, it is super trivial to just type:

# csrutil disable

At the bash prompt, however if you do not do it you can't follow the guide. None of the changes will hold, if they are even possible.

• All of the luanchctl commands fail and can not find any services running
• All of the roots can not be removed without disabling
• No applications that are "essential" can be removed without disabling it.
• Root directory access is limited and read only for many directories including /etc

After removing it the following programs can be deleted:

1. messages.app

• may need to rm -rf chatdb by force as it runs recursively and prevented trash to delete it.
  1. game center.app
  2. chess.app
  3. photo booth.app

If you dump too many programs or services the OS WILL destabilize. I unloaded many services as well. I unloaded all of the ones in the guide without too many issues.

Stability Other services and daemons (and possibly some of the below) can cripple and destabilize the OS. It seems to rely a lot more heavily on the core services and CPU spikes seem to occur due to persistant connection attempts or program requirements.

FirmwareYou can not dump ram with this PW enabled, which is a bitch. This has always been the case, but it isn't mentioned. If there is a way to do it, would love to know.

Dump unused Languages You CAN NOT dump unused languages with monolingual unless you are running rootless.

tl;dr please include csrutil disable in the guide as running does not seem possible without doing that first.

I could submit a PR for this but I'm not sure where to put them in the guide or how useful they will be over the tools and guides mentioned already so it's up to you to add them.

CIRCL automatic launch object detection for Mac OS X
Python script for updating the hosts file
CIS's Security Benchmark for OS X

May I suggest a section, of few additions to mention useless/weak and/or holes in protections/tools/settings and if the available alternatives.
Sorry no time to do it.
Thanks for your great work.

VPN - PPTP, useless unsecure, better than nothing
VPN but still use ISP DNS, not all exchange through VPN and VPN with DNSLeak-browser involved
VPN disconnect without killswitch (block all communication if vpn stops)
VPN and accessing your usual accounts, eg gmail, webmail, contacts...
WIFI - WEP
Mobile phone/Computer with Location activated
Browser Finger Print, uses one only for secure works, another for whatever
HTTP with MiTM, move to HTTPS

You get the idea...
Forgot this one, still used by so many, not by the audience here of coz :-) Zip passwords !

not related to security as such, but if people are running the dnsmasq.conf from this guide as-is, it might make sense to include cache-size for tuning local caching of replies

# Set the size of the dnsmasq cache. The default is to keep 150 hostnames
cache-size=8192

similarly, as we only want to perform lookups via the config's server= directives we should explicitly disable use of the resolv.conf for determining available nameservers

# forces dnsmasq to queries strictly  in  the  order  they   appear
strict-order

# prevent dnsmasq from reading /etc/resolv.conf or any other file
no-resolv

I've been a long time user of the streisand project.
I'm also an user of dnsmasq for development purposes (to redirect all *.dev domains to localhost)
So, reading about dnscrypt on your guide, it seemed like an easy addiction to get some extra level of privacy.

Your instructions were crystal clear, and after the setup, everything worked fine... Until the moment that I connected to my VPN using tunnelblick.

Most VPNs override the DNS settings, and therefore they break with dnscrypt.
Has something like this happened to you before? If so, how did you fix it?

Using Chome as a recommended browser is a bit confusing.

Why would anyone go through all of the trouble to secure an OS X system, but then use a closed-source browser that has a history of consumer privacy issues?

In El Capitan OpenSSL's libraries are still provided but headers have been removed from the OS X SDKs. As a result, you should no longer encourage the use of brew link openssl --force as clang's default link and library paths mean that you may end up using newer Homebrew OpenSSL headers but link against the older, system version.

For a reproduction example see https://gist.github.com/tdsmith/4b502c5cc6e7d358acdf

Hi I use this once in awhile but its a great framework developed by the security folks at Facebook and Etsy. If possible we could do a small write up regarding MIDAS. Let me know what you think

Hi,

In the advanced settings of the firewall in OS X, there's a checkbox named "Automatically allow signed software to receive incoming connections". This checkbox is enabled by default on a new install of 10.11.1.

While one should be in control of what software is running and listens on ports, perhaps we should encourage setting this to off? Just because a software is signed doesn't mean we want incoming connections to it to be allowed by default.

Hello,

littlesnitch just block a netbios outgoing link while I was modifying the firewall.

action: deny
direction: outgoing
process: /usr/sbin/netbiosd
owner: system
destination: 185.94.111.1
port: 56198
protocol: 17

IP from qRator, Russia which collects lot of network data and provides interesting results.

Are the weaknesses of your ISP or Web Hosting Services could have a direct impact?

Thanks,

185.94.108.0 - 185.94.111.255
netname: RU-QRATOR-20150331
% Information related to '185.94.111.0/24AS197068'

route: 185.94.111.0/24
descr: radar.qrator.net scan network

Protip: Use your Mac a little before turning on the fileVault encription. Install Programms, Setup First and click around to make your system Generated Random key stronger.

Can I ask if it i possible for someone to provide friendly instructions on how to disable the bonjour multicast in OSX El Capitan 10.11 ? (btw discoveryd is out and mDNSrespoder... is back)

I really appreciate the work you've done in the Security and Privacy Guide.

I'm interested in how you implement the "Services" section.

Do you incorporate the functions there via a login script (.profile, .bashrc, etc.)

Or do you run them manually?

When I run them manually, I'm required to authenticate some of the services, which would make login script implementation cumbersome.

Just wondering how you do it, and perhaps adding those instructions to the README.MD.

Thanks again for a great guide!

The last dnscrypt upgrade through homebrew changed the path to the dnscrypt-resolvers.csv file from /usr/local/Cellar/dnscrypt-proxy/1.6.0/share/dnscrypt-proxy/dnscrypt-resolvers.csv to /usr/local/Cellar/dnscrypt-proxy/1.6.0_1/share/dnscrypt-proxy/dnscrypt-resolvers.csv
Is there any way to automatically correct those changes, so it doesn't break the homebrew.mxcl.dnscrypt-proxy.plist on each upgrade?

Don't know where to add this two free applications...

UTM Home Edition
https://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx
Free Home Use Firewall is a fully equipped software version of the Sophos UTM firewall, available at no cost for home users – no strings attached. It features full Network, Web, Mail and Web Application Security with VPN functionality and protects up to 50 IP addresses.

Requires a dedicated newly formatted PC, not a Mac.
I like this feature: can use multiple Internet connections at the same time, giving you more bandwidth.

UTM Essential Firewall
https://www.sophos.com/en-us/products/free-tools/sophos-utm-essential-firewall.aspx
Free version of the Sophos UTM software and offers fundamental security functions to help protect any business network. Start today and implement a firewall into your company’s IT environment—without charge and no strings attached.

instead of

brew install openssl && brew link openssl

it should be

brew install openssl && brew link --force openssl

For those who think an AV is a good thing... private joke

It is here, menu FREE - freebies.

https://stacksocial.com

If you want to be nice, you can click my affiliate link below, even if I get nothing on this one... it is free :-)

https://stacksocial.com/?rid=1465893

Thanks

Obviously no-SSHd running is the most secure option, but as it is a typical service that people might run for secure access, particularly in the non-laptop case, then recommending some hardening options might be sensible:

sudo tee /etc/sshd_config <<EOF
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
EOF

The options are taken from travis-ci's osx slave config. Essentially these would only permit ssh login using public key authentication against an entry in the given $USER's authorized_keys file, all other forms of password-based auth are disabled. If the suggestion in #9 gets added, then you probably also want to add the 'Administrator' username to DenyUsers in sshd_config as well. Running brew install fail2ban could be a recommended hardening step as well.

There are probably further restrictions that could be added, such as choosing a random unassigned port to open for SSHd access via the Port xxxx directive in sshd_config. Similarly, enforcing only the most secure ciphers are used via the Ciphers and MACs options.

Hi,
I just started reading the guide and since imaging is my day job I was happy to see that you started with a solid introduction to deploying OS X. However I'd like to propose some changes to the first section:

• It's best to build the image using a full installer of the latest version of OS X downloaded from the App Store (currently 10.10.5 14F27). Do not build a 10.10 14A389 image and apply the combo update to it as updates are meant to be installed on live systems and occasionally causes headaches.
• Avoid including extra packages on the image, it'll only make it a pain to maintain and update. Also many packages are badly written and don't install correctly (see https://github.com/MagerValp/AutoDMG/wiki/Packages-Suitable-for-Deployment).
• Rather than installing packages into the image you can include them but install them on first boot, e.g. with Outset: https://github.com/chilcote/outset
• Even better, it's easy to set up Munki for software management, this way you can keep your machines updated too: https://github.com/munki/munki
• If you build your image with AutoDMG a recovery partition should be included in the image and created automatically when you restore with asr. If for some reason it's missing you can create a package that will create it for you (again using the latest OS X installer): https://github.com/MagerValp/Create-Recovery-Partition-Installer

Now on to reading the rest of the guide... :)

I found another interesting computer forensic tool that could he useful to people. Its called OSXAuditor and its a great tool to extract information from a mac. And best of all, its open source!! =)

Here is the github link: https://github.com/jipegit/OSXAuditor

I can do a small write and submit a pull request on it as well

Hi drduh, hi rishadafc,

I do have the same problem like rishadafc, but I have not found an solution yet.

If I run "defaults read /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist" the following appears
{
KeepAlive = 1;
Label = "homebrew.mxcl.dnsmasq";
ProgramArguments = (
"/usr/local/opt/dnsmasq/sbin/dnsmasq",
"--keep-in-foreground",
"-C",
"/usr/local/etc/dnsmasq.conf"
);
RunAtLoad = 1;
}

If I run "sudo /usr/local/opt/dnsmasq/sbin/dnsmasq --keep-in-foreground -C /usr/local/etc/dnsmasq.conf" the following appears
dnsmasq: failed to create listening socket for 127.0.0.1: Address already in use

Do you know a solution for my problem? Thanks a lot and best regards, Jonas

Don't know if you like this kind of explanations, some are already the main document.
Perhaps a small brief summary, something like

Firefox
OFF - Download abcde
ON - Stop this

Here is one I was not aware of:
http://www.makeuseof.com/tag/google-is-secretly-recording-you-heres-how-to-make-them-stop/

Unfortunately its currently Firefox-only as Chrome hasn't supplied the necessary hooks yet, but it is still probably worth linking to Certificate Patrol.