Hardening privacy with a custom hosts file

I don’t care for companies casually collecting data on my web browsing habits, so one of the first things I set up on a new computer is a custom hosts file. The hosts file maps human-readable domain names (whatever.com) to IP addresses (192.168.0.1) and on most operating systems is consulted before checking an upstream DNS server, which means you can block domains you would prefer your computer not contact.

(Note that on some earlier versions of OS X, it is not true that hosts is consulted first. However, in 10.9 and 10.0, it appears to be.)

The reason I do this is not to block ads — it’s primarily to block tracking. Most ads bring tracking along for the ride, so blocking the trackers has the side effect of blocking a lot of ads. However, I’m happy to accept plain HTML ads that do not include tracking.

A custom hosts file can also provide a baseline level of protection against known malware and phishing sites.

The easiest way to set this up is with a hosts file updater that will track trusted host blocking lists and reload them for you when they change. On OS X, I use Gas Mask. On Windows, I use HostsMan.

There are several blocking lists to choose from. I settled on the following three:

– http://someonewhocares.org/hosts/hosts
– http://winhelp2002.mvps.org/hosts.txt
– http://www.malwaredomainlist.com/hostslist/hosts.txt

On Gas Mask, simply add these three URLs as remote sources and activate them as a combined hosts file. The process is similar in HostsMan.

That’s pretty much all there is to it. To make sure it’s working, pop open a Terminal window and try to ping one of the blocked domains. It should be unsuccessful.

Allowing a remote entity to change your hosts file does introduce the possibility of a MITM attack, since whoever controls the list controls what your machine resolves those names to (for example, if one of the above source URLs gets hijacked), so be mindful of that should you decide to go this route.
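As an added illustration (my own example, not part of Gas Mask or HostsMan) of what the updater is doing when it combines the three sources above, and of the check that addresses the hijacked-list risk just mentioned: the script below parses hosts-format text, merges it into one file with every blocked name pointed at 0.0.0.0, and rejects any entry that maps a name to anything other than a sink address, because such an entry would redirect traffic rather than block it. The source names and list contents are constructed samples, not the real lists.

```python
import re
from typing import Dict, List, Tuple

# A blocklist entry may only point a name at a sink address; anything else
# would redirect the name to a real host instead of blocking it.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}
# Names every list ships for the local machine; never treat these as blocks.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
HOST_RE = re.compile(r"^[a-z0-9_.-]+$")

# Constructed sample sources in hosts-file format (not the real lists above).
SAMPLE_SOURCES = {
    "listA": "127.0.0.1 localhost\n127.0.0.1 tracker.example   # comment\n",
    "listB": "0.0.0.0 ads.example\n0.0.0.0 Tracker.Example\n\n",
    "tampered": "203.0.113.5 bank.example\n",  # redirect, not a block
}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, skipping blanks and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        entries.extend((address, name.lower()) for name in names)
    return entries


def merge_blocklists(sources: Dict[str, str]) -> Tuple[str, List[str]]:
    """Combine several lists into one hosts file; report rejected entries."""
    blocked, rejected = set(), []
    for source, text in sources.items():
        for address, name in parse_hosts(text):
            if name in LOCAL_NAMES:
                continue
            if address not in SINK_ADDRESSES or not HOST_RE.match(name):
                rejected.append(f"{source}: {address} {name}")
                continue
            blocked.add(name)
    lines = ["127.0.0.1 localhost", "::1 localhost", ""]
    lines += [f"0.0.0.0 {name}" for name in sorted(blocked)]
    return "\n".join(lines) + "\n", rejected


def is_blocked(hosts_text: str, domain: str) -> bool:
    """True if the combined file maps the domain to a sink address."""
    wanted = domain.lower()
    return any(a in SINK_ADDRESSES and n == wanted for a, n in parse_hosts(hosts_text))
```

Any entry reported in the rejected list is a reason to stop trusting that source rather than something to silently drop.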

I find that on very rare occasions a website’s core functionality fails to work because it is unable to source JavaScript from a blocked domain. If this happens, simply restore the original (empty) hosts file temporarily. Don’t forget to put your shields back up when you’re done.

The second best way to protect your privacy is to uninstall (or never install) Flash or the Java runtime. Do this too, while you’re in there! At a minimum, install a browser extension that prevents Flash or Java content from running unless you explicitly allow it, such as ClickToPlugin or ClickToFlash.

No technique that I know of prevents all tracking, so this is certainly not foolproof, but I find it more comforting than having my presence effortlessly scooped up and data-mined by sites using conventional analytics tools.