Wednesday, October 29, 2008

TOR Approach

Although TOR and JonDo aim at the same thing, their approach is different. The JonDo traffic path is static, protected by the independence of screened companies. TOR seems to rely on randomness and safety in numbers.

Everybody can be a TOR relay, even your PC. TOR also changes path every 10 min or so, very much unlike JonDo. So unlike JonDo, it's pretty hard to sniff the entry and exit nodes, because they change for a particular connection.

TOR has a P2P feature that should be helping its speed. If you run a relay, it should help with the network traffic, hence helping yourself at the same time. However, individuals don't want to be exit nodes, whose IPs will be exposed to whatever TOR users are doing. There is the option to avoid this. Also, since TOR allows all sorts of network traffic, not only HTTP, I suspect that it got slowed down a lot by BitTorrent users.

Because of the large number of nodes across many countries, TOR will probably be the least affected by data retention. However, there need to be alerts when all nodes in a path are in Germany.

When you sniff on a single entry or single exit node, because the TOR path changes very often, any user is bound to pass through these nodes at times. This can be avoided by limiting the number of entry (or exit too?) nodes to hop through.

JonDo avoids crooked nodes by legal contracts and inspections. In TOR, any crooked node can join the network at any time. If your adversary installs large numbers of high capacity nodes into the network, your anonymity can be seriously affected. The entry nodes have your IP, while the exit nodes have the URL and unencrypted contents. Again, it needs only one uncompromised node to protect your identity.

TOR seems to be usable during early morning in Europe. It's fail-safe to download the TOR browser bundle, which includes the TOR client, a GUI controller, a browser, and a software proxy to filter out unsafe content. The bundle also comes with a "universal" IM client, with your IP protected by TOR. But a few of the popular IM services won't work.

TOR has some interesting features, such as publishing web content on your PC while hiding your IP. The same hidden service is used in the TORchat bundle, which is a secure serverless chat client, where each user is only identified by a static long code word.

Interestingly, one can chain TOR and JonDo together using the proxy option in JonDo. In theory it doesn't make the path more secure. But practically, the more nodes are included, the less likely it is for rogue nodes to break anonymity, and the less likely court orders are to be effective.
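As an added illustration (not from the original post) of the adversarial-node argument above and of the chaining remark: a small Python model of how often a session is exposed under each design. The adversary fraction f, the number of 10-minute circuit rotations, and the per-mix probability p are assumed inputs, and the model treats relay selections and mix operators as independent, which is the simplifying assumption behind the "only one uncompromised node" argument.

```python
"""Exposure model for the adversarial-node argument (added example).

Assumed model, for illustration only:
- Tor-style: a circuit is deanonymised only if BOTH its entry and exit
  relays belong to the adversary, who controls a fraction f of relay
  selection weight. Circuits are rebuilt every ~10 minutes, so a session
  of T rotations is exposed if any single circuit was.
- JonDo-style cascade: a static chain of m mixes; the user is exposed only
  if ALL m operators are turned (independent probability p each).
- Chaining the two: both systems must fail (assumed independent).
"""
import random


def tor_exposure(f, rotations):
    """P(at least one circuit had adversarial entry AND exit) over T rotations."""
    return 1.0 - (1.0 - f * f) ** rotations


def tor_exposure_fixed_entry(f, rotations):
    """Entry relay chosen once and kept (the 'limit the entry nodes' idea):
    exposed iff that entry is adversarial AND at least one rotating exit is."""
    return f * (1.0 - (1.0 - f) ** rotations)


def cascade_exposure(p_per_mix, mixes):
    """Static cascade: every one of the m mixes must cooperate."""
    return p_per_mix ** mixes


def chained_exposure(p_first, p_second):
    """Two independent systems in series: the adversary must beat both."""
    return p_first * p_second


def simulate_tor(f, rotations, trials, fixed_entry=False, seed=1):
    """Monte Carlo cross-check of the closed forms above."""
    rng = random.Random(seed)
    exposed = 0
    for _ in range(trials):
        entry_bad = rng.random() < f          # used only when fixed_entry
        hit = False
        for _ in range(rotations):
            if not fixed_entry:
                entry_bad = rng.random() < f  # fresh entry every circuit
            exit_bad = rng.random() < f
            if entry_bad and exit_bad:
                hit = True
                break
        exposed += hit
    return exposed / trials


if __name__ == "__main__":
    f, day = 0.10, 144  # 10% adversarial weight, 144 ten-minute circuits a day
    print(f"Tor, rotating entry, one day : {tor_exposure(f, day):.3f}")
    print(f"Tor, fixed entry, one day    : {tor_exposure_fixed_entry(f, day):.3f}")
    print(f"3-mix cascade, p=0.1 each    : {cascade_exposure(0.1, 3):.3f}")
    print(f"3-mix cascade, p=1.0 (one jurisdiction): {cascade_exposure(1.0, 3):.1f}")
    tor_then_cascade = chained_exposure(tor_exposure_fixed_entry(f, day),
                                        cascade_exposure(0.1, 3))
    print(f"Tor (fixed entry) chained with cascade  : {tor_then_cascade:.5f}")
```

With 10% adversarial weight and a day of rotating circuits the exposure is about 0.76, while keeping a fixed entry caps it near 0.10; a cascade whose operators all fall under one court order (p = 1) gives 1.0 regardless of mix count, which is the data-retention concern raised later on this page.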

Tuesday, October 28, 2008

Practical JonDo

Because the speed of JonDo is pretty decent, and it's free, I recommend it for many casual uses. As a matter of fact, I'm now writing this blog via JonDo.

I will certainly use it in internet cafes, wired or wireless, if I want privacy. I'll also use it at work or school to keep my secrets from IT people. The key is the encryption, of both your URLs and content.

I will use it to secure Yahoo web mail. That is encrypted only when you log in, meaning that your password and your username are secret, but your email content can be sniffed by neighbors and IT coworkers. JonDo encrypts the whole thing, as with the secure option in Gmail. At the email servers, somebody may still like to peep at emails, but they have no idea who the emails belong to.

There's no strong reason to hide your IP, because in theory it needs a court order to reveal your identity, but if you know the right person at Earthlink, maybe a beer will do.

Very often, you want to change your IP often. For dial-up, it should be different every time. For most broadband ISPs, you can "reset" your IP every day without too much trouble. (You are still traceable.) You want to have different IPs so others can't put two and two together. For example, if you have two email accounts, you don't want the recipient to know that you are the same person. It's elementary for discussion board trolls. In the blogosphere, you can spread your personal details in different blogs or comments without fear of identification in real life. Say you have 3 dogs and 2 twins, living in a small town in Washington, with the name John: your neighbor will immediately think that it's you. Wordpress logs IPs automatically, and you can add scripts to other blogs to log statistics and IPs.

Actually, JonDo is pretty weak in protecting your ID, because they have only a few IPs. So even if your IP is well hidden, it's easy to know that it's the same person calling. For example, how many JonDo users will be visiting your blog? Yeah, about one. Even worse, the few JonDo users are seen as one, and it's hard to convince webmasters otherwise. Also, in TOR it can be seen that you are visiting from all over the world, but JonDo only visits from Germany.

For the JonDo client, there's no need to set anything, but you have to pick the cascade yourself. Any paid cascade has 3 mixes to be safe, but there could be only 50 users, which may not satisfy your security requirements. The free cascades all have only two mixes, and there is the test service where both mixes are run by the same university, most likely side by side. With at most a few thousand users, the traffic can be very different in different cascades, so you have to select the faster and safer cascade from time to time, manually. This is not going to change with the ramping up of paid services.

For the browser, I can only recommend JonDoFox, basically Firefox 3 with correct settings and loads of extensions, some of which cannot even be modified. If you see how many extensions they put in to secure the browser, you probably won't want to set it up yourself. The setup provides you with a portable version, which is a standalone Firefox, and a profile to be used with your installed version of Firefox.

When you start FF, you will be asked which profile to use: "default", the old profile you have been using, or "JonDoFox", the new profile. If you don't want that trouble, copy the FF shortcut, right click on it to edit its properties, and add the profile switch to the target path. Instead of

"..../firefox.exe"

you have ".../firefox.exe" -P JonDoFox

You can do the same for your old "default" profile.

If you want to use JonDoFox for everything other than your most secret activities, you have to use the 4 icons at the bottom right a lot. Cookies, ads and scripts are normally disallowed, which makes it totally unusable for most websites. You have to give temporary permissions, or add to the exceptions (white list). The actions are self explanatory if you click on the icons with the left and right buttons.

Finally, there is the proxy switch at the far bottom right. You can turn off JonDo, switch to other proxies and even to TOR. But I don't know how secure the TOR option (if you have installed TOR or Vidalia) is. The TOR bundle seems to be less restrictive on the web contents, but the TOR button has some unexpected behavior that claims to be security fixes. Though the FF in the TOR bundle wasn't that up to date.

JonDo Architecture

To use the JonDoNym system to protect your online anonymity, you need 3 things: a configured browser (I recommend JonDoFox), JonDo, the client software, and a Java runtime, which the client runs on.

As just an encrypted secure tunnel with anonymous proxy, it's pretty fast and reliable. It reminded me of Safeweb at the height of the tech boom. Even if you use the more secure free two stage mixes, it's pretty fast most of the day, sufficient to do any surfing other than YouTube videos. I'm surprised it only gets a few thousand users, because I would use it to secure insecure emails such as Yahoo, and to bypass school and company firewalls (if JonDo wasn't banned), and at least to hide what I'm surfing at work - that's what I used Safeweb for.

JonDo, same as TOR, aims to provide an untraceable proxy: your target website cannot trace back to you. And nobody can sniff what you are doing - the website address and contents are delivered to you encrypted.

The concept or "architecture" of JonDo is quite different from TOR. The JonDo proxy is only for HTML traffic (though you can get around it). Because of the limited applications, the number of users and the traffic are very reasonable for interactive surfing.

The server providers of JonDo are supposed to be independent companies/organizations, certified by JonDo, a company that came out of research in German universities. The client and server software are open source. That rules out some of the bad things about using other proxies.

Ideally, you want 3 stages called mixes, in 3 independent companies, best in 3 different uncooperative countries. The first mix knows who you are (your IP), but not what you are doing (encrypted). The last stage only knows what web pages you are looking at, but has no idea who you are. So you are pretty secure if there is a middle mix, who knows nothing, to increase untraceability. It takes all mixes in your chosen cascade cooperating together to sell you out. There's no point in setting up a single company and trying to collect private data and sell it. Someone may want to create three front companies, but since they have to sign a contract, it will be criminal fraud if discovered. The people behind it are from the universities, at it for a long time now, and the software is open source, so there's some guarantee of integrity. There are also some privacy advocate groups involved, probably guaranteed by their charter and mission statements.

So at least you will not be scammed by somebody in their basement. And indeed court orders have been served on the companies to discover something, proving that it works (to some extent).

The weakness is that by German law, starting from 1/1/2009, ISPs have to log everything, and it seems that the JonDoNym companies have to store enough things, such as decryption keys, so that users and URLs can be traced after the fact. This data retention is for 6 months or a year, I think. This is only a problem because all (?) of the mix operators are now in Germany. It is not a problem if someone sets up foreign companies. It is also not a problem if what you are doing won't be inviting court orders in Germany.

Sometimes a court order is not as powerful as bribing insiders or planting implants. Without the data retention law, it's pretty safe because there are no logs. With data retention, you have to obtain logs from several independent companies, which makes it more difficult. These companies should be careful about the logs because they are in it for the money, fame, or their charter. If security breaches went public, their money making ability would be compromised, their advertising less desirable, and their ability doubted. Also, when you add some encrypted proxy somewhere, they can't even find the targets to bribe.

There are other forms of attack for other purposes. Assume there is no data retention or your adversary cannot get a court order. Your adversary can observe some traffic points on the internet - generally called sniffing. Sniffing can be easy - your adversary just needs to get onto the local network to sniff the traffic. To monitor you they just need to be your neighbor on the same cable network, or sort of "wire-tap" your DSL phone line or digital cable.

If you are monitored, the simplest mix of JonDo allows you to hide your URLs and content because of encryption. They can also compromise or sniff the final mix, where the target URLs have to be in the clear. When there are only 500-odd users, it's not difficult to guess who you are, what your secret email address is and your handle in some special forums. Sniffing usually comes with statistical timing analysis. Your outgoing page loading activities correspond with those on the final mix, so your destination can be identified, and more. Adding your own encrypted proxies will move the target, so it's rather difficult to hit.

The number of targets in JonDo is pretty small. Apart from the user count, which can be as low as a few hundred, there are only a few cascades with the same or perhaps different IPs. The target website can sniff the inputs to collect a few hundred suspects, or do timing analysis to pinpoint. At the cascade input, your IP is in the clear.

The future of JonDo is less bright after the data retention act. Without data retention, it's bulletproof, and sniffing and timing analysis fail when user numbers get large. If I were a criminal I would finance some front companies to set up free or cheap mixes, so I could use it safely. TOR may be better, but you have little control over the servers and relays. Without data retention, I don't think there will be big spenders like major crooks. And since JonDo charges by total traffic, it doesn't sound competitive for casual users, who may just want to bypass their MySpace block at work. I can see that paid users are about 100 in total at times. I don't know how they pay for those servers, which have to be pretty big, not your PC as in TOR. For a few dollars a month, you can get encrypted proxies (or VPN). But I would be careful before handing over my credit card number to crooks in their basement. And I'm sure the data collected will be worth something and they will sell it. Also, their fast free service may be their undoing.

Sunday, October 26, 2008

Usable CGI proxies

The only usable proxies are TOR, JonDo and some CGI proxies. Still, they all have weaknesses, but far fewer than a single proxy whose server you know nothing about.

I have a browser extension that can download large free proxy lists automatically in any reasonable format, test which ones work, check if there's any IP list, test the level of anonymity, rank the fastest ones, connect, use, and keep checking the rest for the fastest ones in case the current proxy stalls. It's pretty good, but the more you test, the less likely the proxy will work when you switch to it. The other proxy approach provides more features than this. So I gave it up until I resurrected it when dealing with Wikipedia - they ban any proxies, including TOR, as soon as someone defaces their pages. So I have the only effective weapon against Wikipedia. I have fresh proxies faster than they can ban.

So-called CGI proxies are web based, like using Gmail instead of Outlook. Basically most of the free CGI proxies are copies of the software by one guy. There's no point in using other software because it's well tested, unless for commercial use, which has to pay. You can google CGIProxy for examples, but there should be a more specific keyword to search for these proxies easily.

The main difference between CGI proxies and port based proxies is that CGI proxies want to be found, while port proxies are usually exposed by ignorance or accident. Also, since CGI proxies are web based, it's not difficult to find the web page. Why? Because anybody can download the software onto some cheap hosting company. You can use it yourself, sell subscriptions to others, or sell advertising. Even if it's for personal use and you don't sell anything, you want others to use it to increase security.

The main advantage of CGI proxies is that they are reliably chainable. Instead of entering the URL of your desired website, you enter the URL of another CGI proxy. You get yourself a two proxy chain, and you can repeat this more times.

The main disadvantage, or main advantage at the same time, is that the website content can't get to your browser directly, as with port proxies. So exotic content doesn't always work, but most does. But since the content cannot get through otherwise, you can easily determine visually that the proxy or proxy chain is working.

With TOR and JonDo, CGI proxies are not really very useful, except for the encrypted ones. The free CGIProxy includes SSL encryption, but most servers don't allow it because of load. Though I have found a few commercial operators that allow free trials. If you chain an SSL CGI proxy at the end of TOR or JonDo, it will certainly increase your security unless the proxy is compromised.

It's very worthwhile to set up your own CGI proxy as part of your total chain. You can set up a few around the world in different jurisdictions, paying for them with anonymous money if possible, and allow other people to use them for deniability.

If you connect to your own CGIproxy directly, nobody can sniff your traffic, as in wiretapping. Not even your ISP.

If your CGI proxy is at the end of the chain, nobody else knows what the target website is. But the target website can trace back to your proxy server, and hence you, if the account needs your ID to register.

Saturday, October 25, 2008

Proxies don't work

After so many years, there are still many merchants on the net trying to make money from proxies. Before wasting your time: proxies mostly don't work, even though the impression when you google "proxy" is the opposite.

If you pay for a proxy service, you have to be very careful, and see if there's any guarantee that the company doesn't sell you out. The sites you visit don't know your IP, but the proxy service knows everything about you, better than your ISP does. Your enemy just needs to gain access to the proxy company, via bribing, infiltration, or social engineering. Some say that most proxy companies are collecting data for profit.

A good example is multiproxy.org, whose website still exists. It was about the only practical free software that made use of free proxies around the world. It seemed OK at first, but one day the software stopped working. It appeared that the free software was spyware, sending all your URL data back to base. When the operation went bust, the servers stopped working and hence the software stopped too, failing to communicate with base.

It's the same if you pay for some VPN service. You can have a private, secure connection between your home and company. You can have a private tunnel to bypass your company/school network, hence no censoring. But if you surf via the VPN, they have your ID and your data. For big companies, at least they have screened people and you can sue them if they do anything wrong. But for some company with only a name, what can you do about it?

Software merchants may want to give you the impression that there are infinite numbers of proxies in the world for you to use. But actually most can be thought of as PCs or small systems whose owners don't know basic protection for their computers. Once they notice something going through, they will close the port. If not, then the computer will be overloaded and unusable most of the time.

There are indeed some proxies for public use, such as CoDeeN. But usually they are overloaded, and usually you can only read, not post anything, nor even log in. Otherwise, it's criminals' heaven.

There are some web based CGI proxies that are easy to use. But these guys can be anybody. The reason that more CGI proxies are available is that they can place advertisements. Also, some guys just want to attract lots of traffic to their machine so they can deny that they did it themselves. To avoid trouble, most CGI proxies avoid secure connections (https) and disable the ability to post, which otherwise would become heaven for spammers (and many other types).

You can chain proxies together so it's almost impossible for the target site to trace you, even in real time. However, it's almost impossible for normal people to do this just to protect their privacy. It's already difficult to find a public proxy that works for a while.

And since most free proxies don't support https, it's very easy to mislead users into thinking they are secure. Say you log in to Google mail: it uses secure https for login and then switches back to insecure http. If you are not careful, you will log in successfully, but not using any proxy, and you don't even know about it. Your IP may not appear in the email headers, but Google has info about your real IP, which can be obtained by court order (how about bribes, social engineering?).

In conclusion, nothing really works, and trust no one.

Practical Anonymity on the Internet

Whatever you type into the address/search bar of Chrome, the Google browser, goes to Google. Of course Google has been doing this for a long time; every search is archived. If you volunteered by logging in, all the info goes to your hidden profile, such as web history. If you don't log in, they have your IP anyway, which can easily be used to link to you one day. For example, with the websites you visited, they know where you live, your kids' schools, which company you work for, your bank, and where you shop most, etc. With this info, it's easy to know which IPs belong to the same person, and one day link them to your real ID. It's a big brother's world.

Imagine if Google bought an ISP tomorrow! Whatever you do on the web, someone in Google would be able to know about it, and they would know your real name and address too. Maybe every politician would be up in arms about it. Also, Google's motto is "do no evil". So that's not that alarming.

However, how about 10 or 20 years from now, when Google and a few ISPs are bought by a Chinese company, still controlled by the communists? Immediately they can find out who were, say, the human rights activists causing trouble many years ago.

With all the talk about online privacy, my guess is that at most only several thousand people in the whole world are taking it seriously daily. That's the number of people using JonDo, and perhaps more using TOR, the only two practical and reasonably safe systems.