Tuesday, October 28, 2008

JonDo Architecture

To use the JonDoNym system to protect your online anonymity, you need three things: a configured browser (I recommend JonDoFox), the JonDo client software, and a Java runtime, which the client runs on.

As just an encrypted, secure tunnel to an anonymous proxy, it's pretty fast and reliable. It reminded me of Safeweb at the height of the tech boom. Even if you use the more secure free two-stage mixes, it's pretty fast for most of the day, sufficient for any surfing other than YouTube videos. I'm surprised it only gets a few thousand users, because I would use it to secure insecure email such as Yahoo, to bypass school and company firewalls (if JonDo weren't banned), and at least to hide what I'm surfing at work, which is what I used Safeweb for.

JonDo, like Tor, aims to provide an untraceable proxy: the target website cannot trace the connection back to you, and nobody on the path can sniff what you are doing, because the website addresses and contents travel between you and the cascade encrypted.

The concept, or "architecture", of JonDo is quite different from Tor. The JonDo proxy is intended for web (HTTP) traffic only, though you can work around that. Because the range of applications is limited, the number of users and the traffic volume are very reasonable for interactive surfing.

The server operators of JonDo are supposed to be independent companies or organizations, certified by JonDo, a company that came out of research at German universities. The client and server software are open source. That rules out some of the bad things that can happen when you use other proxies.

Ideally, you want three stages, called mixes, run by three independent companies, best of all in three different countries that do not cooperate with each other. The first mix knows who you are (your IP) but not what you are doing (that part is encrypted). The last stage knows only which web pages you are looking at, but has no idea who you are. The middle mix knows neither, and its presence is what makes the chain hard to trace: to sell you out, every mix in the cascade you chose has to cooperate.

There's no point in setting up a single company to collect private data and sell it. Someone may want to create three front companies, but since the operators have to sign a contract, it would be criminal fraud if discovered. The people behind it come from the universities, have been at it for a long time now, and the software is open source, so there is some guarantee of integrity. There are also some privacy advocacy groups involved, presumably bound by their charters and mission statements.
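To make the "first mix knows the sender, last mix knows the destination, nobody knows both" property concrete, here is a small Python model of a three-mix cascade. It is an added example, not JonDo's code or anything from the project: the cipher is a demo-only HMAC-SHA256 counter-mode keystream standing in for a real block cipher, the per-mix keys are simply pre-shared (a real client would negotiate them using each mix's public key), and the client IP, mix names and request URL are made up.

```python
"""Toy three-mix cascade showing what each mix can see.

Added illustration, not JonDo's own code. The cipher is a demo-only
HMAC-SHA256 counter-mode keystream (a stand-in for AES); the per-mix
keys are pre-shared here, whereas a real client establishes them with
each mix's public key. IP address and URL are made-up sample values.
"""
import hashlib
import hmac
import os

BLOCK = 32   # SHA-256 output size in bytes
NONCE = 16   # nonce prepended to every layer


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (demo only).
    The same call both encrypts and decrypts."""
    out = bytearray()
    for ctr in range((len(data) + BLOCK - 1) // BLOCK):
        ks = hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[ctr * BLOCK:(ctr + 1) * BLOCK]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def wrap_for_cascade(mix_keys, request: bytes) -> bytes:
    """Encrypt `request` once per mix, innermost layer for the last mix.

    Each layer is nonce || ciphertext. The mix holding the matching key
    strips exactly one layer and forwards the remainder to the next hop,
    so only the last mix ever sees the plaintext request."""
    blob = request
    for key in reversed(mix_keys):
        nonce = os.urandom(NONCE)
        blob = nonce + stream_xor(key, nonce, blob)
    return blob


def peel_layer(key: bytes, blob: bytes) -> bytes:
    """Remove one encryption layer with this mix's key."""
    nonce, body = blob[:NONCE], blob[NONCE:]
    return stream_xor(key, nonce, body)


def run_cascade(client_ip: str, mix_keys, request: bytes):
    """Push a wrapped request through the cascade and record, for every
    mix, who the bytes came from and what it received and forwarded."""
    blob = wrap_for_cascade(mix_keys, request)
    prev_hop, views = client_ip, []
    for i, key in enumerate(mix_keys, start=1):
        name = f"mix{i}"
        inner = peel_layer(key, blob)
        views.append({"mix": name, "from": prev_hop,
                      "received": blob, "forwarded": inner})
        prev_hop, blob = name, inner
    return views


def demo(client_ip="198.51.100.7",
         request=b"GET http://forum.example/thread/42 HTTP/1.1"):
    """Fresh random keys for three mixes, then one request through them."""
    keys = [os.urandom(32) for _ in range(3)]
    return keys, request, run_cascade(client_ip, keys, request)


if __name__ == "__main__":
    _, _, views = demo()
    for v in views:
        print(f'{v["mix"]}: from {v["from"]}, forwards {v["forwarded"][:24]!r}...')
```

Running it shows mix1 with the client's IP and an opaque blob, mix2 with only "from mix1" and another opaque blob, and mix3 with the plaintext request but "from mix2" as its only notion of the sender. Linking the IP in mix1's view to the URL in mix3's view takes both records, which is the collusion the text describes.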

So at least you will not be scammed by somebody in their basement. And indeed, court orders have been served on the companies to discover something, which proves that it works (to some extent).

The weakness is that under German law, starting from 1/1/2009, ISPs have to retain connection data, and it seems that the JonDoNym companies have to store enough, such as decryption keys, that users and URLs can be traced after the fact. This data retention is for 6 months or a year, I think. This is only a problem because all (?) of the mix operators are now in Germany. It is not a problem if someone sets up foreign companies. It is also not a problem if what you are doing won't invite court orders in Germany.

Sometimes a court order is less powerful than bribing insiders or planting implants. Without the data retention law, it's pretty safe because there are no logs. With data retention, an attacker has to obtain logs from several independent companies, which makes it more difficult. These companies should be careful with the logs because they are in it for the money, the reputation, or their charter: if a security breach went public, their money-making ability would be compromised, their advertising less credible, and their competence doubted. Also, when you add an encrypted proxy of your own somewhere, they can't even find the targets to bribe.

There are other forms of attack, for other purposes. Assume there is no data retention, or your adversary cannot get a court order. Your adversary can observe traffic at some points in the Internet, which is generally called sniffing. Sniffing can be easy: your adversary just needs to get onto the local network to sniff the traffic. To monitor you, they just need to be your neighbor on the same cable network, or to "wire-tap" your DSL phone line or digital cable.

If you are being monitored, even the simplest JonDo mix lets you hide your URLs and content, because of the encryption. But the adversary can also compromise or sniff the final mix, where the target URLs have to be in the clear. When there are only 500-odd users, it's not difficult to guess who you are, what your secret email address is, and what your handle is in some special forum. Sniffing usually comes with statistical timing analysis: your outgoing page-loading activity corresponds with the activity at the final mix, so your destination can be identified, and more. Adding your own encrypted proxies moves the target, so it's rather difficult to hit.

The number of targets in JonDo is pretty small. Apart from the user count, which can be as low as a few hundred, there are only a few cascades, with the same or perhaps different IPs. An adversary who controls the target website and can sniff the cascade inputs can collect a few hundred suspects, or do timing analysis to pinpoint one. At the cascade input, your IP is in the clear.
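Here is the timing analysis from the last two paragraphs worked through on constructed data, as an added example that is not part of the original post and not anything JonDo ships. The adversary is assumed to see two things: (time, client IP) at the cascade input, where the IP is in the clear, and (time, destination) at the last mix's output; the latency bounds, IPs, timestamps and hostnames are all made up. With a handful of users whose requests never overlap, every output event has exactly one possible sender. The second ingress list shows the batched case, where several users' requests arrive within the same window and the attack can no longer separate them, which is the "fails when user numbers get large" effect.

```python
"""Timing correlation against a small mix cascade (added illustration).

Not JonDo's code. Both observation lists are constructed sample data:
an adversary who sees the cascade input (client IP, time) and the last
mix's output (destination, time), and who knows the cascade's latency
range, tries to match clients to destinations.
"""
from collections import Counter, defaultdict

# Constructed: timestamps in seconds, client IPs from the documentation
# range, placeholder destination hostnames.
INGRESS = [  # (time, client_ip) seen arriving at the first mix
    (0.00, "198.51.100.7"), (1.20, "198.51.100.8"), (2.00, "198.51.100.9"),
    (3.10, "198.51.100.7"), (5.00, "198.51.100.8"), (6.30, "198.51.100.9"),
    (7.40, "198.51.100.7"), (9.90, "198.51.100.9"),
]
EGRESS = [  # (time, destination) seen leaving the last mix
    (0.12, "forum.example"), (1.40, "mail.example"), (2.09, "news.example"),
    (3.24, "forum.example"), (5.21, "mail.example"), (6.40, "news.example"),
    (7.51, "forum.example"), (10.05, "news.example"),
]
# Constructed: three users whose requests land in the same latency window.
INGRESS_BATCHED = [
    (0.00, "198.51.100.7"), (0.01, "198.51.100.8"), (0.02, "198.51.100.9"),
]
MIN_LAT, MAX_LAT = 0.05, 0.30  # assumed end-to-end cascade latency bounds


def candidates(ingress, t_out, min_lat=MIN_LAT, max_lat=MAX_LAT):
    """Anonymity set for one egress event: every client whose ingress
    could have produced output at t_out given the latency bounds."""
    return {ip for t_in, ip in ingress if min_lat <= t_out - t_in <= max_lat}


def link(ingress, egress, min_lat=MIN_LAT, max_lat=MAX_LAT):
    """Score (client, destination) pairs by how many egress events each
    client could explain. Returns, per client, the best destination and
    the margin over the runner-up; a margin of 0 means the observations
    cannot separate the candidates."""
    score = Counter()
    for t_out, dest in egress:
        for ip in candidates(ingress, t_out, min_lat, max_lat):
            score[(ip, dest)] += 1
    per_client = defaultdict(list)
    for (ip, dest), n in score.items():
        per_client[ip].append((n, dest))
    result = {}
    for ip, scored in per_client.items():
        scored.sort(reverse=True)
        best_n, best_dest = scored[0]
        runner_up = scored[1][0] if len(scored) > 1 else 0
        result[ip] = (best_dest, best_n - runner_up)
    return result


if __name__ == "__main__":
    for ip, (dest, margin) in sorted(link(INGRESS, EGRESS).items()):
        print(f"{ip} -> {dest} (margin {margin})")
    print("batched suspects for output at t=0.12:",
          sorted(candidates(INGRESS_BATCHED, 0.12)))
```

With the unbatched data every client is linked to one destination with a clear margin; with the batched ingress the single output event has three equally plausible senders, and a longer observation would be needed before the scores separate, if they ever do. Real mixes add deliberate delay and padding to widen exactly this window.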

The future of JonDo is less bright after the data retention act. Without data retention, it's bulletproof, and sniffing and timing analysis fail when user numbers get large. If I were a criminal, I would finance some front companies to set up free or cheap mixes, so I could use them safely. Tor may be better, but you have little control over the servers and relays. Without data retention, I don't think there will be big spenders like major crooks. And since JonDo charges by total traffic, it doesn't sound competitive for casual users, who may just want to bypass their MySpace block at work. I can see that paid users are about 100 in total at times. I don't know how they pay for those servers, which have to be pretty big, not your PC as in Tor. For a few dollars a month, you can get encrypted proxies (or a VPN). But I would be careful before handing my credit card number over to crooks in their basement. And I'm sure the data collected is worth something and they will sell it. Also, their fast free service may be their undoing.
