• Welcome to New Hampshire Underground.
 

News:

Please log in on the special "login" page, not on any of these normal pages. Thank you, The Procrastinating Management

"Let them march all they want, as long as they pay their taxes."  --Alexander Haig

Main Menu

Online anonymity

Started by Crocuta, April 23, 2007, 01:20 AM NHFT

Previous topic - Next topic

Crocuta

I've been doing some reading on the topic of anonymous web browsing lately, but I need some help sorting out the details.

I know that in typical browsing, my ISP is undoubtedly keeping logs of every website I visit to comply with federal law (and non-law desires of various three letter agencies.)  Is there a way to be online and "leave no trace", or at least not a trace that could be used to identify what a person is reading online?

For example, if I want to visit NHFree.com and leave no identifiable trace of my visit in all the steps between me and it, how might I go about it?  The question obviously expands in scope if I'm living in say, Communist China, and I am viewing banned sites.

I've looked at various anonymizers, but they all state that they'll turn over their logs in response to a court order (why they keep logs at all, I'm not sure.)  I've read conflicting reports on Tor regarding security and performance.

I realize that I can use a wifi connection in a coffee shop with a laptop with no personal information stored within, but I'm wondering about browsing at home.

Can anyone sum up the weak points in maintaining anonymity and point me down the right road?

penguins4me

#1
There are several points where tracking data can be collected: on your own computer, at the ISP, and at the destination site. You can't directly counter the ISP's ability to log your activity, but you can misdirect it.

- Your computer: configure your programs to delete both the cache (for downloaded files and browsed files) and cookies to "spot clean" your PC.

- Your ISP: Use an anonymizing proxy. There are a few to choose from, but I believe that CGIProxy and derivatives are some of the best ones if an SSL/https connection is used to first connect to the proxy. Your ISP will see that you connected securely to the proxy, but cannot see where the proxy connected on your behalf (unless, of course, the proxy uses the same ISP). Whether or not the proxy keeps logs is up to the administrator - the one I use keeps up to two days of logs (one truncated, one not) to allow the admin to easily ban folks who habitually surf porn sites because he believes those users attact too much negative attention, etc. Some may keep no logs at all.
Another option is to use secure connection (VPN, etc.) to another system to make the direct requests for you as well, but those are a bit more involved.

- Destination site: *generally* only logs information coming from the last requester it can see, which if you use a proxy, is the proxy. To be safer, disable client-side script execution in your browser (e.g. the NoScript plugin for Firefox).

There's also an issue with traffic analysis, where snoops watch traffic in and out of a proxy or network (like TOR) to determine who is going where, but avoiding that's something a bit beyond my knowledge and resources.

Okay, but how do you actually accomplish the above? Well, if you can't find a proxy provider which keeps no logs, you could set one up yourself (or have someone set one up on your behalf), use a chain of proxies (log into one proxy, then into another and another, then finally to your destination, though wouldn't eliminate logs, just slow down investigators), or as you said, mooch off of someone's wireless connection if one is near your home.
To get started, you could search for "nph-proxy" using any search engine - results whose URIs end in nph-proxy.cgi often can be used by anyone who browses to the complete URI. No guarantees on logs, tho.

There are more extreme methods, such as browsing via email using strong encryption (email a link to an address and get the saved pages emailed back), but are very likely beyond the scope of browsing a site as innocuous as this. ;)

-edit
The Java Anonymous Proxy may also be something to consider in a TOR-like system, with the difference being that JAP users are supposed to be able to choose which peers their traffic is routed through.

PowerPenguin

The other penguin here has it right, and I pretty much do the same thing. I recommend Megaproxy.com for general use. It is a secure SSL based proxy, which also filters out dangerous Java/Javascript/Flash and stores cookies on their server so that they cannot be used to easily ID your own computer and browsing behaviors. It is also useful for subverting censorship. It costs 9.95/90 days, payable via paypal. Perhaps e-gold now as well, but I can't recall since I just use paypal.

Tor is recommended for viewing very sensitive material, such as the kind you might find on this site. It is also good for low bandwidth tasks like e-mail, IM, and RSS reader programs. Note that it is slow and sometimes unreliable- but it has become more efficient as more people use the network and set up tor servers.

I also suggest getting the NoScript add-on for firefox. This will filter out dangerous crap like Megaproxy does, but you can use it anytime (no logging in anywhere or anything). Also type "about:config" (no quotes) in the Firefox address bar. This will give you the user modifiable settings that you can't see normally. Set network.http.sendRefererHeader to 0 (2 is default), and network.http.sendSecureXSiteReferrer to false (true is default). This will disable HTTP_Referers, which enable sites (and your ISP sometimes) to track where you've been. Be aware that in rare cases, poorly designed forms (such as the current Porcfest reg page) will SNAFU because of this. If that happens, just revert to the old settings, do what you need to do, and set it back after.

Finally, you can get additional information from Power Privacy and http://www.ultimate-anonymity.com. The former also has some good privacy tips for on-line financial transactions that everyone should know about.

error

You can also help Tor by running a Tor server and thereby gaining some plausible deniability.

But what steps you take to protect your anonymity online depend a lot on what threats you are trying to protect yourself from.

PowerPenguin

Yes. I'm mostly worried about line interception myself. I have the end-to-end security situation under control, and I know enough to keep a handle on what information I give out, and to whom.

error

About a year ago I put together an article on exactly this topic. It could probably use expanding and clarification in a few areas.

Crocuta

Quote from: error on April 23, 2007, 05:48 PM NHFT
About a year ago I put together an article on exactly this topic. It could probably use expanding and clarification in a few areas.

Great article, error.  I had a gut feeling you would have something squirrled away somewhere.

error

I've got almost 1,500 posts written at this point on almost every imaginable topic, even things which wouldn't seem to normally be the purview of a site called Homeland Stupidity. Though there's plenty of stuff I haven't covered. If you get bored, my archives are always worth poking through. :)

BaRbArIaN

goto cotse.net, they have some reasonable account alternatives, they purge their records etc.  Combined with Tor and a few other strategies, you can keep most things relatively anonymous (except for the 3 letter players of course, they have large resources for fishing expeditions).