Tor, Proxies, VPNs
Make the spies cry into their vodka martinis by encrypting and rerouting our data before it passes through untrusted machines.
So, you’re worried about your ISP snooping on you or blocking content. Then one solution is to stop using the Internet. Another is to use a proxy or virtual private network (VPN). The principle is the same for both here: from your home connection you connect to your destination via an intermediary server.
If an admin at your ISP were only looking at your network connections, then they would only see you connecting to this intermediary. However, sniffing traffic off the wire is cheap (in the UK, ISPs can recover the costs from the government (the taxpayer – Ed)) and easy, so one must assume a stronger adversary. A simple HTTP proxy won’t encrypt any data, and will even forward your IP address to the destination via the X-Forwarded-For header. That’s not so private, but there are lower-level proxies, such as SOCKS proxies, that act more transparently. The SOCKS protocol itself contains no encryption though, so if you want privacy the encryption has to be applied by the application, for example using protocols such as SSH or HTTPS. SOCKS proxies originated as a routing tool, not a privacy one, so this shouldn’t really be looked upon as a limitation. See the box below for guidance on setting up a perfectly serviceable SOCKS proxy using SSH. VPNs, though, add the encryption for free, so all your ISP sees is that you’re connecting to a server and receiving a lot of TLS-encrypted packets from there. Great, problem solved.
Well, not really. VPNs have become popular in the five years since the Snowden revelations. VPN providers, though, can see exactly what’s going through their servers. They’re also subject to whatever laws apply in their jurisdictions, so a VPN provider in the UK would be classed as a communications provider, and as such could be required to start logging individual (or all) users’ connections. Providers may not, as policy, keep any logs, but the threat of legal action could persuade them to silently make exceptions to this policy.
There are also a number of unscrupulous VPN providers out there, and given the terrible link-spamming you’ll bear witness to if you do any research, it’s hard to know who can be trusted. They say if you’re not paying for a service, then you’re the product, and ne’er did a truer word apply than in the case of Hola, which provided a free “VPN” via a browser plugin. Users could select which country they wanted to appear to be browsing from, so the service became particularly popular with users wanting to bypass geoblocks on streaming sites. Many users were unaware of one small detail, which is that Hola operated a peer-to-peer architecture, so the VPN endpoints users were connecting to were in fact just other Hola customers.
Furthermore, in 2014 users became co-opted into a side project of Hola’s parent company, spookily named Luminati. This paid service used the freeloaders as exit nodes, effectively reselling their bandwidth and exposing them to the legal consequences of anything that said bandwidth was used for. Hola still operates to this day, but is more open about how its peer-to-peer infrastructure operates, and takes steps to protect users’ connections from abuse.
Most commercial VPNs use the OpenVPN protocol, which is portable, can traverse NAT gateways and doesn’t require awful (or Windows-only) client programs. The encrypting work is offloaded to the ubiquitous OpenSSL library. Configuration can be done from the NetworkManager GUI, and varies from provider to provider. Some even provide Linux-specific instructions, but in general won’t involve much more than downloading a certificate, pointing NetworkManager at a server and supplying a username and password.
All your Internet traffic is then routed, typically via a TUN device, to the VPN server. DNS requests (those which resolve linuxformat.com to 80.244.178.150, for example) should be forwarded too, so your ISP can’t see which sites you’re visiting. Typically VPNs provide their own DNS services, and will push those to your OpenVPN client. But thanks to many levels of DNS caching, this may not work. Since DNS requests aren’t encrypted, and a site’s DNS servers can see which resolver looked up its hostname on your behalf, this is a problem. Websites such as dnsleak.com and ipleak.net can diagnose these issues. Avoiding your ISP’s DNS server is easy, and since much ISP-level blocking is done at the DNS level this trick has proven popular in the UK. There are plenty of public DNS providers (Google’s 8.8.8.8 and 8.8.4.4 are popular) which you can get NetworkManager or your router to use. But really, you want to ensure DNS requests are tunnelled over the VPN, and you should be wary of where they’re going after that. If you’re accessing Google services over the same connection that accesses their DNS, even if both are done over a VPN, then you’re pretty much telling them all the websites you’re visiting. In general, it’s a bad idea to access any service connected with your identity over a VPN, at least if you’re also using that VPN to conceal your identity.
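The sites mentioned above test for leaks from the outside, by seeing which resolver contacts them. You can also check from the inside, by asking which interface the kernel would use to reach each resolver listed in /etc/resolv.conf. The script below is an added example, not from the article or from any VPN provider: it parses the Linux /proc/net/route table and a resolv.conf, repeats the kernel’s longest-prefix match for each nameserver, and flags any resolver that would not leave via the tunnel interface. The routing table and resolv.conf embedded in it are constructed samples (a laptop on wlan0 with an OpenVPN tun0 that pushed “redirect-gateway def1”, and a resolv.conf that still lists the router’s resolver next to the one the VPN pushed); the interface name tun0 is an assumption you may need to change.

```python
"""Check whether each configured DNS resolver would be routed through the VPN tunnel.

Reads the kernel's IPv4 routing table (/proc/net/route) and /etc/resolv.conf,
then repeats the kernel's longest-prefix match for every nameserver to find the
interface that would carry its queries. Anything not leaving via the tunnel
interface is a potential DNS leak.
"""
import ipaddress

# Constructed sample of /proc/net/route: wlan0 is the physical link, tun0 the
# OpenVPN tunnel. "redirect-gateway def1" installs two /1 routes via tun0 that
# beat the original default route, plus a /32 host route to the VPN server
# (203.0.113.5, a documentation address) via the real gateway 192.168.1.1.
# The real file is tab-separated; the parser splits on any whitespace.
SAMPLE_PROC_NET_ROUTE = """\
Iface   Destination Gateway     Flags   RefCnt  Use Metric  Mask        MTU Window  IRTT
wlan0   00000000    0101A8C0    0003    0       0   600     00000000    0   0       0
tun0    00000000    0100080A    0003    0       0   50      00000080    0   0       0
tun0    00000080    0100080A    0003    0       0   50      00000080    0   0       0
wlan0   0001A8C0    00000000    0001    0       0   600     00FFFFFF    0   0       0
tun0    0000080A    00000000    0001    0       0   50      00FFFFFF    0   0       0
wlan0   057100CB    0101A8C0    0007    0       0   0       FFFFFFFF    0   0       0
"""

# Constructed sample resolv.conf: the router's resolver is still listed
# alongside the resolver the VPN pushed.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager (constructed sample)
search lan
nameserver 192.168.1.1
nameserver 10.8.0.1
options edns0
"""


def _word_to_ip(hex_word):
    """/proc/net/route prints addresses as 32-bit words in host byte order
    (little-endian on x86), so reverse the bytes to get network order."""
    return ipaddress.IPv4Address(bytes.fromhex(hex_word)[::-1])


def parse_proc_net_route(text):
    """Return (network, iface, metric) for every route that is up; header skipped."""
    routes = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8:
            continue
        iface, dest, _gw, flags, _ref, _use, metric, mask = fields[:8]
        if not int(flags, 16) & 0x1:  # RTF_UP: skip routes that are down
            continue
        network = ipaddress.IPv4Network(
            (str(_word_to_ip(dest)), str(_word_to_ip(mask))), strict=False)
        routes.append((network, iface, int(metric)))
    return routes


def parse_resolv_conf(text):
    """Return the nameserver addresses in order, ignoring comments and other options."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def route_for(address, routes):
    """Longest prefix wins, lowest metric breaks ties (the kernel's selection rule)."""
    addr = ipaddress.IPv4Address(address)
    candidates = [(net.prefixlen, -metric, iface)
                  for net, iface, metric in routes if addr in net]
    return max(candidates)[2] if candidates else None


def classify_resolvers(resolv_conf, proc_route, tunnel_ifaces=("tun0",)):
    """Map each resolver to (egress interface, leaks?) where leaks means not via the tunnel."""
    routes = parse_proc_net_route(proc_route)
    report = {}
    for ns in parse_resolv_conf(resolv_conf):
        if ":" in ns:  # IPv6 resolvers live in /proc/net/ipv6_route; treat as unverified
            report[ns] = (None, True)
            continue
        iface = route_for(ns, routes)
        report[ns] = (iface, iface not in tunnel_ifaces)
    return report


if __name__ == "__main__":
    try:  # use the live system if readable, otherwise the constructed samples
        with open("/proc/net/route") as r, open("/etc/resolv.conf") as c:
            report = classify_resolvers(c.read(), r.read())
    except OSError:
        report = classify_resolvers(SAMPLE_RESOLV_CONF, SAMPLE_PROC_NET_ROUTE)
    for ns, (iface, leaks) in report.items():
        print(f"{ns:<20} via {iface or 'no route':<8} {'LEAK' if leaks else 'tunnelled'}")
```

On the sample data 192.168.1.1 matches the 192.168.1.0/24 route on wlan0, so queries to it bypass the tunnel, while 10.8.0.1 and any public resolver fall under the /1 routes and go via tun0. Two caveats: a local stub resolver such as 127.0.0.53 (systemd-resolved) has no entry in this table, so the script reports “no route” and you must inspect the stub’s upstream servers instead, and a correct route says nothing about the caching layers the article mentions or about who operates the resolver at the far end of the tunnel.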
Go undercover with Tor
The Tor network is your best hope of being anonymous on the Internet. It’s built on the principle of onion routing, in which traffic is wrapped in a new layer of encryption with each network hop. Tor was developed first at the US Naval Research Laboratory and later by DARPA (the Defense Advanced Research Projects Agency, the very same that founded ARPANET, the basis for today’s Internet). Since DARPA is part of the US Department of Defense, there are a fair number of conspiracy theories circulating about its trustworthiness. However, the Tor Project has a variety of funding sources, and it’s trying to move away from government ones. You can contribute too, either financially or by running your own Tor node. Running an exit node does expose you to some risk, but you can happily run a non-exit relay or bridge node.
There are two ways you can use the Tor network, either to access Tor (.onion) sites directly, or as an intermediary to access conventional ("clearnet") sites (or other hosts – any kind of traffic (for example, SSH, VPN, FTP) can be tunnelled over Tor). In the second case the exit node, the final Tor node that routes your traffic to the clearnet, knows what you’re accessing. None of the preceding nodes do because all that routing information is wrapped in a layer of encryption. The exit relay doesn’t know your IP address though – it only knows the address of the preceding Tor node, again, because the circuit routing details are encrypted.
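The layering the two paragraphs above describe can be made concrete. The script below is an added example, written for this article rather than taken from it or from the Tor Project’s code: a client wraps a request in three layers, one per relay, and each relay peels exactly one layer, recording what it can see. The circuit (guard, middle, exit), the relay keys, the client address 198.51.100.7 and the request to linuxformat.com:80 are all constructed; the cipher is a toy SHA-256 counter-mode keystream standing in for real per-hop encryption, and keys are pre-shared rather than negotiated hop by hop as Tor does.

```python
"""Toy onion routing: one encryption layer per hop, peeled one hop at a time.

Three relays (guard, middle, exit) each hold a key shared with the client
(pre-shared here for simplicity; Tor negotiates these per circuit). The client
wraps the request for the exit first, then wraps that for the middle, then for
the guard. A relay can decrypt only its own layer, so it learns the previous
hop and the next hop and nothing else.
"""
import hashlib
import json
import os

NONCE_LEN = 16


def _keystream_xor(key, nonce, data):
    """Toy stream cipher: SHA-256 in counter mode XORed over the data.
    Illustration only; it stands in for the real per-hop ciphers."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    return nonce + _keystream_xor(key, nonce, plaintext)


def decrypt(key, blob):
    return _keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def build_onion(circuit, relay_keys, destination, payload):
    """Wrap the payload innermost for the exit, then add one layer per earlier hop."""
    layer = {"next": destination, "payload": payload.hex()}
    blob = encrypt(relay_keys[circuit[-1]], json.dumps(layer).encode())
    # Walk backwards: the middle relay's layer names the exit, the guard's names the middle.
    for hop, next_hop in zip(reversed(circuit[:-1]), reversed(circuit[1:])):
        layer = {"next": next_hop, "payload": blob.hex()}
        blob = encrypt(relay_keys[hop], json.dumps(layer).encode())
    return blob


def route(onion, circuit, relay_keys, client_addr):
    """Simulate the relays: each peels one layer and forwards the remainder.
    Returns what every relay observed, plus the plaintext the exit sends on."""
    observations = []
    prev_hop, blob = client_addr, onion
    for hop in circuit:
        layer = json.loads(decrypt(relay_keys[hop], blob))
        inner = bytes.fromhex(layer["payload"])
        observations.append({
            "relay": hop,
            "from": prev_hop,            # the guard sees the client; others see a relay
            "to": layer["next"],         # only the exit sees the real destination
            "sees_plaintext": hop == circuit[-1],
        })
        prev_hop, blob = hop, inner
    return observations, blob


def demo():
    """Build and route one constructed request; returns (observations, delivered bytes)."""
    circuit = ["guard", "middle", "exit"]
    relay_keys = {name: os.urandom(32) for name in circuit}  # constructed keys
    request = b"GET / HTTP/1.1\r\nHost: linuxformat.com\r\n\r\n"
    onion = build_onion(circuit, relay_keys, "linuxformat.com:80", request)
    return route(onion, circuit, relay_keys, "198.51.100.7")  # constructed client address


if __name__ == "__main__":
    for obs in demo()[0]:
        print(f"{obs['relay']:<7} from {obs['from']:<13} to {obs['to']:<20} "
              f"plaintext visible: {obs['sees_plaintext']}")
```

Running it shows the property the article relies on: the guard records the client address but only “middle” as the destination, the middle relay sees two relays and nothing else, and the exit sees linuxformat.com:80 and the request bytes but only “middle” as the sender. It also shows the limit discussed next: whatever the exit forwards is exactly as protected as the application made it, so only HTTPS (or another application-layer protocol with its own encryption) keeps the request opaque to a hostile exit.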
Still, a malicious exit node is a concern. Traffic sent over HTTPS remains encrypted when it leaves the exit relay, but other traffic is not. By inspecting this traffic, and cross-referencing with metadata from the encrypted connection, it’s possible that deductions can be made about the user. For example, if a user visits http://linuxformat.com using a browser which contains locale info, say en_GB, and that user also visits a clearnet site offering replacement parts for netbooks circa 2008, then the exit node could reasonably infer that user is Jonni because no one else in the UK cares about broken, old netbooks and putting Linux on them. That’s a tenuous example, but you get the idea. More concerning is a traffic correlation attack, sometimes called a traffic confirmation attack, in which traffic is tagged by a malicious entry node and caught on its egress by a malicious exit node.
There are malicious sites both on and off the Tor network, and those wanting to stay under the radar should take no chances. In the film The Lives of Others, the protagonist uses a small typewriter smuggled into the country, since those sold within the country all have to be registered and can be traced by the Stasi. Web browsers can be traced too, and browser fingerprinting doesn’t need secret police to maintain a central registry. Plenty of browsers, thanks to the OS they’re installed on, the way they render fonts and many other variables, uniquely identify the user. Any third-party ad provider has access to this information, so in this case it seems sensible to have browser settings as homogeneous as possible, by using the Tor Browser Bundle for example. See https://panopticlick.eff.org for more information.