Linux Format

Going to ground

Use Tor and Tails to hide your browsing, and then upset the UK ISP Association by enabling DNS-over-HTTPS, villainous stuff!


Thanks in large part to the efforts of Let’s Encrypt over the past few years, most websites are now served over HTTPS. This provides two things: authentication and privacy. Authentication in the sense that you can be sure that the website you’re looking at isn’t some kind of forgery, and privacy in the sense that communication between you and the webserver is encrypted.

As such, HTTPS more or less thwarts the ability of a passive middleman to see which pages are being viewed, but out of technical necessity your DNS provider – usually your ISP – needs to see the domain name, and your ISP needs to see the IP address it resolves to. You can, and in a lot of cases should, use a VPN, but that just shifts the second requirement downstream. Also, there’s generally very little reason to trust a VPN any more than you do your ISP – unless your ISP is really bad, in which case you should find another one. You can use one of any number of public DNS servers like Google’s 8.8.8.8 or Cloudflare’s 1.1.1.1 which remove your ISP from the equation altogether – except that ISPs then have a nasty habit of intercepting (Doh! – Ed) DNS queries.

Multiple websites are often hosted behind the same IP address, and for this to work with HTTPS a scheme called SNI (Server Name Indication) is used. This requires the client to send the desired domain name to the server unencrypted, which means it can be eavesdropped twice: once during the DNS look-up, and once again during the TLS handshake. If you don’t like this, there’s always the Tor network, but that’s slow in comparison to regular browsing, and just downloading the Tor Browser is likely to score you a space on a very big list at one or more of the three-letter agencies. Nonetheless, we love being on lists, so we’ll show you how Tor works just over the page.

Work to solve hostname leakage is underway in the form of ESNI, which you can read more about on Cloudflare’s blog (https://blog.cloudflare.com/encrypted-sni), who are leading this charge. ESNI requires changes to be standardised and implemented by browsers before it works, and is a moot gesture so long as DNS queries are still unencrypted. But there is a solution to that DNS problem – two, in fact: DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT). For the purposes of atrocious journalistic oversimplification, let’s say that these two are similar, but that DoH looks like regular web traffic so is much harder for ISPs to filter.

DoH can be implemented in a number of ways. We talked about using Dnscrypt-proxy in our Harden Mint feature in LXF247. If you missed it, that sets up a local DNS server that takes regular DNS queries and proxies them to an external resolver, one that supports DoH – or the eponymous Dnscrypt protocol, which we won’t cover here. However, since we wrote that, Dnscrypt 2.0 has become the standard, and unfortunately it hasn’t made it into the Ubuntu 18.04 LTS repos (it’s in 19.04 though). So if you’re using the LTS you’ll need to use Andrei Shevchuk’s PPA to get the newer version, which is a matter of:

$ sudo add-apt-repository ppa:shevchuk/dnscrypt-proxy
$ sudo apt update

Then it can be installed with:

$ sudo apt install dnscrypt-proxy

We can then point our DNS queries to our local resolver via NetworkManager. To do this, go to the Settings screen and find your wired or wireless network. If the Method drop-down is set to Automatic, change it to ‘Automatic (Addresses only)’, which will still use DHCP to request an IP address from your router, but will ignore what it (and your ISP) tells you to use for DNS. In the DNS box enter 127.0.2.1 – the address Dnscrypt-proxy listens on – and then restart your network by disconnecting and reconnecting. You can check that these settings have taken effect by visiting one of any number of DNS leak test websites. Many of these will try to sell you a VPN, so let’s go with https://dnsleaktest.com, which won’t. It’s an interesting experiment to revert these DNS changes, find your ISP’s DNS settings, then change your DNS server to a public one such as 1.1.1.1 and run the test again, to see if your ISP or some other malevolent creature is hijacking your DNS requests.
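Before reaching for a leak test website, it is worth checking locally that the machine really has been told to use the dnscrypt-proxy listener. The following POSIX shell script is an added example, not code from the article or from the Dnscrypt-proxy project: it classifies the nameserver lines of a resolv.conf-style file, using the 127.0.2.1 listener address given above. It also knows about 127.0.0.53, the systemd-resolved stub that Ubuntu 18.04 puts in /etc/resolv.conf; when only the stub is listed, the file alone cannot tell you where queries go and you need `systemd-resolve --status` (or `resolvectl status`) instead. The three sample resolv.conf files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the Linux Format article. Checks the resolver
# configuration of a machine set up as described above. Assumptions:
# dnscrypt-proxy listens on 127.0.2.1 (the address the article uses) and
# 127.0.0.53 is the systemd-resolved stub used by Ubuntu 18.04.

DNSCRYPT_ADDR="127.0.2.1"     # where NetworkManager was pointed above
STUB_ADDR="127.0.0.53"        # systemd-resolved stub; real upstreams hidden behind it

# resolver_state FILE: classify the nameserver lines of a resolv.conf-style file.
# Prints exactly one word:
#   upstream - at least one nameserver is neither dnscrypt-proxy nor the stub, so
#              plain UDP queries can still go to the DHCP/ISP resolver
#   stub     - only the systemd-resolved stub is listed; inconclusive, inspect
#              `systemd-resolve --status` (or `resolvectl status`) instead
#   local    - every nameserver is the dnscrypt-proxy listener
#   none     - no nameserver lines at all
resolver_state() {
    file="$1"
    local_seen=0
    stub_seen=0
    upstream_seen=0
    # `|| [ -n "$key" ]` still processes a last line that lacks a newline
    while read -r key value rest || [ -n "$key" ]; do
        [ "$key" = "nameserver" ] || continue   # skip comments, search, options
        case "$value" in
            "$DNSCRYPT_ADDR") local_seen=1 ;;
            "$STUB_ADDR")     stub_seen=1 ;;
            *)                upstream_seen=1 ;;
        esac
    done < "$file"
    if [ "$upstream_seen" -eq 1 ]; then
        echo upstream
    elif [ "$stub_seen" -eq 1 ]; then
        echo stub
    elif [ "$local_seen" -eq 1 ]; then
        echo local
    else
        echo none
    fi
}

# write_samples DIR: create three constructed resolv.conf files (demo/test input)
write_samples() {
    dir="$1"
    # the happy case: only the dnscrypt-proxy listener
    printf 'nameserver %s\n' "$DNSCRYPT_ADDR" > "$dir/dnscrypt.conf"
    # a leak: NetworkManager still kept the router's DHCP-supplied resolver
    printf '# Generated by NetworkManager\nsearch lan\nnameserver 192.168.1.1\nnameserver %s\n' \
        "$DNSCRYPT_ADDR" > "$dir/leaking.conf"
    # the systemd-resolved stub: inconclusive on its own
    printf 'nameserver %s\noptions edns0\n' "$STUB_ADDR" > "$dir/stub.conf"
}

# Demo on the constructed samples, then on the live system if the file is readable.
demo() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    for f in dnscrypt leaking stub; do
        printf '%-18s %s\n' "$f.conf:" "$(resolver_state "$tmp/$f.conf")"
    done
    rm -rf "$tmp"
    if [ -r /etc/resolv.conf ]; then
        printf '%-18s %s\n' "/etc/resolv.conf:" "$(resolver_state /etc/resolv.conf)"
    fi
}

demo
```

Save it as check-resolver.sh and run `sh check-resolver.sh`. A result of `local` only shows that the system is asking dnscrypt-proxy; that the proxy itself answers can be confirmed with `dig @127.0.2.1 example.com`, and the leak test website then covers the upstream side, which is the part an intercepting ISP would be interested in.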

Know your onions

The Tor network, formerly The Onion Router, consists of thousands of volunteer-run PCs: there are about 1,000 bridges and 7,000 relays listed as of July 2019. These route connections past each other, with successive layers of encryption, to regular ‘clearweb’ addresses or Tor .onion URLs. These layers are removed on the return journey, completing a ‘circuit’, and it all makes for a system that’s very difficult to snoop on.

The simplest way to use the Tor network is to download the Tor Browser from www.torproject.org/download. On Linux it ships as an XZ-compressed tarball which you can extract with:

$ tar xvJf tor-browser-linux64-8.5.4_en-US.tar.xz

and then run it directly from the tor-browser_en-US/ directory. Because new releases happen fast and often urgently, and the Tor Browser ships in a fairly self-contained form, it doesn’t make sense to rely on a distribution’s packaging methods for distribution. The locally installed Tor Browser will keep itself up to date in your home directory in much the same way as Steam does if you let it. There’s much more to Tor than just the browser though: different applications can be proxied through Tor, similar to how connections can be tunnelled over SSH.

A browser is not an island (a profound insight… did you spend two weeks in a cave not writing this feature to come to this revelation? – Ed), and the operating system it’s running on can reveal all kinds of clues about how Tor Browser is used. So for what the shiny brochures call military-grade security, you need something special. Enter Tails, a distro you can boot from a USB stick that does not remember anything you do with it. Tails includes the Tor Browser, and the LXF DVD includes Tails. But you shouldn’t use it, at least not for anything other than curiosity.

Soon after we sent the DVD off to the Polish replicators, another Tails release (3.15) happened that fixed multiple vulnerabilities in the Tor Browser, Thunderbird and others. One of the vulnerabilities affecting the Tor Browser was discovered during – and in fact won the Browser category of – the Pwn2Own competition held in March. So you really shouldn’t trust the Tails on our DVD (3.14.2) with your private data. Of course, it’s entirely possible that between us writing this and you reading it there will be other issues and other releases, so follow our handy three-step guide below to download and install the latest edition.

NetworkManager integrates nicely with OpenVPN, so connecting to a commercial VPN is often just a matter of importing an OVPN file.

Every three months linuxformat.com has to get a new SSL certificate so that our viewers can continue to see this friendly green padlock.

Accessing Facebook over Tor (visit facebookcorewwwi.onion) might seem contradictory, but some regimes restrict access to social media.
