Saturday, 20 February 2010

How-to: Preserve Your Anonymity using TOR

Recently Google CEO Eric Schmidt declared the death of privacy on the internet and dismissed concerns saying “...if you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place.” [CNBC: “Inside the Mind of Google” special http://insidegoogle.cnbc.com/ ]. So now we know. Private equals secret equals bad. Like the pro-surveillance advocates say, privacy's only function is to obscure lawbreaking: “if you've done nothing wrong, you've got nothing to worry about.” Right?
Wrong...

Do I Need Anonymity?
What do I need to keep private? It's not just overbearing oligarchs assuming they have a divine right to your data. Between hacking, cracking, phishing, traffic analysis, traffic trolling, 'cookie leakage' and a host of other threats, it's getting difficult to keep anything private on the internet lately. Google stores all your searches and can associate them with your IP address, as can your ISP. Worried about back-traces from your electronic banking site, subscription sites, shopping sites? What about personal topics such as your medical matters or therapy?

Part of the solution may be the use of anonymized routing through The Onion Router: TOR is a network of volunteer servers through which encrypted traffic is randomly routed so as to be (mostly) untraceable back to the originator.

A quick reality check: there is a difference between privacy and secrecy. TOR is not a licence for piracy, dishing out personal or libellous abuse, bullying, stalking, grooming or illegal hacking. TOR, like alcohol, should be used responsibly.

Sermon over.

How it Works
Every time you issue an HTTP request over TCP, your own IP address is embedded in the packets sent and received. These days any half-wit with a packet sniffer can do a reasonable job of intercepting and inspecting your traffic over the public internet. TOR is a toolset used to help anonymize your internet traffic: web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. TOR is based on a distributed network, in which AES-encrypted traffic takes a random, multi-layered pathway through several servers (proxies), hence the onion-layering analogy. Once inside a TOR network, the traffic is sent from router to router, negotiating a virtual circuit through the network. It is a method that covers your tracks so no observer at any single point can identify the origin or destination.

A user of the TOR network runs a proxy server on their computer. Internet-facing software can then access TOR through a SOCKS interface, ultimately reaching an exit node at which point the unencrypted packet is forwarded on to its intended destination. Viewed from the destination, the traffic appears to originate at the TOR exit node.

How anonymous am I?
As per the Electronic Frontier Foundation, the original sponsors of TOR: “...using TOR can help you remain anonymous while Web browsing, instant messaging, using IRC, SSH, or other applications which use the TCP protocol.” It doesn't guarantee complete privacy.

Bear in mind the national and international security services can break TOR privacy if they need to, so be good: don't get on their hit-list!

What's the catch?
Performance. Masking traffic through TOR adds layers of encryption and proxy servers through which your HTTP requests and data packets are redirected. Browsing through an anonymizing proxy will always slow down your connection. Pay the price with patience. Secondly, you may not get sole access to a given virtual TOR circuit, so your destination site may see you as just one of several links originating from the same exit node IP address. This can mess up session identification and verification.

Now we know what it is, how do we get it?

The TOR How-to
1. Update your repositories source list to include the TOR project, either through Synaptic (System > Administration > Synaptic Package Manager, then Settings > Repositories > Other Software > Add)

or in a terminal session:
sudo gedit /etc/apt/sources.list

adding:
deb http://deb.torproject.org/torproject.org karmic main
deb-src http://deb.torproject.org/torproject.org karmic main

2. Get the signing key for the deb.torproject.org repository (to ensure you don't get a hacked version of TOR!):
gpg --keyserver keys.gnupg.net --recv-keys A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
sudo apt-get update
sudo apt-get upgrade

3. Install TOR and Privoxy from the package manager or:
sudo apt-get install tor tor-geoipdb
sudo apt-get install privoxy

4. Configure Privoxy
Edit the configuration file in your favourite editor:
sudo gedit /etc/privoxy/config

Add the following line to set up the SOCKS interface on your machine (anywhere in the file, but it must include the trailing space and period):
forward-socks4a / localhost:9050 .

5. Start TOR and Privoxy
Run in a terminal (or you could put these three lines in a bash script):
sudo /etc/init.d/tor start
sudo /etc/init.d/privoxy start

# Check that the service is running on port 9050
netstat -a | grep 9050

# You should see the following output:
# tcp 0 0 localhost:9050 *:* LISTEN
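
A check that steps 2 and 4 took effect, as an added example that is not part of the original post: it compares the imported key's full fingerprint with the one given in step 2 (so a different key sharing the short ID 886DDD89, the last eight hex digits of that fingerprint, is caught) and confirms the Privoxy forward line is present and complete. The function names are this example's own, and accepting 127.0.0.1 in place of localhost is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): verify steps 2 and 4.
# Full fingerprint exactly as printed in step 2 of the how-to.
EXPECTED_FPR="A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89"

# Reads `gpg --with-colons --fingerprint <id>` output on stdin. Succeeds only
# if at least one primary key is listed and every one has EXPECTED_FPR, so a
# second key that merely shares the short ID makes the check fail.
key_fingerprint_ok() {
    awk -F: -v want="$EXPECTED_FPR" '
        $1 == "pub" { after_pub = 1; next }
        $1 == "fpr" && after_pub {
            seen++
            if ($10 != want) { bad++ }
            after_pub = 0
        }
        END { exit !(seen >= 1 && bad == 0) }'
}

# privoxy_forward_ok FILE: succeeds if an uncommented line forwards every URL
# ("/") to Tor's SOCKS port and ends with the "." field that step 4 insists on.
# Accepting 127.0.0.1 as well as localhost is an assumption of this example.
privoxy_forward_ok() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "forward-socks4a" && $2 == "/" && $4 == "." &&
            ($3 == "localhost:9050" || $3 == "127.0.0.1:9050") { ok = 1 }
        END { exit !ok }' "$1"
}

# Run the checks only where gpg and the Privoxy config from the how-to exist.
if command -v gpg >/dev/null 2>&1 && [ -r /etc/privoxy/config ]; then
    if gpg --with-colons --fingerprint 886DDD89 2>/dev/null | key_fingerprint_ok
    then echo "repo key: fingerprint matches"
    else echo "repo key: missing, or a different key shares the short ID"
    fi
    if privoxy_forward_ok /etc/privoxy/config
    then echo "privoxy: forwarding to Tor SOCKS port"
    else echo "privoxy: forward-socks4a line missing or malformed"
    fi
fi
```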

Supported Applications
We're not going into how to TOR-ify all your programs here. Not everything will run through TOR, but the TOR Wiki contains a list of proven programs at: http://wiki.noreply.org/noreply/TheOnionRouter/TorifyHOWTO#Howtotorifyseveralprograms

This includes web browsers, E-mail clients, Instant Messaging clients, Internet Relay Chat, Bittorrent and File Transfer.

Browsing under the TOR BUTTON
The short answer to anonymous browsing is to use Firefox 1.5 or above with Torbutton, Mike Perry's Firefox add-on.

  1. Go to Tools > Add-ons > Get add-ons in the top menu
  2. In the Search bar type torbutton, press enter.
  3. From the results, click the Add to Firefox button
  4. You will need to restart Firefox for the addon to take effect.

With this configuration, accessing ftp:// links should be safe for you: your Firefox will safely use Tor directly as a SOCKS proxy when accessing these links.

Update TOR button security settings
You will have to override Firefox's own proxy settings within:
Edit > Preferences > Advanced (tab) > Settings (button) > Connection Settings (dialog)

When it's working, Tor should report:
'successfully opened a circuit. Looks like client functionality is working.'
You can check in the browser by opening a new tab or window to invoke TOR routing and going to: https://check.torproject.org/

Your visual clue is on the status bar displaying the message “Tor enabled,” bottom-right.


Graphical TOR control application: Vidalia
Vidalia is an additional program for configuring and managing TOR. The Vidalia package is in the repositories.

Common Faults
If Torbutton refuses to start TOR or you get no confirmation from the check page:
  1. Make sure TOR and Privoxy are both running. If you're using Vidalia, you may have to click on the onion and select "Start" to launch TOR.
  2. Disable other proxy tools such as FoxyProxy whose settings may override TOR.
  3. Did you configure your web browser to use an HTTP proxy on port 8118? Torbutton usually manages this, but check settings as per the screenshots.
  4. Check your system clock. If it's more than a few hours off, TOR will refuse to build virtual circuits.
  5. Is your Internet connection firewalled, or do you normally need to use a proxy? Local firewall rules can prevent some connections to localhost and ports 8118 or 9050.
  6. Foreign language pages and/or Google search: some sites such as Google use 'geolocation' to determine where in the world you are, setting the language they think you prefer and providing different results for your queries. While this is not necessarily a bad thing, you can reset the language by specifying the domain country code suffix: google.com for default English, .fr, .de and so on.
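
Faults 1, 3 and 5 above can be narrowed down from the listening sockets, shown here as an added example that is not part of the original post: it reads netstat -ltn output and reports, for ports 9050 and 8118, whether the proxy listens on loopback only, on a non-loopback address, or not at all. The function names and the three state labels are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): classify who can reach the two
# proxy ports from the how-to, given `netstat -ltn` output on stdin.
# listener_state PORT prints one of: loopback | exposed | absent
listener_state() {
    awk -v port="$1" '
        $NF != "LISTEN" { next }              # skip headers and other states
        {
            n = split($4, part, ":")          # local address is field 4
            if (part[n] != port) next
            host = substr($4, 1, length($4) - length(part[n]) - 1)
            if (host == "localhost" || host == "::1" || host ~ /^127\./) {
                lo = 1                        # reachable from this machine only
            } else {
                ex = 1                        # 0.0.0.0, ::, or a LAN address
            }
        }
        END { print (ex ? "exposed" : (lo ? "loopback" : "absent")) }'
}

# diagnose: reads netstat output once and reports on both ports.
# 9050 is Tor's SOCKS port, 8118 the Privoxy HTTP proxy port.
diagnose() {
    out=$(cat)
    for p in 9050 8118; do
        printf '%s %s\n' "$p" "$(printf '%s\n' "$out" | listener_state "$p")"
    done
}

# Run against the live socket table where netstat is installed.
if command -v netstat >/dev/null 2>&1; then
    netstat -ltn 2>/dev/null | diagnose
fi
```

"absent" points at fault 1 (service not started), while "exposed" means other machines on the network can use the proxy, which the localhost-only output shown in step 5 rules out.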
RC

Resources
Official Ubuntu TOR guide: https://help.ubuntu.com/community/TOR
Official TOR Project site: https://www.torproject.org/
'Check TOR' test page: https://check.torproject.org/
