12 June 2013

450. Tor and Chrome on Debian

Note:
* For the Tor bundle see http://verahill.blogspot.com.au/2013/05/408-briefly-tor-on-debian-quick-option.html
* For securing your dropbox, see http://verahill.blogspot.com.au/2013/04/398-securing-your-dropbox.html
* For encrypting your filesystem with encfs, see http://verahill.blogspot.com.au/2013/05/408-briefly-tor-on-debian-quick-option.html
* For one-time passwords (OTPW), see http://verahill.blogspot.com.au/2013/04/385-otpw-connecting-from-insecure.html
* For encryption in general using PGP/GPG, OTR, SRTP for chat, email, voice and video, see http://verahill.blogspot.com.au/2013/04/381-encrypting-chat-voice-video.html
* For truecrypt with dropbox, see http://verahill.blogspot.com.au/2012/04/using-truecrypt-with-dropbox.html

Post begins:
I think it's fair to say that online privacy is in the spotlight again, temporarily,  in particular if you are not living in the US. After all, the rest of the world is offered no protection from US agencies.

There are two levels of snooping that (can) go on:
Case 1:  outright intercept of communications
In this case your emails are read, your browsing data is intercepted and your phone conversations tapped. This is the most intrusive form, and I think even in the US a warrant is required for the intercept of this type of data (whether that's too easy of difficult to get is another question entirely).

Case 2: mining of 'meta-data'
In this case data such as recipient/sender of emails, URLs that you've been visiting, and whom you have been calling/called by are collected. In addition, e.g. cell phone tower records can be collected to track your whereabouts 24/7.

While the contents of your conversations isn't known, your entire social and professional life can be charted.
As far as I understand this is what NSA has been engaging in. Likewise, knowing exactly where you are at any given point in time, a pretty detailed picture of your life can be painted.

Begin Rant
I don't have anything to hide, but I am not too keen on the government having better records of my life than I do myself. And I should be the one deciding what to share as long as the presumption of innocence holds.

Also, we're making the presumption that the government is benign, and as has been shown repeatedly, it isn't always. That goes for the US government, the UK government and just about any bloody imaginable government, and for a simple reason: the government is made up of people. In particular people who are keen on 'leading' i.e. controlling others. Even a benign despot is a despot.

There's no use being naive -- in either direction. There are legitimate reasons for clandestine organisations wanting to mine data, and there are legitimate reasons for why we should not give them a carte blanche.

Whether you use PGP/GPG or not won't affect the mining of meta-data. Nor will OTR, although it might in theory give you a somewhat better level of deniability (but not really).

Using PGP/GPG, OTR and encryption of data in general will only protect the content of your conversations, not the fact that they occurred. Not that it's easy getting people to start using encryption of their email, especially not since hotmail and gmail provided the final push into getting people to do all their email processing in the browser rather than using a more capable email client. Obviously Google would not be pleased if all communication was PGP encrypted, since this would create issues with targeted ads.

Finally, what really irks me is the fact that because John Doe won't use encryption -- or learn how to do it -- I also cannot use it. Instead we have to play according to the rules of the least technologically informed.
End Rant

Anyway. There are a few things you can do -- at least to make you feel better. Whether they have any real impact on your privacy depends on what other sources of information leakage there are in your life.

The simplest thing you can do is to do all your browsing anonymously, including setting up and checking your email. And the easiest way to do that is by using Tor.

It's easy enough to use the Tor Bundle, e.g. http://verahill.blogspot.com.au/2013/05/408-briefly-tor-on-debian-quick-option.html

However, I for some forsaken reason like using Chrome.

To set up Proxy SwitchySharp I'm following this post:
http://lifehacker.com/5614732/create-a-tor-button-in-chrome-for-on+demand-anonymous-browsing

NOTE: there are many layers to managing your privacy, and you're only as anonymous as your worst habits allow you to be. I'm a pessimist -- I think it is virtually impossible to protect yourself against a determined adversary. However, trying won't hurt.


Step 0. Block cookies by default and install an ad blocker

Cookies
Pretending to be anonymous won't help if you give the game away by exposing cookies that you acquired while surfing without Tor.

You'll be surprised how many websites require you to accept cookies -- however, it's up to you whether you want to put up with that. I only allow cookies with services that I've signed up to and that I trust. I refuse to allow in particular commercial sites to require cookies for me to simply visit.

In Chrome, go to Settings, Content Settings, and check:
* Block sites from setting any data
* Block third-party cookies and site data
* Clear cookies and other site and plug-in data when I close my browser

Disable:
* Allow local data to be set

You may want to restrict e.g. image loading, javascript, pop-ups, plugins etc. as well. It's down to you to weight inconvenience vs privacy.

Set Cookie and Site Data exceptions manually, and make sure to distinguish between Session Only and Allow.

Ads
Also, install e.g. simple adblock:
https://chrome.google.com/webstore/search/simple%20adblock



Step 1. Install the HTTPS everywhere extension
https://chrome.google.com/webstore/search/https%20everywhere?hl=en-GB



Step 2. Install Proxy SwitchySharp
https://chrome.google.com/webstore/search/proxy%20switchysharp?hl=en-GB

Set up a profile called Tor to use SOCK 5 with 127.0.0.1:9050
Go to the General Tab and enable Quick Switch.
Make sure to drag both Tor and Direct Connection into the Quick Switch field.



Step 3. Install Tor and Vidalia
Add the following to your /etc/apt/sources.list
deb http://deb.torproject.org/torproject.org wheezy main

Then do
sudo apt-get update
sudo apt-get install deb.torproject.org-keyring
sudo apt-get update
sudo apt-get install vidalia

Tor should run in the background whether you start Vidalia or not.

Step 4. Prevent DNS leaks:
[for fun, do
sudo apt-get install tcpdump
sudo tcpdump -pni eth0 'port domain'
before turning off prefetching. ]

To make sure that your DNS requests aren't being read (i.e. providing meta-data to your ISP), you will need to turn of DNS pre-fetching in Chrome.

Google is sneaky about it though -- to turn off prefetching go to Settings/Under the Bonnet and uncheck "Predict network actions to improve page load performance".

[If you set up tcpdump before you'll see how suddenly the IPs and URLs stop streaming by.]


Step 5. Start Tor/Vidalia
You don't seem to be able to launch Vidalia from the terminal, so launch Vidalia from within e.g. gnome.
In fact, you probably don't have launch vidalia as Tor should be run in the background.
Then open Chrome and navigate to e.g. whatsmyip.org or ipchicken.com:


You can turn on and off the proxy by clicking on the icon in the top right corner.

Step 6. Enable private browsing:
You don't want to risk one website being able to see what another website left behind. It shouldn't happen, but it has happened in the past.

Anyway, it's easy: open an Incognito window (ctrl + shift + N).


Done.
As far as I can tell this should give you some privacy. However, the question is how effective this is in the long run since it's difficult to maintain enough discipline to prevent any information leakage to occur.

No comments:

Post a Comment