Showing posts with label chrome. Show all posts
Showing posts with label chrome. Show all posts

20 June 2013

459. Briefly: Proxies, browsing and paranoia

It's easy to configure Chrome to use Tor to preserve a semblance of privacy online (http://verahill.blogspot.com.au/2013/06/450-tor-and-chrome-on-debian.html). There are a few, simple things you can do to make your life with a proxy easier to manage.

This post presumes that you've followed this post first: http://verahill.blogspot.com.au/2013/06/450-tor-and-chrome-on-debian.html. In particular, that you have turned off pre-fetching.

In addition, you may want to think about the following:

Incognito mode
On the lower end of the scale, you may or may not want to use incognito mode consistently. This has little bearing on privacy online, but it depends on whether you want to leave traces on your computer of your browsing history. Although that should only be an issue if someone gets physical access to your computer, you never know if the next browser bug will give someone complete access to your history. Most likely it'll only provide metadata (which is what the NSA brouhaha has been mostly about).

Anyway, if you feel this is an important issue then you should probably be encrypting your disks with encfs as well.

Search engine
It's probably more important to rethink how you are using search engines in Chrome. First of all, you should turn off instant search. Secondly, you will want to consider whether you want to use google as the default search engine for queries in the URL field. Two main search engines come to mind: duckduckgo.com, and startpage.com. While duckduckgo.com has a higher profile, startpage.com is a bit more full-featured, and that's because it takes your query, anonymizes it, and passes it on to google. It's also based in Europe, which I (probably naively) feel is safer.

Go to startpage.com, and click on 'add to chrome' under the search box. Then set Startpage HTTPS as the default in Chrome:


Also consider making sure that google.com isn't your home page in chrome.

Proxy
Even though Tor works fine in general, it can be a bit slow, and you don't want to use it for everything anyway. There are times when you don't want to use a proxy. In my case, that's when I visit journal websites or my university websites. Also, I have set up a reverse proxy via my home router, and it's faster than Tor, so for a lot of things I'm fine with using that.

Switch ProxySharp supports the creation of rule-based proxy switching. In my case, I've set it so that if I use google, I use Tor. If I go to RSC, ACS, Wiley or Elsevier journals, I use my university connection, and for everything else, I use my home router.



You then just need to click your way through to the proxyswitcher alternative:
The icon will change colour depending on which proxy is active. Pretty neat!

12 June 2013

450. Tor and Chrome on Debian

Note:
* For the Tor bundle see http://verahill.blogspot.com.au/2013/05/408-briefly-tor-on-debian-quick-option.html
* For securing your dropbox, see http://verahill.blogspot.com.au/2013/04/398-securing-your-dropbox.html
* For encrypting your filesystem with encfs, see http://verahill.blogspot.com.au/2013/05/408-briefly-tor-on-debian-quick-option.html
* For one-time passwords (OTPW), see http://verahill.blogspot.com.au/2013/04/385-otpw-connecting-from-insecure.html
* For encryption in general using PGP/GPG, OTR, SRTP for chat, email, voice and video, see http://verahill.blogspot.com.au/2013/04/381-encrypting-chat-voice-video.html
* For truecrypt with dropbox, see http://verahill.blogspot.com.au/2012/04/using-truecrypt-with-dropbox.html

Post begins:
I think it's fair to say that online privacy is in the spotlight again, temporarily,  in particular if you are not living in the US. After all, the rest of the world is offered no protection from US agencies.

There are two levels of snooping that (can) go on:
Case 1:  outright intercept of communications
In this case your emails are read, your browsing data is intercepted and your phone conversations tapped. This is the most intrusive form, and I think even in the US a warrant is required for the intercept of this type of data (whether that's too easy of difficult to get is another question entirely).

Case 2: mining of 'meta-data'
In this case data such as recipient/sender of emails, URLs that you've been visiting, and whom you have been calling/called by are collected. In addition, e.g. cell phone tower records can be collected to track your whereabouts 24/7.

While the contents of your conversations isn't known, your entire social and professional life can be charted.
As far as I understand this is what NSA has been engaging in. Likewise, knowing exactly where you are at any given point in time, a pretty detailed picture of your life can be painted.

Begin Rant
I don't have anything to hide, but I am not too keen on the government having better records of my life than I do myself. And I should be the one deciding what to share as long as the presumption of innocence holds.

Also, we're making the presumption that the government is benign, and as has been shown repeatedly, it isn't always. That goes for the US government, the UK government and just about any bloody imaginable government, and for a simple reason: the government is made up of people. In particular people who are keen on 'leading' i.e. controlling others. Even a benign despot is a despot.

There's no use being naive -- in either direction. There are legitimate reasons for clandestine organisations wanting to mine data, and there are legitimate reasons for why we should not give them a carte blanche.

Whether you use PGP/GPG or not won't affect the mining of meta-data. Nor will OTR, although it might in theory give you a somewhat better level of deniability (but not really).

Using PGP/GPG, OTR and encryption of data in general will only protect the content of your conversations, not the fact that they occurred. Not that it's easy getting people to start using encryption of their email, especially not since hotmail and gmail provided the final push into getting people to do all their email processing in the browser rather than using a more capable email client. Obviously Google would not be pleased if all communication was PGP encrypted, since this would create issues with targeted ads.

Finally, what really irks me is the fact that because John Doe won't use encryption -- or learn how to do it -- I also cannot use it. Instead we have to play according to the rules of the least technologically informed.
End Rant

Anyway. There are a few things you can do -- at least to make you feel better. Whether they have any real impact on your privacy depends on what other sources of information leakage there are in your life.

The simplest thing you can do is to do all your browsing anonymously, including setting up and checking your email. And the easiest way to do that is by using Tor.

It's easy enough to use the Tor Bundle, e.g. http://verahill.blogspot.com.au/2013/05/408-briefly-tor-on-debian-quick-option.html

However, I for some forsaken reason like using Chrome.

To set up Proxy SwitchySharp I'm following this post:
http://lifehacker.com/5614732/create-a-tor-button-in-chrome-for-on+demand-anonymous-browsing

NOTE: there are many layers to managing your privacy, and you're only as anonymous as your worst habits allow you to be. I'm a pessimist -- I think it is virtually impossible to protect yourself against a determined adversary. However, trying won't hurt.


Step 0. Block cookies by default and install an ad blocker

Cookies
Pretending to be anonymous won't help if you give the game away by exposing cookies that you acquired while surfing without Tor.

You'll be surprised how many websites require you to accept cookies -- however, it's up to you whether you want to put up with that. I only allow cookies with services that I've signed up to and that I trust. I refuse to allow in particular commercial sites to require cookies for me to simply visit.

In Chrome, go to Settings, Content Settings, and check:
* Block sites from setting any data
* Block third-party cookies and site data
* Clear cookies and other site and plug-in data when I close my browser

Disable:
* Allow local data to be set

You may want to restrict e.g. image loading, javascript, pop-ups, plugins etc. as well. It's down to you to weight inconvenience vs privacy.

Set Cookie and Site Data exceptions manually, and make sure to distinguish between Session Only and Allow.

Ads
Also, install e.g. simple adblock:
https://chrome.google.com/webstore/search/simple%20adblock



Step 1. Install the HTTPS everywhere extension
https://chrome.google.com/webstore/search/https%20everywhere?hl=en-GB



Step 2. Install Proxy SwitchySharp
https://chrome.google.com/webstore/search/proxy%20switchysharp?hl=en-GB

Set up a profile called Tor to use SOCK 5 with 127.0.0.1:9050
Go to the General Tab and enable Quick Switch.
Make sure to drag both Tor and Direct Connection into the Quick Switch field.



Step 3. Install Tor and Vidalia
Add the following to your /etc/apt/sources.list
deb http://deb.torproject.org/torproject.org wheezy main

Then do
sudo apt-get update
sudo apt-get install deb.torproject.org-keyring
sudo apt-get update
sudo apt-get install vidalia

Tor should run in the background whether you start Vidalia or not.

Step 4. Prevent DNS leaks:
[for fun, do
sudo apt-get install tcpdump
sudo tcpdump -pni eth0 'port domain'
before turning off prefetching. ]

To make sure that your DNS requests aren't being read (i.e. providing meta-data to your ISP), you will need to turn of DNS pre-fetching in Chrome.

Google is sneaky about it though -- to turn off prefetching go to Settings/Under the Bonnet and uncheck "Predict network actions to improve page load performance".

[If you set up tcpdump before you'll see how suddenly the IPs and URLs stop streaming by.]


Step 5. Start Tor/Vidalia
You don't seem to be able to launch Vidalia from the terminal, so launch Vidalia from within e.g. gnome.
In fact, you probably don't have launch vidalia as Tor should be run in the background.
Then open Chrome and navigate to e.g. whatsmyip.org or ipchicken.com:


You can turn on and off the proxy by clicking on the icon in the top right corner.

Step 6. Enable private browsing:
You don't want to risk one website being able to see what another website left behind. It shouldn't happen, but it has happened in the past.

Anyway, it's easy: open an Incognito window (ctrl + shift + N).


Done.
As far as I can tell this should give you some privacy. However, the question is how effective this is in the long run since it's difficult to maintain enough discipline to prevent any information leakage to occur.

04 May 2012

134. Introducing a CA certificate in debian

So, for some reason you've been issued a CA certificate. Now what?

I've presumed that you've somehow downloaded both the root certificate (cacert.crt) and your personal certificate (usercert.pem). You'll need both.


Openssl

Convert to .p12
openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out usercert.p12

Verify
You can verify your issued certificate, e.g.
openssl verify  -CAfile ~/Downloads/cacert.crt ~/.globus/usercert.pem


Browsers:

Iceweasel/Firefox 
Go to Edit, Preferences, Advanced, Encryption: View certificates. Click import under Your Certificates and select your usercert.p12 (see above for conversion).  Got to servers, import cacert.crt.

Make sure that your cert authority shows up under the authority tab (otherwise try importing cacert.crt). Highlight the relevant authority, and click on edit trust: select the relevant fields of identification (e.g. website and/or email).


Chrome/Chromium
Click on the spanner icon, go to Settings, Under the bonnet, Manage Certificates and select Import under Your Certificates. Click on server, import the cacert.crt. Approve the certificate authority for the intended uses of the certificate. If you did it already in firefox it may have carried over.


Email:

Evolution
First go to Edit, Preferences, scroll down to Certificates and import your certificate and, under authorities, import the root certificate (cacert.crt).

Under the Authorities tab, select the issuing authority, click on edit and set the trust level (probably all)


Next, go to Edit, Preferences, Mail Accounts, Select an account and click on Edit. Select the Security tab


Repeat this for all accounts you want to use this certificate with.

Test it:


Send it. Receive it.

If all is correct, this is what greets you

If you don't add the certificate authority as being trusted -- and this will be the case for some of your recipients, this is what you see. Signature no good.


Thunderbird
Go to Edit, Account Settings... and under each account click on Security, then on View Certificates -- import your certificate and the issuing authority's certificate here, or you won't be able to Select the certificates under Digital Signing and Encryption.

Also, under View Certificates, highlight the certificate authority and select Edit Trust -- click on Edit CA trust, select website, mail etc., then select I do trust...
I presume that you do trust the authority or this is an exercise in futility.
You need to do this for ALL accounts that you intend to use, or you'll run into trust issues.

You can select/de-select signing when composing using the S/MIME menu.

If all goes well, users which also have the same certificate authority listed as trusted (probably not the case, but whatever) will see a sealed envelope (this message has been signed by pgp as well as S/MIME:

19 April 2012

119. Installing sun java/Oracle java in debian

Update 23 March 2013:  the java.com file isn't distributed as a .bin file anymore. Just replace all instances of .bin with .tar.gz and it works just as well.

This basically follows http://sylvestre.ledru.info/blog/sylvestre/2012/02/29/java_package_replacement_of_sun_java6

While a few applications (Grix and Grisu) I was playing with which require java 1.5 or better should work fine with openjdk-7 (1.6.0_24), they didnt. I had to run it using binary packages which I downloaded from java.com and then installed locally.

I'd like a better solution, and here it is:

1. sudo apt-get install java-package

2. Download the java files from java.com, e.g. jre-6u31-linux-x64.bin or jre-7u17-linux-x64.tar.gz
http://java.com/en/download/manual.jsp?locale=en

3. Make-jpkg
Run make-jpkg on the downloaded file, whether it's ending in .bin or .tar.gz:

make-jpkg jre-6u31-linux-x64.bin
Create debian package:
    dh_testdir
    dh_testroot
    dh_installchangelogs
    dh_installdocs
    dh_compress
    dh_fixperms
    dh_installdeb
    dh_shlibdeps
dpkg-shlibdeps: warning: Can't extract name and version from library name `libjvm.so'
[..]
dpkg-shlibdeps: warning: Can't extract name and version from library name `libjvm.so'
[..]
dpkg-shlibdeps: warning: Can't extract name and version from library name `libjli.so'
dpkg-shlibdeps: warning: package could avoid a useless dependency if /tmp/make-jpkg.9XTCruNvKM/install/usr/lib/jvm/j2re1.6-oracle/lib/amd64/native_threads/libhpi.so /tmp/make-jpkg.9XTCruNvKM/install/usr/lib/jvm/j2re1.6-oracle/lib/amd64/libjava.so /tmp/make-jpkg.9XTCruNvKM/install/usr/lib/jvm/j2re1.6-oracle/lib/amd64/libdt_socket.so /tmp/make-jpkg.9XTCruNvKM/install/usr/lib/jvm/j2re1.6-oracle/lib/amd64/libnet.so /tmp/make-jpkg.9XTCruNvKM/install/usr/lib/jvm/j2re1.6-oracle/bin/javaws /tmp/make-jpkg.9XTCruNvKM/install/usr/lib/jvm/j2re1.6-oracle/lib/amd64/libhprof.so were not linked against libnsl.so.1 (they use none of the library's symbols).
dpkg-shlibdeps: warning: package could avoid a useless dependency if /tmp/make-jpkg.9XTCruNvKM/install/usr/lib/jvm/j2re1.6-oracle/lib/amd64/libjawt.so was not linked against libmawt.so (it uses none of the library's symbols).
    dh_gencontrol
    dh_md5sums
    dh_builddeb
dpkg-deb: building package `oracle-j2re1.6' in `/tmp/make-jpkg.9XTCruNvKM/oracle-j2re1.6_1.6.0+update31_amd64.deb'.
    copy oracle-j2re1.6_1.6.0+update31_amd64.deb into directory /home/me/Downloads/
The Debian package has been created in the current directory. You can
install the package as root (e.g. dpkg -i oracle-j2re1.6_1.6.0+update31_amd64.deb). 
4. sudo dpkg -i oracle-j2re1.6_1.6.0+update31_amd64.deb 
Selecting previously unselected package oracle-j2re1.6.
(Reading database ... 561777 files and directories currently installed.)
Unpacking oracle-j2re1.6 (from oracle-j2re1.6_1.6.0+update31_amd64.deb) ...
Setting up oracle-j2re1.6 (1.6.0+update31) ...
update-alternatives: using /usr/lib/jvm/j2re1.6-oracle/bin/ControlPanel to provide /usr/bin/ControlPanel (ControlPanel) in auto mode.
update-alternatives: using /usr/lib/jvm/j2re1.6-oracle/lib/amd64/libnpjp2.so to provide /usr/lib/iceweasel/plugins/libjavaplugin.so (iceweasel-javaplugin.so) in auto mode.
update-alternatives: using /usr/lib/jvm/j2re1.6-oracle/lib/amd64/libnpjp2.so to provide /usr/lib/chromium/plugins/libjavaplugin.so (chromium-javaplugin.so) in auto mode.

5a. sudo update-alternatives --config java
There are 5 choices for the alternative java (providing /usr/bin/java).

  Selection    Path                                            Priority   Status------------------------------------------------------------* 0            /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/java   1061      auto mode  1            /usr/bin/gij-4.4                                 1044      manual mode  2            /usr/bin/gij-4.6                                 1046      manual mode  3            /usr/lib/jvm/j2re1.6-oracle/bin/java             314       manual mode  4            /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/java   1061      manual mode  5            /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java   1051      manual modePress enter to keep the current choice[*], or type selection number: 3update-alternatives: using /usr/lib/jvm/j2re1.6-oracle/bin/java to provide /usr/bin/java (java) in manual mode.
5b. 
 sudo update-alternatives --config javaws


There are 2 choices for the alternative javaws (providing /usr/bin/javaws).
  Selection    Path                                              Priority   Status
------------------------------------------------------------
* 0            /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/javaws   1061      auto mode
  1            /usr/lib/jvm/j2re1.6-oracle/bin/javaws             314       manual mode
  2            /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/javaws   1061      manual mode
Press enter to keep the current choice[*], or type selection number: 1
update-alternatives: using /usr/lib/jvm/j2re1.6-oracle/bin/javaws to provide /usr/bin/javaws (javaws) in manual mode.
update-alternatives: warning: skip creation of /usr/share/man/man1/javaws.1.gz because associated file /usr/lib/jvm/j2re1.6-oracle/man/man1/javaws.1.gz (of link group javaws) doesn't exist.



6.  Verification
java -version
java version "1.6.0_31"
Java(TM) SE Runtime Environment (build 1.6.0_31-b04)
Java HotSpot(TM) 64-Bit Server VM (build 20.6-b01, mixed mode)
Go to http://java.com/en/download/installed.jsp


Iceweasel worked fine at this stage.

7. To get Chrome to work I did the following:
sudo updatedb
locate libjavaplugin.so
/usr/lib/chromium/plugins/libjavaplugin.so
/usr/lib/iceweasel/plugins/libjavaplugin.so
/usr/lib/mozilla/plugins/libjavaplugin.so
 ls -lah /usr/lib/chromium/plugins/libjavaplugin.so etc.
/usr/lib/chromium/plugins/libjavaplugin.so -> /etc/alternatives/chromium-javaplugin.so
/usr/lib/iceweasel/plugins/libjavaplugin.so -> /etc/alternatives/iceweasel-javaplugin.so
/usr/lib/mozilla/plugins/libjavaplugin.so -> /etc/alternatives/mozilla-javaplugin.so
ls -lah /etc/alternatives/chromium-javaplugin.so etc.
/etc/alternatives/chromium-javaplugin.so -> /usr/lib/jvm/j2re1.6-oracle/lib/amd64/libnpjp2.so
/etc/alternatives/iceweasel-javaplugin.so -> /usr/lib/jvm/j2re1.6-oracle/lib/amd64/libnpjp2.so
/etc/alternatives/mozilla-javaplugin.so -> /usr/lib/jvm/java-6-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so
sudo rm /etc/alternatives/mozilla-javaplugin.so
sudo ln -s /usr/lib/jvm/j2re1.6-oracle/lib/amd64/libnpjp2.so /etc/alternatives/mozilla-javaplugin.so


And you're done.



Links to this post:
https://www.linuxquestions.org/questions/debian-26/which-java-for-wheezy-4175469043/