The state of personal liberty & anonymity on the Internet

A friend of mine recently asked me about using online proxy services to help his company gain a little bit of anonymity with some research they were doing on the net.  I almost dismissed his question in my mind as silly, mainly because I could not imagine at the time why he would want to use an anonymous proxy.  After he explained what he wanted to accomplish (questionable but legal) I had to reconcile in myself the implications of what he wanted.

For many years I have been aware of, researched and even used some of the proxy services that have popped up.  Years and years ago I, myself, set up several multi-hop proxies through fake shell accounts at universities, phished shells from IRC and a couple of ones I set up myself.  The whole thing back then was how far you could go to run a teardrop, Pepsi or smurf on a friend of yours.  I guess I could have used it for warez transport, but it was so damned slow there was no point at all – the BSA was going after disk copiers and not file tx’rs.  But I digress.

The fact of the matter is:  Anonymity is still very important on the web and with IPv6 we are about to lose a whole lot more of it if the powers that be have their way.  This begs the question – Are proxies today any good?  The best answer that I have come up with so far is:  It depends.  What are you trying to hide?  If you are trying to hide your browser’s user-agent string and your IP address, perhaps it may work if the site you are hitting and the proxy you are using follow certain rules.

The age of analytics

The Interwebs’ love for data these days is unmatched compared to previous years.  The implementation of analytical software/scripts like Google Analytics and WebTrends is very high -and- they are client based now.  This means that -if- you are using an HTTP/HTTPS based per-request proxy service it must filter out all scripts for analytics.  If it does not filter these out, the script will be delivered to the client and the client will make a new, potentially non-proxied, connection to the analytics service.

Flash is another way that people are using the client to do much of the heavy lifting these days.  Many people today still do not realize that the Flash application is not running on the server, but is delivered to the client to run on the client machine.  By running the Flash you explicitly give it permission to interact with your computer, your IP session and your browser.  Now depending on what browser you are running the range of data that can be exposed is very wide, but virtually all of it can be used to identify you individually as a user and then submit that data to another service.  These HTTP/HTTPS proxies do not mask the payload of the POST/GET, but only your browser requests and the IP address of origin.

Either way, HTTP/HTTPS proxies need to be very current on their methods of scraping out analytical scripts and tools or much of the point is moot.  Basic point:  Server logs are virtually dead now for mining user access.
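As an added illustration of the filtering job the two sections above describe (example code written for this article, not part of the original post or of any proxy product): an HTML rewriter that a per-request proxy could run on each response to drop analytics scripts, Flash/plugin containers and tracking pixels before the page reaches the client, reporting what it removed. The tracker host list covers only the two services named above, and the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRACKER_HOSTS = ("google-analytics.com", "webtrends.com")  # the article's examples
DROP_TAGS = ("script", "object", "embed")  # client-run code, Flash/plugin containers

def is_tracker(url):
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRACKER_HOSTS)

class TrackerFilter(HTMLParser):
    """Re-emit a page minus elements that reach a tracker or run plugin code."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.stripped, self.skip = [], [], None
    def handle_starttag(self, tag, attrs):
        if self.skip:                       # nested inside a dropped element
            return
        src = dict(attrs).get("src") or dict(attrs).get("data") or ""
        if tag in DROP_TAGS or (tag == "iframe" and is_tracker(src)):
            self.skip = tag                 # drop start tag, body and end tag
            self.stripped.append((tag, src))
        elif tag == "img" and is_tracker(src):
            self.stripped.append((tag, src))  # tracking pixel; has no end tag
        else:
            self.out.append(self.get_starttag_text())
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)    # <img .../>: no separate end tag
    def handle_endtag(self, tag):
        if not self.skip:
            self.out.append("</%s>" % tag)
        elif tag == self.skip:
            self.skip = None
    def handle_data(self, data):
        if not self.skip:
            self.out.append(data)
    # Re-emit character entities verbatim (doctype and comments are dropped).
    handle_entityref = lambda self, n: self.handle_data("&%s;" % n)
    handle_charref = lambda self, n: self.handle_data("&#%s;" % n)

def filter_page(html):
    """Return (filtered_html, [(tag, src) for every element removed])."""
    p = TrackerFilter()
    p.feed(html)
    p.close()
    return "".join(p.out), p.stripped

# Constructed sample page: hosts match the article's examples, URLs are made up.
SAMPLE = """<html><head><script src="http://www.google-analytics.com/ga.js"></script>
<script>_gat._getTracker("UA-PLACEHOLDER-1");</script></head><body><p>Hello &amp; welcome</p>
<object data="http://cdn.example.com/x.swf"></object><img src="http://stats.webtrends.com/dcs.gif"><img src="/logo.png"></body></html>"""
```

Running `filter_page(SAMPLE)` keeps the page text and the local image while removing both scripts, the Flash object and the WebTrends pixel; inline scripts are dropped too, since the proxy cannot tell a harmless one from a beacon.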

The single point of subpoena

Now let’s exclude HTTP/HTTPS based proxies and look at VPN based solutions.  Whether using a formal VPN product or OpenVPN, your client must be configured to use a centrally located service.  Virtually every VPN based proxy that I have seen uses a single set of IP addresses that are co-located with other identifiable services.  That means that either the provider becomes a target for subpoena and discovery, or the first time that it happens the ISP drops them because the other customers on that IP block complain about lost business.

That aside, VPN based proxies as well as client side application proxies function in very much the same way.  With a VPN proxy the traffic to *.*.*.* excluding your local LAN (hopefully) is routed through the secure VPN tunnel and then sent out of a centralized proxy server.  In the client side application model there is a driver that functions as a TCP wrapper which packages up your TCP traffic and forwards it to a third party for routing.  Either way, you must be connected to the proxy.  Being connected to a centralized server is problematic because during the exercise of a subpoena you can be identified explicitly AND your stateful traffic can be watched.  Forget about all of the advertisements that say that your traffic is “mixed with other users” – that is false.  Yes, your traffic is going out an aggregated egress circuit from the company, but they keep the state of your proxy request on the server.  This is a technical limitation they must have because of how proxy requests work.  If you are under investigation then the centralized proxy server that you have a VPN or client connection to is your weak link.  Tapping at the other end of the VPN tunnel (after decryption) results in all of the information an interested, motivated and snoopy entity needs to nail you to the wall.

The decentralized model

Decentralization is the only way that anonymous proxying can work properly.  The primary downside is, interestingly, that it is as slow as a snail asleep in winter.  A decentralized anonymous proxy creates a peer-to-peer system of computers, running “Exit Node” software, which publish themselves at random egress points on the Internet.  Your client then uses this diverse and semi-random network to drop various requests out to the Internet.  Take this model and then ensure that no series of requests exits the same portal and you can begin to imagine how a truly anonymous proxy network can be built.  If none of the “Exit Nodes” are configured for logging, then there are very few trails back to your computer for any specific series of requests.

Tor, for example, is a great model for the application of a decentralized anonymous proxy model.  In a Tor use case a request by a client application for a specific web page is made and exits out of a randomly selected Tor exit point.  The exit point then proxies the request and delivers the initial stream of data back to the requesting client.  In the HTML there are instructions for downloading additional bits of content (graphics, RSS feeds, etc.).  Each request for each bit of content exits out of a separate and usually random Tor exit node.  Since your request for content was decentralized among many peers, it is highly unlikely that any single transaction will be tracked back to your computer.

The catch with Tor, as with any client model, is when a client side application gathers data about you and then proactively sends that data out in a separate submission.  Since Tor controls the exit point but not the content, you can still unwittingly submit data about yourself to an interested party.   Thus the real model of true anonymity becomes one of strict client control in addition to the use of a decentralized proxy model.

A good example of this would be using Firefox with a Tor plugin running NoScript and AdBlock.  NoScript, on its highest setting, will prevent even a flash application from loading.   While this severely limits the browsing experience, it also significantly obfuscates your path.

Live operating systems

With the creation of net oriented operating systems we are moving closer and closer to a “BYOOS” model where you can bring your whole operating system/desktop with you to a dumb terminal.  The best option for doing this anonymously now is to build a LiveCD with Ubuntu or another similar distribution (including Damn Small Linux, or DSL).  You can make a CD-ROM if you want and keep your personal files on a USB stick – but even better is to build a LiveCD on one thumb drive partition and then keep data on another.  I carry a stick configured just this way in my backpack for occasions where I have hardware but want to use my own custom system without infringing on the host hard drive.  Using the USB method you can literally use any USB bootable computer to run a Tor entry point in Firefox with no logging or tracking.  Remove the thumb drive and crush/melt/throw it away and the possibility that your session can be tracked to you becomes virtually nil, except through physical surveillance.

Conclusion

Building, using and then torching your thumb drives is obviously a little bit alarmist (at least under normal circumstances) but the combination of options to keep prying eyes away from your projects or ideas is a good tool to have in your toolbox.  Having one tucked away will at the very least give you some level of freedom to explore interesting information on the Intertubes.  While not described above, there are many other additions you can use to increase the level of anonymity that you enjoy by employing the ideas in this article, such as GIF encoded torrents and ICMP tunneling – some of which I may post about later.

The final straw is:  True anonymity still comes with a hefty price tag, but it is not a monthly fee from a service; it is one of performance and availability.  The LiveCD systems and distributed proxies are still slow, and the Tor Exit Nodes that exist today are burdened with too many users and not enough end points.  While Tor is a manifestation of distributed anonymous proxies, there are still many hurdles to overcome including Exit Node harassment and raids, like this one, which scare users out of running an open node.

~ by JayZee on October 27, 2009.