Welcome back for Part 2! I know, it’s been a long time coming. If you haven’t already, check out part 1 of this series before continuing.
All of the disclaimers given at the start of part 1 remain in full force. Without further ado…
- Use Firefox for web browsing – Mozilla has no direct connection to any company taking part in PRISM (unlike Internet Explorer and Chrome).
- Use Firefox Extensions to add security – NoScript is a great little add-on that blocks scripts from running, thus helping to prevent script-based attacks. HTTPS Finder and similar add-ons detect when a webpage has HTTPS (encrypted HTTP) and use it when available. This encrypts the connection between the site and your computer. Note that many sites have HTTPS, but the HTTPS version of the site may not be intended for public use, so formatting issues, loading problems and errors are common.
- Use “private mode” in your web browser, particularly if using a public computer – it will leave no trace of your activity and will block any tracking cookies.
- Consider an alternate “private” search engine such as DuckDuckGo which claims not to keep any search records.
Now, the above tips help to secure and hide your activity to some extent, but they don’t hide your location. When you connect to the Internet you do so with an IP address that’s usually given out by your Internet Service Provider (ISP). That IP address is trackable and geographically identifying. Any website you visit can use your IP address to determine who your ISP is, as well as your approximate geographical location. So, how can you protect against this? Proxies and Virtual Private Networks (VPNs) are two worthy options.
The idea behind a proxy is pretty basic. Instead of going from point A to point B, you add a few additional points in between to cover up where your traffic actually originated. A popular example is Tor, which when used correctly sends all of your traffic into the Tor network where it bounces through different encrypted “nodes” before it is sent to the final destination. Tor is a good example of the sacrifices you must make for security as it works only when you use programs that are configured to send traffic through Tor. Tor offers their own browser for this reason. Tor will also cause some website security measures to go berserk. Facebook offers a security measure that would alert me whenever my account was accessed from an unrecognized location. Using Tor, I would get notifications that the account was accessed from Norway, Russia and other places around the world.
Tor also offers an app for Android called Orbot. My experience with Orbot has been mixed. When I used it last it was buggy and a battery hog, but I’ll have to try it again in light of recent events. Also, for the most benefit your phone needs to be rooted, as that will allow Orbot to route all traffic over the Tor network. In part 1 I recommended against this, but use judgment to weigh the risks and benefits for yourself.
Proxies are useful because they are generally cheap or free and offer a decent level of protection. However, it’s important to note that not all of your traffic is protected (only traffic sent through a program configured to use the proxy) and it is possible to identify that someone is using a proxy and track the activity since it is not always encrypted end-to-end.
The NSA has targeted Tor specifically in the past, but all information I’ve read indicates that their success has been extremely limited.
Virtual Private Network use is common in the business world as it’s often used by remote workers so that they can communicate with the company’s internal network from the comfort of their homes. Essentially a VPN connection is an encrypted tunnel established between two points – for example your laptop and your employer’s internal network. Once connected to the VPN, it is possible to send all traffic through it. This hides traffic from prying eyes and disguises its origin. From the outsider’s view, traffic sent over the VPN looks like it originates from whatever network you’ve established a VPN connection to. In this way, I can sit at my computer in the US and connect to a VPN in India and all traffic that I send shows an origination point of India. There are a number of VPN services available. It’s important to select a reputable one that does not keep any activity records which could potentially be seized by government officials. For this reason it’s best to select a VPN provider located outside of the US and pay with Bitcoin or another untraceable currency.
VPN does require some potentially complicated configuration. Using the VPN client in Windows with its default settings will not send all traffic over the VPN. It will only send traffic that is addressed to the network connected over the VPN. There is an option to use the default gateway of the remote network, which will send all traffic over the VPN. Be aware that this can cause issues. As with Tor, this will cause Facebook to report unrecognized activity. It will also cause issues with some websites that block VPNs and services that are subscription based such as Verizon FiOS TV. FiOS on demand, remote DVR and even the cable box guide will not work if the traffic outbound to these services traverses the VPN.
The most comprehensive way to enable VPN protection, and still be able to control specific traffic (such as that bound for FiOS) is to implement it on your network edge device. I’ve done this by replacing my ISP router with a spare computer running a pfSense firewall. Within pfSense I’ve configured my VPN service. In this way I can ensure that all traffic on my home network uses the VPN. All computers, tablets, smartphones and other Internet-connected devices are forced to use the VPN without having to configure each to do so on its own. Additionally, with pfSense I have the control to route specific traffic over my ISP’s gateway, rather than the VPN. This allows my FiOS box to retrieve guide information and on-demand programming – things it cannot do over the VPN.
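An added example, not part of the original post and not pfSense or Windows code, that models the two behaviours described above: how a client routing table decides whether traffic uses the VPN (split tunnel versus "use default gateway on remote network"), and how a source-based exception on the edge firewall sends one device out the ISP gateway. All addresses, metrics and the set-top box address are constructed assumptions.

```python
import ipaddress

net = ipaddress.ip_network

# Constructed addresses and metrics (RFC 5737 / RFC 1918), not taken from the post.
VPN_SERVER = "203.0.113.10"
SPLIT_TUNNEL = [                 # client defaults: only the remote network uses the VPN
    (net("0.0.0.0/0"), "isp", 25),
    (net("192.168.1.0/24"), "lan", 0),
    (net("10.8.0.0/24"), "vpn", 0),
]
FULL_TUNNEL = SPLIT_TUNNEL + [   # "use default gateway on remote network"
    (net("0.0.0.0/0"), "vpn", 5),         # lower metric beats the ISP default route
    (net(VPN_SERVER + "/32"), "isp", 0),  # the tunnel itself still rides the ISP link
]

def pick_route(dst, routes):
    """Longest-prefix match; ties go to the lowest metric."""
    ip = ipaddress.ip_address(dst)
    hits = [(n.prefixlen, -metric, iface) for n, iface, metric in routes if ip in n]
    return max(hits)[2] if hits else None

# Edge-firewall policy routing, simplified: the first rule whose source matches wins.
SET_TOP_BOX = "192.168.1.50"     # hypothetical LAN address for the FiOS box
POLICY = [
    (net(SET_TOP_BOX + "/32"), "isp"),  # exception: guide and on-demand traffic
    (net("192.168.1.0/24"), "vpn"),     # everything else on the LAN
]

def edge_gateway(src, policy):
    """Gateway chosen for a LAN source, or None if no rule matches."""
    ip = ipaddress.ip_address(src)
    return next((gw for n, gw in policy if ip in n), None)

def leaks(flows, policy):
    """Return the sources whose internet traffic does not go out via the VPN."""
    return sorted({src for src, _ in flows if edge_gateway(src, policy) != "vpn"})

if __name__ == "__main__":
    web = "198.51.100.7"         # constructed public destination
    print("split tunnel ->", pick_route(web, SPLIT_TUNNEL))
    print("full tunnel  ->", pick_route(web, FULL_TUNNEL))
    print("bypassing VPN:", leaks([("192.168.1.20", web), (SET_TOP_BOX, web)], POLICY))
```

Running the same `leaks` check against your real rule set is a quick way to confirm that the only devices bypassing the VPN are the ones you exempted on purpose.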
It’s very important to note that regardless of whether you use VPN or a proxy (or both) if you are sending unencrypted data, it will be visible after it leaves the VPN tunnel or the proxy cloud. If that unencrypted data contains identifying information the proxy or VPN will have been pointless if your goal was anonymity.
Run a Firewall
As I mentioned in the VPN section above, I replaced my ISP’s router with a PC that I constructed out of spare parts and a dual-port NIC specifically to run pfSense. Windows firewall ain’t gonna cut it. Doing this gives me ultimate control over data entering and exiting my network. I’m not going to get into the specifics of how to install pfSense and get it up and running. That information is easily found in other parts of the ‘net. Here are some of the key points as to why you should look into this option:
- Total network control – control all traffic in and out of your network
- Easy to implement network-wide VPN access.
- Configure your own VPN – I’ve set this up so that when I’m on the go I can access my home network from my phone. It also protects my communications if I’m using a public network, such as a wi-fi hotspot.
- pfBlocker – This awesome little add-on for pfSense utilizes blocklists to proactively block listed IPs from reaching your network. Available lists include p2p services, known malware networks and even the US government.
- The ability to roll out a decent intrusion detection/prevention system on the cheap.
I realize that this second part is being published more than 6 months after the first. The delay, in part, was due to my questioning if it was even worth writing. It seems that the NSA has reached into nearly every conceivable avenue for privacy online. They’ve cracked the most common methods of encryption used online. They’ve broken in (or been let in) to the internal networks of Google and Yahoo allowing collection of data inside those private networks. They have the ability to take full control of the Apple iPhone. They’ve even developed methods to access data on systems that aren’t connected to the Internet! I mention this because these revelations have me seriously considering the possible futility of this battle for online privacy. Given that, my opinion is that we should do what we can to protect our information but we should do so with the knowledge that if we were specifically targeted it’s unlikely that these measures would be sufficient.
Unless otherwise expressly stated, this work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Based on a work at http://www.considerliberty.com.