Updated: Resources for Online Anonymity, Encryption, and Privacy
Last year, Herdict profiled some of the best ways to keep your digital self and data safe. Since then, a lot has changed both in terms of what you can do to protect your data and the ways various governments or agencies (i.e. PRISM) are trying to get to your data. No system is foolproof or totally undetectable, and maybe you think you’re already secure, but that’s no reason not to sharpen your digital security Kung Fu. Here’s an updated tutorial of resources and explanations for tools you can use to keep your data private online and safe while traveling. We have not tested all of these tools, and they may change after this article is published, so be sure to do your own research before trusting any third party with your data.
Make Better Passwords and Use Two-Factor Authentication
Studies have shown that people continue to use easy-to-guess passwords for even their most important digital services. In fact, the most popular passwords in 2012 were “password,” “123456,” and “12345678.” Try to come up with passwords that use a variety of letters, numbers, and special symbols whenever possible. Or use the Diceware approach to generating passphrases. TotalDefense also has some useful tips for creating strong passwords that are easy to remember.
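The Diceware approach mentioned above picks each word of a passphrase with five dice rolls against a 7,776-entry list. The following is an added example, not code from the original article or from the Diceware project; it shows the roll-to-word mapping and the resulting entropy. The word list is a constructed stand-in (an assumption) so the code runs offline, and the function names are hypothetical.

```python
import itertools
import math
import secrets

DICE_PER_WORD = 5                  # Diceware: five six-sided dice pick one word
LIST_SIZE = 6 ** DICE_PER_WORD     # 7776 entries in a full list

# Constructed stand-in for a real word list (assumption): 7776 unique
# pseudo-words in roll order, so entry 0 is roll 11111 and entry 7775 is 66666.
_SYLLABLES = ("ba", "de", "ki", "lo", "mu", "ny")
CONSTRUCTED_WORDLIST = ["".join(p) for p in
                        itertools.product(_SYLLABLES, repeat=DICE_PER_WORD)]


def roll_to_index(roll: str) -> int:
    """Map a dice roll such as '16342' to its 0-based position in the list."""
    if len(roll) != DICE_PER_WORD or any(c not in "123456" for c in roll):
        raise ValueError(f"not a {DICE_PER_WORD}-dice roll: {roll!r}")
    index = 0
    for face in roll:              # read the roll as a base-6 number
        index = index * 6 + (int(face) - 1)
    return index


def generate_passphrase(wordlist, n_words=6):
    """Return (rolls, words). Dice are simulated with the OS CSPRNG."""
    if len(wordlist) != LIST_SIZE or len(set(wordlist)) != LIST_SIZE:
        raise ValueError("word list must hold 7776 distinct entries")
    rolls = ["".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))
             for _ in range(n_words)]
    return rolls, [wordlist[roll_to_index(r)] for r in rolls]


def entropy_bits(n_symbols: int, alphabet_size: int) -> float:
    """Entropy of n independent, uniformly random picks from an alphabet.
    The figure only holds when every pick is random, never hand-chosen."""
    return n_symbols * math.log2(alphabet_size)


if __name__ == "__main__":
    rolls, words = generate_passphrase(CONSTRUCTED_WORDLIST)
    print(" ".join(rolls))
    print(" ".join(words))
    print(f"6 Diceware words: {entropy_bits(6, LIST_SIZE):.1f} bits")
    print(f"8 random printable characters: {entropy_bits(8, 94):.1f} bits")
```
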
Avoid using the same password for several devices or online services. Almost every week we learn about a data breach at large Internet companies. If the breach exposes your username and password, criminals may try to use those same credentials on other services that you might use. Using different passwords limits the damage a criminal can inflict if they figure one out. If you have a hard time remembering all of your passwords, consider using a password manager like LastPass or 1Password to keep track of them all and generate new passwords. If you use a password manager, be sure to protect it with a master password that you don’t use anywhere else and that no one will ever guess. If you don’t want to use a password manager that keeps your data on remote servers, there are several alternatives which allow you to keep the passwords as secure files on your own computers.
Even the best password doesn’t guarantee your accounts’ security. Two-factor authentication means that it takes more than just a password to access your account. Two-factor authentication requires both a password and a physical device like a phone to prove you are who you say you are. Many web services and devices are offering two-factor authentication and you should use it whenever possible, even if it adds an extra step. Click on the name of the service below to get instructions on enabling two-factor authentication:
- LastPass (using Google Authenticator app for Android, iOS and Blackberry)
- Microsoft Hotmail/Live/SkyDrive
- Yahoo! Mail
- Amazon Web Services
- WordPress (using Google Authenticator plugin and app)
- Many banks offer two-factor authentication for online access and they should always be used
“Private Browsing” Mode in Web Browsers
How It Works: All of the major web browsers offer a “Private Browsing” function. When this function is activated, everything that the browser usually stores on the local computer—browser history, caches, cookies, download lists, form data, passwords, and other temporary files—is deleted when the browser is closed or the function is turned off. Private browsing limits what files are saved to your system so that it is more difficult for someone with physical access to your computer to trace your steps. It also makes it harder for sites to track you because their cookies are deleted.
Limitations: People mistakenly believe that “private browsing” anonymizes them to the websites they visit and makes their communications private. Unfortunately, that’s not true. Even with private browsing mode on, anyone intercepting or handling your traffic can see what you’re doing. For instance, ISPs can still record what sites you visit. And if you log into a site like Gmail, Google will still be able to associate all your actions on the site with your username, even if private browsing is enabled. Moreover, private browsing may not even stop sites from tracking you. A 2010 Stanford study determined that some sites can both determine information about visitors as well as leave behind traces on users’ systems. For instance, plug-ins installed in the browser can still track users through an independent system of cookies and temporary files. Thus, private browsing only protects you against someone who is using your computer and snooping through your browsing history. And someone with that kind of access to your computer could install a keylogger or other hidden program that records your keystrokes. Despite these limitations, private browsing can be a helpful way of reducing the amount of information that is recorded on your computer when browsing.
Your Guide to Private Browsing | HuffPost Tech: menu commands and keyboard shortcuts to launch a private browsing session in IE, Firefox, Chrome, Safari, and Opera.
Private Browsing: Activating Private Browsing Mode in Your Favorite Browser | About.com: graphic tutorials on launching private browsing sessions in IE, Firefox, Chrome, Safari, Opera, and Flock; tips for private browsing on iPad, iPhone, and iPod touch.
Secure Browsing (through HTTPS) and Avoiding Third Party Tracking
How It Works: HTTPS is a way for users to protect the content of their communications from eavesdropping. When browsers don’t use HTTPS and transmit data openly, anyone along the path between the browser and the destination can view what is transmitted (that includes the ISPs that carry your traffic, or individuals surreptitiously intercepting the data). By encrypting the data, you make it much harder for anyone other than the intended recipient to see the content. Most major sites that require you to log-in (Google, Facebook, Twitter) and sites that transfer sensitive information (banking sites) now offer an encrypted connection. (Instead of http://www.google.com, your address bar will read https://www.google.com).
Limitations: Many sites don’t offer HTTPS, and some that do default to unencrypted HTTP or go back to unencrypted pages after the log-in process. Because of that, users must keep an eye on when they are encrypted and when they are not. Using a resource like HTTPS Everywhere can at least ensure that you connect using HTTPS for those sites that have that option. It’s important to remember that even if you connect to a site like Gmail using HTTPS, you are hiding only the content, not the destination; an ISP or a government can still know you’re visiting Gmail. HTTPS is also not foolproof, as it is possible for a determined party to pretend to be the destination, in what is called a man-in-the-middle attack.
One of the easiest things you can do to surf the web privately is to make sure you log out of accounts once you’re done with them. If you stay logged in, it becomes possible to track your browsing across many sites, even if they are unrelated to the services you are logged into. Browser extensions like Disconnect or TrackMeNot can automatically sign you out of services you’re not actively using and can block third party tracking cookies.
HTTPS Everywhere is a Firefox and Chrome extension from the Electronic Frontier Foundation. It will automatically switch sites from HTTP to HTTPS whenever possible and warn users about web security holes.
Disconnect (Firefox/Chrome/IE/Safari) is a browser extension that blocks third party tracking cookies and gives you control over all site scripts and elements from a simple-to-use toolbar menu.
TrackMeNot (Firefox/Chrome) is a browser extension that helps web searchers avoid surveillance and profiling from search engines by generating a random series of search queries to confuse services interested in tracking or filtering content.
Circumvention & Anonymity
Among the greatest threats to Internet freedom are filtering and surveillance. These related issues either prevent you from accessing the content you want or allow third parties to keep track of what content you do access. Many of the tools to evade one also help with the other, so we discuss them together below. In most cases, these tools will help disguise your IP address, the sites you’ve visited, and technical information about your device, while possibly helping you access censored content.
How They Work: A proxy server is a machine that stands as an intermediary between your machine and the content you are trying to reach. Proxies can help evade censorship or filtering when connections to the proxy aren’t filtered but the desired content is. When you connect to censored content through a proxy, the censor will see only your connection to the proxy, not the verboten content. Proxies also provide some anonymity because to the destination server, you look like you’re coming from the proxy server, not your actual origin. Web-based proxies are the easiest way to use a proxy server. Simply visit a proxy website with your preferred browser, enter your target URL, and the proxy site will then relay the request and deliver the site content back to you. There are also a number of downloadable clients for both Mac and Windows that connect your system to a proxy server.
Limitations: There are several downsides to using proxies, ranging from annoyances to serious security threats. On the annoyance side, because your data is passing through a single, fixed (and likely overloaded) point, it is not uncommon to experience slow load times and connection errors. On the security side, because all of your data is passing through a single, fixed point, it is easy for nefarious individuals to intercept any unencrypted data (using HTTPS or VPNs in addition to a proxy may address these concerns, but they have their own limitations described elsewhere in this post). In fact, sometimes hackers set up proxies with the express purpose of collecting user details, so it is important to carefully choose a trusted proxy. Using proxies can often be a game of cat and mouse; countries that filter sites often block known proxies, forcing users to move to a new, lesser known proxy. In some cases these same governments may create proxies specifically so they can monitor all the traffic and identify users.
Regularly updated lists of web-based proxies:
- Tech-FAQ’s megaproxylist.com (via CNET)
- Public Proxy Servers (via Open Security Research)
- Circumventor Central (via Open Security Research)
Web-based proxies (via Techlicious):
Downloadable proxy clients:
- Alkasir (Windows – English, Arabic) Learn more about Alkasir.
- Freegate (Windows – English, Chinese, Persian, Spanish) Learn more about Freegate.
- JonDo (Mac, Windows, Ubuntu, Linux, Android – English, German, Czech, Dutch, French, Russian) Learn more about JonDo.
- proXPN (Mac, Windows, and iPhone – English)
- Psiphon (Various configurations, including a lightweight web proxy that runs on Windows and Linux plus a cloud-based solution) Learn more about Psiphon.
- SabzProxy (Mac, Windows, Linux – Persian) Learn more about SabzProxy.
- Simurgh (Windows – English) Learn more about Simurgh.
- Ultrasurf (Windows – English) Learn more about UltraSurf. Also note Tor’s recent report detailing Ultrasurf security holes and Ultrasurf’s response.
- Your-Freedom (Mac, Windows, Linux – 20 languages) Learn more about Your-Freedom.
How They Work: Like proxy servers, Virtual Private Networks (VPNs) route users’ traffic through their own servers. What makes VPNs different from a standard open proxy is that VPNs authenticate their users and encrypt data. Additionally, because of how VPNs are configured, they are more likely to work with software on your computer that you use for email, instant messaging, and Voice over IP (VoIP).
Limitations: VPNs share some of the same risks as proxy servers. Because all of your traffic is passing through a single point, your security is only as good as that of your VPN. Some VPN services keep traffic logs, and free services in particular may be disposed to sell your information to advertisers or turn it over under pressure from authorities. Free ad-supported VPNs may limit your bandwidth; paid VPN services are generally more reliable and come with a much higher bandwidth. It is important to keep in mind that the VPN provides a secure connection between you and the VPN, but not between the VPN and your ultimate destination. The use of HTTPS and other standard measures is still necessary to secure your connection to your destination.
There are hundreds of VPN services online. What follows is a list of several popular services, both free and paid (via AnonymissExpress, How to Bypass Internet Censorship, and Techlicious.) View this wiki for a longer list of free and paid VPN providers, including monthly fees and technical characteristics. Note that some services are known to log IPs, but there are also many helpful ways to decide if a VPN is trustworthy. Also, if you’re worried that a VPN or proxy isn’t hiding your DNS requests (or the way your computer translates “Herdict.org” into numbers that your computer understands like “184.108.40.206”) you can also use DNSCrypt to handle that by following these detailed instructions.
Free VPN Services:
- CyberGhost (English, French, Italian, German, Spanish)
- Hotspot Shield (English) Learn more about Hotspot Shield.
- VPN Reactor (English)
Paid VPN Services:
- AirVPN (English)
- Anonine (English, Swedish)
- Anonymizer (English)
- Astrill VPN (12 languages)
- Banana VPN (English)
- IPREDator.se (English, Swedish)
- IVPN (English)
- LogMeIn Hamachi (12 languages)
- Perfect Privacy (English, French, German)
- Relakks (Chinese, English, Swedish)
- SecretsLine (English, French)
- SecurStar (English, German, Italian, Portuguese, Romanian)
- Steganos Internet Anonym VPN (English, French, German)
- StrongVPN (English)
- SwissVPN (English, French, German)
- Tiggerswelt (German)
- UnblockVPN (English)
- VPN Accounts (12 languages)
- VPN Gates (English)
- VPNod (English)
- Vpntunnel.se (English, French, German, Swedish)
- WiTopia personalVPN (English)
- XeroBank (English)
How It Works: Like proxies, Tor hides your IP address and location by routing your requests through another server. Tor, however, goes through multiple intermediary servers, a series of machines operated by volunteers all around the world. To the destination site, it looks like you are coming from the computer that was the last stop in the Tor journey, not from your computer. The Tor Browser Bundle works with Firefox and is available for Mac, Windows, or Linux. It can also be stored on a memory stick for use on public computers.
Limitations: As with proxies, using Tor can be rather slow due to the number of servers between you and your destination. Furthermore, while data is encrypted between servers, it is unencrypted when the final server communicates with your destination. Those operating this “exit node” can see your log-ins, passwords, and other data (unless you have a secure “HTTPS” connection with the website you’re visiting), and it is “widely speculated that various government agencies and hacker groups operate exit servers to collect information” (Techlicious). If following Tor on Twitter won’t get you in trouble with the authorities, it’s one of the fastest ways to find out about potential vulnerabilities or reports of security breaches.
Telex is a work-in-progress that is intended “to help citizens of repressive governments freely access online services and information.” The concept is this: when you request a website blocked in your country, Telex software on your computer changes your request to an allowed, decoy site. At the same time, it adds a hidden cryptographic tag to your request that only Telex can see. Telex will deploy boxes to locations along the Internet backbone and these boxes will use deep packet inspection to locate the cryptographic tag. The box will decode the tag to get your original intended destination, and will route your request to that site. Using that approach, Telex would enable people to access blocked content by making it appear that they are trying to access allowed content instead.
Offline Data Encryption
Private data encryption encodes information on a hard drive, memory stick, cloud locker, or other storage media so that without a proper “key” all the data appears as gibberish. Encrypting your local and remote drives is a very good way to protect your data from prying eyes. Mac OS comes with built-in encryption called FileVault, which is easy to use, and Windows 7 and 8 Professional come with Bitlocker, which is also pretty easy to set up. Additionally, TrueCrypt is an excellent free program that hides your data on a virtual encrypted drive. TrueCrypt isn’t as easy to use as FileVault and Bitlocker, but it’s also very well documented and gets updated with the latest security fixes often. You can also use TrueCrypt to securely store data on the cloud or on mobile devices. TrueCrypt also has an advantage over other encryption programs because it can create hidden volumes, which means that people attempting to access your data won’t know that it’s there and can’t force you to give up the password.
Sources and Further Reading
- Circumventing Internet Censorship from Open Security Research
- Five smart ways to keep your browsing private from CNET
- How to Browse the Web Anonymously from Techlicious
- How To Bypass Internet Censorship from AnonymissExpress
- How to Bypass Internet Censorship (an ebook from howtobypassinternetcensorship.org)
- How to Surf the Web Anonymously from How Stuff Works
- Operation Encrypt Everything
- Protecting Your Security Online from Access
- The Surveillance Self-Defense Project from EFF
- Which VPN Providers Really Take Anonymity Seriously? from TorrentFreak
- Encryption Works: How to Protect Your Privacy in the Age of NSA Surveillance from the Freedom of the Press Foundation
- Technology to Protect Against Mass Surveillance from EFF