Staying anonymous – part 2: the web

Web browsing (blogs, forums, web-based IRC) – When you browse the web, you leave a trail in your wake: your IP address and sometimes other bits of data that curious persons want to gather. If nothing else, you leave behind your IP in web server log files which any curious or enterprising admin likely picks through. Why do you want to stay anonymous? That was addressed in part 1 of this series.

There are five major realms when it comes to anonymity on the web:
1) general anonymity protections
2) browsing trackbacks such as what is captured in web server log files
3) browser hijacking, remote information leakage, and artifacts like cookies
4) communication channel eavesdropping
5) additional items on newsgroups and RSS

1) general anonymity protections
In general, if you want to stay anonymous online, don’t connect to sites or other servers from your home IP address. Hop on a wireless hotspot or “borrow” a neighbor’s wireless connection (again, I didn’t suggest that…right?). This way any tracebacks will maybe point to the state or area you live in or even your local podunk ISP, but likely won’t be tracked back directly to you without some legal overtures. If you’re doing nothing criminal, the chances are slim that anyone will ever notice. (Although that does not necessarily make it legal or digitally ethical.)

If you insist on doing personal things such as banking or updating your own personal blog that is not so anonymous, those are things you should save your home IP and connection for. Keep in mind that I do not encourage checking your ebay auctions or transferring paypal monies through web proxies or while connected to non-trusted networks. You never know who is eavesdropping on you or collecting information on what you thought was an innocent open web proxy.

2) trackbacks via what is captured in web server log files
Browsing trackbacks include leaving behind information on log files that may contain your IP address, computer name, browser version, and so on.

The biggest means to stay anonymous with general web browsing is to use one or more anonymous web proxies. A web proxy relays your connection to the site you are attempting to browse, such that the target site does not know who you are and instead records information from the web proxy server. Let’s say you want to buy some condoms, but your dad works the counter at the closest drug store that sells them. Instead, you ask someone else to go inside and buy them for you. This person is acting on your behalf, i.e. your proxy. Web proxies work the same way by fetching web pages on your behalf and then delivering them to you. Honestly, once you start using proxies, they are very easy to use and you should probably use them most of the time if you are concerned about your anonymity (with the exception of your bill-paying and banking…).

These can be a bit of a pain to work with. Some web proxies are located in odd places of the world and thus their latency is sometimes prohibitive. Others actually translate text for you (eternally helpful, especially if you don’t speak Lithuanian…), and others are simply not meant to be open and can disappear without notice. Some are commercial and some are not and some don’t even know they are open and used.

One long-standing list of web proxies has been samair.ru. Be aware that not all proxies are made equal and you will want to test out just how anonymous you appear. Do not settle for leaking any information, so typically, you want “highly anonymous” or something to that effect. Setting yourself up on a proxy is as easy as picking one out and going into the connection options of your browser. Supply the necessary IP and port as a proxy and surf away. You can check what your IP appears to be at www.whatismyip.com and you can check your actual proxy leakage at samair.ru. I highly suggest Googling up a few proxy checker tools just for second and third opinions. Also, try baselining the information you leak by using these checkers when you’re not using a proxy. Identify what you want hidden, and get it hidden. (Disclaimer: I don’t encourage you to use web proxies that you are not authorized to use; do as you wish.)
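What a proxy checker actually looks at, sketched as an added example (not code from any of the sites named above): it grades a request by what the receiving server can see. The header list and the function names are assumptions chosen for illustration, the grades follow the usual proxy-list wording, and the addresses are constructed from documentation ranges.

```python
import ipaddress
import re

# Assumed, non-exhaustive list of headers that proxies commonly add;
# their presence alone tells the server a proxy is in use.
PROXY_HEADERS = {"via", "forwarded", "x-forwarded-for", "x-real-ip",
                 "client-ip", "proxy-connection"}

def ips_in(value):
    """Return the set of valid IP addresses embedded in a header value."""
    found = set()
    for token in re.split(r"[^0-9A-Fa-f:.]+", value):
        try:
            found.add(ipaddress.ip_address(token))
        except ValueError:
            pass  # not an address (e.g. the "1.1" in a Via header)
    return found

def classify(real_ip, remote_addr, headers):
    """Grade what the server learns: (level, sorted names of revealing headers)."""
    real = ipaddress.ip_address(real_ip)
    headers = {name.lower(): value for name, value in headers.items()}
    if ipaddress.ip_address(remote_addr) == real:
        return "direct", []                      # no proxy in the path at all
    leaking = sorted(n for n, v in headers.items() if real in ips_in(v))
    if leaking:
        return "transparent", leaking            # proxy passes your IP along
    announcing = sorted(n for n in headers if n in PROXY_HEADERS)
    if announcing:
        return "anonymous", announcing           # IP hidden, proxy use visible
    return "highly anonymous", []                # looks like an ordinary client

# Constructed sample requests as the target server would receive them.
HOME_IP = "198.51.100.23"
SAMPLES = {
    "no proxy": ("198.51.100.23", {"User-Agent": "Mozilla/5.0"}),
    "proxy A": ("203.0.113.7", {"Via": "1.1 proxy-a",
                                "X-Forwarded-For": "198.51.100.23"}),
    "proxy B": ("203.0.113.8", {"Via": "1.0 proxy-b"}),
    "proxy C": ("203.0.113.9", {"User-Agent": "Mozilla/5.0"}),
}

if __name__ == "__main__":
    for name, (remote, hdrs) in SAMPLES.items():
        print(name, classify(HOME_IP, remote, hdrs))
```

Running the same grading with and without the proxy gives the baseline comparison suggested above.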

I also have seen a site called www.e-proxy.info (thank you Chris!) which can deliver web pages to you through a browser-based proxy. This is really pretty slick and actually works in my office, bypassing SurfControl while also not looking too obtrusive by hiding up at the top of my browser window. Sweet!

As an advanced technique, if you want to set up a series of proxy servers to route your traffic through, this is typically called chaining, in case you want some Google terms to search for.

Are these foolproof? Like almost everything in life, no they are not. But for many instances, a relatively simple step like using a web proxy gives quite a lot of gain. One potential problem comes up if you use some arcane or exotic user agent or web browser. If you leave behind an anonymous IP but a user agent like “BriansTestBrowserBar 0.4,” you may as well ditch the proxy.
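The user agent problem seen from the admin's side of the log file, as an added example that is not part of the original post: requests from different proxy IPs are tied together because they share a rare User-Agent. The log lines are constructed in Apache/nginx combined format, and the function name and the 25% rarity threshold are assumptions.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

def link_by_user_agent(lines, max_share=0.25):
    """Map each rare User-Agent to the source IPs (two or more) it came from."""
    ips_by_agent = defaultdict(set)
    hits_by_agent = defaultdict(int)
    total = 0
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        total += 1
        ips_by_agent[m["agent"]].add(m["ip"])
        hits_by_agent[m["agent"]] += 1
    # A common agent seen from many IPs says nothing; a rare one links them.
    return {agent: sorted(ips) for agent, ips in ips_by_agent.items()
            if len(ips) >= 2 and hits_by_agent[agent] / total <= max_share}

# Constructed sample log: eight ordinary visitors, plus one person who
# switched proxies between two visits but kept an exotic browser.
COMMON = "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
RARE = "BriansTestBrowserBar 0.4"

def make_line(ip, agent, path="/"):
    return (f'{ip} - - [10/Oct/2023:13:55:36 +0000] "GET {path} HTTP/1.1" '
            f'200 512 "-" "{agent}"')

SAMPLE_LOG = [make_line(f"192.0.2.{i}", COMMON) for i in range(1, 9)] + [
    make_line("203.0.113.7", RARE, "/forum"),
    make_line("203.0.113.9", RARE, "/forum"),
]

if __name__ == "__main__":
    for agent, ips in link_by_user_agent(SAMPLE_LOG).items():
        print(f"{agent!r} links {ips}")
```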

3) browser hijacking, remote information leakage, and artifacts like cookies
While you can remain relatively anonymous on the web using just a proxy to relay your connections, there are still means to leak information. You might run into hostile scripts that will try to hijack your system or perhaps harvest cookies from your browser, just to name a few.

To thwart such attacks, it is best to not pretend you are safer or anonymous using Windows or Internet Explorer, especially in combination. Use a non-Windows OS and Opera, Firefox, or even a graphical browser.

Keep your cache and stored cookies as clean as possible. Try not to store cookies and definitely do not store passwords in your browser. Just write them down or store them more securely out of band of your browser. In fact, it makes a lot of sense to do your anonymous web browsing from a virtual machine that you can revert to a known clean state every day.

Be sure you also do not leak information by reusing usernames and passwords. If you use the username TheAvengerr69 on 4 forums and you use the same password on each one, simple Google searches can draw the lines between them and start revealing a profile of who you are and what you do. This is especially useful to someone looking to manipulate you. Also assume that every site you sign up for has curious admins who now have your account information. Do not blindly reuse login names and/or passwords.

Here is an illustration. Think about how many forums you might have signed up for and posted one, maybe two questions, and then never revisited again. What if those forums, like the many thousands out there, do not get updated with new forum software versions? This might mean that one of those forums may get owned and leak out its database of users (sure, they just want the emails to spam, right?). Now your account information is in someone’s hands just because you visited there once. Now let’s say your username was DopplegangerJoe69 and your email was a hotmail address and your password “sitonyourface.” In fact, that’s the same password and username you use in a few places. Oh my, and that’s the password you use for that hotmail account. Sucks to be you, Joe. I hope you don’t store a lot of “password reminders” and “thanks for signing up here’s your password” emails on that hotmail account!

4) communication channel eavesdropping
Generally, there is not much you can do to protect the communication channel from eavesdroppers, if, for instance, you are browsing the web from a public hotspot. If the site itself does not have SSL enabled, you are typically out of luck. However, some proxies can be set up to relay secured communications. Better yet, find yourself a box or shell account or buddy who doesn’t know better and set yourself up an SSH tunnel which can act as your first hop. While your entire communication may not be hidden, at least you are hidden from where you physically sit to some arbitrary place on the net. The easiest way to do this might be to set up an SSH server and tunnel through your home connection. From there, relay through a web proxy to anonymize yourself. You can also utilize Tor onion routing, which I plan to go over in a separate post.

Of note, I do consider this step to be beyond most everyone but the paranoid, but it does make sense to technically-friendly people who browse from untrusted networks often. Personally, I love hotspots at coffeeshops so I tend to tunnel through SSH whenever I do anything beyond browsing the news.

5) additional items on newsgroups and RSS
Two minor tidbits on newsgroups and RSS feeds. Try to not use stand-alone clients on your box for RSS or newsgroups browsing. They typically aren’t as universal when it comes to proxy support, so they tend to directly connect to the target and leave behind your IP address, if nothing else. Whenever possible, sign up for Google Reader or Google Groups and leverage the extra hop that Google provides in hiding origin. Let Google’s servers act as your proxy. Be aware that there is still theoretical talk about malware abusing RSS feed parsing. I don’t consider this a reality yet, but the theory is sound. Newsgroups also may have messages that contain malware or malicious links. Be cautious.

Bonus: For the truly paranoid, watch what terms you search for in search engines. Last year there were some high profile disclosures of search terms that, while “sanitized” still revealed sensitive or private information. If I searched for “Michael Dickey” in Google from my “anonymous” web proxy that I’ve used for years, I’ve just tied that web proxy IP to that search term. Do enough of those personally identifiable searches and you can leave behind a small trail. Now, the chances of all the planets aligning to reveal your searches and shatter your web of anonymity are slim, but there are some people that are this paranoid. If you want to help prevent this, just search for personal stuff on your own home connection, just like you should be doing your banking and other sensitive stuff from your trusted home connection. Likewise, don’t search for HideousPurplePeopleEater69, your super-secret online pseudonym, from your home network and tie that name to your home IP.

Do I go to these lengths myself? I definitely do not get draconian about my search terms, but I do encourage using different networks or web proxies for browsing the darker bits of the web. If I felt the need, I likely would also utilize a throw-away VM to do some browsing as well. I think most tech-savvy persons, myself included, can get by with following, to some degree, steps 1, 2, 3, and 5. Setting up your own remote secure access and being mindful of your searches are really for either the more technically-inclined or the ultra-paranoid.

If you would like more information about staying anonymous on the web, I suggest searching Google for “staying anonymous on the web,” “onion routing,” “SSH tunnel,” and other keywords found scattered above.