Tuesday, October 6, 2009

Free Anonymous Surfing

Operator is my clear first choice, a portable version of Opera with an included and well integrated Tor engine that uses the free Tor network. OperaTor is small and relatively fast, using just 6Mb of memory for it’s Tor engine, 2Mb for the Polipo caching proxy, 3Mb for the OperaTor loader and 18Mb for Opera. In my experience, OperaTor is by far the fastest browser, even with multiple proxies on the Tor network so that the browsing trail is frequently changing for greater security. Some people don't like the fact that OperaTor is not released with source code available (at least not that we have yet located) which may influence the choice in whether to use it or not. I believe that unless a user is proficient in programming, or at least reading the development language of any particular application, this becomes rather irrelevant, unless some amount of comfort or security might be perceived in knowing that source is available and others might be checking it even if the user of the application can not read it personally. Even closed source projects that become popular generally receive enough user and peer scrutiny that most problems would be quickly exposed.

JonDo anonymous network

JonDo (previously known as JAP) is my second choice and is in some ways a more flexible option, in that it is simply a Java application that performs the role of a local (PC based) proxy server that redirects browser requests via the JonDo (formerly JAP) network. This allows the user to configure their choice of any browser rather than requiring a change to Opera. Unfortunately, being Java based means that the application becomes somewhat bloated, requiring 54Mb of memory just for the Java JonDo application, as well as another few Mb for the JAP engine, and then whatever additional is required for the web browser of choice. JonDo does have quite a nice GUI display which shows the strength of the anonymity based on the number of anonymizing proxy servers, and takes care of managing the random proxy changes for greater anonymity. A commercial service known as JonDonym has been introduced which uses dedicated servers to provide higher speeds, higher levels of availability and more security along with support for chat, ftp and ssh in addition to web browsing. Another offering from the commercial JonDonym group is JonDoFox, a customized version of Firefox with JonDo code embedded along with other anonymizing optimizations. Unfortunately, JonDo not being a network like Tor is prone to some limitations in terms of the numbers of free servers, and some subsequent downtimes may be more likely with the smaller server base.

Vidalia using Tor anonymizing network

Vidalia is my third choice, a close match to JonDo in that it is quite a bit lighter in memory use and generally feels faster, but may not have the same level of anonymizing as JonDo. Vidalia is another integrated package using a combination of Privoxy and a Tor engine to connect to the Tor network, but it offers many new features. As with JonDo, Vidalia behaves as a local proxy for use by any browser, but it also provides configurations allowing it to run either as a simple standalone process or as a Windows service (for security and performance reasons, among others). Vidalia allows the user to participate in the anonymizing process by becoming a Tor Relay to help censored users in a similar way to becoming a BitTorrent relay, and a live realtime facility is available showing a map of the earth with lines representing connections to the Tor server participants. Vidalia uses 24 - 32Mb of memory, with an additional 4Mb used for Privoxy and another 16.5Mb for the Tor engine. One initially confusing aspect of Vidalia is that it provides a configuration access through port 9051, but it is not immediately obvious that Privoxy is listening on port 8118. Browsers using the Vidalia bundle must be configured to use the Privoxy port 8118 as the proxy server, not port 9051. Like JonDo, the Vidalia/Privoxy combination constantly changes proxy servers to mask the trail to provide greater anonymity.

Whatever your preference, both JAP and Tor networks offer a level of secrecy that is better than many commercial systems, though they are not watertight. Expect your surfing to slow down, in some case substantially, because you'll be relayed through a chain of servers, all heavily impacted by BitTorrent users seeking to hide from the RIAA. Note: the latest V5 release of JAP now allows Tor users to use JAP as a software access point to the Tor network.

XeroBank Firefox based browser

The XeroBank Browser (previously known as TorPark) provides a new customized version of the Firefox browser configured to work with the free Tor anonymizing service, or with a subscription service for higher speeds using dedicated servers, and other features. Firefox users may feel more comfortable with XeroBank, as it is based on Firefox, but also need not make any changes at all if they make use of either the JonDo or Vidalia bundles to access the Tor engine other than to set the proxy server, and of course, manual cleanup of the cache, cookies and browsing history after use. XeroBank claims to have many advanced features, but for the average user most of these may not be apparent, unless the subscription service is used. While the XeroBank browser is free to use on the Tor network, the XeroBank web site promotes the use of their subscription-based account. During installation, the XeroBank Browser offers the choice of using either the commercial XeroBank Client or the free Tor service. Caution! Some antivirus scanners report trojan infected code in the XeroBank download. Use http://jotti.org to verify all downloads, and use XeroBank and all other applications with caution, but be aware that some of the virus scanners used by jotti.org may also be overly zealous in their reporting of infections. Some claimed virus or trojan infections in various applications are no more than firewall detection, or software product key reporting capabilities mis-diagnosed by the scanner as a potential threat.

The downside of XeroBank as contrasted with using JonDo or Vidalia, is that you would need to use XeroBank for anonymous browsing and your regular browser for other surfing. Using JonDo or Vidalia, you can use the browser of your choice, and just reconfigure to use the proxy when you want to anonymous surfing. This won't automatically clean out all other personal data (cache, history, cookies etc.) when the application is shut down, which OperaTor and XeroBank do.

For all anonymizing services, check that you are running in anonymous mode by first browsing to one of many servers which reports your IP address, for example http://www.whatismyip.com/ and take note of your IP address. Reconfigure your browser to make use of the anonymizing service, and reload / refresh the browser and verify that the reported IP address has changed. Some IP reporting servers will also tell you which country, and even which city you now appear to be connecting from.

Most of the services reviewed are able to run directly from a USB flash drive if the executables are simply copied as is from their installation directories. This works really well, just plug your flash drive into any PC with a USB port, launch both the anonymizing proxy software and a browser, set the browser to redirect via the anonymizer and you will be in business. In the case of both OperaTor and XeroBank, all you need to is launch the browser from your flash drive and you will be ready to start browsing.

XeroBank XBMachine Live CD running under QEMU virtual machineWhile some 'LiveCD' applications such as XeroBank Machine and Incognito Live CD have been created and may provide similar functions, they mostly seem to be currently released in various stages of alpha or beta test versions and have bugs or limitations. For example, the XeroBank Machine provides two options. You can either run the xBMachine.exe from a Windows prompt which starts a QEMU virtual machine and then runs a GenToo Linux kernel, or by booting from a "Live CD". This Live CD boots the same customized GenToo Linux environment from CD without any Windows involvement. In simple terms, both xBMachine options simply provide a different "hardened" OS platform to run the Firefox based XeroBank Browser. Is LiveCD really useful? To some people, yes, not to me. It does mean that like SandBoxie, your guest operating system is protected from malicious web sites via your browsing, and when you stop the QEMU virtual machine or reboot the PC from hard disk rather than CD all traces are removed. I am a Unix / Linux geek so I am totally at home with them, but for the average person, I suspect the LiveCD and QEMU based options will provide a confusing level of complexity that will just interfere with their browsing and desire to be safe. Not much can beat truly safe browsing habits, whatever browser or add-on tools you use. xBMachine is a 380Mb zip file download, which unpacked yields a 391Mb ISO image to create a CD as well as another 10Mb or so of the QEMU environment. The QEMU hosted browser uses 292+Mb of XeroBank XBMachine Live CD running under QEMU virtual machinememory, requires the ISO image present, and took more than 5 minutes to load and be ready for use on a 1.8Ghz dual core Intel PC with 1Gb or memory. It provides a Linux X-Windows GUI with a profile configuration, a network configuration, xBBrowser, e-mail, Pidgin instant messenger, terminal and an option to configure for the paid subscription network. I don't know about you, but I am not willing to wait 5 or more minutes and have close to 300Mb of disk space tied up in a browser that took another minute or two to load, and then in my case never managed to connect out anyway. For those who feel that having source available makes a better product, go ahead and try to download the XeroBank source. All of the links gave me a 7Mb source zip file which was corrupted and would not open. Would this give you "open source available" feelings of security? I don't think so.

I'm a freeware and open source fan, I can read and write programs, but not when the source file is corrupted, and I am not likely to start poring through tens of thousands of lines of code even if I could unpack the source. Even if it does unpack, how do we know that exact source was used to build the tool, and not another set of customized source with a built in Trojan or spyware? The reality is that we really don't know unless we both inspect the source code and then compile it and compare the distributed executable.

One final comment on anonymizing, your browsing activities will never be 100% secure and guaranteed to be anonymous. It will be very difficult for anyone to trace you while browsing through the Tor network, except as reported in the Tor wiki, "when you access pages that use Java, Javascript, Macromedia Flash and Shockwave, QuickTime, RealAudio, ActiveX controls, and VBScript are all known to be able to access local information about your operating system and local network. These technologies will work over proxies and can tunnel the information back to their source."

http://www.techsupportalert.com