Modernizing Authentication — What It Takes to Transform Secure Access
When we think of someone hiding their online activity, the image that first comes to mind is a malicious hacker sneaking their bad deeds past the innocent. But anonymity cuts both ways the same tools that can be used as weapons by some can be used for self-defense by the innocent, protecting their online activity from malice.
Whether you need to protect business activity from competitive threats, political activity from state eyes, or personal activity from other persons, there are several good strategies for going incognito online without needing to be an expert hacker.
Today, the latest versions of all major browsers including Internet Explorer 8, Firefox, Safari, Chrome, and Opera, support so-called "private browsing". When you enable private browsing mode, the browser will stop recording items like site history, cookies, file download history, web cache, and form data like usernames and passwords. This prevents information that is otherwise normally stored for browser sessions from being easily tapped by hackers such as through malicious websites.
While private browsing mode is relatively effective for casual browser security, it is not foolproof. Knowledgeable users with administrative access to your machine may still be able to sniff out elements of your online activity even if you used private browsing mode. Plus, plugin technologies like Flash can create their own cookies which fall outside the browser's private mode, meaning that they are not eliminated when a private browsing session ends.\
Private By Proxy
Whether or not you use private browsing, your online activity can give away certain potentially sensitive details. For example, servers that you connect to will know your IP address. Depending on your Internet connection, this address could be mapped to a specific company (if you're browsing from work) or an ISP and geographic area.
Plus, when you communicate with web sites which are not using a secure (HTTPS) connection, information that you enter in forms could be sniffed from the network. This can especially be an issue when browsing on an unsecured wireless connection, because someone else within wireless range can monitor your traffic.
Using an anonymizing proxy can be an effective way of masking details of your identity. A proxy server is basically a middle-mana server that accepts requests from you and passes them to the destination server (and in the reverse). In doing so, the server sees only the IP address of the proxy server, effectively hiding information about your origin.
Additionally, if the proxy server provides a secure connection, it can encrypt the data you send to web sites which themselves may not be using encryption. A proxy server configured specifically to enable anonymizing may offer additional benefits as well, such as modifying header information of your web traffic, changing meta-data like the type of browser you are using.
All major browsers allow you to configure a proxy server, which they will use instead of contacting web sites directly.
But where do you find a proxy server to use?
There are many third-party anonymizing proxy servers online, such as Anonymizer and The Cloak. But these services incur bandwidth costs to proxy your data, and so typically free accounts limit you to a small quota. You need to pay a subscription fee to proxy larger amounts of traffic, especially if you use a proxy server to route multimedia like audio or video.
Be cautious about using a free or unlimited proxy service. Remember that when you proxy, you are sending your Web traffic to a server that is potentially run by unknown people. A malicious proxy server can easily harvest sensitive information itself, and many so-called "free" proxy services (which are often fly-by-night operations that come and go) are in fact these kinds of traps.
Tor: The Peer-to-Peer Proxy
The Tor project is an even more robust version of an anonymizing proxy. Whereas a conventional proxy is usually a single, traceable server, Tor relies on the distributed power of peer-to-peer networking.
When you install Tor and configure your browser (or other applications) to use the Tor proxy, your data packets are sent through an ever-changing series of intermediate Tor peers. Eventually your data reaches an "exit node" where it then leaves the Tor network and heads to the intended destination server.
Using Tor allows your activity to be heavily obfuscated because it is impossible to back trace traffic to its true origin. However, it may be slow for large amounts of data because your traffic is going through other Tor users' machines, which may be on slow connections. Also, remember that Tor cannot protect the final step where data exits the proxy network and is passed to the end server. It is also possible for a peer to setup a malicious Tor node, which may be sniffing the data that passes through it. All this means that Tor is not so much a means of protecting sensitive information as much as it is for eliminating the data trail.
Digging a tunnel
Any kind of third-party proxy service effectively obscures your origin IP address and can encrypt your data, but requires you to be comfortable putting your data in someone else's hands.
If you own or rent a hosting account anywhere, you may be able to dig your own secure tunnel. To do this, you need access to a server that is running SSH, or secure shell. Many web hosting accounts include SSH access, or else you can setup an SSH server on any machine you own that is online somewhere.
SSH is a secure protocol that encrypts all data from end-to-end. Creating an SSH tunnel involves two computersthe machine you are browsing on and want to hide and the server running SSH. When you create an SSH tunnel, you are basically self-proxying. Using a proxy running on the same machine as your browser, data is routed via SSH (and therefore encrypted) to your SSH host, which then relays your data to the destination servers.
Using an SSH tunnel both encrypts your data and obscures the true IP address of your browsing machine, without handing your data to a third-party middle-man.
To setup an SSH tunnel, you need two ends:
- An Internet-connected machine running an SSH server. You may be able to use a hosting account you already lease, or else install OpenSSH on a server of your own.
- Your browsing computer with an SSH client. Mac and Linux users already have an SSH client built-in; Windows users can download and install CopSSH.
To connect to the SSH server, you need to know the username and password. You may also need to know the SSH server port if it is not running on the default port (22).
Using this information, open a command-line window on your browsing computer. Launch your SSH client like this:
ssh ND 8888 username@servername [-p portnumber]
You can leave out the "-p" parameter unless your SSH server is using a non-standard port. SSH will connect to the server and ask you for the password. It will then create a local proxy server running on the port specified after "-ND" you don't have to use 8888, use whatever open port you like.
Simply configure your browser to use a proxy server, pointed to localhost at the port you specified (8888 in this example). Now, every browser request will be tunneled through your SSH server.
Keep in mind that your browsing activity will be counted against any bandwidth quota that your SSH server may have, such as on a shared hosting account.
Incognito for your own good
Remember that you don't need to be a bad guy to use any of these methods for going incognito online. Even if you don't use these strategies all the time, consider the most vulnerable situations. When using your laptop on wireless connections in public and semi-public places like libraries, cafes, hotels, and airportsprotecting your identity online is a smart thing to do especially when you're doing business where everyone can see you.
Keep up with security news; Follow eSecurityPlanet on Twitter: @eSecurityP.