Anonymization on the Internet and the use of self-hosted services

    In this article I describe the steps I took to increase my anonymity on the Internet, and give instructions for migrating from Google-dependent services to my own self-hosted ones.





    Why is it necessary




    The ISP is watching us

    Everything transmitted unencrypted can be intercepted and modified (a classic MitM). And our ISP can easily attribute a request down to the MAC address and the customer contract.

    Even if your ISP does not do such things itself, its data center certainly houses an inconspicuous server to which certain traffic is mirrored. This is a SORM server, and what happens there is known to no one except SORM's suppliers.


    Service owners are watching us


    If you read your work or personal mail in Gmail, or browse with Chrome, it is very convenient for Google to collect information about where you go and what people write to you.

    Russian services do the same: remember YandexKript, and VK is a treasure trove of user information in general.
    And remember the hundreds of sites where you can leave comments by logging in through a social network.
    For now this is done only to show us more "relevant" advertising, but who knows what will happen in the future.
    Whatever gets onto the Internet stays there forever.



    Internet anonymity



    Now that we understand why we need to maintain anonymity on the Internet, let's see how this can be achieved.



    Rules for using Internet services

    Listed in order of increasing paranoia
    • Do not use your real first name, last name or date of birth
    • Do not use the same password everywhere (crack one, crack them all)
    • Where possible, use several accounts with different nicknames for different kinds of activity
    • If a site sends your password to you by mail in the clear, it is a bad site. They store your password unencrypted, which means they know it themselves and can sell it or let it be stolen.
    • Where possible, use incognito mode when registering on or logging in to important sites (for example, your bank's client portal or a super-duper important bug tracker)
    • Before uploading photos, check that their metadata does not deanonymize you
    • If you need to pass secret data over an open channel, pre-encrypt it with PGP or split it across different channels. You can send the login over Skype, tell the password in person, and send the address over WhatsApp.
    • Log in and register only where there is HTTPS!
    • Log in and register over a VPN, so as not to expose your IP address



    Browser settings

    • The browser should not remember your passwords
    • The browser should not synchronize your history, cookies, passwords or other information with an unknown server on the Internet
    • The browser should not keep cookies across restarts
    • And much more



    Example settings for Firefox


    Open about:config in the address bar and tighten the following options that affect privacy

    • media.peerconnection.enabled = false - disables WebRTC, whose current implementation lets a page quietly obtain the list of IP addresses on your local network (via JavaScript), which makes the user more unique.
    • browser.safebrowsing.enabled = false and browser.safebrowsing.malware.enabled = false - disables sending information about visited sites to Google, whose database is used for warnings about fraudulent sites.
    • browser.search.suggest.enabled = false - stops text typed in the search box from being sent to the search engine without explicit confirmation from the user. We lose the search engine's suggestions as we type, but if you start typing a query and change your mind, nothing is sent until you press Enter.
    • dom.enable_performance = false - stops the browser from reporting page load start and end times. Analysis of this data makes it possible to detect the use of a proxy server.
    • network.dns.disablePrefetch = true - disables preliminary DNS resolution of all links on a page (before the user clicks one). Prefetching can leak DNS traffic when working through an anonymous proxy server.
    • network.proxy.socks_remote_dns = true - sends DNS queries through the proxy when one is in use. Otherwise they go out directly and can reveal the real IP address.
    • dom.battery.enabled = false - prevents monitoring of the battery state.
    • dom.network.enabled = false - prevents discovery of the network connection parameters (otherwise the connection type is exposed: LAN, Wi-Fi, 3G and so on).
    • network.proxy.no_proxies_on = (empty value) - prevents sites from reaching the local machine, which would let them enumerate open ports.
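    Clicking through about:config is fine for one machine, but the same list can be applied and re-checked as a file. The script below is an added example, not code from the original article: it writes the prefs above into a profile as user.js (Firefox re-applies user.js to prefs.js on every start) and audits an existing prefs.js against the same list. The profile directory is an assumption you supply (it is shown under about:support as "Profile Directory").

```shell
#!/bin/sh
# Added example, not code from the original article: writes the about:config
# values listed above into a Firefox profile as user.js and audits a prefs.js
# against the same list. PROFILE_DIR is an assumption supplied by the user.

# name|type|value, one pref per line; no_proxies_on is an empty string.
PRIVACY_PREFS='media.peerconnection.enabled|bool|false
browser.safebrowsing.enabled|bool|false
browser.safebrowsing.malware.enabled|bool|false
browser.search.suggest.enabled|bool|false
dom.enable_performance|bool|false
network.dns.disablePrefetch|bool|true
network.proxy.socks_remote_dns|bool|true
dom.battery.enabled|bool|false
dom.network.enabled|bool|false
network.proxy.no_proxies_on|string|'

# pref_line NAME TYPE VALUE: one user_pref() statement in prefs.js syntax;
# string values are quoted, booleans are not.
pref_line() {
  if [ "$2" = string ]; then
    printf 'user_pref("%s", "%s");\n' "$1" "$3"
  else
    printf 'user_pref("%s", %s);\n' "$1" "$3"
  fi
}

# write_user_js PROFILE_DIR: (re)creates PROFILE_DIR/user.js from the list.
write_user_js() {
  mkdir -p "$1"
  printf '%s\n' "$PRIVACY_PREFS" | while IFS='|' read -r name type value; do
    pref_line "$name" "$type" "$value"
  done > "$1/user.js"
}

# audit_prefs FILE: lists every pref that is absent from FILE or set to a
# different value; returns 1 if anything deviates, 0 if FILE matches.
audit_prefs() {
  deviations=$(printf '%s\n' "$PRIVACY_PREFS" | while IFS='|' read -r name type value; do
    grep -qxF "$(pref_line "$name" "$type" "$value")" "$1" || echo "$name"
  done)
  if [ -n "$deviations" ]; then
    printf 'DEVIATION: %s\n' $deviations
    return 1
  fi
  return 0
}

# Demo against a throwaway directory standing in for a profile (constructed).
PROFILE_DIR="${PROFILE_DIR:-$(mktemp -d)}"
write_user_js "$PROFILE_DIR"
audit_prefs "$PROFILE_DIR/user.js" && echo "user.js carries all privacy prefs"
```

    Run audit_prefs against the real prefs.js after Firefox has been restarted: an add-on or a Firefox update can silently flip one of these values back, and a line starting with DEVIATION is the signal to look.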



    Using pgp encryption



    If we want to transfer a file safely, encryption is strongly advisable, for example with GPG/PGP.
    A person who receives a letter or file from you that is encrypted and signed with our PGP key can be 100% sure that it is not forged, and only the recipient chosen by the sender can read it. This makes our mail significantly more secure: an attacker will find it much harder to get at the data even with full access to the mailbox after a compromise.

    Encryption

    Any file can be encrypted with a single command:

    gpg -c file
    


    The system asks for the passphrase twice. The result is a new file with the .gpg extension next to the source file, for example file.gpg. Decryption is just as simple:

    gpg file
    


    After entering the passphrase we get our source file back.
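    The same gpg -c / gpg round trip, scripted so it runs unattended, as an added example that is not code from the original article. It uses a throwaway GNUPGHOME, a constructed sample file and a placeholder passphrase; in real use the passphrase travels over a different channel than the file, exactly as the rules above suggest.

```shell
#!/bin/sh
# Added example, not code from the original article: symmetric gpg round
# trip in a throwaway GNUPGHOME with a constructed file and a placeholder
# passphrase. Needs gpg 2.1 or newer (for --pinentry-mode loopback).
export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"

# encrypt_symmetric FILE PASSPHRASE: writes FILE.gpg with AES-256. The
# passphrase is fed on fd 3 instead of as an argument, so it never shows
# up in `ps` output or shell history of a shared machine.
encrypt_symmetric() {
  gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 3 \
      --cipher-algo AES256 --symmetric --output "$1.gpg" "$1" 3<<EOF
$2
EOF
}

# decrypt_symmetric FILE.gpg PASSPHRASE OUT: restores the plaintext to OUT.
decrypt_symmetric() {
  gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 3 \
      --output "$3" --decrypt "$1" 3<<EOF
$2
EOF
}

# same_content A B: 0 when both files are byte-identical.
same_content() { cmp -s "$1" "$2"; }

if command -v gpg >/dev/null 2>&1; then
  WORK=$(mktemp -d)
  printf 'meet at 19:00, bring the USB stick\n' > "$WORK/note.txt"   # constructed
  encrypt_symmetric "$WORK/note.txt" 'placeholder-passphrase'
  decrypt_symmetric "$WORK/note.txt.gpg" 'placeholder-passphrase' "$WORK/note.out"
  same_content "$WORK/note.txt" "$WORK/note.out" && echo "round trip ok: $WORK/note.txt.gpg"
  gpgconf --kill gpg-agent 2>/dev/null || true
else
  echo "gpg not installed" >&2
fi
```

    One caveat for interactive use: gpg 2.1+ hands the passphrase to gpg-agent, which caches it, so a second decryption in the same session does not ask again. Running gpgconf --kill gpg-agent, as the script does, drops that cache before you leave the machine.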

    Asymmetric Encryption and Signature


    This procedure is a little more complicated, since two keys are involved. One is our personal, secret key, known to us and to no one else. The other is public and is distributed to our acquaintances in any convenient way. This is the option most often used, because in the first variant you have to pass the password along with the encrypted file, and there is no guarantee that it will not be intercepted.
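    The two-key scheme played out between two parties, as an added example that is not code from the original article. Alice and Bob each get a throwaway GNUPGHOME; the names, addresses and message are constructed, and the keys are generated without a passphrase only so that the demo runs unattended. It shows the point the paragraph makes: Bob alone can read the file, and he can also check that it really came from Alice.

```shell
#!/bin/sh
# Added example, not code from the original article: asymmetric encryption
# plus signature between two constructed parties, each with its own
# throwaway GNUPGHOME. Needs gpg 2.1 or newer.

# make_keypair HOMEDIR 'Name <addr>': default algorithm, signing primary
# key plus encryption subkey, no expiry, no passphrase (demo only).
make_keypair() {
  mkdir -p "$1" && chmod 700 "$1"
  GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "$2" default default never
}

# export_pubkey HOMEDIR ADDR OUT: the public half, ASCII-armoured; this is
# the part handed to acquaintances.
export_pubkey() { GNUPGHOME="$1" gpg --batch --quiet --armor --export "$2" > "$3"; }

# import_pubkey HOMEDIR FILE: add someone else's public key to our keyring.
import_pubkey() { GNUPGHOME="$1" gpg --batch --quiet --import "$2"; }

# encrypt_and_sign HOMEDIR SENDER RECIPIENT IN OUT: only RECIPIENT can read
# OUT, and it carries SENDER's signature. --trust-model always skips the
# web-of-trust check; acceptable here because we imported the key ourselves
# (in real life after comparing fingerprints out of band).
encrypt_and_sign() {
  GNUPGHOME="$1" gpg --batch --quiet --yes --trust-model always \
      --local-user "$2" --recipient "$3" --sign --encrypt --output "$5" "$4"
}

# decrypt_and_verify HOMEDIR IN OUT: decrypts IN to OUT; returns 0 only when
# gpg reports GOODSIG, i.e. the signature is valid and made by a key we hold.
decrypt_and_verify() {
  GNUPGHOME="$1" gpg --batch --quiet --yes --status-fd 1 \
      --output "$3" --decrypt "$2" 2>/dev/null | grep -q '^\[GNUPG:\] GOODSIG '
}

if command -v gpg >/dev/null 2>&1; then
  WORK=$(mktemp -d)
  ALICE="$WORK/alice"; BOB="$WORK/bob"
  make_keypair "$ALICE" 'Alice <alice@example.invalid>'
  make_keypair "$BOB" 'Bob <bob@example.invalid>'
  export_pubkey "$ALICE" alice@example.invalid "$WORK/alice.pub"
  export_pubkey "$BOB" bob@example.invalid "$WORK/bob.pub"
  import_pubkey "$ALICE" "$WORK/bob.pub"     # Alice needs Bob's key to encrypt to him
  import_pubkey "$BOB" "$WORK/alice.pub"     # Bob needs Alice's key to check her signature
  printf 'the backup passphrase is in the red envelope\n' > "$WORK/msg.txt"   # constructed
  encrypt_and_sign "$ALICE" alice@example.invalid bob@example.invalid "$WORK/msg.txt" "$WORK/msg.gpg"
  decrypt_and_verify "$BOB" "$WORK/msg.gpg" "$WORK/msg.out" \
    && cmp -s "$WORK/msg.txt" "$WORK/msg.out" && echo "Bob: decrypted, Alice's signature is good"
  # Alice is not a recipient, so even she cannot read the ciphertext she produced.
  decrypt_and_verify "$ALICE" "$WORK/msg.gpg" "$WORK/alice.out" || echo "Alice: not a recipient, cannot decrypt"
  GNUPGHOME="$ALICE" gpgconf --kill gpg-agent; GNUPGHOME="$BOB" gpgconf --kill gpg-agent
fi
```

    Checking for the GOODSIG status line rather than the exit code matters: gpg --decrypt still exits successfully when the signer's key is unknown, so a script that only looks at the exit status would accept a file it cannot attribute to anyone.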

    The topic has been covered on the Russian Internet: one, two.

    Now we turn to the second part of the article, where I will try to explain how, and with what, you can replace the popular Google mail, RSS readers and so on.


    Using self-hosted services


    The whole attempt to stay anonymous and invisible on the Internet comes to nothing if you use Google's calendar and contacts, keep your correspondence in Yandex Mail, write notes in Evernote and put files in Dropbox.
    For Internet services to stop spying on us, we have to stop using them!

    So let's go


    To host our applications we need a VPS with anonymous payment (bitcoins or something similar) and an encrypted disk (KVM, Xen or other virtualization that allows this),
    an external IP address, which can be bought together with the VPS, and a DNS name.
    What do we use most often?

    Mail


    You can configure the whole mail stack yourself (for example postfix + dovecot + antispam), or use the iRedMail bundle.

    It was written up on Habr here, and more recently.

    Dropbox


    Quite a few open-source applications can serve as a Dropbox replacement. Here is a short list of them with links to installation examples:



    Replacing Evernote / Google Keep


    Unfortunately, I did not find a full-fledged web-based replacement for Evernote.
    There is only Laverna, but it is still too young a project, full of teething bugs and errors.

    Replacing ICQ / Skype / Messenger


    This is, of course, everyone's favorite Jabber, configured and running on your own VPS.
    Installation instructions for Prosody, a small, lightweight server for communication over Jabber.

    Using RSS


    To read news I use the Tiny Tiny RSS reader; it has a lively community and a rather nice interface.
    Installation instructions

    Using VPN


    How to set up a VPN has been written about on Habr more than once or twice:
    Link1
    Link2

    Using Firefox Sync Server


    To make password and bookmark synchronization work in my browser, I use Firefox Sync Server.
    Setup instructions

    Creating a root CA


    For all our services to run over a secure connection, you must either buy an SSL certificate (a wildcard certificate or a few ordinary ones), or create your own certificate authority, install it in your browsers and sign the SSL certificates of your services with it.

    Setup Instructions
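    A minimal private root CA built with openssl, as an added example that is not code from the original article: a self-signed root, a certificate for one service signed by it, and the check a client trusting that root performs. Host names, file names and the directory layout are constructed; adapt them to your own services.

```shell
#!/bin/sh
# Added example, not code from the original article: private root CA with
# openssl. Host names and paths are constructed. ca.key is the secret that
# never leaves the signing machine; ca.crt is what gets imported into every
# browser and mail client as a trusted authority.

# write_ca_config DIR: request settings and the extensions that make ca.crt a CA.
write_ca_config() {
  cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca

[ dn ]
CN = Home Lab Root CA

[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_root_ca DIR: self-signed root valid for 10 years.
make_root_ca() {
  mkdir -p "$1" && write_ca_config "$1"
  openssl req -x509 -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
      -keyout "$1/ca.key" -out "$1/ca.crt" -days 3650 2>/dev/null
  chmod 600 "$1/ca.key"
}

# issue_service_cert DIR HOST: key + CSR for HOST, signed by our root. The
# host name goes into subjectAltName because browsers no longer look at the CN.
issue_service_cert() {
  printf '%s\n' '[ v3_server ]' 'basicConstraints = CA:false' \
      'keyUsage = critical, digitalSignature, keyEncipherment' \
      'extendedKeyUsage = serverAuth' "subjectAltName = DNS:$2" > "$1/$2.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
      -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
      -CAcreateserial -days 825 -sha256 -extfile "$1/$2.ext" -extensions v3_server \
      -out "$1/$2.crt" 2>/dev/null
}

# verify_service_cert CA_CRT CERT HOST: 0 only if CERT chains to CA_CRT and
# names HOST in its SAN, which is what a client trusting CA_CRT checks.
verify_service_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 &&
  openssl x509 -in "$2" -noout -text | grep -q "DNS:$3"
}

if command -v openssl >/dev/null 2>&1; then
  CA_DIR=$(mktemp -d)
  make_root_ca "$CA_DIR"
  issue_service_cert "$CA_DIR" mail.example.test
  verify_service_cert "$CA_DIR/ca.crt" "$CA_DIR/mail.example.test.crt" mail.example.test \
    && echo "mail.example.test chains to Home Lab Root CA ($CA_DIR)"
else
  echo "openssl not installed" >&2
fi
```

    Whoever holds ca.key can issue a certificate for any name your browsers will accept, so keep it off the VPS: sign on an offline machine and copy only the service key and certificate to the server.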


    Bonus


    Additional measures that improve a paranoid's peace of mind

    Using LXC sandboxes for untrusted programs


    Why is this needed? For example, we want to run Skype, or a couple of Skypes, or launch another Firefox to watch a super-secret Japanese film over a Japanese VPN.
    There can be many reasons.
    The implementation is described in articles by one of the creators of LXC:
    Unprivileged containers
    and
    GUI in containers

    Building a secure OS on your computer or laptop

    • This means using Linux or another open-source OS
    • This means using a cryptographically strong password (or better, fingerprint authentication)
    • This means encrypting your disk partitions


    Configuring an Android-based phone


    • Replacing the stock firmware with CyanogenMod / Replicant / Paranoid Android
    • Using file-system encryption
    • Going online only through a VPN
    • Dropping Google Play in favour of F-Droid
    • Using a long, strong password
    • Keeping track of your phone (search for "gps tracker android self hosted")



    Links


    How exactly the browser leaks information about you is described quite well on Lurka:
    Identifying users on the Internet
    There is a wonderful article on Wikibooks about using the Internet anonymously:
    Protecting_confidential_data_and_anonymity_on_Internet

    Unfortunately, the article leaves out many other information-security solutions.
    I will try to fill the gaps with links to interesting ones.
    habrahabr.ru/post/120620 - DNSSEC: what it is and why
    prism-break.org/ru - a project for finding alternatives to proprietary solutions, as protection against SORM
    www.opennet.ru/base/sec/ubuntu_disk_crypt.txt.html - disk encryption for Linux
