There are many, many aspects of security, and the only way to be highly secure is to always be learning, tweaking, watching, taking precautions, applying updates, thinking outside of the box, etc. etc. etc. Security holes can be hidden anywhere, from a deeply complex software exploit in some application you use, to the seemingly junk mail you threw in the wastebin.
This article is focused on one particular, narrow, but highly important aspect of security: anonymizing your Internet traffic. Really, that’s a broad topic in and of itself, so “narrow” here means we certainly aren’t covering everything. Don’t go acting stupid and thinking these steps make you invincible!
Among others, Arch is a Linux distro I love. There are many distros, with their pros and cons, their ups and downs, their quirks, their special purposes, and so forth. I’m definitely not saying Arch is the end-all of distros, but I find it to be quite excellent as a general-purpose, day-to-day desktop distro. So this tutorial uses commands based on the Arch package manager, pacman. If you don’t use Arch, compile from source or rtfm on your distro and use whatever package manager and configurations it has.
# useradd -m -g users -G audio,lp,optical,storage,video,wheel,games,power,scanner -s /bin/bash someuser
Now we want to add the wheel group to the sudoers file so that our new user can perform root tasks using sudo when needed. Type in:
# EDITOR="nano" visudo
and add the following line:
Great. Now our new user, “someuser” in this case, can perform commands as root using sudo. Let’s get started.
First, we want to install tor. Tor is an onion-routing based proxy used to anonymize your browsing. Basically, each person running tor is also a node on the tor network. Your tor client connects to a central server, gets a list of a couple of random nodes, and routes your traffic through those nodes. Each node has a public key, so your client encrypts your data multiple times, using each node’s key, in reverse order: the data is encrypted for the last node first, then for the second node, and finally for the first node. Each node then decrypts its own layer (hence “onion routing”) before passing the data on to the next node. Once the data reaches the last node, called the “exit node”, it is back in its original, unencrypted form.
At this point, it’s quite difficult for anyone to determine where the data originated, unless of course the data itself contains information about the originator. Encryption is also used between each hop for added protection, but again the data is back in its original form when it leaves the last hop of the tor network and goes back out to the public web. Use https and other end-to-end encryption between you and your recipient to protect sensitive data.
So, tor will help protect your incoming and outgoing data (routed through tor) from someone watching your outgoing information, like your ISP or a man in the middle. Data is encrypted at the application layer multiple times, so it’s pretty damn safe through the tor network until it hits the exit node. Keep in mind, you don’t know who the exit node is or who is watching it, and data is back in its original form at the exit node. If the data itself contains information that could link back to you, like name, address, location, email, accounts, and other personal identifiers, someone could read through the data and know it’s yours and what you’re sending/receiving. From a purely technical standpoint, though, there isn’t a very feasible way to trace the data to its origin in the transport or internet layers.
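The layering described above, as an added worked example (this is not code from the article or from the Tor project): a client wraps one message once per relay, innermost layer for the exit, and each relay strips exactly one layer, learning only the next hop. It stands in a simple SHA-256 keystream plus HMAC for Tor’s real circuit cryptography and key agreement, and the relay names, keys and message are constructed. The trace it returns shows the guard and middle relays seeing only ciphertext and the exit relay seeing the plaintext request, which is the point made about the exit node.

```python
"""Toy model of onion layering: encrypt for the exit first, then middle, then
guard; each relay peels one layer. Added example with a simplified cipher,
not Tor's actual protocol."""
import hashlib
import hmac
import json
import os
from collections import namedtuple

# Simplification: each relay holds a 32-byte symmetric key that the client
# also knows (in Tor this comes from a key exchange with the relay's public key).
Relay = namedtuple("Relay", "name key")
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, length):
    """Deterministic keystream from SHA-256 over (key, nonce, counter)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """One encryption layer: nonce || keystream-XOR ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Strip one layer; raises ValueError on a wrong key or modified bytes."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def layer_opens(key, blob):
    """True if `key` strips the outer layer of `blob` intact."""
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False


def build_onion(circuit, destination, message):
    """Client side: innermost layer for the exit names the real destination;
    every outer layer names only the next relay."""
    layer = {"next": destination, "payload": message}
    blob = seal(circuit[-1].key, json.dumps(layer).encode())
    for i in range(len(circuit) - 2, -1, -1):
        layer = {"next": circuit[i + 1].name, "payload": blob.hex()}
        blob = seal(circuit[i].key, json.dumps(layer).encode())
    return blob


def route(circuit, blob):
    """Relay side: each hop peels its layer and records what it could read."""
    trace = []
    for i, relay in enumerate(circuit):
        layer = json.loads(unseal(relay.key, blob))
        trace.append({"relay": relay.name, "next": layer["next"], "payload": layer["payload"]})
        if i < len(circuit) - 1:
            blob = bytes.fromhex(layer["payload"])  # still opaque to this hop
    return trace


def demo_circuit():
    """Constructed three-hop circuit with fresh random keys."""
    return [Relay(n, os.urandom(32)) for n in ("guard", "middle", "exit")]


if __name__ == "__main__":
    circuit = demo_circuit()
    for hop in route(circuit, build_onion(circuit, "example.org:80", "GET / HTTP/1.1")):
        print(hop["relay"], "-> next:", hop["next"], "| sees:", hop["payload"][:40])
```

Running it prints one line per hop: the guard knows only that the middle relay comes next, the middle relay knows only the exit, and the exit is the first place the HTTP request appears in the clear. A modified cell, or a relay trying to open a layer meant for another hop, fails the integrity check.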
First, install tor:
$ sudo pacman -S tor
Now enable tor’s DNS forwarder. This lets tor resolve your DNS hostnames through the tor network, helping to keep your browsing habits secret (it resolves only A records). Open the config file and add these lines:
# nano /etc/tor/torrc
DNSPort 9053
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion
Now that tor is configured and running, we can configure applications to pump their data through it. In our browser, for instance, we can go to the network settings and run traffic through tor’s locally-running SOCKS5 proxy server:
Some applications do not expose options to set a proxy manually, so we can use tor-resolve and torify on those. tor-resolve resolves DNS records for domains (currently only A records), since DNS resolution happens independently of applications and can reveal the sites we are visiting. torify acts as a sort of wrapper around an application so that its network activity runs through tor. Here is an example using BitchX:
# tor-resolve <irc.server.domain>
# torify BitchX
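What the SOCKS5 setting and tor-resolve actually put on the wire, as an added example (not code from the article or the Tor project): a SOCKS5 CONNECT request carries the hostname itself (address type 0x03), so the application never calls the system resolver, and Tor’s RESOLVE extension (command 0xF0, which tor-resolve uses) asks the proxy to look a name up inside a circuit and return the address in the reply. The proxy address 127.0.0.1:9050 is an assumption (Tor’s default SocksPort; the article configures DNSPort 9053 for the separate DNS listener), and the reply bytes in the test are constructed.

```python
"""SOCKS5 request building and reply parsing for Tor's local proxy, including
the RESOLVE extension. Added example; assumes Tor listens on 127.0.0.1:9050."""
import socket
import struct

TOR_SOCKS = ("127.0.0.1", 9050)  # assumption: Tor's default SocksPort
SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01               # standard SOCKS5 CONNECT
CMD_RESOLVE = 0xF0               # Tor extension: resolve a name through the circuit
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0: "succeeded", 1: "general SOCKS server failure", 2: "connection not allowed",
    3: "network unreachable", 4: "host unreachable", 5: "connection refused",
    6: "TTL expired", 7: "command not supported", 8: "address type not supported",
}


def greeting():
    """Method-selection message: version 5, one method offered, 0x00 = no auth."""
    return bytes([SOCKS_VERSION, 0x01, 0x00])


def build_request(command, hostname, port=0):
    """Request with the name sent as ATYP 0x03 (domain), so the local resolver is
    never consulted; Tor resolves it inside the circuit. Port is 0 for RESOLVE."""
    name = hostname.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    header = bytes([SOCKS_VERSION, command, 0x00, ATYP_DOMAIN, len(name)])
    return header + name + struct.pack("!H", port)


def parse_reply(data):
    """Return (reply_code, address, port) from a SOCKS5 reply. For RESOLVE the
    address field carries the resolved address."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    code, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, end = socket.inet_ntoa(data[4:8]), 8
    elif atyp == ATYP_IPV6:
        addr, end = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, end = data[5:5 + n].decode("idna"), 5 + n
    else:
        raise ValueError("unknown address type %#x" % atyp)
    if len(data) < end + 2:
        raise ValueError("truncated reply")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return code, addr, port


def tor_resolve(hostname, proxy=TOR_SOCKS, timeout=30):
    """Live resolution through a running Tor: the exchange tor-resolve performs."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(greeting())
        if s.recv(2) != bytes([SOCKS_VERSION, 0x00]):
            raise RuntimeError("proxy rejected the no-auth method")
        s.sendall(build_request(CMD_RESOLVE, hostname))
        code, addr, _ = parse_reply(s.recv(512))
    if code != 0:
        raise RuntimeError("RESOLVE failed: " + REPLY_TEXT.get(code, str(code)))
    return addr


if __name__ == "__main__":
    print(build_request(CMD_CONNECT, "example.org", 443).hex())  # name, not an IP, goes to the proxy
    print(build_request(CMD_RESOLVE, "example.org").hex())
```

The check worth making on any application you point at the proxy is the one `build_request` makes visible: the bytes leaving the machine contain the hostname, not an address, so no lookup can have gone to the system resolver first. `tor_resolve` needs a running tor and is not exercised offline.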
Tor provides a pre-packaged Tor Browser which runs inside a tor sandbox and comes bundled with Vidalia, a GUI tool for managing tor. Currently, a modified Firefox setup is used, with NoScript and other plugins installed to prevent JavaScript, cookies, and so forth from leaking identifying information. Furthermore, it can be set (and is by default) to force sites to use https for end-to-end application-layer
$ tar -xf tor-browser.tar.bz
$ cd ./tor-browser
$ sudo ./start-tor-browser
NOW YOU CAN START READING ONLINE SAFELY
Using tor, we get a nice layer of obfuscation that makes it very difficult (though theoretically possible) for anyone in the network to monitor our data and see what we are doing by sniffing network packets. At the same time, it anonymizes us on the outside, so that potentially malicious or invasive intruders on the other end cannot gather personalized information on us, such as our IP address and hostname, which could be used to identify or locate us, among other things.
Here are a few things to remember about tor:
- tor’s efficacy largely depends on the number of nodes in the network. More nodes mean more random paths between nodes are possible, increasing the complexity of tracing the origin and reducing the feasibility of theoretically possible attacks based on having a holistic view of the tor network. Also, because all traffic is encrypted in multiple layers and sent through multiple nodes, using tor can be slow at times. That said, be nice and give back by allowing tor to run even at times you aren’t using it, acting as a node for other people’s encrypted traffic to pass through. Additionally, don’t use tor for heavy data transfer – bit torrent and the like is typically frowned upon.
- Tor is only one layer of obfuscation: data goes back to the public net in the same form that it came into tor. If you send out data which includes information that is not encrypted at the application layer, someone outside of the tor network can read it. Use end-to-end encryption in addition to tor, such as gpg, to protect transmissions between yourself and a known recipient, or use https to get end-to-end encryption over http.