Web Browsers Leave 'Fingerprints' Behind as You Surf the Net
- Thread starter D69
- Start date
Good article!
We sometimes have to remind ourselves just how exposed we are, even as I'm writing this and you're reading it.
The only option I can think of that would solve the issues in the article is to use a reputable virtual private network (of which I only know one, but I'm sure Internet anonymity is a niche market that will become increasingly popular) that will route all your traffic through a virtual NIC and assign you a new MAC address and IP address and, to put it simply, anonymise your entire Internet usage through a decentralised and distributed network (like what Tor was trying but failed to achieve).
So if you were using such a service, those who seek to observe and monitor your Internet activity will see your fingerprints as:
- the IP address assigned to you from an exit node of your choice from the VPN
- your browser information (ie some of the basic information available in the browser like codename, version, platform and online information)
- your HTTP Header Information (ie your browser sends a list of headers that can contain information about which type of images are supported, which kind of documents are supported, the character sets that are acceptable, cookies etc.) but you can manage if you allow or deny some parameters so check your browser configuration.
Of course even with a reputable VPN service, it is possible to de-anonymise you :
- when you visit a hostile server or a website which contains malicious code
- when you authenticate to a service online
- when you surf, because your behaviour online can reveal a lot about your life, your interests, your businesses, your relations, and your problems. This is the reason why search engines and companies concerned with statistical services and advertisements record your IP address or web sites visited by you and therefore profile you.
The best protection is being careful about what we do on the Internet.
We sometimes have to remind ourselves just how exposed we are, even as I'm writing this and you're reading it.
The only option I can think of that would solve the issues in the article is to use a reputable virtual private network (of which I only know one, but I'm sure Internet anonymity is a niche market that will become increasingly popular) that will route all your traffic through a virtual NIC and assign you a new MAC address and IP address and, to put it simply, anonymise your entire Internet usage through a decentralised and distributed network (like what Tor was trying but failed to achieve).
So if you were using such a service, those who seek to observe and monitor your Internet activity will see your fingerprints as:
- the IP address assigned to you from an exit node of your choice from the VPN
- your browser information (ie some of the basic information available in the browser like codename, version, platform and online information)
- your HTTP Header Information (ie your browser sends a list of headers that can contain information about which type of images are supported, which kind of documents are supported, the character sets that are acceptable, cookies etc.) but you can manage if you allow or deny some parameters so check your browser configuration.
Of course even with a reputable VPN service, it is possible to de-anonymise you :
- when you visit a hostile server or a website which contains malicious code
- when you authenticate to a service online
- when you surf, because your behaviour online can reveal a lot about your life, your interests, your businesses, your relations, and your problems. This is the reason why search engines and companies concerned with statistical services and advertisements record your IP address or web sites visited by you and therefore profile you.
The best protection is being careful about what we do on the Internet.
I agree with you completely. I've been following this for just five years now, but most of the VPN providers are weak with what they offer.
For example, Perfect Privacy have no corporate structural integrity against spying, they provide no multiplexing, and so offers very weak anonymity.
An observer can see the data passing from your machine to the VPN provider, and the traffic leaving the VPN provider. In a single-hop system, such as Perfect Privacy, JAP, Tor, Jondonym, Proxify, Turbohop or Anonymizer, it is known which exit node your traffic is entering/leaving is equal to the one you are connected to. The outgoing traffic can then be correlated to the encrypted traffic you are sending because all it's unencrypted traffic happens at the same time you get your encrypted traffic. This is so easy for a computer to do, it can be done passively. It does not require the VPN provider to cooperate at all. So a VPN that does multiplexing is necessary so that technique and passive ones are not effective.
What you need is a true multi-hop anonymity network, meaning that your connection is automatically routed through at least two anonymous proxies in other countries before it reaches the Internet, bypassing restrictive firewalls and circumventing any Internet censorship, and it would be nice if it used crowding and traffic padding,. Most VPN services only offer weak privacy because they do not provide true anonymity, and do not address data-retention and data-logging threats. So you need a service that channels your traffic across multiple anonymous servers located in non-logging jurisdictions to defeat data-logging and data-retention directives.
You would also need your identity and payments to be kept separate from your account, possibly via dead drops of some sort. So that the VPN service, who keep no logs to begin with, could not even link you - the customer - to your usage. Anything less than this is pointless. And in addition, this will not protect you from the PTB. It will protect you from say a domestic adversary, but definitely not a global one.
So far, I've only found Xerobank to be offering this. I'm sure more will pop up in the future, but they will need to be scrutinised very closely.
Anonymity is a very rare property in this universe, especially when you move so close to a mathematical and abstract system as network traffic.
For example, Perfect Privacy have no corporate structural integrity against spying, they provide no multiplexing, and so offers very weak anonymity.
An observer can see the data passing from your machine to the VPN provider, and the traffic leaving the VPN provider. In a single-hop system, such as Perfect Privacy, JAP, Tor, Jondonym, Proxify, Turbohop or Anonymizer, it is known which exit node your traffic is entering/leaving is equal to the one you are connected to. The outgoing traffic can then be correlated to the encrypted traffic you are sending because all it's unencrypted traffic happens at the same time you get your encrypted traffic. This is so easy for a computer to do, it can be done passively. It does not require the VPN provider to cooperate at all. So a VPN that does multiplexing is necessary so that technique and passive ones are not effective.
What you need is a true multi-hop anonymity network, meaning that your connection is automatically routed through at least two anonymous proxies in other countries before it reaches the Internet, bypassing restrictive firewalls and circumventing any Internet censorship, and it would be nice if it used crowding and traffic padding,. Most VPN services only offer weak privacy because they do not provide true anonymity, and do not address data-retention and data-logging threats. So you need a service that channels your traffic across multiple anonymous servers located in non-logging jurisdictions to defeat data-logging and data-retention directives.
You would also need your identity and payments to be kept separate from your account, possibly via dead drops of some sort. So that the VPN service, who keep no logs to begin with, could not even link you - the customer - to your usage. Anything less than this is pointless. And in addition, this will not protect you from the PTB. It will protect you from say a domestic adversary, but definitely not a global one.
So far, I've only found Xerobank to be offering this. I'm sure more will pop up in the future, but they will need to be scrutinised very closely.
Anonymity is a very rare property in this universe, especially when you move so close to a mathematical and abstract system as network traffic.
You might find this interesting, a forum post from a Xerobank employee:
I've gathered some Q&As on the Xerobank forum and posted them here, which sort of gives you a run-down of how they think.
1) Why is XB considered to be so secure?
2)How many hops in the XB network?
3) Using OpenVPN is one's traffic encrypted from the client machine all the way until it leaves the exit node?
4) How secure is this encryption?
5) Is this traffic at all "sniffable" at any point in the chain by an entity other than a global passive adversary?
6) Is XB at all subject to MITM attacks?
7) Does XB use US/domestic exit nodes? Do domestic exit nodes pose any more or a risk if they are US based? With legacy accounts, where are the nodes likely to be?
8) During the course of an XB Open VPN session does one's IP address change periodically or does it remain the same? Does it matter?
9) Do the same answers hold true for XB Mail when used with a Pro account? Is XB Mail encrypted all the way through?
10) What would you say are the major advantages of Xerobank over some of the stronger, more reputable privacy services?
11) I have a feeling that the NSA/FBI/Feds in general have infiltrated all anonymity service providers. Why? Well, do you seriously think that terrorists are dumb enough to communicate through unsecure avenues? No. I guarantee that most of the USA intelligence and that of other countries come from so-called secure avenues of communication.
12) I believe that many of the OpenVPN providers are fronts of the gov't. It is ingenius to setup shop under the disguise as being an anonymity provider but really being the Feds. The global gov'ts have had almost 9 years now (since 9/11) to lockdown and infiltrate all means of global communication.[/quote]
13) If they really want to, all it needs is one little piece of paper signed by a judge and Xerobank as well as the others will be forced to cave.
14) I am curious though; how and why would you receive a court order?
15) Are you referring that a court order would make you monitor any one server that the court order is deemed for, or are you referring to a court order in trying to figure out who client John Doe is who accessed the website of Jane Doe and tried to hack it on some prior date?
16) If the feds want you to tell them who hacked site A on date B, could you be able to determine who it was?
17) Another scenario would allow your monitoring software to determine that client John Doe was hacking site A on date B, and the feds had nothing to do with it. Are you going to report that person to the feds even if the feds don't request it?
18) If client John Doe performs a malicious act on date A of any sort, and your software discovers it AND the feds come to you asking to find out who did it, are you then going to notify them of who it was?
19) Also, if the feds asked you to keep the account active and monitor every activity of client John Doe for a 2 month period of time, are you going to do it?
20) Your servers in the United States don't need a court order to be monitored. Due to the infamous and garbage Patriot Act, the NSA/CIA/FBI can just bully whoever they want whenever they please to do whatever they want them to do. Are you really going to risk your whole business by not complying with their threats? No.
21) Don't give me any of the "no logs" bologna either. It just doesn't pan out that way.
I've gathered some Q&As on the Xerobank forum and posted them here, which sort of gives you a run-down of how they think.
1) Why is XB considered to be so secure?
2)How many hops in the XB network?
3) Using OpenVPN is one's traffic encrypted from the client machine all the way until it leaves the exit node?
4) How secure is this encryption?
5) Is this traffic at all "sniffable" at any point in the chain by an entity other than a global passive adversary?
6) Is XB at all subject to MITM attacks?
7) Does XB use US/domestic exit nodes? Do domestic exit nodes pose any more or a risk if they are US based? With legacy accounts, where are the nodes likely to be?
8) During the course of an XB Open VPN session does one's IP address change periodically or does it remain the same? Does it matter?
9) Do the same answers hold true for XB Mail when used with a Pro account? Is XB Mail encrypted all the way through?
10) What would you say are the major advantages of Xerobank over some of the stronger, more reputable privacy services?
11) I have a feeling that the NSA/FBI/Feds in general have infiltrated all anonymity service providers. Why? Well, do you seriously think that terrorists are dumb enough to communicate through unsecure avenues? No. I guarantee that most of the USA intelligence and that of other countries come from so-called secure avenues of communication.
12) I believe that many of the OpenVPN providers are fronts of the gov't. It is ingenius to setup shop under the disguise as being an anonymity provider but really being the Feds. The global gov'ts have had almost 9 years now (since 9/11) to lockdown and infiltrate all means of global communication.[/quote]
13) If they really want to, all it needs is one little piece of paper signed by a judge and Xerobank as well as the others will be forced to cave.
14) I am curious though; how and why would you receive a court order?
15) Are you referring that a court order would make you monitor any one server that the court order is deemed for, or are you referring to a court order in trying to figure out who client John Doe is who accessed the website of Jane Doe and tried to hack it on some prior date?
16) If the feds want you to tell them who hacked site A on date B, could you be able to determine who it was?
17) Another scenario would allow your monitoring software to determine that client John Doe was hacking site A on date B, and the feds had nothing to do with it. Are you going to report that person to the feds even if the feds don't request it?
18) If client John Doe performs a malicious act on date A of any sort, and your software discovers it AND the feds come to you asking to find out who did it, are you then going to notify them of who it was?
19) Also, if the feds asked you to keep the account active and monitor every activity of client John Doe for a 2 month period of time, are you going to do it?
20) Your servers in the United States don't need a court order to be monitored. Due to the infamous and garbage Patriot Act, the NSA/CIA/FBI can just bully whoever they want whenever they please to do whatever they want them to do. Are you really going to risk your whole business by not complying with their threats? No.
21) Don't give me any of the "no logs" bologna either. It just doesn't pan out that way.
D69
Dagobah Resident
well it loks like a good service ..but :D
While that is true for them , its not for you , they are not telling the whole story here. XB is not owner of your private network , and does not know how you connect to them , so smart attacker could perform a mitm attack if combined with other vectors and for example human laziness (through which i mean actions like - First I click OK and if nothing happens then its ok ;) )
also when they say there are 2 nodes , then it means that traffic is decrypted on the middle node - so they have some sort insight , i mean they dont have to keep logs , but still , they could see decrypted traffic flowing on that host - but thats just my quick assumption , i do not know their infrastructure , but i use OpenVpn myself and I know it quite well - both server and client , since i often set it up myself.
Anyway , its good to see services like this . Hopefully this is not some sort of FED`s honeynet ;)
Somewhere on EFF site there is a how-to where you can read how to blend in daily users.
There is an old saying , when you are between crows , behave like a crow.
So unique and custom browser actually makes it worse unless you are uber-leet hero of the net.
Just my 5 cents
While that is true for them , its not for you , they are not telling the whole story here. XB is not owner of your private network , and does not know how you connect to them , so smart attacker could perform a mitm attack if combined with other vectors and for example human laziness (through which i mean actions like - First I click OK and if nothing happens then its ok ;) )
also when they say there are 2 nodes , then it means that traffic is decrypted on the middle node - so they have some sort insight , i mean they dont have to keep logs , but still , they could see decrypted traffic flowing on that host - but thats just my quick assumption , i do not know their infrastructure , but i use OpenVpn myself and I know it quite well - both server and client , since i often set it up myself.
Anyway , its good to see services like this . Hopefully this is not some sort of FED`s honeynet ;)
Somewhere on EFF site there is a how-to where you can read how to blend in daily users.
There is an old saying , when you are between crows , behave like a crow.
So unique and custom browser actually makes it worse unless you are uber-leet hero of the net.
Just my 5 cents
