Best Free Anonymous Surfing Service
There are many reasons people have for wanting to surf anonymously, ranging from simple paranoia in terms of protecting personal data, to hiding browsing activities from other users of a computer including parents, spouses, or even other organizations. Whatever your reasons for wanting to use anonymous browsing services, or criticizing others for wanting to use them, I will not debate the political, legal, moral, ethical and other reasons, but simply review the available technology. Be aware that most corporate networks will block the use of anonymous surfing activities at the corporate firewall. Corporate networks and internet links are after all the property of your employer and should never be misused in violation of corporate acceptable use policies, so don’t expect any help here in finding ways to circumvent firewall blocking.
The most obvious anonymous browsing application for most people is in internet cafes, on public terminals, using wireless or even wired access points away from home, or in fact, on any PC including your own, where you don't want to leave traces of your private surfing activities. Some other browsing activity cleaners exist that clear the cache, cookies, history and other traces, some are even available as a standard in most browsers, but anonymous browsing goes a step further. What attracts me is not so much the privacy aspect, but rather the security potential, because all of the anonymizing browser proxy based services create a secure encrypted connection between the PC you are using and the first anonymizing proxy server. This allows you to safely transmit information with little risk of local interception, making it ideal for surfing on open Wi-Fi networks, or in hotels while travelling.
Previously, secure surfing on such networks required the use of private VPN networks, generally an option only available to corporate employees, those with the available money to pay for it and the technically savvy. Now, using any of the Tor or JAP based browsers, any surfer can reap the same sort of security benefits for their browsing. Whatever the reasons anyone may have for using anonymizing browsing, commercial services that offer anonymity are doing well, and a number of both free and subscription based browsing applications and services have become available.
Two dominant services exist which provide the foundation for free, secure anonymous browsing. The JAP network was good enough that the German Police insisted in 2004, that a backdoor be put into the product to allow interception of child pornographers. This was done, but subsequently removed as a result of court action by the JAP development team. The alternative is Tour (The Onion Ring), which is a system that not only allows anonymous browsing but also anonymous P2P, email, IM, and IRC chat. Given the US Navy origin of Tor, the suspicion inevitably arises that this system may have a permanent backdoor, however, the source code is now publicly available so that suspicion can perhaps be set aside. More worrying was a raid by German police in September 2006 involving the seizure of some Tor servers in that country. Again, pedophiles were the supposed target, but who really knows.
OperaTor is my clear first choice, a portable version of Opera with an included and well integrated Tor engine that uses the free Tor network. OperaTor is small and relatively fast, using just 6Mb of memory for it’s Tor engine, 2Mb for the Polipo caching proxy, 3Mb for the OperaTor loader and 18Mb for Opera. In my experience, OperaTor is by far the fastest browser, even with multiple proxies on the Tor network so that the browsing trail is frequently changing for greater security. Some people don't like the fact that OperaTor is not released with source code available (at least not that we have yet located) which may influence the choice in whether to use it or not. I believe that unless a user is proficient in programming, or at least reading the development language of any particular application, this becomes rather irrelevant, unless some amount of comfort or security might be perceived in knowing that source is available and others might be checking it even if the user of the application can not read it personally. Even closed source projects that become popular generally receive enough user and peer scrutiny that most problems would be quickly exposed.
JonDo (previously known as JAP) is my second choice and is in some ways a more flexible option, in that it is simply a Java application that performs the role of a local (PC based) proxy server that redirects browser requests via the JonDo (formerly JAP) network. This allows the user to configure their choice of any browser rather than requiring a change to Opera. Unfortunately, being Java based means that the application becomes somewhat bloated, requiring 54Mb of memory just for the Java JonDo application, as well as another few Mb for the JAP engine, and then whatever additional is required for the web browser of choice. JonDo does have quite a nice GUI display which shows the strength of the anonymity based on the number of anonymizing proxy servers, and takes care of managing the random proxy changes for greater anonymity. A commercial service known as Homonym has been introduced which uses dedicated servers to provide higher speeds, higher levels of availability and more security along with support for chat, ftp and ssh in addition to web browsing. Another offering from the commercial JonDonym group is JonDoFox, a customized version of Firefox with JonDo code embedded along with other anonymizing optimizations. Unfortunately, JonDo not being a network like Tor is prone to some limitations in terms of the numbers of free servers, and some subsequent downtimes may be more likely with the smaller server base.
Vidalia is my third choice, a close match to JonDo in that it is quite a bit lighter in memory use and generally feels faster, but may not have the same level of anonymizing as JonDo. Vidalia is another integrated package using a combination of Privoxy and a Tor engine to connect to the Tor network, but it offers many new features. As with JonDo, Vidalia behaves as a local proxy for use by any browser, but it also provides configurations allowing it to run either as a simple standalone process or as a Windows service (for security and performance reasons, among others). Vidalia allows the user to participate in the anonymizing process by becoming a Tor Relay to help censored users in a similar way to becoming a BitTorrent relay, and a live realtime facility is available showing a map of the earth with lines representing connections to the Tor server participants. Vidalia uses 24 - 32Mb of memory, with an additional 4Mb used for Privoxy and another 16.5Mb for the Tor engine. One initially confusing aspect of Vidalia is that it provides a configuration access through port 9051, but it is not immediately obvious that Privoxy is listening on port 8118. Browsers using the Vidalia bundle must be configured to use the Privoxy port 8118 as the proxy server, not port 9051. Like JonDo, the Vidalia/Privoxy combination constantly changes proxy servers to mask the trail to provide greater anonymity.
Whatever your preference, both JAP and Tor networks offer a level of secrecy that is better than many commercial systems, though they are not watertight. Expect your surfing to slow down, in some case substantially, because you'll be relayed through a chain of servers, all heavily impacted by BitTorrent users seeking to hide from the RIAA. Note: the latest V5 release of JAP now allows Tor users to use JAP as a software access point to the Tor network.
The XeroBank Browser (previously known as TorPark) provides a new customized version of the Firefox browser configured to work with the free Tor anonymizing service, or with a subscription service for higher speeds using dedicated servers, and other features. Firefox users may feel more comfortable with XeroBank, as it is based on Firefox, but also need not make any changes at all if they make use of either the JonDo or Vidalia bundles to access the Tor engine other than to set the proxy server, and of course, manual cleanup of the cache, cookies and browsing history after use. XeroBank claims to have many advanced features, but for the average user most of these may not be apparent, unless the subscription service is used. While the XeroBank browser is free to use on the Tor network, the XeroBank web site promotes the use of their subscription-based account. During installation, the XeroBank Browser offers the choice of using either the commercial XeroBank Client or the free Tor service. Caution! Some antivirus scanners report trojan infected code in the XeroBank download. Use http://jotti.org to verify all downloads, and use XeroBank and all other applications with caution, but be aware that some of the virus scanners used by jotti.org may also be overly zealous in their reporting of infections. Some claimed virus or trojan infections in various applications are no more than firewall detection, or software product key reporting capabilities mis-diagnosed by the scanner as a potential threat.
The downside of XeroBank as contrasted with using JonDo or Vidalia, is that you would need to use XeroBank for anonymous browsing and your regular browser for other surfing. Using JonDo or Vidalia, you can use the browser of your choice, and just reconfigure to use the proxy when you want to anonymous surfing. This won't automatically clean out all other personal data (cache, history, cookies etc.) when the application is shut down, which OperaTor and XeroBank do.
A final item for review recently brought to my attention by Peter, one of our visitors, is UltraSurf, which seems to be primarily targeted at people in China wanting to circumvent official government internet censorship. We will not get into the politics or ethics of either the censorship or circumvention of censorship, however the facility exists and may be useful to some people. UltraSurf is a very simple application, a single tiny 281Kb download containing just one executable, u.exe. When running, this little program uses just 7.5Mb of memory and performs the same role of proxy server as other applications, redirecting all browser requests via the UltraSurf proxy servers. While this is an interesting new development claiming to be very sophisticated, it seems on the surface to be rather simplistic, and does not appear to change proxy servers in the same way that JAP and Tor do. Browsing speeds also seemed to be somewhat slower than with either Tor or JAP browsing. The program appeared to be clean on a http://jotti.org virus scan, other than one possible trojan reported by F-Prot, so as with all software, while it appeared to be safe on my tests, test it out and scan it yourself. By default, UltraSurf changes proxy settings and launches Internet Explorer when it starts, but I was able to shut down Explorer and start FireFox and Opera with the proxy reconfigured to use the same port and successfully browse via UltraSurf.
For all anonymizing services, check that you are running in anonymous mode by first browsing to one of many servers which reports your IP address, for example http://www.whatismyip.com/ and take note of your IP address. Reconfigure your browser to make use of the anonymizing service, and reload / refresh the browser and verify that the reported IP address has changed. Some IP reporting servers will also tell you which country, and even which city you now appear to be connecting from.
Most of the services reviewed are able to run directly from a USB flash drive if the executables are simply copied as is from their installation directories. This works really well, just plug your flash drive into any PC with a USB port, launch both the anonymizing proxy software and a browser, set the browser to redirect via the anonymizer and you will be in business. In the case of both OperaTor and XeroBank, all you need to is launch the browser from your flash drive and you will be ready to start browsing.
While some 'LiveCD' applications such as XeroBank Machine and Incognito Live CD have been created and may provide similar functions, they mostly seem to be currently released in various stages of alpha or beta test versions and have bugs or limitations. For example, the XeroBank Machine provides two options. You can either run the xBMachine.exe from a Windows prompt which starts a QEMU virtual machine and then runs a GenToo Linux kernel, or by booting from a "Live CD". This Live CD boots the same customized GenToo Linux environment from CD without any Windows involvement. In simple terms, both xBMachine options simply provide a different "hardened" OS platform to run the Firefox based XeroBank Browser. Is LiveCD really useful? To some people, yes, not to me. It does mean that like SandBoxie, your guest operating system is protected from malicious web sites via your browsing, and when you stop the QEMU virtual machine or reboot the PC from hard disk rather than CD all traces are removed. I am a Unix / Linux geek so I am totally at home with them, but for the average person, I suspect the LiveCD and QEMU based options will provide a confusing level of complexity that will just interfere with their browsing and desire to be safe. Not much can beat truly safe browsing habits, whatever browser or add-on tools you use. xBMachine is a 380Mb zip file download, which unpacked yields a 391Mb ISO image to create a CD as well as another 10Mb or so of the QEMU environment. The QEMU hosted browser uses 292+Mb of memory, requires the ISO image present, and took more than 5 minutes to load and be ready for use on a 1.8Ghz dual core Intel PC with 1Gb or memory. It provides a Linux X-Windows GUI with a profile configuration, a network configuration, xBBrowser, e-mail, Pidgin instant messenger, terminal and an option to configure for the paid subscription network. I don't know about you, but I am not willing to wait 5 or more minutes and have close to 300Mb of disk space tied up in a browser that took another minute or two to load, and then in my case never managed to connect out anyway. For those who feel that having source available makes a better product, go ahead and try to download the XeroBank source. All of the links gave me a 7Mb source zip file which was corrupted and would not open. Would this give you "open source available" feelings of security? I don't think so.
I'm a freeware and open source fan, I can read and write programs, but not when the source file is corrupted, and I am not likely to start poring through tens of thousands of lines of code even if I could unpack the source. Even if it does unpack, how do we know that exact source was used to build the tool, and not another set of customized source with a built in Trojan or spyware? The reality is that we really don't know unless we both inspect the source code and then compile it and compare the distributed executable.
One final comment on anonymizing, your browsing activities will never be 100% secure and guaranteed to be anonymous. It will be very difficult for anyone to trace you while browsing through the Tor network, except as reported in the Tor wiki, "when you access pages that use Java, Javascript, Macromedia Flash and Shockwave, QuickTime, RealAudio, ActiveX controls, and VBScript are all known to be able to access local information about your operating system and local network. These technologies will work over proxies and can tunnel the information back to their source."
Sunday, May 31, 2009
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment