25

Recently I have thought more and more about how to make my Internet traffic anonymous. Not for illegal reasons, but just to stop leaving information about me. The methods I know of to anonymize my browsing are services like proxies and VPNs.

I have thought about going the VPN way with services like CyberGhost VPN or vpntunnel.se. As far as I know the problem with proxies is that only http and https traffic will be hidden, but as soon as I use another program than my browser the traffic is not anonymous.

I thought about installing VirtualBox on my Windows 7 system, then running an Ubuntu Linux VM. I would then install the VPN client on the VM. Does that make sense? I am primarily concerned about the risk of virus infection on Windows.

The service vpntunnel.se advertises that it doesn’t store any user data besides the username and email address, but since they are in the EU I don’t know if they actually have to store anything extra because of the data retention laws.

Does anyone have more experience about this? Any ideas on how to make this scenario even more secure?

user276955
hans
  • 1
    You're asking multiple questions at once here: How best to anonymize traffic? Should I sandbox my browser in a VM? Can VPN providers provide anonymity? How can I make VPN browsing more secure? StackExchange works best with one question at a time, so you might want to consider simplifying. (And maybe opening more questions as needed.) – Graham Hill Apr 03 '12 at 08:31
  • 4
    Of course, as D.W. points out, the answer to all these questions is the same: "Hello, I'm The Doctor. Basically, Tor." :-) – Graham Hill Apr 03 '12 at 13:17
  • Just don't forget to test your setup with http://www.stayinvisible.com or similar. –  Apr 13 '12 at 10:32
  • 1
    TorrentFreak asked several VPN providers how they protected their users' privacy. http://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/ – S.L. Barth Jul 06 '12 at 17:07
  • 1
    And all it takes is one small, insignificant slip-up or omission in detail to completely bypass all attempts at anonymizing your internet access. – Fiasco Labs Nov 20 '12 at 21:36
  • No no no, VPNs are the worst advice you can give. Use Tor, don't change anything, and you'll be fine. – 09182736471890 Dec 06 '19 at 02:51

9 Answers

14

As far as hiding IP address goes:

Tor does provide a decent level of anonymity but creates its own set of problems, in particular Tor users are a frequent target for traffic sniffing and man-in-the-middle attacks due to compromised exit nodes (see How much can I trust Tor?), so I don't recommend it.

Instead of Tor you can use I2P, which does not suffer this vulnerability because it uses a predefined exit node (or the one you manually choose), and the exit nodes are usually well-maintained servers, so they're way less likely to be malicious or compromised.

VPN is easily tracked down by traffic analysis - tracking packet sizes, network lag and timings, etc. Tor is more resilient to that, and I2P is supposed to be even more resilient but it was not yet investigated as thoroughly as Tor was. Cryptohippie VPN also takes traffic analysis into account and adds additional layers of protection against it.

However, obscuring traffic origin is just a part of the problem.

A web browser is ridiculously easy to track using browser fingerprints, even if you've disabled cookies, JavaScript, and everything else you can disable. Panopticlick explains what browser fingerprints are and demonstrates just how easy it is, and it's not nearly complete - BrowserSpy.dk lists many more ways of tracking.

VPNs and anonymity networks do not (and usually can not) do anything about your browser fingerprint. You can reduce tracking, but not defeat tracking.

Here's one simple scenario to consider. Every time you browse the web without an anonymity network, the browser fingerprint is sent out there from your real IP. The fingerprint-IP pair can be recorded. If you browse the web with an anonymity network later, your browser fingerprint stays the same - others can still recognize you. Moreover, they may have your real IP address recorded. You're no longer anonymous.

It's enough to go online without an anonymity network just once to blow your cover, both in the past and future, forever (until you significantly change your software setup).

So remember you're being tracked, and NEVER EVER use the same web browser with and without an anonymity network.

In fact, this is not limited to web browsers. Other applications may have a fingerprint too (e.g. BitTorrent clients do), but they are not researched as thoroughly as web browsers were. If you're going to use an application via an anonymity network, be cautious about its setup and make sure it goes into the anonymity network right away, without contacting the "non-anonymous" Internet even once. Otherwise your attempts at anonymity are in vain.

To avoid disclosing your IP by fingerprinting and not bother remembering which app should be anonymous and which should not (while every mistake is grave), I recommend running anonymity-oriented Linux distros, like Tails or Liberté. This way you'll be sure which programs are anonymous and which are not, and they won't be able to leak their fingerprints into the "non-anonymous" Internet because these distros explicitly prohibit any non-anonymous communications. It's possible to run them in a VM, but it's better to do so on a dedicated machine to avoid hardware-based fingerprinting and use better random number generators.

Finally, tracking may be not application- or instance-specific; user accounts on websites uniquely identify you (duh). If you want to stay anonymous, you have to access your user accounts via an anonymity network either always or never. The easiest way to do this is to establish a different identity for anonymous browsing.

Control your data online

Remember, you are tracked. You can reduce tracking, but not defeat tracking. And you leave a lot of info about yourself as you browse, from what your interests are to what places you visit to where you live. For example, search engine history tells a lot about you and sometimes can uniquely identify you. Some other websites collect A LOT of info about you or force you to disclose it, and what's worse, they often disclose it to third parties.

For a start, use an anonymous search engine: ixquick, startpage.com (anonymous Google with slightly outdated data), DuckDuckGo or run a local seeks instance to be sure. There are some search engines available inside I2P network too.

Social networks are evil. You can either not use them altogether or own your data by using Diaspora.

Online map services are not necessarily evil, but they get important info about you. I'm not aware of any anonymous map services, but of course I recommend avoiding Google Maps. Perhaps OpenStreetMap tracks less or doesn't track, but I haven't checked.

Same goes for email, IM, etc. Communicate via SSL'd and non-logged email and IM or use end-to-end encryption via a web of trust.

Finally, try to reduce tracking. Use a browser that supports DoNotTrack HTTP header and enable DoNotTrack headers in settings. Use some tracking-blocker browser extension. Use Mozilla Collusion to analyze and disable tracking. Use DNSCrypt if you don't want your ISP to know which websites you visit, or at least don't forget to check for DNS leaks if you're trying to use a custom DNS server without encryption. Remember you're being tracked at all times, no matter what you do to get rid of it. Read privacy policies. Be paranoid.

Shnatsel
  • You have links for everything but the 'browser fingerprint' concept. Can you expand on that? Would a 'browser on a stick' defeat that problem? – schroeder Nov 20 '12 at 20:38
  • 1
    https://panopticlick.eff.org/ provides a good explanation and a demo. I've updated the answer with a clarification on browser fingerprints. – Shnatsel Nov 20 '12 at 20:44
  • You got dangerously close to the tinfoil while still being pragmatic. well done. – Mindwin Remember Monica Sep 09 '16 at 15:49
  • About the first point - this is not a Tor problem. Any proxy, VPN or even I2P can monitor unencrypted traffic at the exit point... – toster-cx Feb 20 '17 at 10:04
  • The link for Diaspora is dead. https://diasporafoundation.org/ – user124384 Mar 09 '18 at 19:54
  • 1
    @Shnatsel **Your claims regarding Tor and I2P are largely incorrect.** Various studies (see FreeHaven) have shown that a non-negligible fraction of I2P users can be deanonymized by a moderate-sized adversary with a low budget, whereas Tor has much greater sybil resistance due to its use of directory authorities and pinned guards. Additionally, I2P's unidirectional channels increase fingerprinting risk. Not to mention, I2P's limited number of "exits" vastly increases the fraction of the network they are able to analyze. – forest Jan 06 '19 at 06:43
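
The linkage scenario from Shnatsel's answer above (the same fingerprint seen once from the real IP and later from an anonymity-network exit), as an added example that is not part of the original answers. The attribute set, sample values, addresses and function names are constructed for illustration; real fingerprinting uses more signals than these six.

```python
import hashlib
from collections import defaultdict

# Constructed sample attributes of the kind Panopticlick reports; not real captures.
EVERYDAY = {
    "user_agent": "Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0",
    "accept_language": "de-DE,de;q=0.8,en;q=0.5",
    "screen": "1680x1050x24",
    "timezone_offset": "-60",
    "fonts": "Arial,Calibri,Consolas,Segoe UI",
    "plugins": "Flash 11.5,Java 7u9",
}
# Same browser with plugins disabled: the hash changes, most attributes do not.
TRIMMED = dict(EVERYDAY, plugins="")
# Separate browser used only over the anonymity network, with generic settings.
DEDICATED = {
    "user_agent": "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0",
    "accept_language": "en-us,en;q=0.5",
    "screen": "1000x700x24",
    "timezone_offset": "0",
    "fonts": "",
    "plugins": "",
}
HOME_IP, EXIT_IP = "192.0.2.10", "198.51.100.7"  # RFC 5737 documentation addresses

def fingerprint(attrs):
    """Hash the sorted attribute pairs. The source IP is not an input."""
    canon = "\n".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()[:16]

def shared_attributes(a, b):
    """Attributes with identical values in both profiles (residual overlap)."""
    return sorted(k for k in a.keys() & b.keys() if a[k] == b[k])

def linked_ips(visits):
    """Map fingerprint -> source IPs, keeping fingerprints seen from 2+ IPs."""
    seen = defaultdict(set)
    for ip, attrs in visits:
        seen[fingerprint(attrs)].add(ip)
    return {fp: ips for fp, ips in seen.items() if len(ips) > 1}

# Same browser used once directly and later through the anonymity network.
reused = [(HOME_IP, EVERYDAY), (EXIT_IP, EVERYDAY)]
# Everyday browser direct, dedicated browser through the anonymity network.
separated = [(HOME_IP, EVERYDAY), (EXIT_IP, DEDICATED)]

if __name__ == "__main__":
    print("reused browser   :", linked_ips(reused))
    print("separate browsers:", linked_ips(separated))
    print("trimmed overlap  :", shared_attributes(EVERYDAY, TRIMMED))
```
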
10

Boot to a live CD containing Tor bundle, for the activities you want to be anonymous. Or, boot to a live CD and use a VPN.

See also:

D.W.
3

If you want to anonymize then use the Tor network, but you'd have to make sure you aren't signed into anything, you've cleared your cookies beforehand, and you don't sign into anything while on the Tor network... that's how you allow yourself to stay anonymous.

If you use a VPN it will mainly help by just taking any of your accounts and data and "you" as a computer user somewhere else on the planet. But it doesn't keep moving like the Tor network does.

If you use either method, ALL traffic from your network card is routed through Tor or the VPN, not just the browser.

forest
TheNoob
  • This will not help because of browser fingerprinting, see https://panopticlick.eff.org/ and http://security.stackexchange.com/questions/13416/whats-the-best-way-to-make-my-internet-traffic-anonymous/24267#24267 – Shnatsel Nov 20 '12 at 22:27
2

Ok, there is a downside to VPNs. For example, the VPN Service HideMyAss is alleged to have provided log information to law enforcement.

The justification HideMyAss gave was:

As stated in our terms of service and privacy policy our service is not to be used for illegal activity, and as a legitimate company we will cooperate with law enforcement if we receive a court order (equivalent of a subpoena in the US).

So a VPN will work for most legal use, but might not stand up against an investigation by the authorities. It is not just "talking about vpns" that might lead authorities to know who you rent a VPN from, but also paper trails such as payments to the company.

Lazrus
1

I like to run an instance of Microsoft Windows Server 2003 or 2008 on Amazon AWS. You can remote desktop into a running instance and surf the web anonymously. Your IP address will change every time you start your instance.

Drew Lex
1

I have not used it, but there is a project called Tails that distributes a secure live CD that is "boot and use" easy.

It is essentially a collection of preconfigured tools (Tor, HTTPS Everywhere, OpenPGP), most of which have already been mentioned here.

Remember though, that you can easily leave traces even with all these precautions. It's all useless if you then proceed to post your name and address on a message board.

scuzzy-delta
0

You can do that by going with a VPN provider that's both robust and reliable.

Across the world, businesses use VPNs to connect to remote data centers, or for employees to connect remotely to the physical network of their workplace, while individuals can use VPNs to get access to network resources when they’re not physically on the same LAN (local area network), or as a method for securing and encrypting their information from the potential liabilities that lie ahead once exposed to unsecured networks such as public WiFis or hotspots.

On the same note, I would suggest you stay away from the free VPN services out there as they can do more harm and defeat the purpose of having a VPN in the first place.

In the FREE vs. PAID matter, it is important to understand that most legit businesses will offer 7 days of free trial, but a free connection for an indefinite period of time is sure to get its profit elsewhere; in ways that can harm your security and defeat the whole purpose of having a VPN in the first place.

0

To get anonymous I would recommend you look for a VPN with a no-log policy. In general it depends on the level of anonymity you are looking for. There are some good VMs out there too, like Whonix, where you set up 2 VMs and send all your traffic through it. You are able to combine that one with a VPN, too.

There are whole OSes out there which focus on anonymity, like Qubes OS.

It would also be a good idea to look for a VPN which offers a proxy service too, like Windscribe.

A really important point, as important as the no-log policy, is the firewall option in a VPN; always make sure this is available in the VPN you are going to use.

As Shnatsel said before, try to use safe alternatives to the big search engines. You can start using add-ons in your browser too, which block social media links, or something like Privacy Badger or HTTPS Everywhere. That wouldn't be for anonymity but for securing your internet traffic as far as you want it.

There are several possibilities to stay anonymous online, but I would recommend you not trust in just Tor, as many users out there do. It of course is a very good tool to stay anonymous, but it still has its bad sides and it can become not as secure as you might think very fast.

Dr3xler
-4

You may try to use Incognito Chrome while surfing the Internet with web browser.

zakiakhmad
  • 7
    See this post: http://security.stackexchange.com/a/875/33. Incognito mode only anonymizes it on *your* end - it doesn't save history etc. This does not help solve the question at all. – AviD Nov 21 '12 at 11:01