Difference between revisions of "Anonymizing yourself"

From TBP Wiki
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
 +
[[File:Anonymous.png|thumb]]
 
The internet is a cruel and horrible place. You might want to drop out of the matrix and join an anonymous network. Alternatively, you can take steps to minimize data-minining by reducing your online fingerprint.
 
The internet is a cruel and horrible place. You might want to drop out of the matrix and join an anonymous network. Alternatively, you can take steps to minimize data-minining by reducing your online fingerprint.
  
A broad approach on how to start evading global data surveillance and improving your overall online privacy can be found [https://prism-break.org/ here], and [https://www.privacytools.io/ here].  
+
A broad approach on how to start evading global data surveillance and improving your overall online privacy can be found [https://prism-break.org/ here], and [https://www.privacytools.io/ here].
  
=Anonymous networks=
+
== Anonymous networks ==
<strong>[https://www.torproject.org/ Tor]</strong>
 
Let's get something clear: Tor is NOT illegal to use (unless you live in one of those crazy whackjob countries run by a militant dictator such as Iran or China). Tor traffic was NOT significantly reduced by the removal of Silk Road, and as far as is known, new compromises for the underlying Tor framework did not come about from the removal of Silk Road. If you are interested, concerned or sceptical, check out [http://www.youtube.com/watch?v=CJNxbpbHA-I this video here] and [https://www.torproject.org/docs/faq.html.en read the FAQ].
 
  
Tor sets up a SOCKS proxy to the normal internet, allowing you to send any application’s connection anonymously through the Tor network. Any connections made through Tor will be anonymised but not confidential unless you use end to end encryption in the application, like SSL/TLS for web browsing, or an SSH tunnel. Torrenting is discouraged as it uses up too much bandwidth, and torrenting on Tor is near-impossible due to latency issues.
+
=== [https://www.torproject.org/ Tor] ===
  
<strong>[https://geti2p.net/en/ I2P]</strong>
+
Let's get something clear: [[Tor]] is '''NOT''' illegal to use (unless you live in one of those crazy whackjob countries run by a militant dictator such as Iran or China). Tor traffic was '''NOT''' significantly reduced by the removal of Silk Road, and as far as is known, new compromises for the underlying Tor framework did not come about from the removal of Silk Road. If you are interested, concerned or skeptical, check out [http://www.youtube.com/watch?v=CJNxbpbHA-I this video here] and [https://www.torproject.org/docs/faq.html.en read the FAQ].
I2P is end to end encrypted and separate from the normal internet; this means that connections through I2P are confidential and anonymous. No-one can know who you are talking to, or what you are saying to them, because there are no exit nodes. Tor hidden services (.onions) work in a similar way. All internet applications can be forwarded through I2P including ed2k, Gnutella, and torrents. Unlike Tor, I2P encourages torrenting on the network, although you cannot connect to non-I2P torrent swarms. Also unlike tor, I2P is not an outproxy for the clearweb and uses Tor as an outproxy to non-I2P domains. Hidden services that would be called onions on the TOR network are called eepsites on the I2P network and end in the '.i2p' domain.  
 
  
<strong>[https://freenetproject.org/ Freenet]</strong>
+
Tor sets up a SOCKS proxy to the normal internet, allowing you to send any application’s connection anonymously through the Tor network. Any connections made through Tor will be '''anonymized but not confidential''' unless you use end to end encryption in the application, like SSL/TLS for web browsing, or an SSH tunnel. Torrenting is discouraged as it uses up too much bandwidth, and torrenting on Tor is near-impossible due to latency issues.
Freenet is a distributed filesystem, where you can store files ‘in the cloud’ and download them anonymously from the Freenet network. Many of the files are HTML pages which can be viewed as static websites using a browser, and many are standalone files which can be searched and downloaded anonymously. Freenet content is undeletable as there is no way of knowing which node is holding each file. An example of a freenet link is like this:
+
 
 +
=== [https://geti2p.net/en/ I2P] ===
 +
 
 +
I2P is end to end encrypted and separate from the normal internet; this means that connections through I2P are '''confidential and anonymous'''. No-one can know who you are talking to, or what you are saying to them, because there are no exit nodes. Tor onion services (.onions) work in a similar way. All internet applications can be forwarded through I2P including ed2k, Gnutella, and torrents. Unlike Tor, I2P encourages torrenting on the network, although you cannot connect to non-I2P torrent swarms. Also unlike Tor, I2P is not an outproxy for the clearweb and uses Tor as an outproxy to non-I2P domains. "Hidden" services that would be called onions on the Tor network are called eepsites on the I2P network and end in the '.i2p' domain.
 +
 
 +
=== [https://freenetproject.org/ Freenet] ===
 +
 
 +
Freenet is a distributed filesystem, where you can store files ‘in the cloud’ and download them anonymously from the Freenet network. Many of the files are HTML pages which can be viewed as static websites using a browser, and many are standalone files which can be searched and downloaded anonymously. Freenet content is undeletable as there is no way of knowing which node is holding each file. An example of a Freenet link is like this:
  
 
http://127.0.0.1:8888/USK@Ls9yplmu~tAb7XDGZBdstFdt~aaDagL1xknrN~fvRLo,c-XpJ5njAmwz~iWJm11lifb6Q54Xj6mGBoG6cuiSA1U,AQACAAE/NSAspycenter/1/
 
http://127.0.0.1:8888/USK@Ls9yplmu~tAb7XDGZBdstFdt~aaDagL1xknrN~fvRLo,c-XpJ5njAmwz~iWJm11lifb6Q54Xj6mGBoG6cuiSA1U,AQACAAE/NSAspycenter/1/
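Review bot: The intro paragraph kept as unchanged context at the top of this hunk still reads "data-minining"; this revision already normalises spelling in the lines around it (sceptical to skeptical, anonymised to anonymized), so correct it to "data mining" in the same edit. The new level-3 headings for Tor, I2P and Freenet also wrap an external link inside the heading ("=== [https://www.torproject.org/ Tor] ==="), while the Chromium and Firefox headings added later in this revision are plain text; consider plain headings here too, with the project link moved into the first sentence of each section.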
Line 21: Line 26:
 
http://[LOCALHOST]:[FREENET PORT]/[TYPE OF KEY IDENTIFIER]@[HASHED IDENTIFIER]/[HUMAN-READABLE ADDRESS (OF SPECIFIC PAGE ON HASH)]/[VERSION OF PAGE]
 
http://[LOCALHOST]:[FREENET PORT]/[TYPE OF KEY IDENTIFIER]@[HASHED IDENTIFIER]/[HUMAN-READABLE ADDRESS (OF SPECIFIC PAGE ON HASH)]/[VERSION OF PAGE]
  
When using freenet, it is recommended to have your connection settings to "normal" (which is the highest it can be set when connecting to strangers), and your encryption settings to Maximum (which uses temporary keys and wipes the cache when you shutdown the server). Once you get more experienced with Freenet, you can switch to darknet mode, which prohibits stranger connections but requires you to connect to at least 5 friends you personally know. They also need to connect to you. NOTE: These friends you connect to can see your plain-text IP address, and as such only add people you truly trust.
+
When using Freenet, it is recommended to have your connection settings to "normal" (which is the highest it can be set when connecting to strangers), and your encryption settings to Maximum (which uses temporary keys and wipes the cache when you shutdown the server). Once you get more experienced with Freenet, you can switch to darknet mode, which prohibits stranger connections but requires you to connect to at least 5 friends you personally know. They also need to connect to you. '''NOTE: These friends you connect to can see your plain-text IP address, and as such only add people you truly trust.'''
  
Freenet has existed since 2000, and because of this, there are a large number of web 1.0 abandoned sites made by early adopters of the service. Also, because of being so old, it is programmed in Java, which was commonplace at the time.
+
Freenet has existed since 2000, and because of this, there are a large number of web 1.0 abandoned sites made by early adopters of the service. Also, because of being so old, it is programmed in [[Java]], which was commonplace at the time.
  
Please note that the Freenet network (much like Tor) attracts pedophiles and a large amount of sites contain child pornography. Some sites jokingly add a disclaimer saying "This site does not contain child pornography. click here to continue".
+
Please note that the Freenet network (much like other, especially anonymous, networks) attracts criminals and a number of sites contain child pornography. Some sites jokingly add a disclaimer saying ''This site does not contain child pornography. click here to continue.''
  
=Browsers=
+
== Browsers ==
<strong>See privacytools.io</strong>
 
  
* Always use an open-source browser. This ensures it can be freely audited. Google Chrome is not open-source, and while Chromium is, it hasn't been fully audited yet.
+
'''See [https://www.privacytools.io/ privacytools.io].'''
* Use a search engine that respects your privacy such as [https://startpage.com/ StartPage] (encrypted google searches) or [ixquick.com ixquick] (non-Google searches, owned by StartPage) instead of Google. Note that while [https://duckduckgo.com/ DuckDuckGo] is a better alternative than Google or Bing, it's based in the US and has known issues that [https://8ch.net/tech/ddg.html raise the possibility of privacy concerns].
 
  
<strong>[https://download-chromium.appspot.com/ Chromium]</strong>
+
* Always use an [https://wiki.tbpindustries.com/wiki/Web_browsers open-source browser]. This ensures it can be freely audited. [[Google]] [[Chrome]] is not open-source, and while Chromium is, it hasn't been fully audited yet.
 +
* Use a search engine that at least claims to respect your privacy such as [https://metager.org/ MetaGer](encrypted google searches) or [ixquick.com ixquick](non-Google searches, owned by StartPage) instead of Google. Note that while [https://duckduckgo.com DuckDuckGo] is a better alternative than Google or Bing, it's based in the US and has known issues that [https://8ch.net/tech/ddg.html raise the possibility of privacy concerns].
 +
 
 +
=== Chromium ===
  
 
Using Chromium is generally not recommended because even though you can disable its known tracking features (the RLZ identifier is in Chrome, not Chromium), Chromium's code isn't as audited as Firefox's and Chromium's security addons don't provide the same fine-grained control over web requests as Firefox's, due to its extension API being slightly less broad (no control over WebSockets, for instance). If you absolutely refuse to use anything else, follow these instructions:
 
Using Chromium is generally not recommended because even though you can disable its known tracking features (the RLZ identifier is in Chrome, not Chromium), Chromium's code isn't as audited as Firefox's and Chromium's security addons don't provide the same fine-grained control over web requests as Firefox's, due to its extension API being slightly less broad (no control over WebSockets, for instance). If you absolutely refuse to use anything else, follow these instructions:
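Review bot: In the added search-engine bullet under Browsers, the first link was switched from StartPage to MetaGer but the descriptions were carried over unchanged: "(encrypted google searches)" now describes MetaGer, and ixquick is still described as "owned by StartPage" although StartPage is no longer mentioned anywhere in the bullet. Confirm both descriptions against the services now linked and reword them. The same line also lost the space between each closing bracket and its parenthesis ("MetaGer](encrypted"), and "[ixquick.com ixquick]" has no URL scheme, so MediaWiki will not render it as an external link; add "https://" while the line is being touched.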
Line 40: Line 46:
 
* Go to your settings menu, click advanced settings scroll down to privacy, and turn everything off.
 
* Go to your settings menu, click advanced settings scroll down to privacy, and turn everything off.
 
* Go to Content Settings above that and check "Block 3rd party cookies and site data"
 
* Go to Content Settings above that and check "Block 3rd party cookies and site data"
* Unless you want to use a script blocker, also turn off Javascript.
+
* Unless you want to use a script blocker, also turn off JavaScript.
 
* Now scroll down to "Continue running background apps while Chromium is closed" and disable that as well unless you trust your addons.
 
* Now scroll down to "Continue running background apps while Chromium is closed" and disable that as well unless you trust your addons.
  
Despite all of this, there are a few forks that offer parity with the stable release, which are also open-source and have taken invasive Google crap out of the browser, as well as implemented some extra security measures. Alternatively, you can compile the browser yourself and apply one of these many patches.  
+
Despite all of this, there are [[Chromium#Notable_forks|a few forks]] that offer parity with the stable release, which are also open-source and have taken invasive Google crap out of the browser, as well as implemented some extra security measures. Alternatively, you can compile the browser yourself and apply one of these [[Chromium#Notable_patches|many patches]].
  
Setting Startpage as a search engine
+
=== Firefox ===
  
What is given to you by Startpage's website won't work, so use this link in the third box when adding it as a search engine: https://startpage.com/do/search?query=%s&cat=web&pl=chrome&language=english Alternatively, you would be better off using a locally hosted page.  
+
It is recommended that you compile [[Firefox]] from scratch/source, as it allows you to make use of security oriented USE flags such as ''hardened'' and forcing it to use more up to date system-wide libraries (eg: systemsqlite).
 +
To ensure maximum security while browsing the internet, always turn off third party cookies, unless you're using a proper firewall like uMatrix, for finer-grained control, in which case you should still put the appropriate measures into place. Mozilla describes them as: ''For example, cnn.com might have a Facebook like button on their site. That like button will set a cookie that can be read by Facebook. That would be considered a third-party cookie.''
  
<strong>[https://www.mozilla.org/en-US/firefox/ Mozilla Firefox]</strong>
+
'''Change your search engine'''. There are ways to get around Google’s insane profiling. See [[Search engines]].
  
It is recommended that you compile Firefox from scratch/source, as it allows you to make use of security oriented USE flags such as hardened and forcing it to use more up to date system-wide libraries (eg: systemsqlite). To ensure maximum security while browsing the internet, always turn off third party cookies, unless you're using a proper firewall like uMatrix, for finer-grained control, in which case you should still put the appropriate measures into place. Mozilla describes them as: For example, cnn.com might have a Facebook like button on their site. That like button will set a cookie that can be read by Facebook. That would be considered a third-party cookie.
+
'''Use freshplayer [GNU/Linux only]'''. Freshplayer is a  NPAPI wrapper for PPAPI Flash that works on Firefox. It is inherently safer and more performant, if you must use flash.
  
Change your search engine. There are ways to get around Google’s insane profiling. See Search engines.
+
If you can, use a [[fork]] of Firefox, such as [[GNU IceCat]] or [[Debian Iceweasel]].
  
Use freshplayer [GNU/Linux only]. Freshplayer is a NPAPI wrapper for PPAPI Flash that works on Firefox. It is inherently safer and more performant, if you must use flash.
+
==== Security extensions ====
 
+
There are many extensions available for Firefox to make you less trackable. Refer to the [[Firefox#Adblocking.2C_privacy.2C_and_security|Firefox]] article for a comprehensive list of addons.
If you can, use a fork of Firefox, such as GNU IceCat, Debian Iceweasel, or [https://www.palemoon.org/ Pale Moon].
 
 
 
=Fingerprinting=
 
  
 +
== Fingerprinting ==
 
Fingerprinting is the process of using otherwise non-identifying information to identify you. When enough non-identifying information is collected, you will usually be unique amongst others.
 
Fingerprinting is the process of using otherwise non-identifying information to identify you. When enough non-identifying information is collected, you will usually be unique amongst others.
Threat Countermeasure
+
{| class="wikitable"
 
+
|-
 +
| '''Threat'''
 +
| '''Countermeasure'''
 +
|- valign="top"
 +
|
 
* Plugins such as Flash or Java leak information.
 
* Plugins such as Flash or Java leak information.
 
+
| '''Recommended:''' Disable and uninstall browser Plugins (note: Plugins are different than Extensions) such as Flash and Java.
Recommended: Disable and uninstall browser Plugins (note: Plugins are different than Extensions) such as Flash and Java.
 
 
 
 
Alternative: Set the plugin to "Ask to activate". You will still be vulnerable whenever you activate that plugin.
 
Alternative: Set the plugin to "Ask to activate". You will still be vulnerable whenever you activate that plugin.
 
+
|- valign="top"
* Javascript leaks information
+
|
 
+
* JavaScript leaks information
Recommended: Disable Javascript
+
| '''Recommended:''' Disable JavaScript
 
+
Alternative: Use [https://addons.mozilla.org/en-US/firefox/addon/umatrix uMatrix] or [https://addons.mozilla.org/en-US/firefox/addon/noscript NoScript] to whitelist JavaScript on a per-site basis. You will still be vulnerable on those sites.
Alternative: Use [https://addons.mozilla.org/en-US/firefox/addon/umatrix uMatrix] or [https://addons.mozilla.org/en-US/firefox/addon/noscript NoScript] to whitelist Javascript on a per-site basis. You will still be vulnerable on those sites.
+
|- valign="top"
 
+
|
 
* HTTP Header information can be identifying
 
* HTTP Header information can be identifying
 
+
| '''Recommended:''' Use an extension such as [https://dephormation.org.uk/index.php?page=81 Secret Agent] to randomize header information. Alternatively, you can change your HTTP_ACCEPT headers by modifying your [https://github.com/CrisBRM/user.js/ about:config/prefs.js] file.
Recommended: Use an extension such as [https://dephormation.org.uk/index.php?page=81 Secret Agent] to randomize header information. Alternatively, you can change your HTTP_ACCEPT headers by modifying your [https://github.com/CrisBRM/user.js/ about:config/prefs.js] file.
+
|- valign="top"
 
+
|
 
* Cookies can be used to track you
 
* Cookies can be used to track you
 
+
| [https://support.mozilla.org/en-US/kb/disable-third-party-cookies Disable 3rd Party Cookies] and use an extension such as [https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies Self-Destructing Cookies] to automatically purge cookies.
[https://support.mozilla.org/en-US/kb/disable-third-party-cookies Disable 3rd Party Cookies] and use an extension such as [https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies Self-Destructing Cookies] to automatically purge cookies.
+
|- valign="top"
 
+
|
 
* IP Addresses can be personally identifiable
 
* IP Addresses can be personally identifiable
 
+
| '''Recommended:''' Use an [[Anonymizing_yourself#Anonymous_Networks|anonymous network]], a non-logging [[VPN]] service, or a non-logging proxy service. Check out our very comprehensive article on [[VPN|VPNs]] for ways to further foil this mechanism.
Recommended: Use an anonymous network, a non-logging VPN service, or a non-logging proxy service.
+
|- valign="top"
 
+
|
 
* Cross-site Requests may expose you to tracking.
 
* Cross-site Requests may expose you to tracking.
 
+
| '''Recommended:''' Use an extension such as [https://addons.mozilla.org/en-US/firefox/addon/uMatrix uMatrix] or [https://addons.mozilla.org/en-US/firefox/addon/requestpolicy-continued/ RequestPolicyContinued] to selectively whitelist such requests.
Recommended: Use an extension such as [https://addons.mozilla.org/en-US/firefox/addon/uMatrix uMatrix] or [https://addons.mozilla.org/en-US/firefox/addon/requestpolicy-continued/ RequestPolicyContinued] to selectively whitelist such requests.
+
|-
 
+
|
 
* The HTTP referrer header may leak information
 
* The HTTP referrer header may leak information
 
+
| '''Recommended:''' Turn off sending HTTP referer information.
Recommended: Turn off sending HTTP referer information.
 
 
 
 
Alternative: Install an extension such as [https://addons.mozilla.org/en-US/firefox/addon/smart-referer/ Smart Referer] to keep referer information limited to a single domain, or [https://addons.mozilla.org/en-US/firefox/addon/uMatrix uMatrix] to spoof it on a per-hostname basis.
 
Alternative: Install an extension such as [https://addons.mozilla.org/en-US/firefox/addon/smart-referer/ Smart Referer] to keep referer information limited to a single domain, or [https://addons.mozilla.org/en-US/firefox/addon/uMatrix uMatrix] to spoof it on a per-hostname basis.
 +
|}
  
See also: [https://panopticlick.eff.org/ EFF Panopticlick] and [http://samy.pl/evercookie evercookie]. For a more comprehensive guide on how to foil most fingerprinting mechanisms, see https://github.com/CrisBRM/user.js  
+
See also: [https://panopticlick.eff.org/ EFF Panopticlick] and [http://samy.pl/evercookie evercookie].
 
+
For a more comprehensive guide on how to foil most fingerprinting mechanisms, see https://github.com/CrisBRM/user.js
=Web cache=
 
  
 +
== Web cache ==
 
Web caches mirror web requests locally for t time, thus ensuring a decrease in the number of servers hit, thereby somewhat reducing your privacy exposure and decreasing page load speeds.
 
Web caches mirror web requests locally for t time, thus ensuring a decrease in the number of servers hit, thereby somewhat reducing your privacy exposure and decreasing page load speeds.
  
<strong>Squid</strong>
+
=== Squid ===
 +
Whilst modern browsers have their own cache implementations, they are often outdated, slow, and not very secure. [http://www.squid-cache.org/ Squid] is a modern, high performance web cache and proxy server that supports a plethora of protocols. It can be used in combination with any browser that supports proxies. Best used in conjunction with a DNS caching server like Unbound.
  
Whilst modern browsers have their own cache implementations, they are often outdated, slow, and not very secure. [http://www.squid-cache.org/ Squid] is a modern, high performance web cache and proxy server that supports a plethora of protocols. It can be used in combination with any browser that supports proxies. Best used in conjunction with a DNS caching server like Unbound.  
+
== DNS ==
 +
DNS is what allows your computer to convert a domain name (such as wiki.tbpindustries.com) into an IP address to connect to. That process is called resolving.  
  
=DNS=
+
When your computer attempts to resolve a domain name it queries a DNS server. Usually this will belong to your ISP if you have not configured it manually. Not all DNS servers are created equal—some block queries to certain websites, others hijack queries and redirect them elsewhere, and some log your queries. You should look for a DNS server that is close by (for minimum latency) that doesn't log your IP address. In addition, you may want to use DNSCrypt for added protection, and a caching DNS server for reduced privacy exposure and higher performance.
  
DNS is what allows your computer to convert a domain name (such as wiki.installgentoo.com) into an IP address to connect to. That process is called resolving.
+
Warning! Google DNS and OpenDNS log queries. Google "anonymizes" query information after a period of time, but keeps associated ISP information permanently.[https://developers.google.com/speed/public-dns/faq#privacy] OpenDNS logs your IP address and may also correlate it with other information that is normally non-personally identifying.[https://www.opendns.com/privacy-policy] Avoid those two services.
  
When your computer attempts to resolve a domain name it queries a DNS server. Usually this will belong to your ISP if you have not configured it manually. Not all DNS servers are created equal—some block queries to certain websites, others hijack queries and redirect them elsewhere, and some log your queries. You should look for a DNS server that is close by (for minimum latency) that doesn't log your IP address. In addition, you may want to use DNSCrypt for added protection, and a caching DNS server for reduced privacy exposure and higher performance.
+
=== [[DNSCrypt]] ===
Warning: Google DNS and OpenDNS log queries. Google "anonymizes" query information after a period of time, but keeps associated ISP information permanently.[https://developers.google.com/speed/public-dns/faq#privacy] OpenDNS logs your IP address and may also correlate it with other information that is normally non-personally identifying.[https://www.opendns.com/privacy-policy] Avoid those two services.
 
 
 
<strong>DNSCrypt</strong>
 
  
 
End-to-end encryption for your DNS requests. This prevents any intermediaries (such as advertising or the FBI) from monitoring your DNS request. Ideally, it should be used with a caching DNS server like Unbound.
 
End-to-end encryption for your DNS requests. This prevents any intermediaries (such as advertising or the FBI) from monitoring your DNS request. Ideally, it should be used with a caching DNS server like Unbound.
Unbound.png Unbound
 
  
<strong>Unbound</strong>
+
=== [[Unbound]] ===
  
 
[https://www.unbound.net/ Unbound] is a [https://www.unbound.net/documentation/howto_optimise.html high performance] validating, recursive, and caching DNS server with a multitude of privacy oriented features. The simple fact it acts as a DNS cache ensures less frequent connections to your DNS server. On top of that, it is able to enforce DNSSEC and use clever algorithms to harden your DNS queries.
 
[https://www.unbound.net/ Unbound] is a [https://www.unbound.net/documentation/howto_optimise.html high performance] validating, recursive, and caching DNS server with a multitude of privacy oriented features. The simple fact it acts as a DNS cache ensures less frequent connections to your DNS server. On top of that, it is able to enforce DNSSEC and use clever algorithms to harden your DNS queries.
<strong>OpenNIC</strong>
 
  
The [https://opennicproject.org/ OpenNIC Project] is a privacy-minded collection of volunteer-run servers that also allow you to use extra TLDs such as .geek etc. Also features DNSCrypt support.  
+
=== OpenNIC ===
 +
The [https://opennicproject.org/ OpenNIC Project] is a privacy-minded collection of volunteer-run servers that also allow you to use extra TLDs such as .geek etc. Also features DNSCrypt support.
  
=Operating systems=
+
== Operating systems ==
 +
While unfortunately, government organizations around the world have a variety of back doors into a variety of operating systems, one can still attempt to be anonymous through a variety of methods. Free software alternatives to [[Windows]] or [[OS X]] appear to be more secure than their counterparts, since their code is almost always individually reviewed.
  
While unfortunately, government organizations around the world have a variety of back doors into a variety of operating systems, one can still attempt to be anonymous through a variety of methods. Free software alternatives to Windows or OS X appear to be more secure than their counterparts, since their code is almost always individually reviewed.
+
===Tails===
Tails
+
[https://tails.boum.org/ Tails] is an OS specifically designed to preserve your privacy and anonymity. It forwards all your packets through the Tor network and uses anti-forensics like memory wiping to leave no trace on the computer you are using it on.  Tails mitigates layer 2 surveillance by randomizing MAC address on boot. Tails can be run in a VM, but this renders the OS less secure.
  
[https://tails.boum.org/ Tails] is an OS specifically designed to preserve your privacy and anonymity. It forwards all your packets through the Tor network and leaves no trace on the computer you are using it on. Your files and emails are also encrypted using top of the line cryptographic tools.
+
===Heads===
Whonix
+
[https://heads.dyne.org/ Heads] is a Live OS relatively like tails based on Devuan. Like Tails, it sends your packages through the Tor network and leaves the no trace on the computer. Unlike Tails, though, it is fully libre, and uses Linux-libre. It also uses no systemd, and instead opts for OpenRC and SysV. Sadly (and also gladly), due to its freetard attitude it contains no proprietary drivers, making it run on a limited number of machines.
  
[https://www.whonix.org/ Whonix] is an OS based on Debian GNU/Linux and Tor which focuses on anonymity, privacy and security. It is designed to be used inside a host OS.  
+
===Whonix===
 +
[https://www.whonix.org/ Whonix] is a system of virtual machines, a client and server, each based on Debian GNU/Linux and configured with Tor which focuses on anonymity, privacy and security. The client VM is designed to route all traffic through the gateway/server VM which in turn routes it through Tor. This prevents the client VM from accidentally leaking your real public IP because it never knows it. All traffic is transparently routed through Tor preventing applications which are not designed for use with Tor from leaking.
  
=Sandboxes=
+
== Sandboxes ==
<stong>Firejail</stong>
 
  
Firejail is a Linux-only sandbox that uses Linux namespaces, seccomp-bpf and all the latest Linux security features to create a new, fully secure filesystem. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. It comes with a myriad of profiles by default, which are then used on a per-software basis.
+
=== Firejail ===
  
Ignoring the security factor and focusing more on the anonymisation potential, it is important to use sandboxes in order to minimise certain exploits in the software that could otherwise be used to identify you. For instance, in Firefox, Firejail limits its data leaks by replacing the standard temporary file directory with a more secure version, which is completely erased when the Firefox session ends.  
+
[[Firejail|Firejail]] is a [[Linux_(kernel)|Linux-only]] sandbox that uses Linux namespaces, seccomp-bpf and all the latest Linux security features to create a new, fully secure filesystem. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. It comes with a myriad of profiles by default, which are then used on a per-software basis.
  
=Tools=
+
Ignoring the security factor and focusing more on the anonymization potential, it is important to use sandboxes in order to minimise certain exploits in the software that could otherwise be used to identify you. For instance, in Firefox, Firejail limits its data leaks by replacing the standard temporary file directory with a more secure version, which is completely erased when the Firefox session ends.
  
[https://mat.boum.org/ MAT] or Metadata Anonymisation Toolkit, is a toolbox composed of a GUI application, a CLI application and a library, to anonymize/remove metadata.
+
== Tools ==
 +
[https://mat.boum.org/ MAT] or Metadata Anonymization Toolkit, is a toolbox composed of a GUI application, a CLI application and a library, to anonymize/remove metadata.
  
[https://github.com/psal/anonymouth Anonymouth] is a tool designed to take your documents and change the wording so you can't be found through word choice, grammar, theme, tone, and etc. Here is an article on [https://archive.is/xNP9r anti-stylometry (the scientific study of literary style)] discusing it and [https://archive.is/vZ2Cw here] is another article. While Anonymouth is audited and considered safe, [https://se7en.neocities.org/articles/anon-word-attack.html there are ways] that a non-free program that is like Anonymouth can harm you.
+
[https://github.com/psal/anonymouth Anonymouth] is a tool designed to take your documents and change the wording so you can't be found through word choice, grammar, theme, tone, and etc. Here is an article on [https://archive.is/xNP9r anti-stylometry (the scientific study of literary style)] discussing it, and here is [https://archive.is/vZ2Cw another article]. While Anonymouth is audited and considered safe, [https://se7en.neocities.org/articles/anon-word-attack.html there are ways] that a [[non-free]] program that is ''like'' Anonymouth can harm you.
  
[http://www.privoxy.org/ Privoxy] is a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk. Privoxy has a flexible configuration and can be customized to suit individual needs and tastes. It has application for both stand-alone systems and multi-user networks.
+
[http://www.privoxy.org/ Privoxy] Privoxy is a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk. Privoxy has a flexible configuration and can be customized to suit individual needs and tastes. It has application for both stand-alone systems and multi-user networks.
  
[https://www.caida.org/tools/taxonomy/anonymization.xml Anonymization Tools Taxonomy] A list of anonymization tools. Hasn't been updated since 2004.  
+
[https://www.caida.org/tools/taxonomy/anonymization.xml Anonymization Tools Taxonomy] A list of anonymization tools. Hasn't been updated since 2004.
 
 
=Routers=
 
  
 +
== Routers ==
 
A router that supports free and open source firmware is recommended over one provided by your ISP. ISP routers often come preloaded with software that can compromise your privacy and security. There are many GNU/Linux based firmwares available for common routers:
 
A router that supports free and open source firmware is recommended over one provided by your ISP. ISP routers often come preloaded with software that can compromise your privacy and security. There are many GNU/Linux based firmwares available for common routers:
 
 
* [https://openwrt.org/ OpenWrt]: An open source Linux distribution for embedded devices. It is optimized for minimal storage and RAM usage to fit on home routers;
 
* [https://openwrt.org/ OpenWrt]: An open source Linux distribution for embedded devices. It is optimized for minimal storage and RAM usage to fit on home routers;
 
* [https://librecmc.org/ LibreCmc]: The FSF's fork of OpenWrt with all non-free software removed;
 
* [https://librecmc.org/ LibreCmc]: The FSF's fork of OpenWrt with all non-free software removed;
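Review bot: In the Tools part of this hunk, the new Privoxy line reads "[http://www.privoxy.org/ Privoxy] Privoxy is a non-caching web proxy", so the rendered page shows the name twice. Drop the second "Privoxy" or restore the old wording, where the link text was the subject of the sentence. The Firejail context paragraph's "fully secure filesystem" also overstates what namespaces and seccomp-bpf provide; "a private, restricted view of the filesystem" would match the sentence that follows it.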
Line 163: Line 167:
 
* [http://www.polarcloud.com/tomato Tomato]: Partially FOSS firmware released in 2008. It is still actively updated by community mods;
 
* [http://www.polarcloud.com/tomato Tomato]: Partially FOSS firmware released in 2008. It is still actively updated by community mods;
 
* [https://github.com/grugq/portal PORTAL]: An acronym for Personal Onion Router To Assure Liberty. It forces all internet traffic through the Tor network to limit the possibility of user mistakes.
 
* [https://github.com/grugq/portal PORTAL]: An acronym for Personal Onion Router To Assure Liberty. It forces all internet traffic through the Tor network to limit the possibility of user mistakes.
 +
For more detailed information see: [[Routers#Third party firmwares|Routers]]. You can also [[Routers#Use a computer as a router|use a computer as a router]].
  
You can also use a computer as a router.  
+
== Android and cell phones==
 +
By their nature cellphones cannot be completely anonymous, but there are some steps that can be taken to at least limit your footprint. Be forewarned that the cellular network itself is ''designed'' to track you with only 30 seconds of delay, without a GPS chip.
  
=Android and cell phones=
+
Using an Android-based phone is a plus over iPhones or Windows Phone (if you can even call it that), but it is highly recommended that you [https://se7en-site.neocities.org/articles/cellphones.html avoid using cell phones all together]. Even better, use a dumb phone with no camera. If you absolutely think you '''need''' (not want) a cell phone, follow these tips:
 
 
By their nature cellphones cannot be completely anonymous, but there are some steps that can be taken to at least limit your footprint. Using an Android-based phone is a plus over iPhones or Windows Phone (if you can even call it that), but it is highly recommended that you [https://se7en.neocities.org/articles/cellphones.html avoid using cell phones all together]. Even better, use a dumb phone with no camera. If you absolutely think you need (not want) a cell phone, follow these tips:
 
 
 
<strong>Android replacements</strong>
 
  
 +
=== Android replacements ===
 
* [http://www.replicant.us/ Replicant]: A project to completely replace all proprietary components of Android;
 
* [http://www.replicant.us/ Replicant]: A project to completely replace all proprietary components of Android;
* Custom ROMs;
+
* [[Android ricing#ROMs|Custom ROMs]];
* [https://copperhead.co/android/ CopperheadOS]: a hardened fork of Android with PaX kernel patches and more. (Note: The lead developer of the CopperheadOS project was removed from the project, and deleted the update signing keys; due to the uncertainty surrounding these events, the use of CopperheadOS isn't recommended.)
+
* <s>[https://copperhead.co/android/ CopperheadOS]: a hardened fork of Android with PaX kernel patches and more.</s> (Note: The lead developer of the CopperheadOS project was removed from the project, and deleted the update signing keys; due to the uncertainty surrounding these events, the use of CopperheadOS isn't recommended.)
* [https://developer.mozilla.org/en-US/Firefox_OS/Introduction Firefox OS]: An alternative operating system by Mozilla that runs on some Android devices.
+
* [https://grapheneos.org/ GrapheneOS]: An open source privacy and security focused mobile OS with Android app compatibility, runs on Google Pixel devices.
 +
* [https://developer.mozilla.org/en-US/Firefox_OS/Introduction Firefox OS]: An alternative operating system by Mozilla that runs on some Android devices. (EoL)
  
<strong>Alternative GApps</strong>
+
=== GNU/Linux Phones ===
 +
* [https://puri.sm/products/librem-5/ Librem 5]: A security and privacy oriented phone by Purism that comes with the [[GNU/Linux]] distro PureOS preinstalled. Features kill switches and a removable battery, but it is quite pricey.
 +
* [https://www.pine64.org/ PinePhone]: A cheaper GNU/Linux phone by Pine64 that has to be flashed with a distro by SD card. Comes with kill switches and a removable battery, but the hardware isn't too powerful compared to Android phones.
  
 +
=== Alternative GApps ===
 
* [https://f-droid.org/ F-Droid]: Part of the Replicant project. An app store that only contains Free Open Source Software;
 
* [https://f-droid.org/ F-Droid]: Part of the Replicant project. An app store that only contains Free Open Source Software;
 
* [http://forum.xda-developers.com/showthread.php?t=1715375 NOGAPPS Project]: Replaces the Play Store, Google Maps API, Network Location API, and others in the future;
 
* [http://forum.xda-developers.com/showthread.php?t=1715375 NOGAPPS Project]: Replaces the Play Store, Google Maps API, Network Location API, and others in the future;
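Review bot: The sentence added to the cell phone intro, that the cellular network is designed to track you "with only 30 seconds of delay, without a GPS chip", states a specific figure with no source. Cite a reference for it or reduce it to the general point that the network can locate a handset without GPS. The same hunk moves the cellphones article link to se7en-site.neocities.org while the Anonymouth entry earlier in the diff still points at se7en.neocities.org, so one of the two hosts is probably stale.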
Line 186: Line 193:
 
* [https://archive.today/S3rMI Relevant thread] on google app store alternatives.
 
* [https://archive.today/S3rMI Relevant thread] on google app store alternatives.
  
<strong>Removing ads</strong>
+
=== Removing ads ===
 
 
 
* [https://f-droid.org/repository/browse/?fdfilter=adaway&fdid=org.adaway AdAway] (Requires root): Hosts file based ad-blocking;
 
* [https://f-droid.org/repository/browse/?fdfilter=adaway&fdid=org.adaway AdAway] (Requires root): Hosts file based ad-blocking;
 
* [https://f-droid.org/repository/browse/?fdfilter=adblock&fdid=org.adblockplus.android Adblock Plus];
 
* [https://f-droid.org/repository/browse/?fdfilter=adblock&fdid=org.adblockplus.android Adblock Plus];
 
* [http://repo.xposed.info/module/tw.fatminmin.xposed.minminguard MinMinGuard] (Requires root and Xposed Framework): Disables the ad activity in apps to prevent the ad from loading. This also means there wont be a blank space where the ad was supposed to be.
 
* [http://repo.xposed.info/module/tw.fatminmin.xposed.minminguard MinMinGuard] (Requires root and Xposed Framework): Disables the ad activity in apps to prevent the ad from loading. This also means there wont be a blank space where the ad was supposed to be.
  
<strong>Enforcing permissions</strong>
+
=== Enforcing permissions ===
 
+
* [https://repo.xposed.info/module/eu.faircode.xlua XPrivacyLua] (EdXposed needed for Android 10);
* [http://forum.xda-developers.com/showthread.php?t=2320783 XPrivacy];
+
* [https://repo.xposed.info/module/org.synergylabs.pmpandroid Protect My Privacy] (ditto);
* [http://repo.xposed.info/module/org.synergylabs.pmpandroid Protect My Privacy];
 
 
* App Ops: Available since Android 4.3. Removed in 4.4.2, but still retained in custom ROMs. Allows you to tweak individual permissions on a per-app basis;
 
* App Ops: Available since Android 4.3. Removed in 4.4.2, but still retained in custom ROMs. Allows you to tweak individual permissions on a per-app basis;
 
* Available by default on Android 6 (M).
 
* Available by default on Android 6 (M).
  
<strong>Browsers</strong>
+
=== Browsers ===
 
+
* [https://f-droid.org/en/packages/org.mozilla.fennec_fdroid/ Fennec F-Droid]: A Firefox fork;
* [https://f-droid.org/repository/browse/?fdfilter=browser&fdid=org.mozilla.firefox Mozilla Firefox for Android];
+
** [https://addons.mozilla.org/en-us/android/addon/ublock-origin/ uBlock Origin]: The only trustworthy adblocker;
* * [https://addons.mozilla.org/en-us/android/addon/ublock-origin/ uBlock Origin];
+
** [https://addons.mozilla.org/en-US/android/addon/smart-https-revived/ Smart HTTPS]: Automatically enables HTTPS on websites that support it;
* * [https://www.eff.org/https-everywhere HTTPS Everywhere];
+
** [https://addons.mozilla.org/en-US/android/addon/self-destructing-cookies/ Self-Destructing Cookies];
* * [https://addons.mozilla.org/en-US/android/addon/self-destructing-cookies/ Self-Destructing Cookies];
+
** [https://addons.mozilla.org/en-US/android/addon/smart-referer Smart Referer]: Hides HTTP referer;
* * [https://addons.mozilla.org/en-US/android/addon/smart-referer Smart Referer];
+
** [https://addons.mozilla.org/en-US/android/addon/canvasblocker/ CanvasBlocker]: Feeds fake data to websites using advanced fingerprinting techniques making use of APIs like audio, WebGL, canvas size and so on;
* * [https://addons.mozilla.org/en-US/android/addon/blender-1 Blender]
+
* [https://www.bromite.org/ Bromite]: A Chromium fork with ad blocking and enhanced privacy.
 
 
=OPSEC/Operational Security=
 
  
 +
== OPSEC/Operational Security ==
 
All the software in the world won't help you if ignore the human element. Obvious no-nos:
 
All the software in the world won't help you if ignore the human element. Obvious no-nos:
 
 
* Using the same username everywhere;
 
* Using the same username everywhere;
 
* Using the same email address everywhere;
 
* Using the same email address everywhere;
 
* Logging into the same accounts through your real IP and a proxy/VPN/tor;
 
* Logging into the same accounts through your real IP and a proxy/VPN/tor;
 
* Posting photos or images which can be traced back to you via a [https://tineye.com/ reverse] [https://images.google.com/ image] [https://yandex.ru/images search].
 
* Posting photos or images which can be traced back to you via a [https://tineye.com/ reverse] [https://images.google.com/ image] [https://yandex.ru/images search].
 
+
* Using the same MAC Address / Hostname on an untrusted network can identify you to local attackers/surveillance. Check out [http://hacktownpagdenbb.onion/Links/Chapter-3.html Computer MAC Addresses and their importance]{{dead link}}
Dread Pirate Roberts was brought down by many of the above points.
+
[[Wikipedia:Dread_Pirate_Roberts_%28Silk_Road%29 |Dread Pirate Roberts]] was brought down by many of the above points.
  
 
More subtle no-nos:
 
More subtle no-nos:
 
+
* [[Wikipedia:Forensic_linguistics |Forensic Linguistics]] is the science of figuring out someone's identity by the words, phrases and grammar they use. Recommendation to counter this: [[Anonymizing_yourself#Tools|Anonymouth]];
* Forensic Linguistics is the science of figuring out someone's identity by the words, phrases and grammar they use. Recommendation to counter this: Anonymouth;
 
 
* Using the same browser with your real IP as your proxy/VPN/Tor IP (see fingerprinting above);
 
* Using the same browser with your real IP as your proxy/VPN/Tor IP (see fingerprinting above);
 
* Discussing personal preferences, or knowledge of specific locations such as a school, shop or town;
 
* Discussing personal preferences, or knowledge of specific locations such as a school, shop or town;
 
* Being unprepared for a proxy/VPN/Tor to drop out.
 
* Being unprepared for a proxy/VPN/Tor to drop out.
  
Steve Rambam gave an [https://www.youtube.com/watch?v=dNZrq2iK87k excellent talk] at the HOPE hacker conference which summarizes many of the techniques that you/private investigators/LEA can use to determine someone's identity.
+
Steve Rambam gave [https://www.youtube.com/watch?v=dNZrq2iK87k an excellent talk] at the HOPE hacker conference which summarizes many of the techniques that you/private investigators/LEA can use to determine someone's identity.
  
To err is human. As clever as you think you are, all it takes is one connection from your real IP address to deanonymize you. One day when you're distracted/tried/stressed/drunk/high/panicked/surprised or when something out of the ordinary is happening, you will mess up. Putting up many automated layers of anonymity/security will help protect you from yourself.  
+
To err is human. As clever as you think you are, all it takes is one connection from your real IP address to deanonymize you. One day when you're distracted/tried/stressed/drunk/high/panicked/surprised or when something out of the ordinary is happening, you will mess up. Putting up many automated layers of anonymity/security will help protect you from yourself.
 
 
=Tor Warning=
 
 
 
Some people are against Tor due to the fact of how the network operates. The way Tor operates is through a series of relays (which is the Tor Project's word for nodes). Anyone can host these relays. Due to this fact, the NSA, or another spy agency, can allegedly monitor the internal and external connections to and fro the Tor network.One must consider that the NSA would have a finite amount of Bandwidth, and would only be allowed to host such things in the United States. Therefore, the likely-hood of the NSA spying on the users is little to none. Furthermore, the connection is (mostly) encrypted between these nodes. Connecting to a Tor site (.onion) within the Tor network (through what is called an Internal Node) is generally considered safe as the connection is encrypted. However, connecting to clearnet services through the Tor network is dangerous because as it leaves the network (through what is called an Exit Node), the connection becomes less encrypted, and can be viewed by the owner of the node.You can also disable the ability to use nodes based in America, The United Kingdom, and the rest of the US allies, thus preventing tor from using possible NSA (or similar agencies') nodes.
 
 
 
=External links=
 
  
 +
== External links ==
 
* http://browserspy.dk/
 
* http://browserspy.dk/
* https://www.howsmyssl.com/
+
* https://www.howsmytls.com/
 
* https://www.dnsleaktest.com
 
* https://www.dnsleaktest.com
 
* http://www.whatismyreferer.com/
 
* http://www.whatismyreferer.com/
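Review bot: The new MAC address / hostname bullet under "Obvious no-nos" cites only an .onion page that the same line already tags {{dead link}}, so the one reference offered for the advice cannot be followed. Point it at a live source or drop the link and keep the advice. In External links, howsmyssl.com is replaced by howsmytls.com; confirm the new host is the same service before sending readers there. The "Tor Warning" section is deleted outright, so check that the Tor section still carries the exit-node caveat if that caveat is meant to survive.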
Line 249: Line 246:
 
* https://alternativeto.net/software/bugmenot/
 
* https://alternativeto.net/software/bugmenot/
 
* https://alternativeto.net/software/fake-mail-generator/
 
* https://alternativeto.net/software/fake-mail-generator/
 +
* https://www.eff.org/issues/anonymity
 +
* ('''Tor Link''') http://hacktownpagdenbb.onion/1.html {{dead link|OnionV2}}
 +
 +
== See also ==
 +
 +
[[Category:HowTo]]
 +
[[Category:Software]]
 +
[[Category:Anonymity networks‏‎]]
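Review bot: "== See also ==" is added with no entries under it, which leaves an empty section above the categories. Add the intended links or hold the heading back until there are some. The Tor link added to External links is tagged {{dead link|OnionV2}} on arrival, and the category line "Anonymity networks" appears to carry invisible directional-mark characters before "]]", which would file the page under a differently named category.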

Latest revision as of 16:26, 11 May 2023


The internet is a cruel and horrible place. You might want to drop out of the matrix and join an anonymous network. Alternatively, you can take steps to minimize data-mining by reducing your online fingerprint.

A broad approach on how to start evading global data surveillance and improving your overall online privacy can be found here, and here.

Anonymous networks

Tor

Let's get something clear: Tor is NOT illegal to use (unless you live in one of those crazy whackjob countries run by a militant dictator such as Iran or China). Tor traffic was NOT significantly reduced by the removal of Silk Road, and as far as is known, new compromises for the underlying Tor framework did not come about from the removal of Silk Road. If you are interested, concerned or skeptical, check out this video here and read the FAQ.

Tor sets up a SOCKS proxy to the normal internet, allowing you to send any application’s connection anonymously through the Tor network. Any connections made through Tor will be anonymized but not confidential unless you use end to end encryption in the application, like SSL/TLS for web browsing, or an SSH tunnel. Torrenting is discouraged as it uses up too much bandwidth, and torrenting on Tor is near-impossible due to latency issues.

I2P

I2P is end to end encrypted and separate from the normal internet; this means that connections through I2P are confidential and anonymous. No-one can know who you are talking to, or what you are saying to them, because there are no exit nodes. Tor onion services (.onions) work in a similar way. All internet applications can be forwarded through I2P including ed2k, Gnutella, and torrents. Unlike Tor, I2P encourages torrenting on the network, although you cannot connect to non-I2P torrent swarms. Also unlike Tor, I2P is not an outproxy for the clearweb and uses Tor as an outproxy to non-I2P domains. "Hidden" services that would be called onions on the Tor network are called eepsites on the I2P network and end in the '.i2p' domain.

Freenet

Freenet is a distributed filesystem, where you can store files ‘in the cloud’ and download them anonymously from the Freenet network. Many of the files are HTML pages which can be viewed as static websites using a browser, and many are standalone files which can be searched and downloaded anonymously. Freenet content is undeletable as there is no way of knowing which node is holding each file. An example of a Freenet link is like this:

http://127.0.0.1:8888/USK@Ls9yplmu~tAb7XDGZBdstFdt~aaDagL1xknrN~fvRLo,c-XpJ5njAmwz~iWJm11lifb6Q54Xj6mGBoG6cuiSA1U,AQACAAE/NSAspycenter/1/

It follows this scheme:

http://[LOCALHOST]:[FREENET PORT]/[TYPE OF KEY IDENTIFIER]@[HASHED IDENTIFIER]/[HUMAN-READABLE ADDRESS (OF SPECIFIC PAGE ON HASH)]/[VERSION OF PAGE]
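The link scheme above can be checked mechanically before a link is opened. The parser below is an added example, not code from the wiki or from the Freenet project; it splits a link into the fields the scheme names and rejects anything whose host is not the local node. The class and function names are made up for this example, and the second and third entries in SAMPLE_LINKS are constructed inputs.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlsplit, unquote

# The example link shown on this page.
PAGE_EXAMPLE = ("http://127.0.0.1:8888/USK@Ls9yplmu~tAb7XDGZBdstFdt~aaDagL1xknrN~fvRLo,"
                "c-XpJ5njAmwz~iWJm11lifb6Q54Xj6mGBoG6cuiSA1U,AQACAAE/NSAspycenter/1/")


@dataclass(frozen=True)
class FreenetLink:
    host: str        # [LOCALHOST]
    port: int        # [FREENET PORT]
    key_type: str    # [TYPE OF KEY IDENTIFIER], "USK" in the page's example
    identifier: str  # [HASHED IDENTIFIER], kept as an opaque string
    name: str        # [HUMAN-READABLE ADDRESS]
    version: int     # [VERSION OF PAGE]
    subpath: str     # anything after the version (a file inside the site)


def is_loopback(host: str) -> bool:
    """True only for 'localhost' or a literal loopback IP address."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False  # any other hostname would need a DNS lookup: treat as remote


def parse_freenet_link(url: str) -> FreenetLink:
    """Split a link into the scheme's fields; raise ValueError if it does not fit."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("the scheme on this page is plain http to the local node")
    host = parts.hostname or ""
    if not is_loopback(host):
        # A remote host would receive the request, and the key in it, in the clear.
        raise ValueError(f"host {host!r} is not the local Freenet node")
    if parts.port is None:
        raise ValueError("no port given")
    segments = unquote(parts.path).lstrip("/").split("/", 3)
    if len(segments) < 3:
        raise ValueError("expected TYPE@IDENTIFIER/NAME/VERSION")
    key_type, at, identifier = segments[0].partition("@")
    if not at or not key_type.isalpha() or not identifier:
        raise ValueError("first path segment is not TYPE@IDENTIFIER")
    if not segments[1]:
        raise ValueError("empty human-readable address")
    try:
        version = int(segments[2])
    except ValueError:
        raise ValueError("version is not an integer") from None
    subpath = segments[3] if len(segments) > 3 else ""
    return FreenetLink(host, parts.port, key_type.upper(), identifier,
                       segments[1], version, subpath)


def is_local_freenet_link(url: str) -> bool:
    """Convenience wrapper: True only if the link parses and targets loopback."""
    try:
        parse_freenet_link(url)
        return True
    except ValueError:
        return False


# Constructed inputs (apart from PAGE_EXAMPLE) to show what is accepted and rejected.
SAMPLE_LINKS = [
    PAGE_EXAMPLE,
    "http://127.0.0.1.example.net:8888/USK@abc,def,ghi/site/1/",  # loopback look-alike
    "http://127.0.0.1:8888/NSAspycenter/1/",                      # no TYPE@IDENTIFIER
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(is_local_freenet_link(link), link[:60])
```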

When using Freenet, it is recommended to set your connection settings to "normal" (which is the highest it can be set when connecting to strangers), and your encryption settings to Maximum (which uses temporary keys and wipes the cache when you shut down the server). Once you get more experienced with Freenet, you can switch to darknet mode, which prohibits stranger connections but requires you to connect to at least 5 friends you personally know. They also need to connect to you. NOTE: These friends you connect to can see your plain-text IP address, so only add people you truly trust.

Freenet has existed since 2000, and because of this, there are a large number of web 1.0 abandoned sites made by early adopters of the service. Also, because of being so old, it is programmed in Java, which was commonplace at the time.

Please note that the Freenet network (much like other, especially anonymous, networks) attracts criminals and a number of sites contain child pornography. Some sites jokingly add a disclaimer saying "This site does not contain child pornography. Click here to continue."

Browsers

See privacytools.io.

  • Always use an open-source browser. This ensures it can be freely audited. Google Chrome is not open-source, and while Chromium is, it hasn't been fully audited yet.
  • Use a search engine that at least claims to respect your privacy such as MetaGer (encrypted Google searches) or ixquick (ixquick.com; non-Google searches, owned by StartPage) instead of Google. Note that while DuckDuckGo is a better alternative than Google or Bing, it's based in the US and has known issues that raise the possibility of privacy concerns.

Chromium

Using Chromium is generally not recommended because even though you can disable its known tracking features (the RLZ identifier is in Chrome, not Chromium), Chromium's code isn't as audited as Firefox's and Chromium's security addons don't provide the same fine-grained control over web requests as Firefox's, due to its extension API being slightly less broad (no control over WebSockets, for instance). If you absolutely refuse to use anything else, follow these instructions:

  • If you seriously sync Chromium to your Google account, you're a fucking dumbass. De-sync the two immediately.
  • Go to your settings menu, click advanced settings, scroll down to privacy, and turn everything off.
  • Go to Content Settings above that and check "Block 3rd party cookies and site data"
  • Unless you want to use a script blocker, also turn off JavaScript.
  • Now scroll down to "Continue running background apps while Chromium is closed" and disable that as well unless you trust your addons.

Despite all of this, there are a few forks that offer parity with the stable release, which are also open-source and have taken invasive Google crap out of the browser, as well as implemented some extra security measures. Alternatively, you can compile the browser yourself and apply one of these many patches.

Firefox

It is recommended that you compile Firefox from scratch/source, as it allows you to make use of security oriented USE flags such as hardened and forcing it to use more up to date system-wide libraries (eg: systemsqlite). To ensure maximum security while browsing the internet, always turn off third party cookies, unless you're using a proper firewall like uMatrix, for finer-grained control, in which case you should still put the appropriate measures into place. Mozilla describes them as: "For example, cnn.com might have a Facebook like button on their site. That like button will set a cookie that can be read by Facebook. That would be considered a third-party cookie."

Change your search engine. There are ways to get around Google’s insane profiling. See Search engines.

Use freshplayer [GNU/Linux only]. Freshplayer is a NPAPI wrapper for PPAPI Flash that works on Firefox. It is inherently safer and more performant, if you must use flash.

If you can, use a fork of Firefox, such as GNU IceCat or Debian Iceweasel.

Security extensions

There are many extensions available for Firefox to make you less trackable. Refer to the Firefox article for a comprehensive list of addons.

Fingerprinting

Fingerprinting is the process of using otherwise non-identifying information to identify you. When enough non-identifying information is collected, you will usually be unique amongst others.

Threat and countermeasure:

  • Plugins such as Flash or Java leak information.
    Recommended: Disable and uninstall browser plugins (note: plugins are different from extensions) such as Flash and Java.
    Alternative: Set the plugin to "Ask to activate". You will still be vulnerable whenever you activate that plugin.
  • JavaScript leaks information.
    Recommended: Disable JavaScript.
    Alternative: Use uMatrix or NoScript to whitelist JavaScript on a per-site basis. You will still be vulnerable on those sites.
  • HTTP header information can be identifying.
    Recommended: Use an extension such as Secret Agent to randomize header information. Alternatively, you can change your HTTP_ACCEPT headers by modifying your about:config/prefs.js file.
  • Cookies can be used to track you.
    Disable 3rd party cookies and use an extension such as Self-Destructing Cookies to automatically purge cookies.
  • IP addresses can be personally identifiable.
    Recommended: Use an anonymous network, a non-logging VPN service, or a non-logging proxy service. Check out our very comprehensive article on VPNs for ways to further foil this mechanism.
  • Cross-site requests may expose you to tracking.
    Recommended: Use an extension such as uMatrix or RequestPolicyContinued to selectively whitelist such requests.
  • The HTTP referrer header may leak information.
    Recommended: Turn off sending HTTP referer information.
    Alternative: Install an extension such as Smart Referer to keep referer information limited to a single domain, or uMatrix to spoof it on a per-hostname basis.

See also: EFF Panopticlick and evercookie. For a more comprehensive guide on how to foil most fingerprinting mechanisms, see https://github.com/CrisBRM/user.js
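How values that are individually common add up to a unique fingerprint can be worked through on a small sample. This is an added example, not code from the wiki or from Panopticlick; the eight visitor profiles, the attribute names and the "UA-A"/"UA-B" strings are constructed for the illustration.

```python
import math
from collections import Counter

ATTRS = ("user_agent", "accept_language", "timezone", "flash_plugin")

# Constructed population of eight visitors (placeholder values, not real traffic).
_ROWS = [
    ("UA-A", "en-US", "UTC-5", "absent"),
    ("UA-A", "en-US", "UTC-5", "present"),
    ("UA-A", "en-US", "UTC+1", "absent"),
    ("UA-A", "de-DE", "UTC+1", "absent"),
    ("UA-B", "en-US", "UTC-5", "absent"),
    ("UA-B", "en-US", "UTC+1", "present"),
    ("UA-B", "de-DE", "UTC+1", "absent"),
    ("UA-B", "en-US", "UTC-5", "absent"),
]
PROFILES = [dict(zip(ATTRS, row)) for row in _ROWS]


def surprisal_bits(population, attr, value):
    """Bits of identifying information revealed by one attribute value."""
    matches = sum(1 for p in population if p[attr] == value)
    if matches == 0:
        raise ValueError(f"{value!r} never occurs for {attr}")
    return math.log2(len(population) / matches)


def entropy_bits(population, attr):
    """Average bits the attribute reveals across the whole population."""
    n = len(population)
    counts = Counter(p[attr] for p in population)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def anonymity_set_sizes(population, profile, attrs=ATTRS):
    """How many visitors still match as each attribute is added in turn."""
    remaining = list(population)
    sizes = []
    for attr in attrs:
        remaining = [p for p in remaining if p[attr] == profile[attr]]
        sizes.append((attr, len(remaining)))
    return sizes


def joint_surprisal_bits(population, profile, attrs=ATTRS):
    """Bits revealed by all attributes together (log2 N means unique)."""
    final_size = anonymity_set_sizes(population, profile, attrs)[-1][1]
    return math.log2(len(population) / final_size)


def report(population, profile):
    """Per-attribute surprisal, highest first: the values to neutralise first."""
    rows = [(a, surprisal_bits(population, a, profile[a])) for a in ATTRS]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    me = PROFILES[0]
    for attr, bits in report(PROFILES, me):
        print(f"{attr:16s} {bits:.3f} bits")
    print("anonymity set:", anonymity_set_sizes(PROFILES, me))
    print("joint:", joint_surprisal_bits(PROFILES, me), "of",
          math.log2(len(PROFILES)), "bits needed to be unique")
```

In this sample no single value of the first visitor is shared by fewer than half of the others, yet the four together leave an anonymity set of one.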

Web cache

Web caches mirror web requests locally for a set time, which decreases the number of servers hit, thereby somewhat reducing your privacy exposure and decreasing page load times.

Squid

Whilst modern browsers have their own cache implementations, they are often outdated, slow, and not very secure. Squid is a modern, high performance web cache and proxy server that supports a plethora of protocols. It can be used in combination with any browser that supports proxies. Best used in conjunction with a DNS caching server like Unbound.

DNS

DNS is what allows your computer to convert a domain name (such as wiki.tbpindustries.com) into an IP address to connect to. That process is called resolving.

When your computer attempts to resolve a domain name it queries a DNS server. Usually this will belong to your ISP if you have not configured it manually. Not all DNS servers are created equal—some block queries to certain websites, others hijack queries and redirect them elsewhere, and some log your queries. You should look for a DNS server that is close by (for minimum latency) that doesn't log your IP address. In addition, you may want to use DNSCrypt for added protection, and a caching DNS server for reduced privacy exposure and higher performance.

Warning! Google DNS and OpenDNS log queries. Google "anonymizes" query information after a period of time, but keeps associated ISP information permanently.[1] OpenDNS logs your IP address and may also correlate it with other information that is normally non-personally identifying.[2] Avoid those two services.

DNSCrypt

End-to-end encryption for your DNS requests. This prevents any intermediaries (such as advertising or the FBI) from monitoring your DNS request. Ideally, it should be used with a caching DNS server like Unbound.

Unbound

Unbound is a high performance validating, recursive, and caching DNS server with a multitude of privacy oriented features. The simple fact it acts as a DNS cache ensures less frequent connections to your DNS server. On top of that, it is able to enforce DNSSEC and use clever algorithms to harden your DNS queries.

OpenNIC

The OpenNIC Project is a privacy-minded collection of volunteer-run servers that also allow you to use extra TLDs such as .geek etc. Also features DNSCrypt support.

Operating systems

Unfortunately, government organizations around the world have a variety of back doors into a variety of operating systems, but one can still attempt to be anonymous through a variety of methods. Free software alternatives to Windows or OS X appear to be more secure than their counterparts, since their code is almost always individually reviewed.

Tails

Tails is an OS specifically designed to preserve your privacy and anonymity. It forwards all your packets through the Tor network and uses anti-forensics like memory wiping to leave no trace on the computer you are using it on. Tails mitigates layer 2 surveillance by randomizing the MAC address on boot. Tails can be run in a VM, but this renders the OS less secure.

Heads

Heads is a live OS similar to Tails, based on Devuan. Like Tails, it sends your packets through the Tor network and leaves no trace on the computer. Unlike Tails, though, it is fully libre, and uses Linux-libre. It also uses no systemd, and instead opts for OpenRC and SysV. Sadly (and also gladly), due to its freetard attitude it contains no proprietary drivers, making it run on a limited number of machines.

Whonix

Whonix is a system of virtual machines, a client and server, each based on Debian GNU/Linux and configured with Tor which focuses on anonymity, privacy and security. The client VM is designed to route all traffic through the gateway/server VM which in turn routes it through Tor. This prevents the client VM from accidentally leaking your real public IP because it never knows it. All traffic is transparently routed through Tor preventing applications which are not designed for use with Tor from leaking.

Sandboxes

Firejail

Firejail is a Linux-only sandbox that uses Linux namespaces, seccomp-bpf and all the latest Linux security features to create a new, fully secure filesystem. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, and mount table. It comes with a myriad of profiles by default, which are then used on a per-software basis.

Ignoring the security factor and focusing more on the anonymization potential, it is important to use sandboxes in order to minimise certain exploits in the software that could otherwise be used to identify you. For instance, in Firefox, Firejail limits its data leaks by replacing the standard temporary file directory with a more secure version, which is completely erased when the Firefox session ends.

Tools

MAT or Metadata Anonymization Toolkit, is a toolbox composed of a GUI application, a CLI application and a library, to anonymize/remove metadata.

Anonymouth is a tool designed to take your documents and change the wording so you can't be found through word choice, grammar, theme, tone, etc. Here is an article on anti-stylometry (the scientific study of literary style) discussing it, and here is another article. While Anonymouth is audited and considered safe, there are ways that a non-free program that is like Anonymouth can harm you.

Privoxy is a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk. Privoxy has a flexible configuration and can be customized to suit individual needs and tastes. It has application for both stand-alone systems and multi-user networks.

Anonymization Tools Taxonomy: A list of anonymization tools. Hasn't been updated since 2004.

Routers

A router that supports free and open source firmware is recommended over one provided by your ISP. ISP routers often come preloaded with software that can compromise your privacy and security. There are many GNU/Linux based firmwares available for common routers:

  • OpenWrt: An open source Linux distribution for embedded devices. It is optimized for minimal storage and RAM usage to fit on home routers;
  • LibreCmc: The FSF's fork of OpenWrt with all non-free software removed;
  • DD-WRT: A firmware focusing on the Linksys WRT54G series routers;
  • Tomato: Partially FOSS firmware released in 2008. It is still actively updated by community mods;
  • PORTAL: An acronym for Personal Onion Router To Assure Liberty. It forces all internet traffic through the Tor network to limit the possibility of user mistakes.

For more detailed information see: Routers. You can also use a computer as a router.

Android and cell phones

By their nature cellphones cannot be completely anonymous, but there are some steps that can be taken to at least limit your footprint. Be forewarned that the cellular network itself is designed to track you with only 30 seconds of delay, without a GPS chip.

Using an Android-based phone is a plus over iPhones or Windows Phone (if you can even call it that), but it is highly recommended that you avoid using cell phones altogether. Even better, use a dumb phone with no camera. If you absolutely think you need (not want) a cell phone, follow these tips:

Android replacements

  • Replicant: A project to completely replace all proprietary components of Android;
  • Custom ROMs;
  • CopperheadOS: a hardened fork of Android with PaX kernel patches and more. (Note: The lead developer of the CopperheadOS project was removed from the project, and deleted the update signing keys; due to the uncertainty surrounding these events, the use of CopperheadOS isn't recommended.)
  • GrapheneOS: An open source privacy and security focused mobile OS with Android app compatibility, runs on Google Pixel devices.
  • Firefox OS: An alternative operating system by Mozilla that runs on some Android devices. (EoL)

GNU/Linux Phones

  • Librem 5: A security and privacy oriented phone by Purism that comes with the GNU/Linux distro PureOS preinstalled. Features kill switches and a removable battery, but it is quite pricey.
  • PinePhone: A cheaper GNU/Linux phone by Pine64 that has to be flashed with a distro by SD card. Comes with kill switches and a removable battery, but the hardware isn't too powerful compared to Android phones.

Alternative GApps

Removing ads

  • AdAway (Requires root): Hosts file based ad-blocking;
  • Adblock Plus;
  • MinMinGuard (Requires root and Xposed Framework): Disables the ad activity in apps to prevent the ad from loading. This also means there won't be a blank space where the ad was supposed to be.

Enforcing permissions

  • XPrivacyLua (EdXposed needed for Android 10);
  • Protect My Privacy (ditto);
  • App Ops: Available since Android 4.3. Removed in 4.4.2, but still retained in custom ROMs. Allows you to tweak individual permissions on a per-app basis;
  • Available by default on Android 6 (M).

Browsers

OPSEC/Operational Security

All the software in the world won't help you if you ignore the human element. Obvious no-nos:

  • Using the same username everywhere;
  • Using the same email address everywhere;
  • Logging into the same accounts through your real IP and a proxy/VPN/Tor;
  • Posting photos or images which can be traced back to you via a reverse image search;
  • Using the same MAC Address / Hostname on an untrusted network can identify you to local attackers/surveillance. Check out Computer MAC Addresses and their importance.

Dread Pirate Roberts was brought down by many of the above points.
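
For the MAC address point in the list above, a self-check you can run before joining an untrusted network (an added example, not part of the original page). It assumes Linux's `/sys/class/net` layout; the function names `mac_kind` and `audit_macs` are hypothetical, and "local" means the locally administered bit is set, which is what software-assigned or randomized addresses use.

```shell
#!/bin/sh
# Classify a MAC address by the flag bits in its first octet:
#   bit 0x01 set -> multicast (not a normal interface address)
#   bit 0x02 set -> locally administered (assigned by software, e.g. randomized)
#   both clear   -> vendor-assigned, globally unique and tied to your hardware
mac_kind() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    # Require exactly six colon-separated hex octets.
    if ! printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
        echo invalid
        return 1
    fi
    first=$(( 0x${mac%%:*} ))
    if [ $(( first & 1 )) -ne 0 ]; then
        echo multicast
    elif [ $(( first & 2 )) -ne 0 ]; then
        echo local
    else
        echo vendor
    fi
}

# Print "<interface> <address> <kind>" for every non-loopback interface.
# The optional directory argument lets you point it at a test tree.
audit_macs() {
    net_dir=${1:-/sys/class/net}
    for dev in "$net_dir"/*; do
        [ -r "$dev/address" ] || continue
        name=${dev##*/}
        [ "$name" = lo ] && continue
        addr=$(cat "$dev/address")
        kind=$(mac_kind "$addr") || kind=invalid
        printf '%s %s %s\n' "$name" "$addr" "$kind"
    done
}
```

Run `audit_macs` with no arguments; any interface reported as `vendor` is presenting its hardware address to the network it joins.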

More subtle no-nos:

  • Forensic Linguistics is the science of figuring out someone's identity by the words, phrases and grammar they use. Recommendation to counter this: Anonymouth;
  • Using the same browser with your real IP as your proxy/VPN/Tor IP (see fingerprinting above);
  • Discussing personal preferences, or knowledge of specific locations such as a school, shop or town;
  • Being unprepared for a proxy/VPN/Tor to drop out.

Steve Rambam gave an excellent talk at the HOPE hacker conference which summarizes many of the techniques that you/private investigators/LEA can use to determine someone's identity.

To err is human. As clever as you think you are, all it takes is one connection from your real IP address to deanonymize you. One day when you're distracted/tired/stressed/drunk/high/panicked/surprised or when something out of the ordinary is happening, you will mess up. Putting up many automated layers of anonymity/security will help protect you from yourself.
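
One automated layer for the "proxy/VPN/Tor dropping out" case above is a fail-closed firewall, sketched here for a VPN (an added example, not part of the original page). The function name `killswitch_rules`, the tunnel interface `tun0`, and the server address `203.0.113.10` with port `1194` are assumptions; substitute your own values.

```shell
#!/bin/sh
# Emit an nftables ruleset that drops all outbound traffic except loopback,
# the tunnel interface, and the encrypted link to the VPN server itself.
# If the tunnel goes down, nothing falls back to the real IP. Because the
# table is "inet", IPv6 is dropped too unless it goes through the tunnel.
# Arguments are validated so they cannot smuggle extra rules into the output.
killswitch_rules() {
    tun_if=$1; vpn_ip=$2; vpn_port=$3; proto=${4:-udp}
    case $tun_if in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    printf '%s\n' "$vpn_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
        echo "server must be an IPv4 address, not a hostname" >&2; return 1
    }
    case $vpn_port in
        ''|*[!0-9]*) echo "bad port" >&2; return 1 ;;
    esac
    [ "$vpn_port" -ge 1 ] && [ "$vpn_port" -le 65535 ] || {
        echo "port out of range" >&2; return 1
    }
    case $proto in
        udp|tcp) ;;
        *) echo "protocol must be udp or tcp" >&2; return 1 ;;
    esac
    cat <<EOF
table inet killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        oifname "$tun_if" accept
        ip daddr $vpn_ip $proto dport $vpn_port accept
    }
}
EOF
}

# Load (as root):   killswitch_rules tun0 203.0.113.10 1194 udp | nft -f -
# Remove (as root): nft delete table inet killswitch
```

The server is given as an IP address on purpose: with this ruleset loaded, DNS lookups outside the tunnel are dropped as well.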

External links

See also