Connection Security and Privacy.



VPN
Proxy
Firewall
Torrent Seedbox
DNS (Domain Name Service)
MAC Address
Certificates in the browser
Location Leaks
Tor Browser
Tor Server
Miscellaneous








VPN

There are two "directions" of VPN:
This section is talking about the first type.



How your traffic looks (requests travel down the table, responses travel back up):

Layer                    Encryption             IP addresses on outside
                                                Src              Dest
Browser                  None                   -                WebSite
OS TCP/IP                HTTPS                  PC LAN           WebSite
VPN client               HTTPS + VPN            PC LAN           VPN Srv
PC's Wi-Fi adapter       HTTPS + VPN + Wi-Fi    PC LAN           Router LAN
LAN Wi-Fi                HTTPS + VPN + Wi-Fi    PC LAN           Router LAN
Router's Wi-Fi adapter   HTTPS + VPN            PC LAN           VPN Srv
Router                   HTTPS + VPN            Router public    VPN Srv
ISP                      HTTPS + VPN            Router public    VPN Srv
Internet                 HTTPS + VPN            Router public    VPN Srv
ISP2                     HTTPS + VPN            Router public    VPN Srv
VPN server               HTTPS                  VPN Srv          WebSite
ISP2                     HTTPS                  VPN Srv          WebSite
Internet                 HTTPS                  VPN Srv          WebSite
ISP3                     HTTPS                  VPN Srv          WebSite
Site server              HTTPS                  VPN Srv          WebSite
Server OS TCP/IP         None                   VPN Srv          -
Web server               -                      -                -

The "LAN" and first ISP could be your home LAN and ISP, or ones used by your school or library or restaurant where you use Wi-Fi.

If instead of a browser, you use a secure-messaging application such as Wire or Signal, that adds its own additional, innermost layer of encryption.



Advantages of using a VPN:



Some drawbacks of using a VPN:
[To avoid the last three issues, you may be able to add VPN exceptions or a proxy so that some sites don't go through the VPN, or set one browser or browser profile to use the VPN and another to not use it.]

Search Encrypt Blog's "The Case Against VPNs"






VPN client software:

To use a VPN, you have to have some client-side software installed at some level. Could be:

The client software could be:
OpenVPN is:
It seems to me that if the client piece is proprietary software from the VPN vendor, you're trusting it to a great degree: it sits on your machine and can see all of your traffic, encrypted or not. It could also install something else, such as a root certificate: Ctrl blog's "Installing VPN root certificates leaves you more vulnerable to snooping"

From someone on reddit's /r/VPN:
> On Android, should I install VPN provider's app directly, or
> should I set up OpenVPN per instructions on provider's website?

Often the custom VPN client supplied by a VPN service has nice features that make it preferable to use. The stock Android OpenVPN client is spartan. 'OpenVPN for Android' by Arne Schwabe is better. You choose based on features/convenience.

I tried OpenVPN client on Windows 10 with Windscribe VPN 4/2018:


Michael Horowitz's "An introduction to six types of VPN software"





From /u/wilsonhlacerda on reddit:
> Which is the cheapest vpn app out there? That won't sell my info?

You never know if they will sell or not. If they will give it away or not. If they will spy on you or not. Or if they will give info when justice, government, cops, or similar demand them or not. If not the company itself, then an employee, will get your info or not.

Yegor S's "Free VPN Myths Debunked"
William Chalk's "Who's Really Behind the World's Most Popular Free VPNs?"

Excerpted from an FT article, on reddit 11/2018:
More than half of the world's 30 most popular smartphone apps for browsing the internet privately are owned by Chinese companies, according to a new study that raises significant privacy concerns.

Seventeen of the apps, which offer to connect users to the internet through a secure tunnel known as a "virtual private network" (VPN), were owned either by Chinese companies or companies appearing to have links to China.

...

But the companies operating them often had very limited privacy policies, said Simon Migliano, the head of research at Top10VPN.com, which reviews VPN services.

"We found a few apps that explicitly stated that users' internet activity was logged, which we have never seen anywhere else with VPNs. [VPN] policies usually state that they never ever log data," he said.

"We even found that in some cases they stated they would share your data with third parties in mainland China, which is clearly anti-privacy."

...

"It's pretty crazy that 60 per cent of apps we looked at didn't have a company website. Over half hosted their privacy policies on free wordpress blogs, that had ads on the page, full of typos and when you looked at them together, they had copied and pasted from each other in a sloppy way. This is far from what you'd expect from an internet company trying to protect your privacy."

Three of the apps - TurboVPN, ProxyMaster and SnapVPN - were found to have linked ownership. In their privacy policy, they noted: "Our business may require us to transfer your Personal Data to countries outside of the European Economic Area ("EEA"), including to countries such as the People's Republic of China or Singapore."

From someone on reddit:

VPN Kill Switch For Linux Using Easy Firewall Rules

If you're connected to a VPN, you need a killswitch. No, it's not as metal as it sounds. It's just a mechanism that stops your Internet connection when you're disconnected from the VPN. It protects you from inadvertently leaking sensitive information onto the Internet when the VPN connection drops.

Some VPN services provide clients with a built-in killswitch, but none are as reliable as using iptables. Since iptables is independent of your VPN service, and it's integrated into the kernel itself, it won't fail when your VPN does. Iptables is also a well-proven security technology that can and will keep your computer safe.

The Tin Hat's "The Best VPN Kill Switch For Linux Using Easy Firewall Rules"
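The Tin Hat article linked above gives the iptables rules; the following is an added example (not the Tin Hat's script and not any VPN vendor's code) that builds the same kind of default-deny kill switch in Python, prints it as a dry run, and can apply it with subprocess when run as root. The server address 198.51.100.7 (a documentation-range placeholder), port 1194/udp, tunnel interface tun0 and LAN 192.168.1.0/24 are assumptions; take the real values from your own VPN config. Note that the server must be given as an IP address, because with everything else dropped there is no DNS until the tunnel is up.

```python
"""Build (and optionally apply) iptables rules for a VPN kill switch.

Added example, not code from the Tin Hat or from any VPN provider.
Default-deny in both directions; the only plaintext flow allowed out is
the tunnel itself, and everything else must ride inside the tunnel.
"""
import subprocess
from typing import List, Optional

Rule = List[str]


def killswitch_rules(vpn_server_ip: str, vpn_port: int, proto: str = "udp",
                     tun_if: str = "tun0",
                     lan_cidr: Optional[str] = None) -> List[Rule]:
    """Return the iptables commands that make up the kill switch."""
    rules: List[Rule] = [
        # Clean slate, then drop everything by default.
        ["iptables", "-F"],
        ["iptables", "-P", "INPUT", "DROP"],
        ["iptables", "-P", "FORWARD", "DROP"],
        ["iptables", "-P", "OUTPUT", "DROP"],
        # Loopback must keep working or local services break.
        ["iptables", "-A", "INPUT", "-i", "lo", "-j", "ACCEPT"],
        ["iptables", "-A", "OUTPUT", "-o", "lo", "-j", "ACCEPT"],
        # Replies to connections this host started.
        ["iptables", "-A", "INPUT", "-m", "conntrack", "--ctstate",
         "ESTABLISHED,RELATED", "-j", "ACCEPT"],
        # The one plaintext flow allowed out: the tunnel to the VPN server.
        # An IP address, not a hostname: no DNS works before the tunnel is up.
        ["iptables", "-A", "OUTPUT", "-d", vpn_server_ip, "-p", proto,
         "--dport", str(vpn_port), "-j", "ACCEPT"],
        # Anything inside the tunnel interface is fine in both directions.
        ["iptables", "-A", "OUTPUT", "-o", tun_if, "-j", "ACCEPT"],
        ["iptables", "-A", "INPUT", "-i", tun_if, "-j", "ACCEPT"],
    ]
    if lan_cidr:
        # Optional LAN exception (printer, NAS); this is the "allow LAN
        # traffic" choice vendors' kill switches also expose.
        rules.append(["iptables", "-A", "OUTPUT", "-d", lan_cidr, "-j", "ACCEPT"])
        rules.append(["iptables", "-A", "INPUT", "-s", lan_cidr, "-j", "ACCEPT"])
    return rules


def leaks_without_tunnel(rules: List[Rule]) -> bool:
    """Sanity check before applying: True if some OUTPUT ACCEPT rule is not
    pinned to an interface (-o) or destination (-d), i.e. a leak path."""
    for r in rules:
        if r[:3] == ["iptables", "-A", "OUTPUT"] and "ACCEPT" in r:
            if "-o" not in r and "-d" not in r:
                return True
    return False


def apply_rules(rules: List[Rule], dry_run: bool = True) -> None:
    """Print the rules (dry run) or execute them; applying needs root."""
    for r in rules:
        if dry_run:
            print(" ".join(r))
        else:
            subprocess.run(r, check=True)


if __name__ == "__main__":
    # Assumed placeholder values; replace with your own VPN settings.
    rules = killswitch_rules("198.51.100.7", 1194, lan_cidr="192.168.1.0/24")
    assert not leaks_without_tunnel(rules)
    apply_rules(rules, dry_run=True)
```

Because the OUTPUT policy is DROP, DNS queries that try to go to a resolver outside the tunnel are dropped as well, so this rule set also blocks the "DNS leak" discussed in the DNS section instead of letting it happen silently.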





Testing to see if all traffic actually goes through the VPN:




Alan Henry's "Why You Should Be Using a VPN (and How to Choose One)"
Thorin Klosowski's "The Biggest Misconceptions About VPNs"
joepie91's "Don't use VPN services"
Dennis Schubert's "VPN - a Very Precarious Narrative"
Max Eddy's "The Best VPN Services for 2019"
TheBestVPN's "Best VPN Services"
Amul Kalia's "Here's How to Protect Your Privacy From Your Internet Service Provider"
ProtonVPN's "VPN Threat Model" (what a VPN can and can't protect you from)
Troy Wolverton's "No perfect way to protect privacy"
Jonas DeMuro's "7 good reasons why a VPN isn't enough"
VPN Scam's "How to Avoid VPN Scams in 2017-2018"
reddit's /r/VPN
Wikipedia's "OpenVPN"

Private Internet Access (PIA) VPN
ProtonVPN
Windscribe

Some "VPNs" are just data-collecting operations:
Dell Cameron's "Do Not, I Repeat, Do Not Download Onavo, Facebook's Vampiric VPN Service"
Justin Cauchon about Verizon Safe Wi-Fi VPN



General complaint, from /u/wombtemperature on reddit 5/2017:

This VPN industry needs a wake-up call, ELSE a better way at helping the average joe at Starbucks. Guys. Like. Me.

I read. As such, I know the importance of a VPN. In fact, I have spent hours/days reading up on them. I have made excel spreadsheets to compare them (and looked at the ones on "that site"). I even WANT to give you my money to insure I have a good one. As such, I have tried 4 paid popular ones I won't mention as I don't want to call them out, and spent a ton of time testing them on my PC and mobile.

They all are frustratingly SLOW. Or interfere with connections.

No matter what, all I want is a FAST secure connection I don't have to think about. Yet, I can't find a VPN that doesn't bring my public and often home networks connections to a crawl. The expected "30% drop" is BS. And none automatically find me the best servers, and in fact often I can get faster servers 5000 miles away, but I have to manually select them.

I understand its complicated. But I have stuff to do. Seriously. Which is why I want to pay someone else to think about these things and give me a good product.

You all sales-pitch me the "fastest speeds" but then I watch as my connection up and down speeds drop to pathetic - and I have the spreadsheets to prove it.

To anyone listening I speak for the masses ... take my money and give me a decent, secure VPN connection.

And if I am just not "reading enough" to know how to get what I am looking for, then it highlights my point that there is a problem out there for the non-technical guys like me who just want security without massive compromise and hours of research.
From /u/Youknowimtheman on reddit:

When we talk about speed drops, you're going to lose ~9% just because of how the encapsulation and encryption works. You're also going to lose about 10ms on pings because the actual encrypting and decrypting takes time.

It is also important to manage expectations when we talk about privacy networks that are based on shared connections. We have had a rash of users on our service that are unhappy with our "slow" performance because their gigabit connection slows down to 190Mbit. They don't understand the nature of VPNs and that in order to keep their information private, their traffic has to be mixed with other users on a server, and these servers are running the same 1Gbit connection that they have. Yes, it is 20% of your line speed, but at the same time it is extremely fast for the market generally, and pretty much the limits of what you'll see on a server with proper user densities to protect your information.

If you're talking about a 30% drop on 10Mbit that is significant. If you're getting a 30% drop on 200Mbit that's absolutely normal.

There's also other factors that play into VPN performance like distance from the server, which protocol they are using, etc.

In other words, you're always going to have some loss. If all factors are good, you can minimize that loss up to a limit in speed. More than 200Mbit just isn't going to happen on a safe and private connection generally.

IPv6, from someone on reddit 6/2017:

> why do many VPN setup guides advise you to disable IPv6 ?

A lot of VPNs only handle IPv4, so on those any IPv6 traffic bypasses the VPN.

Easiest fix is to disable IPv6. Better long-term solution would be to get a VPN that properly handles IPv6.

...

... the main reasons are:

That's why, if you really care about security, your first concern is finding a strong VPN provider. Something like supporting ipv6 is not on most people's priority list, including not your VPN provider, except the best-in-class ones that at least prevent leaks at the client no matter which IP protocol they use.

...

Most budget/end user VPNs only cover IPv4 traffic, and anything sent over IPv6 is ignored.

...

I have seen anecdotally IPv6 messing up network applications. On more than one occasion.

Campbell Simpson's "CSIRO: Most Mobile VPNs Aren't Secure"
Sven Taylor's "VPNs are Using Fake Server Locations"
Violet Blue's "Is your VPN lying to you?"
Sunday Yokubaitis on companies behind various VPN brands



If you want to host your own outbound-to-internet VPN, you shouldn't do it on your home network, because you'll still be using your home ISP. Instead, you need to have a different ISP for your VPN server. Which probably means hosting the VPN server in a cloud service.
Jim Salter's "How to build your own VPN if you're (rightfully) wary of commercial options"
Romain Dillet's "How I made my own VPN server in 15 minutes"

One reason to build your own outbound-to-internet VPN (maybe hosted on a cloud service): some public networks (in hotels or schools or fast-food places) may block access to the IP addresses of well-known commercial VPNs, but the IP address of your personal VPN won't be in their block-list.



I tried ProtonVPN free, starting 9/2017:
Torrenting not allowed when using free version.

I don't see any slow-down, but I am in Spain and mostly using USA web sites, so my speeds probably already were slightly low.

If I'm using a VPN server in another country, and do a Google search, Google changes country to France or Latvia or wherever the VPN server is. So I get results in French or Latvian or whatever.

Each time I change to a VPN server in a new country: In Windows 10, if you run the VPN and then click on the Network icon in the system tray and connect to Wi-Fi, it's possible to get connected to both the VPN and the normal Wi-Fi simultaneously. To fix this, I think you have to disconnect from both, then connect to Wi-Fi, then run the VPN.

I started using Windscribe 2/2018:
Free license. I installed only the Windows (VPN) part, not the Firefox (ad-blocker) part.

Limited to 10 GB per month in free version, less if you don't give an email address when you sign up. And 10 GB goes faster than you'd expect. Torrenting works.

Has a "kill switch": if the VPN connection goes down, your internet connection gets severed, instead of silently becoming non-VPN. Misleadingly, Windscribe calls this "firewall".

I'm sure some privacy-guys will say don't use Windscribe because they're a Canadian company, and 2/3 of their servers are in USA or Canada.

Seems to work well, good reviews online, turns out there are discount codes you can use to get a great deal. So I paid $41 for a Lifetime Pro subscription, unlimited devices, unlimited usage.

Installed it on my Android 7 phone, works okay.

I've done some occasional speed tests using my cheapo Dell laptop, Windows 10, Firefox, Vodafone fiber internet in Spain, VPN server in Spain or France. I'd say I see a performance penalty of 0 to 20% when using the VPN.

A few sites behave badly if I use Windscribe:
If I'm using Windscribe, PayPal USA makes me verify identity and then forces me to change password.
If I'm using Windscribe, Ryanair won't let me log in.
If I'm using a non-USA Windscribe server, TaxAct Online won't let me log in.

I was able to connect from my location in Spain, to a Windscribe server in USA, and then to a streaming web site, and stream a football (soccer) game in Spain, although the window was only 640x480, I think.

There are several ways to install Windscribe client on Windows:

There is a special setup procedure for uTorrent application: Windscribe's "uTorrent Setup Guide". But you're still protected if you don't do that.

Windscribe client can be installed in a router: see "Windscribe for Your Router" section of Windscribe's "Setup Guides". Only one Windscribe server can be listed, so if that one goes away, no internet. Windscribe firewall runs in the client OS, not the router. If connection to server drops, what happens depends on your router firmware, nothing to do with Windscribe.

If you run Windscribe in the router and nothing at all in the clients, all traffic does go over the VPN.

People online say that in iOS (Apple), the "firewall" doesn't work, because of the architecture of iOS. What functionality is lost ?

I changed my laptop to Linux, and installed Windscribe client Beta on it. If I try to turn on Linux firewall, the two firewalls fight each other, apparently. Windscribe Support says use one or the other. Support also says:
"There is currently no way to add rules to the Windscribe Firewall unfortunately. It either blocks everything that isn't coming from the VPN IP or it allows any connections to your direct IP. On and off. The only rule that we have built-in as an option is to allow LAN traffic so you can have the Firewall on and still connect to devices on your location network."
And then they said:
"The Windscribe Firewall is the Linux Firewall. The Windscribe CLI is using IPtables. Windscribe makes a rule to block everything that isn't in the VPN tunnel. The LAN traffic rule is just there if you do need it. The Firewall will block LAN traffic as well unless you don't want it to. And yes, there are instances where you'd want the Firewall to have exceptions for certain apps or services but since the Windscribe CLI is still in beta, we don't have those whitelisting options yet."

10/2018 Windscribe announced their servers block IPs of known sources of malware, and soon their DNS's will be doing ad-blocking. The level of filtering will be adjustable.

12/2018 Found out that Windscribe VPN is blocking a domain I need; when it blocks something, it does it by mapping to localhost. A user can't whitelist a domain; user either turns all blocking down to a lower level, or file a Support ticket asking for that one domain to be whitelisted (for everyone).

3/2019: they confirmed that their DNS's use DNSSEC to talk to other DNS's.

You could use the Tor network as a VPN:
GouveaHeitor / nipe


If you're doing illegal things, don't expect a VPN or proxy company and their ISP to shield you if they're served with a court order. They may be forced to log your activity and trace you and give the data to law enforcement.

If you're abusing the VPN itself, such as sending out millions of spam emails through the VPN, don't expect a VPN or proxy company and their ISP to shield you. They may report you to law enforcement, or happily cooperate with law enforcement.



Sven Taylor's "OpenVPN vs IPSec, WireGuard, L2TP, & IKEv2 (VPN Protocols 2019)"













Proxy

A proxy just redirects your traffic, making it come out from a different computer with a different IP address. It doesn't add any encryption.

Proxies have most of the same drawbacks as VPNs (added point of failure, some sites may not allow, have to trust provider, etc), but the performance penalty for a proxy should be much less than that for a VPN.

Privacy.net's "What proxy servers are and how they differ from VPNs"
Jason Fitzpatrick's "What's the Difference Between a VPN and a Proxy?"
NewIPNow.com

Hide My Ass! (free proxy server)
Proxify
Public CGI (Web, PHP) anonymous proxy free list
search for Firefox proxy add-ons






Firewall

A firewall lets you control what kinds of traffic flow in and out of your network.

Some types:

Wikipedia's "Firewall (computing)"
Palo Alto Network's "What Is a Firewall?"
Cisco's "What Is a Firewall?"
Chris Hoffman's "Do I Need a Firewall if I Have a Router?"

A firewall could be:







Torrent Seedbox

A Seedbox is a torrent client on a cloud/server computer. All torrents go to that server, then you FTP from that server to your computer. So if your ISP doesn't allow torrenting, or you're downloading copyrighted material, this evades those problems.

Seedbox Guide's "What is a seedbox?"






DNS (Domain Name Service)

DNS is how domain names such as "google.com" are resolved into IP addresses such as "1.2.3.4".



Most likely, your computer is using either Google's Public DNS (8.8.8.8 or 8.8.4.4), or a DNS run by the ISP or VPN you are using, or is set to find a DNS automatically (which probably means: DNS run by the ISP or VPN).

To find out what DNS you are using, open a command prompt and run "nslookup google.com". The first address shown is your DNS's address. But an IPv4 address that starts with "10.", "172." or "192." likely is an "internal" address, meaning that something in your computer or VPN or router or ISP is grabbing that address and mapping it to something else. See Tim Fisher's "Private IP Address". A leak-test such as Doileak.com will tell you what DNS server actually is being used.
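As an added example (not from this page or from any tool it links), here is a Python script that pulls the resolver address out of nslookup output and classifies it with the exact private-address boundaries rather than the first octet alone: "172." is private only for 172.16 through 172.31, and 127.0.0.53 is a local stub resolver rather than a LAN device. The two sample outputs are constructed to match the Windows and Linux nslookup layouts, not captured from a real system.

```python
"""Find the resolver address in nslookup output and say whether it is a
public server or a local (private/loopback/link-local) forwarder.

Added example; sample outputs below are constructed, not captured.
"""
import ipaddress
import re
from typing import Optional

# Constructed sample in the Windows nslookup layout.
SAMPLE_WINDOWS = """Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:    google.com
Addresses:  2a00:1450:4007:80b::200e
          142.250.178.142
"""

# Constructed sample in the Linux (BIND) nslookup layout; note the "#53".
SAMPLE_LINUX = """Server:\t\t8.8.8.8
Address:\t8.8.8.8#53

Non-authoritative answer:
Name:\tgoogle.com
Address: 142.250.178.142
"""


def resolver_address(nslookup_output: str) -> Optional[str]:
    """Return the resolver's address: the first 'Address:' line, with the
    Linux '#port' suffix stripped. None if no such line is found."""
    for line in nslookup_output.splitlines():
        m = re.match(r"^Address:\s*(\S+)", line)
        if m:
            return m.group(1).split("#")[0]
    return None


def classify_resolver(addr: str) -> str:
    """Label an address as 'loopback', 'link-local', 'private' or 'public'.
    Order matters: loopback is also reported as private by ipaddress."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"      # e.g. 127.0.0.53, a local stub resolver
    if ip.is_link_local:
        return "link-local"    # 169.254.0.0/16, fe80::/10
    if ip.is_private:
        return "private"       # 10/8, 172.16/12, 192.168/16, fc00::/7
    return "public"


def explain(nslookup_output: str) -> str:
    """One-line verdict a user can act on."""
    addr = resolver_address(nslookup_output)
    if addr is None:
        return "could not find a resolver address in that output"
    kind = classify_resolver(addr)
    if kind == "public":
        return f"{addr} is a public resolver; this is the server answering you"
    return (f"{addr} is a {kind} address: something local (router, VPN client, "
            "stub resolver) forwards your queries to a resolver this output "
            "does not show; use a leak test to see the real one")


if __name__ == "__main__":
    print(explain(SAMPLE_WINDOWS))
    print(explain(SAMPLE_LINUX))
```

To use it on your own machine, pipe the real command into it (for example `nslookup google.com | python3 thisscript.py` with a few lines reading `sys.stdin`); the classification is the same either way.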



The DNS can see what sites (domains) you are connecting to, but not which pages or URLs or searches you are doing on those sites.

If you're using Google's DNS, and don't want Google to know what sites (domains) you visit, you can change to another DNS.

If you're using the ISP's DNS, and are not using a VPN, there's no point in changing DNS, the ISP sees all of the sites you use regardless of the DNS.

If you're using the ISP's DNS, and are using a VPN, you could change to another DNS, accessed through the VPN, and the ISP will not be able to see anything except that you're accessing the VPN. No sites (domains), no pages or URLs or searches.



If you're using a VPN or proxy or Tor to hide your normal traffic from your ISP or someone spying on your network, yet your DNS traffic is NOT going through the VPN etc, this is called a "DNS leak". A web page may be able to use JavaScript to find out your real IP address, even though you're using a VPN etc.
Wikipedia's "DNS leak"
DNS leak test
Anonymster's "VPN Free DNS Leak Test & DNS Leak Protection"



Nykolas Z's "DNS Security and Privacy - Choosing the right provider"

Some good reasons to use Google's Public DNS:
Joseph Caudle's "Why and How to Use Google's Public DNS"
Vijay Prabhu's "How to Change Your Default DNS to Google DNS for Fast Internet Speeds"

Choosing a DNS by speed:
John E Dunn and Tamlin Magee's "Best free DNS services 2018"
Remah's "How to Find the Best DNS Server"
Chris Frost's "Clearing the DNS Cache on Computers and Web Browsers"

My computer (running Windows 10) was set to "find DNS automatically", which meant it was using the DNS run by my ISP. I ran namebench several times, and results varied, but generally the DNS run by my ISP was fastest or among the fastest. So I left my computer set to "find DNS automatically".

From someone on reddit:
"some routers ignore individual device settings, so if that's the case you have to change the DNS settings on your router to whatever server you want to use"



There are various flavors of encrypted connection to DNS, it's confusing:

Sean Gallagher's "How to keep your ISP's nose out of your browser history with encrypted DNS"
DNSCrypt
DNSCrypt Proxy
Domain Name System Security Extensions (DNSSEC)



OpenDNS (includes blacklist of bad sites, at the DNS server)






MAC Address

This is an address unique to the network access card/hardware in your device.

Your MAC address doesn't get out to the Internet. Only people/devices on the same LAN as you can see your MAC address. (That sometimes includes people sharing Wi-Fi with you.) But if you're using public or store or hotel Wi-Fi, now the operator of that network knows your MAC address, and can sell that info. It can be used to track your activity across networks and sites.

In TCP/IP, your MAC address doesn't go beyond your local network (if using a router) or your ISP (if using only a modem). It would be possible for an app on your computer/phone to grab the MAC address and send it out in some custom way.



Change your MAC address:
Mac Makeup
Technitium MAC Address Changer (Windows only)
Linux Geekster's "3 Ways to change the MAC address in Linux and Unix"
OSTechNix's "How to change MAC address in Linux"
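An added example (not code from any of the MAC-changer tools listed above) showing what a network operator can read out of a MAC address, and how a randomized address differs from a factory one. The first three octets are the vendor prefix (OUI), which identifies the hardware maker; bit 1 of the first octet marks an address as "locally administered", which is what operating systems set when they randomize a Wi-Fi MAC for privacy, so a randomized address is recognisable as randomized even though it no longer identifies your device. The sample addresses are constructed.

```python
"""Decode the flag bits of a MAC address and generate a randomized,
locally administered unicast address of the kind OSes use for privacy.

Added example, not taken from any MAC-changing tool. Sample addresses
are constructed.
"""
import re
import secrets
from typing import Dict

MAC_TEXT = re.compile(r"[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}")


def parse_mac(text: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff; return the 6 raw bytes."""
    text = text.strip()
    if not MAC_TEXT.fullmatch(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(part, 16) for part in re.split(r"[:-]", text))


def format_mac(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def describe_mac(text: str) -> Dict[str, object]:
    """What the first octet's two flag bits and the OUI say about an address."""
    mac = parse_mac(text)
    first = mac[0]
    return {
        "oui": mac[:3].hex(":"),                      # vendor prefix
        "multicast": bool(first & 0x01),              # bit 0: I/G flag
        "locally_administered": bool(first & 0x02),   # bit 1: U/L flag
    }


def random_local_mac() -> str:
    """A random unicast address with the locally-administered bit set, so it
    carries no vendor OUI; this mirrors what OS MAC randomization produces."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] | 0x02) & 0xFE   # set U/L, clear I/G (unicast)
    return format_mac(raw)


if __name__ == "__main__":
    for sample in ("00:1A:2B:3C:4D:5E",   # constructed factory-style address
                   "02-00-00-aa-bb-cc",   # constructed locally administered one
                   random_local_mac()):
        print(sample, describe_mac(sample))
```

The OUI lookup itself (prefix to vendor name) is deliberately left out; the IEEE publishes that registry and it is what tools and network operators consult, so the point here is only that a factory address hands that lookup to everyone on the LAN while a locally administered one does not.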







Certificates in the browser

What are the security and privacy implications of these ?

Some questionable certs may appear under "Authorities": a couple from China, DigiNotar. Various CA's have been hacked from time to time. Firefox is in process of removing trust for Symantec-issued certs.

Certs that appear under "Servers" reveal a little bit about your browsing history: they may show what domains you've visited.

As far as I know, there is no downside to removing Server certificates, and removing a few Authorities is okay too (as long as you don't remove them all).

Will any of the browsers report "hey, a new certificate was installed since last time the browser was running" ? I think they should.

Ctrl blog's "Installing VPN root certificates leaves you more vulnerable to snooping"
Pieter Arntz's "When you shouldn't trust a trusted root certificate"
Hanno Bock's "Check for bad certs from Komodia / Superfish"
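The question above, whether anything reports "a new certificate was installed since last time", can be answered for a PEM certificate bundle with a baseline comparison. The following is an added example, not code from any browser or from the articles linked: it fingerprints every certificate in a bundle, stores the set, and on the next run reports what was added or removed. The two bundles at the bottom are constructed PEM wrappers around arbitrary bytes (not real certificates), so they only exercise the comparison; the Debian/Ubuntu path in the comment is an assumption about where your system bundle lives, and Firefox's own store (cert9.db) is not covered by this.

```python
"""Compare a certificate store against a saved baseline and report any
certificates that appeared or disappeared since the last run.

Added example, not from any browser or the linked articles. Reads PEM
text (BEGIN/END CERTIFICATE blocks); the sample bundles are constructed
stand-ins, not real certificates.
"""
import base64
import hashlib
import json
import re
from pathlib import Path
from typing import Dict, Set

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def fingerprints(pem_bundle: str) -> Set[str]:
    """SHA-256 fingerprint (hex) of the DER bytes of every PEM block."""
    found = set()
    for body in PEM_BLOCK.findall(pem_bundle):
        der = base64.b64decode("".join(body.split()))
        found.add(hashlib.sha256(der).hexdigest())
    return found


def compare(baseline: Set[str], current: Set[str]) -> Dict[str, Set[str]]:
    """Fingerprints present now but not before, and vice versa."""
    return {"added": current - baseline, "removed": baseline - current}


def check_store(bundle_path: Path, baseline_path: Path) -> Dict[str, Set[str]]:
    """Diff the store at bundle_path against the JSON baseline. On the first
    run (no baseline yet) record one and report no changes. The baseline is
    rewritten after the diff, so each change is reported exactly once."""
    current = fingerprints(bundle_path.read_text())
    if baseline_path.exists():
        baseline = set(json.loads(baseline_path.read_text()))
    else:
        baseline = current
    result = compare(baseline, current)
    baseline_path.write_text(json.dumps(sorted(current)))
    return result


def fake_pem(label: str) -> str:
    """Constructed stand-in: PEM framing around arbitrary bytes, NOT a cert."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed bundles: the "current" one has gained one entry.
BASELINE_BUNDLE = fake_pem("root-A") + fake_pem("root-B")
CURRENT_BUNDLE = BASELINE_BUNDLE + fake_pem("newly-installed-root")


if __name__ == "__main__":
    diff = compare(fingerprints(BASELINE_BUNDLE), fingerprints(CURRENT_BUNDLE))
    for fp in sorted(diff["added"]):
        print("new certificate since baseline:", fp)
    # Real use, Debian/Ubuntu system bundle path assumed:
    # check_store(Path("/etc/ssl/certs/ca-certificates.crt"),
    #             Path("~/.cert-baseline.json").expanduser())
```

Run `check_store` from a login script or cron job; the first run is silent and every later run names only the fingerprints that changed, which you can then look up against the certificate's subject with `openssl x509 -in cert.pem -noout -subject -fingerprint -sha256`.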







Location Leaks

Probably we're all familiar with IP leaking, when some outside person/app gets your real IP address and usually can determine your approximate location, and if they get help from your ISP can determine your identity.

But is there "location leaking" inside the software in our computers ? Apps can query our Wi-Fi or router or ISP to get our GPS location or at least postcode ? I assume apps all can get our real IP address, even if we're using a VPN.

And yesterday, my Linux Mint 19 system installed an update which included "freedesktop" which runs a "GeoClue" location service for applications. I don't know quite what this does and how much it knows and how to turn it off (eventually I was able to uninstall it).

Any software inside our system that gets our real location or IP address potentially could leak it, accidentally or routinely or maliciously. The information might be included in crash dumps or traces in bug reports.

How do we stop this ? What other sources of location data are there inside our systems ? How do we set them all to report "none" or some fixed value of our choosing ?

Inside Android, an app can use Google Location Services API or Network Location Provider.

Inside Linux, while running a VPN and through a router, there are four kinds of IPv4 address: I haven't found a way yet that an app on my computer can get the Router's WAN address, either with VPN on or VPN off. But with VPN off, an app could talk to a server outside and ask it "what IP address am I coming from ?".

Browser is a key point for storing/providing location data. Set preferences in each browser you use. And maybe use an add-on such as Location Guard






Tor Browser

Tor is a network, where the Tor browser talks to an entrance node, which talks to a middle node, which then talks to either an exit node (for normal internet traffic) or an onion web site.

It is possible to use Tor browser and still not have privacy or anonymity. If you're the only person on your network using Tor, perhaps your activity can be correlated with the traffic coming out of the exit node. If you log in to a web site using your real info, that site will know who you are. If you use HTTP, the exit node and its ISP can see your traffic.



If you're using Tor browser instead of a VPN, only the browser's traffic is going through the Tor network; traffic from other applications and background services does not. I say: leave the VPN running 24/365, even when you're using Tor browser.



Tails is a Linux system where all internet traffic goes through the Tor network. Another is Kodachi (article). I think both are designed to be run from a USB stick, without persistence, so any changes to OS and apps etc get wiped when you shut down.



You could use the Tor network as a VPN: GouveaHeitor / nipe

BUT: Tor network only handles TCP traffic, not UDP; see Tor FAQ item



Tor Browser

Privacy.net's "Everything you wanted to know about Tor but were afraid to ask"
Andy Greenberg's "The Grand Tor: How to Go Anonymous Online"
Tor Project's "Check your Tor browser"
Matt Traudt's "VPN + Tor: Not Necessarily a Net Gain"
Matt Traudt's "About to use Tor. Any security tips?"

Juan Sanchez and Garth Griffin's "Who's Afraid of the Dark? Hype Versus Reality on the Dark Web"

/r/Onions







Tor Server



Can you have one web site which is accessible through both clearnet and also onion (Tor) ?
If you are renting a VM and hosting the site yourself, make sure your provider allows this. If your site is on a shared hosting service, the service would have to offer onion as a feature (and I'm unaware of any mainstream service that does so).

Ablative Hosting makes same site appear on clearnet and onion:


A "Tor2Web proxy" lets people using a normal browser access an onion server. But:
Matt Traudt article



Onion domain names are limited to 16 chars (v3 increases it to 56 chars) and are assigned essentially at random; you can't specify a domain name you want.

NordVPN's "How to make a .onion site"
DeepWebSitesLinks' "Deep Web Hosting ..."
/r/onions' "Hosting a Hidden Service"
Riseup's "Best Practices for Hosting Onion Services"
Bashir Barrage's "How To Build a DarkWeb Server" (PDF)

Scan your onion site for problems:
OnionScan
tokyoneon's "Detect Misconfigurations in 'Anonymous' Dark Web Sites with OnionScan"




From someone on reddit 4/2019:

> How do I go about hosting a Tor site. I know how to make a clear web site using node JS ...

Unless this is just a toy project and nothing really bad will happen if you get traced, do not take the advice to run Tor on a machine, run a Web server on that same machine, and have Tor forward .onion address to that Web server.

With the naive configuration, you will be pwned if anybody puts in any real effort, so don't use that configuration if being owned is a problem and you think anybody might put in any effort.

The biggest problem with hidden services is that there are roughly 87 billion bugs, misconfigurations, and bad defaults that can show up anywhere in your Web server, framework, language, database, libraries, or whatever, and leak the server's real IP address to remote clients. Or even give remote clients the ability to run arbitrary code on the Web server, which means that you lose if it can even send any clearnet traffic at all.

You have to close all the holes you can, and then you have to assume that you'll still have missed some. That means that you can't let the server know its own real IP address. That means that you can't have the Tor process running in the same network address space as the Web server process. You shouldn't have them share a kernel, and really shouldn't even have them on the same physical hardware.

Have a look at the Whonix physical isolation configuration. I think that's unsupported and requires some skill to set up, but it's still safer than rolling your own for most people in most circumstances.

The bottom line is that this is a "full stack" endeavor. You have to think about everything from the hardware up through the application. Otherwise you will lose. If there's any part of your system that you do not completely understand, you have to deprive it of any sensitive information, and then surround it with a wall of stuff that you do understand. Otherwise you will lose.

Keep everything as simple as possible. Use as little software as possible, and choose software that's as bulletproof as possible. Don't put in any nonessential features.

Remember that many of your clients will be running with JavaScript disabled.

If it's a really hot service, assume it will be compromised anyway, so put another layer between you and it. Buy your hosting in a way that can't be traced to you, and manage it over Tor or I2P.







Miscellaneous



EFF's "What Should I Know About Encryption?"





This page updated: April 2019

