Connection Security and Privacy.



VPN
Proxy
Router And Modem
Firewall
Torrent Seedbox
DNS (Domain Name System)
MAC Address
Certificates in the browser
Location Leaks
Inbound Traffic
Tor Browser
Tor Server
Miscellaneous








VPN

There are two "directions" of VPN: outbound, where your traffic goes out to the internet through a VPN provider's server, so the sites you visit see that server's address instead of yours; and inbound, where you connect from outside into your own home or office network (see the "Inbound Traffic" section).
This section is talking about the first type.



How your traffic looks at each hop. Read each row as the request going left to right (src -> dest); the response retraces the same path in reverse.

Hop                      Encryption on the wire    Src IP          Dest IP
Browser                  None                      -               WebSite
OS TCP/IP                HTTPS                     PC LAN          WebSite
VPN client               HTTPS + VPN               PC LAN          VPN Srv
PC's Wi-Fi adapter       HTTPS + VPN + Wi-Fi       PC LAN          Router LAN
LAN Wi-Fi                HTTPS + VPN + Wi-Fi       PC LAN          Router LAN
Router's Wi-Fi adapter   HTTPS + VPN               PC LAN          VPN Srv
Router (NAT)             HTTPS + VPN               Router public   VPN Srv
ISP                      HTTPS + VPN               Router public   VPN Srv
Internet                 HTTPS + VPN               Router public   VPN Srv
ISP2                     HTTPS + VPN               Router public   VPN Srv
VPN server               HTTPS                     VPN Srv         WebSite
ISP2                     HTTPS                     VPN Srv         WebSite
Internet                 HTTPS                     VPN Srv         WebSite
ISP3                     HTTPS                     VPN Srv         WebSite
Site server              HTTPS                     VPN Srv         WebSite
Server OS TCP/IP         None                      VPN Srv         -
Web server               None                      -               -

ISP2 is the VPN server's ISP; ISP3 is the web site's. The "Wi-Fi" layer is the WPA encryption between your PC and the router, added by the PC's Wi-Fi adapter and removed by the router's. Three things follow from the table: your ISP (and anyone else on the local Wi-Fi) sees only encrypted traffic between your router's public address and the VPN server; the web site sees the VPN server's address, not yours; and the VPN server sees both your real address and every site you connect to, though it still can't read inside the HTTPS layer.

The "LAN" and first ISP could be your home LAN and ISP, or ones used by your school or library or restaurant where you use Wi-Fi.

If instead of a browser, you use a secure-messaging application such as Wire or Signal, that adds its own additional, innermost layer of encryption.



Advantages of using a VPN:









Some drawbacks of using a VPN:
[To avoid the last three issues, you may be able to add VPN exceptions or a proxy so that some sites don't go through the VPN, or set one browser or browser profile to use the VPN and another to not use it.]

Search Encrypt Blog's "The Case Against VPNs"






VPN client software:

To use a VPN, you have to have some client-side software installed at some level. Could be:

The client software could be:
OpenVPN is:
It seems to me that if the client piece is proprietary software from the VPN vendor, you're trusting it to a great degree: it sits below the browser's HTTPS layer and above the tunnel, so it sees every packet leaving your machine (the plaintext of anything that isn't separately encrypted, and the destination and timing of everything that is), and it runs with enough privilege to install other things. One example is a vendor root certificate, which would let the vendor read your HTTPS traffic as well: Ctrl blog's "Installing VPN root certificates leaves you more vulnerable to snooping"

From someone on reddit's /r/VPN:
> On Android, should I install VPN provider's app directly, or
> should I set up OpenVPN per instructions on provider's website?

Often the custom VPN client supplied by a VPN service has nice features that make it preferable to use. The stock Android OpenVPN client is spartan. 'OpenVPN for Android' by Arne Schwabe is better. You choose based on features/convenience.

I tried OpenVPN client on Windows 10 with Windscribe VPN 4/2018:


Michael Horowitz's "An introduction to six types of VPN software"





From /u/wilsonhlacerda on reddit:
> Which is the cheapest vpn app out there? That won't sell my info?

You never know if they will sell or not. If they will give it away or not. If they will spy on you or not. Or if they will give info when justice, government, cops, or similar demand them or not. If not the company itself, then an employee, will get your info or not.

Yegor S's "Free VPN Myths Debunked"
William Chalk's "Who's Really Behind the World's Most Popular Free VPNs?"
Jan Youngren's "Hidden VPN owners unveiled: 97 VPN products run by just 23 companies"
Osama Tahir's "What VPN services aren't telling you about data logging"

Excerpted from an FT article, on reddit 11/2018:
More than half of the world's 30 most popular smartphone apps for browsing the internet privately are owned by Chinese companies, according to a new study that raises significant privacy concerns.

Seventeen of the apps, which offer to connect users to the internet through a secure tunnel known as a "virtual private network" (VPN), were owned either by Chinese companies or companies appearing to have links to China.

...

But the companies operating them often had very limited privacy policies, said Simon Migliano, the head of research at Top10VPN.com, which reviews VPN services.

"We found a few apps that explicitly stated that users' internet activity was logged, which we have never seen anywhere else with VPNs. [VPN] policies usually state that they never ever log data," he said.

"We even found that in some cases they stated they would share your data with third parties in mainland China, which is clearly anti-privacy."

...

"It's pretty crazy that 60 per cent of apps we looked at didn't have a company website. Over half hosted their privacy policies on free wordpress blogs, that had ads on the page, full of typos and when you looked at them together, they had copied and pasted from each other in a sloppy way. This is far from what you'd expect from an internet company trying to protect your privacy."

Three of the apps - TurboVPN, ProxyMaster and SnapVPN - were found to have linked ownership. In their privacy policy, they noted: "Our business may require us to transfer your Personal Data to countries outside of the European Economic Area ("EEA"), including to countries such as the People's Republic of China or Singapore."

From someone on reddit:

VPN Kill Switch For Linux Using Easy Firewall Rules

If you're connected to a VPN, you need a killswitch. No, it's not as metal as it sounds. It's just a mechanism that stops your Internet connection when you're disconnected from the VPN. It protects you from inadvertently leaking sensitive information onto the Internet when the VPN connection drops.

Some VPN services provide clients with a built-in killswitch, but none are as reliable as using iptables. Since iptables is independent of your VPN service, and it's integrated into the kernel itself, it won't fail when your VPN does. Iptables is also a well-proven security technology that can and will keep your computer safe.

The Tin Hat's "The Best VPN Kill Switch For Linux Using Easy Firewall Rules"





Testing to see if all traffic actually goes through the VPN:




Alan Henry's "Why You Should Be Using a VPN (and How to Choose One)"
Thorin Klosowski's "The Biggest Misconceptions About VPNs"
joepie91's "Don't use VPN services"
Dennis Schubert's "VPN - a Very Precarious Narrative"
Max Eddy's "The Best VPN Services for 2019"
TheBestVPN's "Best VPN Services"
Amul Kalia's "Here's How to Protect Your Privacy From Your Internet Service Provider"
ProtonVPN's "VPN Threat Model" (what a VPN can and can't protect you from)
Troy Wolverton's "No perfect way to protect privacy"
Jonas DeMuro's "7 good reasons why a VPN isn't enough"
VPN Scam's "How to Avoid VPN Scams in 2017-2018"
reddit's /r/VPN
Wikipedia's "OpenVPN"

Private Internet Access (PIA) VPN
ProtonVPN
Windscribe

Some "VPNs" are just data-collecting operations:
Dell Cameron's "Do Not, I Repeat, Do Not Download Onavo, Facebook's Vampiric VPN Service"
Justin Cauchon about Verizon Safe Wi-Fi VPN



General complaint, from /u/wombtemperature on reddit 5/2017:

This VPN industry needs a wake-up call, ELSE a better way at helping the average joe at Starbucks. Guys. Like. Me.

I read. As such, I know the importance of a VPN. In fact, I have spent hours/days reading up on them. I have made excel spreadsheets to compare them (and looked at the ones on "that site"). I even WANT to give you my money to ensure I have a good one. As such, I have tried 4 paid popular ones I won't mention as I don't want to call them out, and spent a ton of time testing them on my PC and mobile.

They all are frustratingly SLOW. Or interfere with connections.

No matter what, all I want is a FAST secure connection I don't have to think about. Yet, I can't find a VPN that doesn't bring my public and often home network connections to a crawl. The expected "30% drop" is BS. And none automatically find me the best servers, and in fact often I can get faster servers 5000 miles away, but I have to manually select them.

I understand it's complicated. But I have stuff to do. Seriously. Which is why I want to pay someone else to think about these things and give me a good product.

You all sales-pitch me the "fastest speeds" but then I watch as my connection up and down speeds drop to pathetic - and I have the spreadsheets to prove it.

To anyone listening I speak for the masses ... take my money and give me a decent, secure VPN connection.

And if I am just not "reading enough" to know how to get what I am looking for, then it highlights my point that there is a problem out there for the non-technical guys like me who just want security without massive compromise and hours of research.
From /u/Youknowimtheman on reddit:

When we talk about speed drops, you're going to lose ~9% just because of how the encapsulation and encryption works. You're also going to lose about 10ms on pings because the actual encrypting and decrypting takes time.

It is also important to manage expectations when we talk about privacy networks that are based on shared connections. We have had a rash of users on our service that are unhappy with our "slow" performance because their gigabit connection slows down to 190Mbit. They don't understand the nature of VPNs and that in order to keep their information private, their traffic has to be mixed with other users on a server, and these servers are running the same 1Gbit connection that they have. Yes, it is 20% of your line speed, but at the same time it is extremely fast for the market generally, and pretty much the limits of what you'll see on a server with proper user densities to protect your information.

If you're talking about a 30% drop on 10Mbit that is significant. If you're getting a 30% drop on 200Mbit that's absolutely normal.

There's also other factors that play into VPN performance like distance from the server, which protocol they are using, etc.

In other words, you're always going to have some loss. If all factors are good, you can minimize that loss up to a limit in speed. More than 200Mbit just isn't going to happen on a safe and private connection generally.

IPv6, from someone on reddit 6/2017:

> why do many VPN setup guides advise you to disable IPv6 ?

A lot of VPNs only handle IPv4, so on those any IPv6 traffic bypasses the VPN.

Easiest fix is to disable IPv6. Better long-term solution would be to get a VPN that properly handles IPv6.

...

... the main reasons are:

That's why, if you really care about security, your first concern is finding a strong VPN provider. Something like supporting IPv6 is not on most people's priority list, nor on your VPN provider's, except for the best-in-class ones that at least prevent leaks at the client no matter which IP protocol they use.

...

Most budget/end user VPNs only cover IPv4 traffic, and anything sent over IPv6 is ignored.

...

I have seen anecdotally IPv6 messing up network applications. On more than one occasion.
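
The quick test the thread above is about, as an added example that is not from this page or from any VPN vendor: the routing table tells you whether default traffic, IPv4 and IPv6 checked separately, goes through the tunnel. The script assumes the tunnel interface is called tun0 (WireGuard setups usually use wg0), and the sample routing-table outputs in it are constructed, not captured from a real machine. It handles the two layouts VPN clients actually leave behind: OpenVPN's "redirect-gateway def1" pair of /1 routes that beat an untouched default route, and a second default route with a lower metric.

```shell
#!/bin/sh
# Added example, not from the page: check that default routes go through the tunnel.
# Assumption: the VPN interface is tun0. Run with LEAKCHECK_LIVE=1 to check this machine.

# route_check ROUTES TUN_IF
#   ROUTES is the text of "ip route show" or "ip -6 route show" (one family per call).
#   Prints: ok    default traffic for this family leaves through TUN_IF
#           leak  the winning default route leaves through another interface
#                 (expected when the VPN is off; a leak when it is supposed to be on)
#           none  this family has no default route at all, so nothing can leak
route_check() {
    routes="$1"; tun="$2"
    printf '%s\n' "$routes" | awk -v tun="$tun" '
        $1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" || $1 == "::/1" || $1 == "8000::/1" {
            dev = ""; m = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") m = $(i + 1) + 0
            }
            if ($1 == "default") {
                # with several default routes the lowest metric wins
                if (!have_default || m < best_m) { best_m = m; def_dev = dev }
                have_default = 1
            } else if (dev == tun) {
                halves++
            }
        }
        END {
            # OpenVPN "redirect-gateway def1": 0.0.0.0/1 + 128.0.0.0/1 (or ::/1 + 8000::/1)
            # via the tunnel are more specific than the untouched default, so they win
            if (halves == 2)          print "ok"
            else if (!have_default)   print "none"
            else if (def_dev == tun)  print "ok"
            else                      print "leak"
        }'
}

# Constructed sample outputs (not captured from a real machine)
V4_OPENVPN='default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
203.0.113.10 via 192.168.1.1 dev eth0'
V4_TWO_DEFAULTS='default via 192.168.1.1 dev eth0 proto dhcp metric 100
default via 10.8.0.1 dev tun0 metric 50
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20'
V4_VPN_OFF='default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20'
V6_BYPASS='2001:db8:1::/64 dev eth0 proto ra metric 100
fe80::/64 dev eth0 proto kernel metric 256
default via fe80::1 dev eth0 proto ra metric 100'
V6_LINK_LOCAL_ONLY='fe80::/64 dev eth0 proto kernel metric 256'

if [ "${LEAKCHECK_LIVE:-0}" = "1" ]; then
    echo "IPv4 default route: $(route_check "$(ip route show)" tun0)"
    echo "IPv6 default route: $(route_check "$(ip -6 route show)" tun0)"
else
    echo "sample OpenVPN def1 table:      $(route_check "$V4_OPENVPN" tun0)"
    echo "sample IPv6 table with VPN on:  $(route_check "$V6_BYPASS" tun0)"
fi
```

With the VPN on, the IPv6 result should be "ok" or "none"; "leak" there is exactly the bypass the thread describes, and the fix is either a client that routes IPv6 into the tunnel or disabling IPv6 on the physical interface. A DNS leak is a separate question, since name lookups can go to the ISP's resolver even when the routes are right; see the DNS section.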

Campbell Simpson's "CSIRO: Most Mobile VPNs Aren't Secure"
Sven Taylor's "VPNs are Using Fake Server Locations"
Violet Blue's "Is your VPN lying to you?"
Sunday Yokubaitis on companies behind various VPN brands



If you want to host your own outbound-to-internet VPN, you shouldn't do it on your home network, because your traffic would still leave through your home ISP and your home IP address, which is what you're trying to hide. Instead, the VPN server needs a different ISP, which probably means hosting it in a cloud service. Note what that changes: the cloud provider, rather than your home ISP, now sees where your traffic goes.
Jim Salter's "How to build your own VPN if you're (rightfully) wary of commercial options"
Romain Dillet's "How I made my own VPN server in 15 minutes"

One reason to build your own outbound-to-internet VPN (maybe hosted on a cloud service): some public networks (in hotels or schools or fast-food places) may block access to the IP addresses of well-known commercial VPNs, but the IP address of your personal VPN won't be in their block-list. The flip side is that a personal VPN server has an IP address used only by you, so sites can tie everything coming from it to you; it hides your traffic from the local network and your home ISP, but it doesn't mix you into a crowd the way a shared commercial server does.



I tried ProtonVPN free, starting 9/2017:
Torrenting not allowed when using free version.

I don't see any slow-down, but I am in Spain and mostly using USA web sites, so my speeds probably already were slightly low.

If I'm using a VPN server in another country, and do a Google search, Google changes country to France or Latvia or wherever the VPN server is. So I get results in French or Latvian or whatever.

Each time I change to a VPN server in a new country: In Windows 10, if you run the VPN and then click on the Network icon in the system tray and connect to Wi-Fi, it's possible to get connected to both the VPN and the normal Wi-Fi simultaneously. To fix this, I think you have to disconnect from both, then connect to Wi-Fi, then run the VPN.

I started using Windscribe 2/2018:
Free license. I installed only the Windows (VPN) part, not the Firefox (ad-blocker) part.

Limited to 10 GB per month in free version, less if you don't give an email address when you sign up. And 10 GB goes faster than you'd expect. Torrenting works.

Has a "kill switch": if the VPN connection goes down, your internet connection gets severed, instead of silently becoming non-VPN. Misleadingly, Windscribe calls this "firewall".

I'm sure some privacy-guys will say don't use Windscribe because they're a Canadian company, and 2/3 of their servers are in USA or Canada.

Seems to work well, good reviews online, turns out there are discount codes you can use to get a great deal. So I paid $41 for a Lifetime Pro subscription, unlimited devices, unlimited usage.

Installed it on my Android 7 phone, works okay. Apparently you're supposed to mark your home network as "untrusted", so that Windscribe automatically reconnects if connection drops and comes back ? I guess the theory is that you don't need VPN on a "trusted" network ?

I've done some occasional speed tests using my cheapo Dell laptop, Windows 10, Firefox, Vodafone fiber internet in Spain, VPN server in Spain or France. I'd say I see a performance penalty of 0 to 20% when using the VPN.

A few sites behave badly if I use Windscribe:
If I'm using Windscribe, PayPal USA makes me verify identity and then forces me to change password.
If I'm using Windscribe, Ryanair won't let me log in.
If I'm using a non-USA Windscribe server, TaxAct Online won't let me log in.

I was able to connect from my location in Spain, to a Windscribe server in USA, and then to a streaming web site, and stream a football (soccer) game in Spain, although the window was only 640x480, I think.

There are several ways to install Windscribe client on Windows:

There is a special setup procedure for uTorrent application: Windscribe's "uTorrent Setup Guide". But you're still protected if you don't do that.

Windscribe client can be installed in a router: see "Windscribe for Your Router" section of Windscribe's "Setup Guides". Only one Windscribe server can be listed, so if that one goes away, no internet. Windscribe firewall runs in the client OS, not the router. If connection to server drops, what happens depends on your router firmware, nothing to do with Windscribe.

If you run Windscribe in the router and nothing at all in the clients, all traffic does go over the VPN.

People online say that in iOS (Apple), the "firewall" doesn't work, because of the architecture of iOS. What functionality is lost ?

I changed my laptop to Linux, and installed Windscribe client Beta on it. If I try to turn on Linux firewall, the two firewalls fight each other, apparently. Windscribe Support says use one or the other. Support also says:
"There is currently no way to add rules to the Windscribe Firewall unfortunately. It either blocks everything that isn't coming from the VPN IP or it allows any connections to your direct IP. On and off. The only rule that we have built-in as an option is to allow LAN traffic so you can have the Firewall on and still connect to devices on your location network."
And then they said:
"The Windscribe Firewall is the Linux Firewall. The Windscribe CLI is using IPtables. Windscribe makes a rule to block everything that isn't in the VPN tunnel. The LAN traffic rule is just there if you do need it. The Firewall will block LAN traffic as well unless you don't want it to. And yes, there are instances where you'd want the Firewall to have exceptions for certain apps or services but since the Windscribe CLI is still in beta, we don't have those whitelisting options yet."

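What a kill switch actually is in iptables terms, as an added example that serves both the kill-switch section above (The Tin Hat's article) and the Windscribe support reply just quoted; it is neither The Tin Hat's script nor Windscribe's CLI. The VPN server address 203.0.113.10, UDP port 1194, physical interface eth0, tunnel interface tun0 and LAN 192.168.1.0/24 are placeholders, not values from this page. The function only prints the rules; they are applied (as root) only when asked for explicitly.

```shell
#!/bin/sh
# Added example (not The Tin Hat's script, not Windscribe's CLI): the iptables
# policy behind a VPN kill switch. Placeholders, not from the page: VPN server
# 203.0.113.10 on UDP 1194, physical NIC eth0, tunnel tun0, LAN 192.168.1.0/24.

# killswitch_rules SERVER_IP SERVER_PORT PHYS_IF TUN_IF [LAN_CIDR]
#   Prints the iptables/ip6tables commands; it does not run them.
killswitch_rules() {
    server="$1"; port="$2"; phys="$3"; tun="$4"; lan="${5:-}"
    cat <<EOF
# start clean; the default for outbound traffic becomes "drop"
iptables -F OUTPUT
iptables -P OUTPUT DROP
ip6tables -F OUTPUT
ip6tables -P OUTPUT DROP
# loopback is always fine
iptables -A OUTPUT -o lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# packets belonging to flows that were already allowed
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP renewals on the physical NIC, or the lease expires while the switch is armed
iptables -A OUTPUT -o $phys -p udp --dport 67 -j ACCEPT
# the ONE flow allowed to leave on the physical NIC: the tunnel to the VPN server
# (give the client the server's IP, not a hostname: DNS would have to go outside the tunnel)
iptables -A OUTPUT -o $phys -p udp -d $server --dport $port -j ACCEPT
# everything inside the tunnel is fine, for both address families
iptables -A OUTPUT -o $tun -j ACCEPT
ip6tables -A OUTPUT -o $tun -j ACCEPT
EOF
    # optional LAN exception (what Windscribe's "allow LAN traffic" switch does)
    if [ -n "$lan" ]; then
        echo "iptables -A OUTPUT -o $phys -d $lan -j ACCEPT"
    fi
    # when the tunnel goes down the VPN client would otherwise fall back to the
    # physical NIC; this is the rule that stops it
    echo "iptables -A OUTPUT -o $phys -j DROP"
}

# Print the rules by default; apply them (as root) only when asked explicitly:
#   KILLSWITCH_APPLY=1 sh killswitch.sh
if [ "${KILLSWITCH_APPLY:-0}" = "1" ]; then
    killswitch_rules 203.0.113.10 1194 eth0 tun0 192.168.1.0/24 | sh
else
    killswitch_rules 203.0.113.10 1194 eth0 tun0 192.168.1.0/24
fi
```

This is the "on or off" behaviour the support reply describes: nothing leaves the physical interface except the tunnel itself, and IPv6, which many VPN clients don't carry, is confined to the tunnel as well (the ip6tables policy also stops IPv6 on the LAN side; that is intended). To go without the VPN, undo it with iptables -P OUTPUT ACCEPT and iptables -F OUTPUT (and the ip6tables equivalents).
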
10/2018 Windscribe announced their servers block IPs of known sources of malware, and soon their DNS's will be doing ad-blocking. The level of filtering will be adjustable.

12/2018 Found out that Windscribe VPN is blocking a domain I need; when it blocks something, it does it by mapping to localhost. A user can't whitelist a domain; user either turns all blocking down to a lower level, or file a Support ticket asking for that one domain to be whitelisted (for everyone).

3/2019: They confirmed that their DNS's use DNSSEC to talk to other DNS's.

7/2019: Found that their filter/firewall "Robert" supports redirecting (spoofing) domains. This is dangerous, if someone gets into your account.

You could use the Tor network as a VPN:
GouveaHeitor / nipe


If you're doing illegal things, don't expect a VPN or proxy company and their ISP to shield you if they're served with a court order. They may be forced to log your activity and trace you and give the data to law enforcement.

If you're abusing the VPN itself, such as sending out millions of spam emails through the VPN, don't expect a VPN or proxy company and their ISP to shield you. They may report you to law enforcement, or happily cooperate with law enforcement.



Sven Taylor's "OpenVPN vs IPSec, WireGuard, L2TP, & IKEv2 (VPN Protocols 2019)"
Sven Taylor's "WireGuard VPN: What You Need to Know" (status as of 6/2019)

Sven Taylor's "Multi-Hop VPNs for Maximum Privacy & Security (How-To Guide)"













Proxy

A proxy relays your traffic so that it leaves from a different computer with a different IP address. By itself it adds no encryption: an HTTP or SOCKS proxy passes your traffic through as-is (with HTTPS the proxy sees only which host you connect to; with plain HTTP it sees everything), and a web-page (CGI) proxy fetches pages on your behalf, so it sees the full content of every page, even HTTPS ones. Also, proxy settings are usually per-application (for example, just the browser), so other programs on the machine keep using your real address.

Proxies have most of the same drawbacks as VPNs (added point of failure, some sites may not allow them, you have to trust the provider, etc.), but the performance penalty for a proxy should be much less than that for a VPN, since there is no encryption/encapsulation work.

Privacy.net's "What proxy servers are and how they differ from VPNs"
Jason Fitzpatrick's "What's the Difference Between a VPN and a Proxy?"
NewIPNow.com

Hide My Ass! (free proxy server)
Proxify
Public CGI (Web, PHP) anonymous proxy free list
search for Firefox proxy add-ons






Router And Modem

Parts of a router/modem:
These parts may be packaged into two devices (modem and router) or one device (router/modem).

General functional block diagram:

                  Internet
                     |
                    ISP
                     |
              WAN connection
        (fiber, cable, phone line)
                     |
                   MODEM
                     |
                    NAT
    (many LAN devices share one public IP address)
                     |
                  Firewall
        (filter traffic to prevent attacks)
                     |
               Router/switch
      (DHCP to assign LAN addresses;
       map IP addresses to external/Ethernet/Wi-Fi)
            /                    \
    LAN Ethernet ports     Wireless Access Point
            |                        |
   Devices connected         Devices connected
      via Ethernet               via Wi-Fi


Typical configurations:
Implications: From someone on reddit 7/2019:
You should have only one device functioning as a router. It's fine to have other routers in the network, so long as they are configured to operate purely as Wi-Fi Access Points (AP). If you have multiple functioning routers, then you'll have double or even triple NAT. While it's possible to get port forwarding to work through multiple routers, it's messy and unnecessary. UPnP won't work at all through multiple routers.


Router operating systems:
Nick Congleton's "DD-WRT vs. Tomato vs. OpenWrt: Which Router Firmware Is the Best?"

Router features:
Features that seem unimportant to me: parental controls, dual-band, built-in anti-malware, MU-MIMO, smartphone app to control router, Quality of Service (QoS) or Wi-Fi Multimedia traffic controls, mesh networking, USB port to make a NAS. Your priorities may be different.

Ethan Robish's "Home Network Design - Part 1"

Michael Horowitz's "Router Security"
Michael Horowitz's "Using VLANs for Network Isolation"






Firewall

A firewall lets you control what kinds of traffic flow in and out of your network.

Some types:

Wikipedia's "Firewall (computing)"
Palo Alto Network's "What Is a Firewall?"
Cisco's "What Is a Firewall?"
Chris Hoffman's "Do I Need a Firewall if I Have a Router?"

A firewall could be:







Torrent Seedbox

A seedbox is a torrent client running on a cloud/server computer. All torrents download to that server, then you copy the files from that server to your computer (use SFTP or FTPS rather than plain FTP, which sends your login and the files in cleartext). So if your ISP doesn't allow torrenting, or you're downloading copyrighted material, the swarm and anyone monitoring it see the seedbox's IP address rather than yours. The exposure moves rather than disappears: the seedbox provider can see and log what you torrent.

Seedbox Guide's "What is a seedbox?"






DNS (Domain Name System)

DNS is how domain names such as "google.com" are resolved into IP addresses such as "1.2.3.4".



Most likely, your computer is using either Google's Public DNS (8.8.8.8 or 8.8.4.4), or a DNS run by the ISP or VPN you are using, or is set to find a DNS automatically (which means it takes whatever DHCP hands out: usually the router's own address, which forwards lookups to the ISP's DNS; while a VPN is connected, the VPN client normally pushes its own DNS instead).

To find out what DNS you are using:
A few other settings are shown by Cloudflare's "Browsing Experience Security Check".

Test both with VPN on and with VPN off. There WILL be times you need to turn the VPN off to access some site.



The DNS resolver you use can see which sites (domains) you look up, and when, but not which pages or URLs or searches you are doing on those sites. Ordinary DNS (UDP port 53) is unencrypted, so your ISP or anyone else on the path between you and the resolver can see those lookups too, and can tamper with the answers.

What to use:

How to set DNS for the case when VPN is off:
I'm surprised that I couldn't get ANY of this to work !!!

  1. Turn off VPN.

  2. Run Doileak.com to see what DNS server is being used.

  3. In router:
    1. Login to router's admin page.
    2. You may have to set "expert mode".
    3. Look for any DNS settings.
    4. My Vodafone router only has a "Secure DNS" setting. The text for this implies that it overrides DNS settings in individual devices, but I'm not sure. Turning it off did not let me specify a DNS server address. Turning it off did not make Linux use its own DNS settings. Power-cycling router didn't help.
    Tim Fisher's "How to Change DNS Servers on Most Popular Routers"

  4. Run Doileak.com to see what DNS server is being used.

  5. In Linux Ubuntu/Mint:
    1. Click on network icon in system tray and choose "Network Settings".
    2. Click on the network interface (Wi-Fi or Wired).
    3. Click on "gear" icon in lower-right.
    4. Click on "Ipv4".
    5. In the "DNS - Server" field, put the value you want, such as "1.1.1.1".
    6. Set the "DNS - Automatic" switch to "off".
    7. Click on "Apply".
    8. Close "Network Settings" app.
    9. Click on network icon in system tray and turn the network interface (Wi-Fi or Wired) off and then back on.
    10. Reboot.
    11. Didn't work, still using ISP's DNS.
    12. Later set DNS on other network interface, and got different results ? Have to do both same way ?
    Another try:
    1. Edit "/etc/network/interfaces" as root, add line "dns-nameservers 1.1.1.1".
    2. Run "cat /etc/resolv.conf"
    3. Reboot.
    4. Run "cat /etc/resolv.conf", now new line appears in it.
    5. Didn't work, still using ISP's DNS.
    Ended up worse than before: now, with VPN on, I'm getting a DNS leak to 1.1.1.1. Removed the line from /etc/network/interfaces and rebooted, that fixed it.

    Maybe should remove "nameserver 127..." line from /etc/resolv.conf somehow ?

  6. In Windows:
    1. ???
    Mauro Huculak's "How to configure Cloudflare's 1.1.1.1 DNS service on Windows 10 or your router"

  7. In Android:
    1. Turn off VPN.
    2. XSLab's "How to Change DNS Settings on Android"
    3. Followed the "long-press on Wi-Fi network" instructions, everything fine except as soon as I set IP to "static", the "Save" button went away and nothing I did would bring it back.

  8. Run Doileak.com to see what DNS server is being used.

  9. In Firefox:
    1. Click on hamburger icon / Preferences.
    2. Click on General.
    3. Scroll to bottom, click on Network Settings.
    4. In "Configure Proxy Access to the Internet", click on "No Proxy".
    5. Scroll to bottom, click on "Enable DNS over HTTPS", set "Use Provider" to desired value.
    6. Didn't work, now getting DNS requests from both the provider I chose AND from my ISP's DNS. One request from provider, plus N from ISP's DNS. Could be that first is for the main page and then others are for images/scripts on the page ?

  10. In Chrome / Chromium:
    1. ???

  11. Run Doileak.com to see what DNS server is being used.

  12. Turn VPN back on.

  13. Run Doileak.com to see what DNS server is being used.
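
Two things a practitioner would check before repeating the steps above, as an added example that is not the page author's procedure: what /etc/resolv.conf is really pointing at, and setting the resolver through NetworkManager, which is what manages the interface on Ubuntu/Mint desktops (neither the GUI "DNS" field nor /etc/network/interfaces reaches a NetworkManager-managed interface). On those systems resolv.conf normally points at 127.0.0.53, the systemd-resolved stub, and the real upstream is only shown by "resolvectl status". The connection name "Wired connection 1" and resolver 1.1.1.1 are placeholders, and the sample resolv.conf is constructed.

```shell
#!/bin/sh
# Added example (not the page author's procedure): find out what /etc/resolv.conf
# really points at, and set the resolver through NetworkManager.
# Placeholders: connection name "Wired connection 1", resolver 1.1.1.1.

# resolver_kind RESOLV_CONF_TEXT -> stub | local | direct | none
#   Only the first "nameserver" line matters: it is the one the libc resolver tries first.
#   stub    127.0.0.53 = systemd-resolved. The real upstream is only visible with
#           "resolvectl status"; hand edits to this file are overwritten on reboot.
#   local   another loopback address = a local forwarder (dnscrypt-proxy, a VPN client, ...)
#   direct  a real resolver address (1.1.1.1, the router, the ISP, ...)
#   none    no nameserver line at all
resolver_kind() {
    printf '%s\n' "$1" | awk '
        $1 == "nameserver" && !seen {
            seen = 1
            if ($2 == "127.0.0.53")                 print "stub"
            else if ($2 ~ /^127\./ || $2 == "::1")  print "local"
            else                                    print "direct"
        }
        END { if (!seen) print "none" }'
}

# nm_dns_commands CONNECTION DNS_IP
#   Prints the nmcli commands that pin one resolver on a connection and stop
#   NetworkManager from taking the ISP's resolver from DHCP (v4 and v6).
#   Run them as root with the VPN off; a VPN client still pushes its own resolver while up.
nm_dns_commands() {
    con="$1"; dns="$2"
    echo "nmcli connection modify \"$con\" ipv4.dns \"$dns\" ipv4.ignore-auto-dns yes"
    echo "nmcli connection modify \"$con\" ipv6.ignore-auto-dns yes"
    echo "nmcli connection up \"$con\""
}

# Constructed sample (not copied from a real machine): a stock Ubuntu/Mint resolv.conf
SAMPLE_STUB='# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
nameserver 127.0.0.53
options edns0 trust-ad
search lan'

echo "sample resolv.conf points at: $(resolver_kind "$SAMPLE_STUB")"
if [ -r /etc/resolv.conf ]; then
    echo "this machine's resolv.conf points at: $(resolver_kind "$(cat /etc/resolv.conf)")"
fi
nm_dns_commands "Wired connection 1" 1.1.1.1
```

If the answer is "stub", run "resolvectl status" to see the upstream per interface; the nmcli commands change that upstream, and the leak-test sites then show the new resolver with the VPN off. Note that a VPN's pushed resolver, a browser's DNS-over-HTTPS setting and this system setting are three separate things, which is why a leak test can show requests reaching more than one resolver.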




If you're using a VPN or proxy or Tor to hide your normal traffic from your ISP or someone spying on your network, yet your DNS queries are NOT going through the VPN etc., that is called a "DNS leak": the observer still sees the name of every site you visit. A separate leak: a web page may be able to use JavaScript (the browser's WebRTC feature) to find out your real IP address, even though you're using a VPN etc. Leak-test sites check for both.
Wikipedia's "DNS leak"
DNS leak test
Anonymster's "VPN Free DNS Leak Test & DNS Leak Protection"



Nykolas Z's "DNS Security and Privacy - Choosing the right provider"

Some good reasons to use Google's Public DNS:
Joseph Caudle's "Why and How to Use Google's Public DNS"
Vijay Prabhu's "How to Change Your Default DNS to Google DNS for Fast Internet Speeds"

Choosing a DNS by speed:
John E Dunn and Tamlin Magee's "Best free DNS services 2018"
Remah's "How to Find the Best DNS Server"
Chris Frost's "Clearing the DNS Cache on Computers and Web Browsers"

My computer (running Windows 10) was set to "find DNS automatically", which meant it was using the DNS run by my ISP. I ran namebench several times, and results varied, but generally the DNS run by my ISP was fastest or among the fastest. So I left my computer set to "find DNS automatically".

From someone on reddit:
"some routers ignore individual device settings, so if that's the case you have to change the DNS settings on your router to whatever server you want to use"



There are various flavors of encrypted connection to DNS, and it's confusing: DNS over HTTPS (DoH, which Firefox can do on its own, as in the steps above), DNS over TLS (DoT), and DNSCrypt all encrypt the query between you and the resolver, so your ISP or the local Wi-Fi can't see or tamper with your lookups (the resolver operator still sees them). DNSSEC is a different thing: it signs the records so a forged answer can be detected, but the query still travels in the clear, so it does nothing for privacy. Note that a browser doing DoH covers only that browser; the rest of the system keeps using whatever resolver the OS is set to.

Test with: Doileak.com and Cloudflare's "Browsing Experience Security Check".

Sean Gallagher's "How to keep your ISP's nose out of your browser history with encrypted DNS"
DNSCrypt
DNSCrypt Proxy
Domain Name System Security Extensions (DNSSEC)



OpenDNS (includes blacklist of bad sites, at the DNS server)






MAC Address

This is an address unique to the network access card/hardware in your device.

Your MAC address doesn't get out to the Internet. Only people/devices on the same LAN as you can see your MAC address (that sometimes includes people sharing Wi-Fi with you), and it is in every Wi-Fi frame, so anyone within radio range with a sniffer sees it even when the Wi-Fi is encrypted. If you're using public or store or hotel Wi-Fi, the operator of that network now knows your MAC address and can sell that info; since the address doesn't change from network to network, it can be used to track you across networks and, via in-store Wi-Fi trackers, across physical locations. Recent versions of Android, iOS and Windows can use a different random MAC per network for this reason.

In TCP/IP, your MAC address doesn't go beyond your local network (if using a router) or the ISP's first hop (if using only a modem); each router along the way replaces it with its own. It would be possible for an app on your computer/phone to grab the MAC address and send it out in some custom way.



Change your MAC address:
Mac Makeup
Technitium MAC Address Changer (Windows only)
Linux Geekster's "3 Ways to change the MAC address in Linux and Unix"
OSTechNix's "How to change MAC address in Linux"
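
The Linux way, as an added example that is not from any of the tools listed above: generate a random address and apply it with ip(8). The catch the quick guides skip is that a random MAC must be unicast (bit 0 of the first octet clear) and locally administered (bit 1 set); drivers and access points reject addresses that get this wrong, and a random globally-administered address could collide with a real vendor's. "wlan0" is a placeholder interface name.

```shell
#!/bin/sh
# Added example (not from the page): generate a valid random MAC and the commands
# to apply it. "wlan0" is a placeholder interface name.

# random_laa_mac -> prints a random MAC such as 06:3f:9a:12:bc:77
#   First octet: bit 0 must be 0 (unicast; a multicast source address is invalid)
#   and bit 1 must be 1 (locally administered, so it can't collide with a vendor OUI).
random_laa_mac() {
    raw=$(od -An -N6 -tx1 /dev/urandom | tr -d ' \n')
    first=$(printf '%s' "$raw" | cut -c1-2)
    rest=$(printf '%s' "$raw" | cut -c3-12)
    fixed=$(( (0x$first & 0xfe) | 0x02 ))
    printf '%02x%s\n' "$fixed" "$rest" | sed 's/\(..\)/\1:/g; s/:$//'
}

# mac_is_laa_unicast MAC -> yes | no   (also rejects anything not of the form xx:xx:xx:xx:xx:xx)
mac_is_laa_unicast() {
    case "$1" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) ;;
        *) echo no; return 0 ;;
    esac
    h=$(printf '%s' "$1" | cut -c1-2)
    o1=$(( 0x$h ))
    # the two low bits of the first octet must be exactly "10"
    if [ $(( o1 & 0x03 )) -eq 2 ]; then echo yes; else echo no; fi
}

# set_mac_commands IFACE MAC -> the ip(8) commands; the interface must be down while changing
set_mac_commands() {
    echo "ip link set dev $1 down"
    echo "ip link set dev $1 address $2"
    echo "ip link set dev $1 up"
}

mac=$(random_laa_mac)
echo "new MAC: $mac (valid: $(mac_is_laa_unicast "$mac"))"
echo "run as root:"
set_mac_commands wlan0 "$mac"
```

The change lasts until the next reboot or until NetworkManager brings the connection up again with its own setting; for a per-network random address that survives that, NetworkManager has it built in (nmcli connection modify "<connection>" wifi.cloned-mac-address random).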







Certificates in the browser

What are the security and privacy implications of these ?

Some questionable certs may appear under "Authorities": a couple from China, DigiNotar. Various CAs have been hacked from time to time. Firefox is in the process of removing trust for Symantec-issued certs.

Certs that appear under "Servers" (in Firefox, these are the exceptions you added for sites whose certificates the browser didn't trust) reveal a little bit about your browsing history: they show which domains you've visited and accepted a bad certificate for.

As far as I know, there is no downside to removing Server certificates, and removing a few Authorities is okay too (as long as you don't remove them all). The one consequence to expect: any site whose certificate chains up to a root you removed will then show a certificate error, so remove only roots you have decided you don't trust.

Will any of the browsers report "hey, a new certificate was installed since last time the browser was running" ? I think they should.

Ctrl blog's "Installing VPN root certificates leaves you more vulnerable to snooping"
Pieter Arntz's "When you shouldn't trust a trusted root certificate"
Hanno Bock's "Check for bad certs from Komodia / Superfish"







Location Leaks

Probably we're all familiar with IP leaking, when some outside person/app gets your real IP address and usually can determine your approximate location, and if they get help from your ISP can determine your identity.

But is there "location leaking" inside the software in our computers ? Apps can query our Wi-Fi or router or ISP to get our GPS location or at least postcode ? I assume apps all can get our real IP address, even if we're using a VPN.

And yesterday, my Linux Mint 19 system installed an update which included "freedesktop" which runs a "GeoClue" location service for applications. I don't know quite what this does and how much it knows and how to turn it off (eventually I was able to uninstall it).

Any software inside our system that gets our real location or IP address potentially could leak it, accidentally or routinely or maliciously. The information might be included in crash dumps or traces in bug reports.

How do we stop this ? What other sources of location data are there inside our systems ? How do we set them all to report "none" or some fixed value of our choosing ?

Inside Android, an app can use Google Location Services API or Network Location Provider.

Inside Linux, while running a VPN and through a router, there are four kinds of IPv4 address: the loopback address (127.x), the PC's LAN address, the VPN tunnel address (while the VPN is up), and the router's public WAN address. I haven't found a way yet that an app on my computer can get the Router's WAN address, either with VPN on or VPN off. But with VPN off, an app could talk to a server outside and ask it "what IP address am I coming from ?".

Browser is a key point for storing/providing location data. Set preferences in each browser you use. And maybe use an add-on such as Location Guard






Inbound Traffic



From discussion on reddit 7/2019:
Normally, a router's firewall blocks all incoming traffic unless it's related to outgoing traffic. The firewall will temporarily open ports used by the outgoing traffic.

Port forwarding allows unsolicited incoming traffic to a port or range of ports through the firewall to a specific IP address in your LAN.

By opening an inbound port, you are exposing a device to unsolicited traffic from the Internet. Unless you can restrict the incoming traffic to a trusted remote address, the device may be at risk of being compromised. Open ports only when there is no option, such as gaming. Only open the necessary ports, and close them when finished. For other use cases, [carefully evaluate how much you can restrict access and what kind of authentication is being used.]

...

Tunneling home over an inbound VPN will give the outside client machine access to everything in your network, and apps like Hamachi work great for playing games that are only designed to work over LAN. However, inbound VPN is not suitable for services that need to be accessible by clients you don't control or clients that you don't want to have access to your whole internal network. You would not use an inbound VPN just to make a web server accessible, nor would you use an inbound VPN for most services designed to work over the Internet.

...

Low-security file sharing protocols like SMBv1 are only safe to use over a secure LAN and should never be exposed to the internet.

...

UPnP is a multi-purpose protocol. One of its functions is to enable a device to dynamically set up port forwarding on a UPnP-enabled router. This can be convenient when multiple devices (such as multiple gaming consoles) need port forwarding. The application/game must work on multiple, different ports. If it doesn't, then it's impossible for multiple consoles to work in the same network. While UPnP can be convenient, there are documented instances of security vulnerabilities associated with it.

Most people will want to set up port forwarding manually on the router or use UPnP. In most cases, it makes sense to pick one method. ... Using a combination of both will give the static rules precedence. Some people disable UPnP port forwarding entirely for security reasons, but using both doesn't create any issue. The only reason to say "I'm only using UPnP" is to avoid confusion between the static and dynamic port forwarding rules. You can use both. While it's true that UPnP is insecure by design, the convenience it offers home users is usually well worth the concerns in small networks where you manage all the devices. ... For any given application/game, you only need to use one. It's certainly possible to use static port forwarding for one application and UPnP for another.

...

In a home network, it's strongly recommended to have only one device functioning as a router. It's fine to have other routers in the network, so long as they are configured to operate purely as Wi-Fi Access Points (AP). If you have multiple functioning routers, then you'll have double or even triple NAT. While it's possible to get port forwarding to work through multiple routers, it's messy and unnecessary. UPnP won't work at all through multiple routers.

...

Usually, you need only concern yourself with opening ports for incoming traffic. All consumer-grade routers open all ports in the outgoing direction by default, so you can generally ignore any application- or game-specific requirements to open outbound ports. You may come across some applications and games where it's not specified which direction (inbound/outbound) needs to be opened. This is really unfortunate, as you end up having to open more ports than necessary. Do be sure you open the correct protocol (UDP or TCP). If in doubt, open both.

...

Before you test port forwarding through your router [to a server on your LAN], make sure the application/game is running on your server. Then try connecting to it locally from another local device. ... Once you have confirmed that a local connection works, you can proceed to test port forwarding [inbound from the internet]. ...

...

If you run the actual application/game executable (not through a browser), maybe run it on a device that is not connected to your home network (LAN). If you have a smartphone, for example, switch from Wi-Fi to cellular Internet.
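The two-step test described above (LAN side first, then from outside), as an added Python example; this is not code from the reddit discussion or from this page. It starts a throwaway listener on 127.0.0.1 as a stand-in for the game or server process, and classifies each probe as open, closed (the host answered with a reset: reachable, but nothing listens there, or the forward points at the wrong host/port) or filtered (no answer at all: the router's firewall dropped the packet, the usual symptom of a missing forwarding rule). The LAN address, public host name and port in the comments are placeholders.

```python
import contextlib
import errno
import socket
import threading


def probe_tcp(host, port, timeout=3.0):
    """Try a TCP handshake with host:port and classify the outcome.

    open      handshake completed: a listener exists and the path to it is allowed
    closed    the host answered with RST: reachable, but nothing listens on that
              port (on the public side: wrong forward target, or service not running)
    filtered  no answer before the timeout: a firewall dropped the SYN, which is
              what a missing or wrong port-forwarding rule looks like from outside
    Other OS errors (no route, name lookup failure) come back as 'error: ...'.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as exc:
        return "error: " + (errno.errorcode.get(exc.errno) or str(exc))
    finally:
        sock.close()


@contextlib.contextmanager
def local_listener(port=0):
    """Stand-in for the game/server: accept and immediately close connections
    on 127.0.0.1 in a background thread. Yields the bound port (0 = any free)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    srv.settimeout(0.2)          # lets the accept loop notice the stop flag
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:
                break

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        yield srv.getsockname()[1]
    finally:
        stop.set()
        worker.join()
        srv.close()


def check_forwarding(lan_host, public_host, port, timeout=3.0):
    """LAN-side check first; Internet-side check only if the first one passed.

    Returns (local_state, public_state). public_state is None when the local
    check failed, because a forward cannot be diagnosed while the service
    itself is unreachable. Run the public-side probe from a device that is NOT
    on your LAN (a phone on cellular, for example): from inside, the public IP
    may or may not loop back, depending on the router's NAT hairpin support.
    """
    local = probe_tcp(lan_host, port, timeout)
    if local != "open":
        return local, None
    return local, probe_tcp(public_host, port, timeout)


def run_local_demo():
    """Offline demonstration with the loopback listener playing the server.
    Returns the results with the service up, then with it stopped."""
    with local_listener() as port:
        while_up = check_forwarding("127.0.0.1", "127.0.0.1", port)
    while_down = check_forwarding("127.0.0.1", "127.0.0.1", port)
    return while_up, while_down


if __name__ == "__main__":
    print(run_local_demo())          # (('open', 'open'), ('closed', None))
    # Real use (placeholder addresses): server at 192.168.1.50, the router's
    # public name or IP as the second argument, game port 25565/tcp, and the
    # public probe run from a device outside the LAN:
    #   print(check_forwarding("192.168.1.50", "my-public-hostname.example", 25565))
```

A "closed" result from outside while the LAN check is "open" points at the forwarding rule (wrong target IP or port, or wrong protocol: this probe is TCP only, so a UDP-only game needs a separate UDP test). A "filtered" result from outside with "open" inside usually means no rule at all, or an upstream NAT (double NAT, or the ISP's CGNAT) in front of your router.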







Tor Browser

Tor is a network of volunteer relays. Tor Browser builds a circuit through three of them: an entry (guard) node, a middle node, and then either an exit node (for normal Internet traffic) or, for an onion site, a rendezvous point where your circuit meets a circuit built by the onion service itself. Only the entry node sees your IP address, only the exit node sees the destination, and no single relay sees both.

It is possible to use Tor Browser and still not have privacy or anonymity. If you're the only person on your network using Tor, your activity can perhaps be correlated with the traffic coming out of the exit node. If you log in to a web site using your real info, that site will know who you are. If you use plain HTTP rather than HTTPS, the exit node and its ISP can read and modify your traffic.



If you're using Tor browser instead of a VPN, only the browser's traffic is going through the Tor network; traffic from other applications and background services does not. I say: leave the VPN running 24/365, even when you're using Tor browser.



Tails is a Linux system where all internet traffic goes through the Tor network. Another is Kodachi (article). I think both are designed to be run from a USB stick, without persistence, so any changes to OS and apps etc get wiped when you shut down.



You could use the Tor network as a VPN:
GouveaHeitor / nipe
Edu4rdSHL / tor-router

BUT: the Tor network only carries TCP streams (plus DNS lookups made through the Tor SOCKS proxy), not UDP or ICMP. With a transparent-proxy setup, anything that uses UDP is either dropped or, if the firewall doesn't block it, leaks straight out past Tor; see Tor FAQ item

TorProject's "TransparentProxyLeaks"



Tor Browser

Privacy.net's "Everything you wanted to know about Tor but were afraid to ask"
Andy Greenberg's "The Grand Tor: How to Go Anonymous Online"
Tor Project's "Check your Tor browser"
Matt Traudt's "VPN + Tor: Not Necessarily a Net Gain"
Matt Traudt's "About to use Tor. Any security tips?"

Onion search engines: Torch, NotEvil, Ahmia.fi

Juan Sanchez and Garth Griffin's "Who's Afraid of the Dark? Hype Versus Reality on the Dark Web"

/r/Onions







Tor Server



Can you have one web site which is accessible through both clearnet and also onion (Tor) ?
If you are renting a VM and hosting the site yourself, make sure your provider allows this. If your site is on a shared hosting service, the service would have to offer onion as a feature (and I'm unaware of any mainstream service that does so).

Ablative Hosting makes the same site appear on clearnet and onion:


A "Tor2Web proxy" lets people using a normal browser access an onion server. But:
Matt Traudt article



Onion domain names are not chosen, they are derived from the service's key. A v2 address is 16 base32 chars (a truncated SHA-1 hash of the service's RSA public key); a v3 address is 56 base32 chars (the Ed25519 public key itself, followed by a checksum and a version byte). So you can't specify a domain name you want; the nearest thing is "vanity" generation, which brute-forces keys until the address starts with a chosen prefix, and gets 32 times slower for every extra character of prefix.
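How a v3 address is derived from the key, and how to validate one before you trust a link, as an added Python example (not code from the Tor project or from this page; the key bytes are a constructed placeholder, not a real Ed25519 key). The address is base32(pubkey || checksum || version) where checksum is the first two bytes of SHA3-256(".onion checksum" || pubkey || version) and version is 3; because the version byte is fixed, every v3 address ends in the letter "d".

```python
import base64
import hashlib

ONION_V3_VERSION = 3
CHECKSUM_PREFIX = b".onion checksum"


def onion_v3_checksum(pubkey, version=ONION_V3_VERSION):
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + bytes([version])).digest()[:2]


def onion_v3_address(pubkey):
    """Derive the v3 name from a 32-byte Ed25519 public key:
    base32(pubkey || checksum || version) + ".onion"  (35 bytes -> 56 chars).
    Nothing in here is picked by the operator; a different key gives a
    different name, which is why a chosen name can only be brute-forced."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be exactly 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + bytes([ONION_V3_VERSION])
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_v3(address):
    """Validate a v3 address and return the embedded public key, or None.
    Rejects wrong length (including 16-char v2 names), characters outside the
    base32 alphabet, a version byte other than 3, and a checksum mismatch
    (a typo, or a link someone has tampered with)."""
    name = address.strip().lower()
    if name.endswith(".onion"):
        name = name[:-len(".onion")]
    if len(name) != 56:
        return None
    try:
        raw = base64.b32decode(name.upper())
    except ValueError:          # binascii.Error: non-base32 character
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != ONION_V3_VERSION or checksum != onion_v3_checksum(pubkey, version):
        return None
    return pubkey


if __name__ == "__main__":
    demo_key = bytes(range(32))     # constructed placeholder, not a real key
    addr = onion_v3_address(demo_key)
    print(addr)                     # 56 chars ending in 'd', then ".onion"
    print(parse_onion_v3(addr) == demo_key)
```

The checksum only catches typos and accidental corruption; it is not a signature, so a validly formed address is still only as trustworthy as the place you got it from.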

NordVPN's "How to make a .onion site"
DeepWebSitesLinks' "Deep Web Hosting ..."
/r/onions' "Hosting a Hidden Service"
Riseup's "Best Practices for Hosting Onion Services"
Bashir Barrage's "How To Build a DarkWeb Server" (PDF)

Scan your onion site for problems:
OnionScan
tokyoneon's "Detect Misconfigurations in 'Anonymous' Dark Web Sites with OnionScan"




From someone on reddit 4/2019:

> How do I go about hosting a Tor site. I know how to make a clear web site using node JS ...

Unless this is just a toy project and nothing really bad will happen if you get traced, do not take the advice to run Tor on a machine, run a Web server on that same machine, and have Tor forward .onion address to that Web server.

With the naive configuration, you will be pwned if anybody puts in any real effort, so don't use that configuration if being owned is a problem and you think anybody might put in any effort.

The biggest problem with hidden services is that there are roughly 87 billion bugs, misconfigurations, and bad defaults that can show up anywhere in your Web server, framework, language, database, libraries, or whatever, and leak the server's real IP address to remote clients. Or even give remote clients the ability to run arbitrary code on the Web server, which means that you lose if it can even send any clearnet traffic at all.

You have to close all the holes you can, and then you have to assume that you'll still have missed some. That means that you can't let the server know its own real IP address. That means that you can't have the Tor process running in the same network address space as the Web server process. You shouldn't have them share a kernel, and really shouldn't even have them on the same physical hardware.

Have a look at the Whonix physical isolation configuration. I think that's unsupported and requires some skill to set up, but it's still safer than rolling your own for most people in most circumstances.

The bottom line is that this is a "full stack" endeavor. You have to think about everything from the hardware up through the application. Otherwise you will lose. If there's any part of your system that you do not completely understand, you have to deprive it of any sensitive information, and then surround it with a wall of stuff that you do understand. Otherwise you will lose.

Keep everything as simple as possible. Use as little software as possible, and choose software that's as bulletproof as possible. Don't put in any nonessential features.

Remember that many of your clients will be running with JavaScript disabled.

If it's a really hot service, assume it will be compromised anyway, so put another layer between you and it. Buy your hosting in a way that can't be traced to you, and manage it over Tor or I2P.
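One of the cheap checks the post is talking about, and the kind of thing OnionScan (linked above under "Scan your onion site for problems") automates, as an added Python example; this is not OnionScan's code, not the reddit poster's, and not from this page. It scans a single raw HTTP response for things an onion service should never hand a remote client: software banners in headers, IP literals (private ones give away your LAN layout, public ones your hosting), and links to clearnet hosts, which a visitor's Tor Browser would fetch through an exit relay. The two sample responses are constructed, not captured from any real site.

```python
import ipaddress
import re

# Response headers whose presence alone tells a client what software or
# upstream infrastructure is serving the site. Extend as needed.
BANNER_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator",
                  "via", "x-forwarded-for", "x-real-ip"}
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def find_leaks(raw_response):
    """Scan one raw HTTP response (status line, headers, body) and return a
    list of human-readable findings; an empty list means nothing was spotted.

    Offline and heuristic: it cannot prove the absence of leaks, only flag
    the cheap ones (banners, IP literals, links to clearnet hosts)."""
    head, _, body = raw_response.partition(b"\r\n\r\n")
    findings = []

    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:   # skip status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    for name in sorted(headers):
        if name in BANNER_HEADERS:
            findings.append(f"header {name}: {headers[name]!r} identifies software or upstream host")

    text = head.decode("latin-1") + body.decode("utf-8", "replace")
    for literal in sorted(set(_IPV4.findall(text))):
        try:
            addr = ipaddress.ip_address(literal)
        except ValueError:
            continue          # e.g. 10.1.2.300: looks like an address, is not one
        if addr.is_loopback:
            continue          # 127.0.0.1 reveals nothing about where the host is
        kind = "private or reserved" if addr.is_private else "public"
        findings.append(f"{kind} IPv4 literal {literal} in response")

    for host in sorted(set(h.lower() for h in _URL_HOST.findall(text))):
        if _IPV4.fullmatch(host):
            continue          # already reported above
        if not host.endswith(".onion"):
            findings.append(f"link to clearnet host {host} (a visitor's fetch would go through an exit relay)")
    return findings


# Constructed sample responses (not captured from any real site).
LEAKY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.3\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<a href='http://192.168.1.10/admin/'>admin</a>\n"
    b"<img src='https://cdn.example.net/logo.png'>\n"
)
CLEAN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<a href='http://placeholderonionaddress.onion/'>home</a>\n"
)

if __name__ == "__main__":
    for finding in find_leaks(LEAKY_RESPONSE):
        print("LEAK:", finding)
    print("clean response findings:", find_leaks(CLEAN_RESPONSE))
```

Passing this check says nothing about the bigger problems the post describes (a process that knows its own public IP, or remote code execution on the web server); it only keeps you from making the easiest mistakes, and it is run against the response as the client sees it, so run it over Tor against the .onion name, not against localhost.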







Miscellaneous



EFF's "What Should I Know About Encryption?"
Latacora's "The PGP Problem"






This page updated: July 2019
