Methods of anonymity online. Part 2. Data Leaks

Hi, habrayuzer!

Today we will continue to talk about anonymity on the Internet.
The second part was a little more difficult for beginners. It will consist of two sections:

• In the first section, we end up talking about centralized solutions for “anonymity”: VPN, SSH, SOCKSx.
• In the second, we consider specific leaks of deanonymizing data.

All parts here:
Part 1: Methods of anonymity online. Just about the complicated .
Part 2: Methods of anonymity online. Data leaks .
Part 3: Methods of anonymity online. Firefox .
Part 4: Methods of anonymity online. Tor & VPN. Whonix .

Centralized means of "anonymity"

Immediately I will note the main thing: no centralized solution can provide a high level of anonymity, since it is necessary to trust the central site.
We will not talk about organizational, political and bureaucratic difficulties in disclosing anonymity.
Perhaps the VPN server in Panama is indeed more secure than the same server in Spain. Or maybe not.
Just as we will not talk about the chain of nodes, as their reliability is difficult to assess. On the one hand, in view of organizational difficulties, the risk of disclosure is lower, and on the other, we must be fairly confident in each node.
Let us turn to the specifics.

Proxy servers: http and SOCKSx

Let's take a closer look at http-headers in http-proxy.
The HTTP header is a string in an http message with some parameters of the form: “ Name: Value ”. There are a lot of headers; in the course of interaction, they are exchanged between clients and servers.
For example, the following field: “ Date: Sat, 12 Dec 2012 15:41:52 GMT ” returns the current time and date from the server to the client.
One of these headers: X-Forwarded-For, in fact, is the standard for the server to get the original client address when accessing the server through an HTTP proxy. And in this header, if it is not filtered, the whole chain of proxy servers is transmitted from beginning to end, for example:

• X-Forwarded-For: client1, proxy1, proxy2 ...
• X-Forwarded-For: 169.78.138.66, 169.78.64.103 ...

Also to the headers that disclose deanonimizing information include: HTTP_VIA, HTTP_FORWARDED, etc.
')
HTTP proxy servers that hide the client's ip address are called anonymous. Such servers are divided into types, the division is very conditional, but, nevertheless, there are:

• Simple anonymous proxies (anonymous). These servers do not hide the fact of using the http-proxy, but they replace the client's ip-address with your own.
• Elite anonymous (high anonymous / elite). Such servers also hide the fact of using http-proxy.

SOCKS proxies, as you remember, do not transmit any headers.

Consider the difference between SOCKS 4, 4a and 5. There are different versions of SOCKS:

• SOCKS4. Such servers require from the client, for example, a web browser, only the ip-address of the resource to which it refers (the addressee). Therefore, the client needs to somehow find out this ip-address, and the client can only find out its direct DNS request bypassing the proxy. This can lead to de-anonymization, since the ISP can see DNS requests in open form, this vulnerability is called DNS-leaks, it is described later in the second part of the article.
• SOCKS4a. It is an extension of SOCKS4. The main difference is that SOCKS4a-server receives from the client only the DNS-name of the addressee, and not its ip-address. This is necessary when the client cannot independently determine the destination IP address by the DNS name.
• SOCKS5. It is also an extension of SOCKS4. SOCKS5 server supports UDP, IPv6, authorization, etc. And, although SOCKS5 proxies can receive from the client both the ip address and the DNS name of the target resource, some applications that support SOCKS5 can receive the destination ip address before contact a SOCKS5 proxy, which can also lead to a leak of DNS queries.

Ssh. SSH vs. VPN Comparison

An SSH tunnel is a tunnel created by means of an SSH connection and used to encrypt transmitted data. As the Wikipedia article of the same name says: " SSH (English Secure SHell -" secure shell ") is an application-level network protocol that allows remote control of the operating system and tunneling TCP connections (for example, for file transfer) ."
When using an SSH tunnel, the open traffic of any protocol is encrypted at one end of the SSH connection, the client, and decrypted at the other, SSH server.
The scheme of SSH-tunnel operation is shown in the figure:

The SSH protocol supports several work options:

• In the first variant, the tunneled application must have HTTP / SOCKS proxy settings for directing traffic through the local proxy server to the SSH tunnel. If there are no such settings, then you can use co-encryption programs that send traffic through a proxy server.
• In the second case, you can organize almost full-fledged VPN-connection and do without setting up SOCKS. Starting with version 4.3, an open implementation of SSH, OpenSSH, can use Layer 2 and Layer 3 network interfaces of the OSI model, that is, organize analogs of VPN connections.

Let's compare VPN and SSH in terms of anonymity.

Goals
Historically, VPN and SSH were intended for different purposes, which explains their pros and cons.

• VPN is designed to provide secure remote access to corporate network resources. Once the computer connects to the VPN server, it becomes part of the “local” network, and therefore it can receive all its services: shared resources, local VoIP service, NetBios, UDP, and broadcast requests, unified VPN, also become possible. politicians, etc. VPN in most cases sends traffic to the entire operating system and applications.
• SSH was originally intended for secure remote device management. An SSH connection is a connection to a “specific device” and not to a “network.” Although SSH masters can do a lot of cool things with it.

Security
VPN and SSH protocols are fairly secure except for PPTP. Most of the possible attacks come down to Man-in-the-middle and the substitution of certificates or keys, but this is a problem of authentication and user care.

Convenience
Convenience is a conditional and subjective concept, it depends on your goals and experience.

It is easy to connect to the VPN server, but for beginners it may be difficult to configure it.
While the SSH server is easier to configure, for example, it may not seem quite convenient for someone to manually configure the SSH tunnel for each application.

Speed
The speed of each tool depends on the specific implementation and protocols used. If we compare SSH and OpenVPN, I’ll share the research already done :

• network - 96.5 Mbps.
• network / SSH - 94.2 Mbps.
• network / VPN - 32.4 Mbps.

Summing up, it is worth noting that VPN servers are more popular than SSH. There are many commercial VPN providers on the Internet. However, SSH tunnels are also sold in abundance on specialized forums.
What to deploy on your server in Antarctica is your business.

Helpful advice

Sometimes there is a situation where a VPN connection may be disconnected for some reason. If in the case of a proxy server, network communication is terminated, then in the case of VPN, traffic will continue to go directly. The most reliable option to prevent this is to use a routing table, where only the VPN server gateway is specified as the default default gateway.
This is done simply:
1. Remove any default routes:

2. We allow access to the Internet only to the address of the VPN server:

3. Add a default route with a gateway - VPN server:

Where: 192.168.0.1 - Internet gateway; 55.55.55.55 - VPN gateway.
Another way is to install non-existing DNS servers in the properties of an open Internet connection, for example, 127.0.0.1. In this case, web surfing and other similar tasks become impossible without connecting to a VPN server.
There are also special programs, for example, VPN-watcher, which for specified applications checks the VPN connection several times per second and suspends their work if the VPN connection is terminated.
Thanks for another Pongo method : “ Another way to protect yourself from a vpn break is to set up a firewall. A standard windows firewall is also suitable. There are instructions with pictures . And you can’t create blocking rules, but limit to the 10th item. For individual programs (for example, for openvpn), you can separately create permitting rules so that these programs work even if the VpN is not connected. "
Thanks for another way of amarao : " I think if you build a secure structure, then you just need to allocate two sessions - secure and not secure. Put the session leader in cgroups, from where the non-vpn interface is simply not available for use - in this case the information will be sent only through this interface. "

De-animizing data and possible vulnerabilities

Let's see what kind of identification information we can transfer to the Internet. I will not consider vulnerabilities (including 0day) in programs whose operation may lead to complete computer control in general.

General

IP address . The most "popular" identifier in the network. Its value may be different in different situations, but as a rule it is the custom to frighten network “anonymuses” by disclosing an ip address.
Solution : with hiding ip-addresses cope means described in the first article: " Methods of anonymity in the network. Just about the complicated "

DNS-leaks occurs when an application can send its DNS queries using the ISP's DNS servers. This is often the case when people, through a local proxy server (hi, SOCKS 4, 5!), Try to send traffic to the Tor network of various applications that resolve DNS names to bypass Tor.
To check whether you are subject to this leak can be found here: www.dnsleaktest.com
Solution : when working with a VPN connection, the most convenient option is to use static DNS servers of the VPN provider or, if you have a personal VPN server, use OpenDNS servers (208.67.222.222, 208.67.222.220) or Google DNS (8.8.8.8 , 8.8.4.4).
To prevent such leaks in Tor, it is recommended that you use the Tor Browser Bundle or, if you really want to send traffic to another application to Tor, then the most secure and versatile option is an insulating proxy, which will be discussed in one of the following articles.
There are no DNS queries on the I2P network. When working with outproxy, DNS queries are performed at the outproxy itself.
Thanks for the advice of Rulin : " ... when using the Socks proxy in Firefox, DNS-leaks will occur by default, to get rid of this, you need: In the address bar, type about: config, Click" I'll be careful, I promise! ",
Find the option network.proxy.socks, double click to change the value to true,
Everything, now when using socks proxy, dns requests will also go through socks ".
The “network.proxy.socks_remote_dns” setting determines where DNS queries will be performed when using SOCKS5. The value “True” establishes that they will be executed through SOCKS proxies, and not on the client.

Profiling occurs when most traffic takes a long time to go to the Internet through one node, for example, Top. Then it is possible to relate the activity seen to a single pseudonym. The output node may not know your ip-address, but will know what you are doing.
Solution : do not use constant Tor chains, regularly change output nodes (VPN servers, proxy servers), or, looking ahead, use the Whonix distribution.

MitM attacks are aimed at listening and modifying traffic on the output node, such as Tor or any proxy server. An interesting option is to modify the output node of digital signatures, GPG or SSL fingerprints, hash sums of downloaded files.
Solution : be careful when you receive warnings about the validity of certificates and keys.

Deanonimizing activity in an anonymous session . For example, when a client from an anonymous session enters his page on the social network, his Internet provider will not know about it. But the social network, despite the fact that it does not see the real ip-address of the client, knows for sure who has logged in.
Solution : do not allow any left activity in the anonymous session.

Simultaneous connection via anonymous and open channel . In this case, for example, if the Internet connection is broken, both client connections with the same resource will break. According to this fact, it will be easy for the server to calculate and compare two simultaneously completed connections and calculate the real address.
Solution : do not allow simultaneous connection to the resource via anonymous and open channel.

Definition of text authorship . Read more here . The application can compare the text written anonymously and other plaintext, exactly belonging to the author, and determine the coincidence of authorship with a high degree of probability.
Solution : jokes, jokes, but this topic has not been studied enough yet. You can advise to hide the text, which can be uniquely associated with you. Then there is nothing to compare and anonymous text.

The MAC address of the network interface becomes known to the wi-fi access point when the client connects to it.
Solution : if you are worried that the access point will remember the MAC address of your interface, just change it before connecting.

On this resource dedicated to our “digital shadow”: myshadow.org/trace-my-shadow , among other things, we can see what data we transmit about ourselves to the network:

What can browsers tell?

Cookies are text files with some values ​​stored by the application (often a browser) for different tasks, for example, authentication. It often happens that a client first visited a resource from an open session, the browser saved cookies, and then the client connected from an anonymous session, then the server can match the cookies and calculate the client.
Moreover, there are so-called 3rd-party cookies, which are saved here, for example, after viewing an advertising banner from another site (3rd-party). And the site-owner of this banner is able to track us on all resources where its banners are located.
For those who want to learn the topic of cookies in more detail, I advise you to read the articles:

• Cookie without cookies .
• Persistent non-blocking cookies using HTTP headers .
• Evercookie - the most resistant cookies .

Flash, Java, Adobe . These plugins are essentially separate applications that run on behalf of the user. They can bypass proxy settings, store their individual long-lived cookies (Flash - Local Shared Objects), etc. It is unnecessary to speak about vulnerabilities regularly published in them.

Fingerprint browser . The browser provides the server with dozens of data categories, including the so-called user agent . All this can form a rather unique “digital browser fingerprint”, by which it can be found among many others already in an anonymous session.
What kind of data your browser sends to the server, you can see, for example, here , here (it is panopticlick.eff.org ) and here .

Javascript scripts executed on the client side can collect even more information for the server, including its explicitly identifying information. Moreover, if the site we visit is prone to XSS , then the Javascript scripts included in it will help the attacker to carry out a successful attack with all the ensuing consequences.

Web Bugs are the invisible details of the web pages used to monitor visits to the site, and can additionally send different data about the client to the server. Google's Web Bugs are widespread throughout the web.

An HTTP referer is an http header with which the website can determine where the traffic is coming from. That is, if you clicked on the link that sends the http referer, then the site to which this link leads will be able to find out exactly which site you went to it from.

Solution : about the safe configuration of each of the browsers, including the blocking of each of the above described categories of identifying data, is very detailed and clearly written on the resource: fixtracking.com , from the remarkable search engine DuckDuckGo:

Applications

It is important to understand that initially many applications were conceived and designed not so much for ensuring anonymity, as for normal and effective work in “difficult” network conditions: bypassing blocking firewalls, proxy servers.
As an example, I will cite only a small part of the applications that can independently transmit data that identifies us to the network.

• Some BitTorrent clients ignore proxy settings, sending traffic over open channels.
• Windows Update sends the server a dozen categories of data, including a unique 128-bit identifier (GUID). Windows Update is also vulnerable to MitM, and therefore, the output node, for example, Tor, can be a source of attack.
• License keys paid or serial numbers of free applications can also be transferred to the Internet, for example, when activated or updated, thereby identifying the user.
• Windows Media Player can independently request information about the music or exchange service data.
• Time zone data can be transmitted using the IRC chat via the CTCP protocol, the Client-to-client protocol.
• A Windows operating system dump sent in case of an error also contains identifying data.
• File metadata may include important data: creation date, authorship, etc.

Solution : do not use any untrusted and unverified application in an anonymous session.

Conclusion

Thanks for attention! I will be glad to constructive comments and clarifications.
UPDATE : In the next article I will talk about the scheme " in which the use of the Internet is not stressful and there are no traces of this kind ." Namely: analyze the settings of the web browser regarding anonymity, for example, Firefox.