COVER STORY: Tor and Privoxy

Anonymous surfing with Tor and Privoxy

SECRET AGENT

Internet users typically reveal their IP addresses, and this lets companies compile a profile of your Internet activities. Tor and Privoxy can help protect your privacy.

BY KRISTIAN KISSLING

ISSUE 67 JUNE 2006 WWW.LINUX-MAGAZINE.COM

The epidemic of Internet-based market research continues: many companies routinely investigate their customers’ Internet surfing habits – a cheap and transparent form of spying. And in some repressive countries, the government may even be watching where you surf. Privoxy [1] and Tor [2] put the spies off your trail.

A browser typically talks directly to a remote target, most commonly a website, and the web server that hosts the site logs the corresponding access data. The Tor client prevents your requests from going directly to the target; instead the requests are forwarded via a proxy running on your home machine through a number of nodes to a so-called exit node, which then talks to the target machine (Figure 1). The server version of Tor acts as one of the intermediate nodes in the chain. The name “Tor” is an acronym for The Onion Router. Private users will more typically run Tor as a client, commonly known as the Onion Proxy.

Figure 1: Tor forwards a web request through a series of intermediate nodes to obscure the identity of the user.

This structure poses one problem: if the data you request passes through various privately operated nodes before reaching your machine, any Onion Router operator could theoretically log your traffic. This is why a secret key is negotiated between your Onion Proxy at home and every node on the path to the exit node. The key prevents unauthorized nodes butting in on the conversation en route.

By encrypting data in multiple layers, only the Onion Proxy on your home machine is capable of accessing the data – this protection system also prevents node operators from decrypting the passing traffic. The result of this scheme is that the data is very much like an onion – covered in multiple skins of encryption. The exit node breaks through the skin and passes the data to the final target, although the exit node has no way of knowing which machine the request originally came from.

None of the Onion Routers knows the Onion Proxy, and this means that Onion Router operators have no way of knowing whose data is passing through their nodes. On the way back from the target, the information is repacked and stays encrypted until the proxy running on your home machine strips the encrypted layers to reveal the data. This makes it impossible for third parties, including the provider, to know what data you request or send; the person running the target machine just gets to see the IP address of the exit node, which could be anywhere in the world.

Installing Tor

Tor is still a fairly young program, as the version number shows; it doesn’t have an interface at this time of writing. Suse users can download the source code for the stable version 0.1.0.16, and start by installing the Automake tools. If you have Suse 9.3 or 10.0, Autoconf and Automake are included. You additionally need the GCC and GCC-C++ compilers. YaST automatically loads additional required libraries. Don’t forget to install the Openssl-devel and Zlib-devel header files, along with the Libevent library [3].

Users with Suse 9.3 can’t use YaST to install Tor; instead, download the source code from [2] and follow the standard installation steps: ./configure, make, and make install. This should work out fine. Suse 9.3 also needs a new entry in /etc/ld.so.conf to be able to locate the library. Add the path /usr/lib, and then (working as root) run ldconfig to update your path information.

Things are slightly simpler for Debian users; just add the following entries to your /etc/apt/sources.list:

    deb http://mirror.noreply.org/pub/tor sarge main
    deb-src http://mirror.noreply.org/pub/tor sarge main

Then become root and run apt-get update to tell the package manager about the new packages residing at the specified address. You can then simply type apt-get install tor to install.

Here We Go…

Let’s give Tor a trial run. Pop up a console window and enter tor. After a short while, you should see a terse message that says “Tor has successfully opened a circuit. Looks like it’s working” (Figure 2).

Figure 2: Tor has successfully opened a circuit, and told you about it.

If you are still not convinced and want to make very sure, just Google for “my ip”. This takes you to a few pages that not only tell you your computer’s IP, but other details like the country you are probably in, your operating system, and the browser you use, or even the web pages you visited recently.

To bamboozle these pages, first tell the browser to route all traffic via the Tor Onion Proxy. If you have Firefox, just go to the Preferences, and select Connection Settings | Manual Proxy Configuration. Enter 127.0.0.1 as your SOCKS Host, and 9050 as your Port (Figure 3). Now select the SOCKS v4 entry and finish the configuration: your browser will now route all traffic to port 9050 first, and Tor will forward it onto the Internet. Mozilla users need Edit | Preferences | Advanced | Proxies for this.

Figure 3: Configuring Tor as the proxy for your browser.

Now, when you query your IP address, the results should look a lot different from the previous result set: the web server now thinks you live in Germany (Figure 4) – looks like Tor really is working.

Figure 4: The website thinks you live in Germany, as the exit node contacting the server is running on a German server.

If you have Suse, and want to launch Tor automatically when you start your machine, become root and add a line for /usr/local/bin/tor & to your /etc/rc.d/boot.local file; on Debian, a file named /etc/rc0.d/K20tor ensures that Tor will launch automatically whenever you boot your machine.

Tor has one problem that most encryption and anonymization programs have in common: encryption tends to slow down communications with remote web servers noticeably.

Privoxy for Dessert

Tor does not take all the risk out of browsing. As you may be aware, your browser needs to look up the target machine’s address by sending a request to a DNS server; the server then resolves the host name (such as www.linux-magazine.com) to the IP address (212.227.104.121). The DNS server then sends the resolved IP address back to the browser. If somebody were to check the DNS server’s logfiles, they could find out which machine had looked up www.linux-magazine.com and when. Privoxy can prevent this from happening by using Socks 4a, which, unlike Socks 4 and Socks 5, does not need to convert hostnames to IP addresses first.

Privoxy is a filtering proxy for HTTP that is often used with Tor. You can read all about using Privoxy as a web filter in the October 2005 issue of Linux Magazine [4].

Installing Privoxy

Users with Suse 9.3 and 10.0 can simply run YaST to install Privoxy. If you have Debian, just type apt-get install privoxy. After you complete the install, Suse will launch Privoxy automatically each time you boot your machine; to prevent this from happening, you need to launch YaST, go to the System tab, and click the Runlevel Editor button. To disable the Privoxy service, click Disable. Suse Linux runs Privoxy in a Chroot jail.

GLOSSARY
Chroot: A security measure that maps the root directory for Privoxy to /var/lib, thus preventing would-be attackers from accessing directories farther up the filesystem tree.

On Debian, Privoxy typically launches automatically after the install; if not, you can launch the client by becoming root and giving the /etc/init.d/privoxy restart command.

The next step is to tell Privoxy to forward Socks requests to Tor. To forward Socks requests, Suse users need to open /var/lib/privoxy/etc/config and enter the following line below item 5. FORWARDING:

    forward-socks4a / 127.0.0.1:9050 .

Note the dot following the port; if you forget this, no forwarding will take place. You need to modify the same file for Debian; however, in this case the file resides below /etc/privoxy.

Now update your proxy settings for Firefox and Mozilla to reflect the changes. Enter 127.0.0.1 as the IP address, and 8118 as the port in all cases, and then surf to the website that showed your IP address previously. If your IP address is shown properly, Privoxy is working properly; and if you see the wrong IP address instead of the correct address, Tor is also working.

Quick Change

Previously, if you used your browser in mixed mode, that is, anonymously in some cases and open in others, there was no alternative to switching the proxy on and off manually. Thank goodness this has changed: there is now a Switch Proxy extension for Mozilla and Firefox, which you can install by double-clicking the Get more extensions link in the Extensions window [5]. After relaunching the browser, you should have a new status bar for Switch Proxy (Figure 5).

Figure 5: The Firefox “Switch Proxy” extension gives you an easy solution for enabling and disabling a collection of proxies.

To configure Tor and Privoxy as a new proxy, click Add, select the Standard entry, and then click Next. A window appears, letting you configure your new proxy settings. Don’t forget to assign a name to these settings, just to be able to identify them later. When you are finished, click Ok. Use the list next to the Proxy entry to toggle between various proxy configurations.

Becoming a Microsoft Agent

While we are at it, what reason is there for you to tell everyone that you use Linux and prefer the Firefox browser? There isn’t a good reason to reveal this information, especially as some of the less well-behaved pages then slam the door on Linux users.

The User Agent Switcher [6] extension helps you change this. After you install the switcher and relaunch your browser, select User Agent Switcher in the Tools menu, and opt for Internet Explorer 6 (or Opera 8.5 if you prefer); the User Agent Switcher should now identify you as using Internet Explorer – luckily, this does not mean that you will be installing the usual security problems that come with the real Internet Explorer.

INFO
[1] The Privoxy project: http://www.privoxy.org/
[2] Tor: http://tor.eff.org/
[3] Libevent as Suse-RPM: http://linux01.gwdg.de/~pbleser/rpm-navigation.php?cat=Libraries/libevent/
[4] “Doorkeepers: Privoxy and Webcleaner content filters,” by Thomas Leichtenstern; Linux Magazine #59, 2005; p. 54.
[5] The Switch Proxy extension for Firefox and Mozilla: https://addons.mozilla.org/extensions/moreinfo.php?application=firefox&id=125
[6] The User Agent Switcher for Mozilla and Firefox: http://chrispederick.com/work/useragentswitcher/
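
The "Privoxy for Dessert" section says that Socks 4a spares the client the DNS lookup. The following added example (not part of the original article) builds a SOCKS 4 and a SOCKS 4a CONNECT request for the article's sample host and decodes both the way the SOCKS server would, showing that only the 4a request carries the hostname. The `resolved_by` label and the function names are the example's own.

```python
import ipaddress
import struct


def socks4_request(ip, port, userid=b""):
    """SOCKS 4 CONNECT: the client must already know the target's IP address."""
    header = struct.pack(">BBH", 4, 1, port)  # version 4, command 1 (CONNECT), port
    return header + ipaddress.IPv4Address(ip).packed + userid + b"\x00"


def socks4a_request(hostname, port, userid=b""):
    """SOCKS 4a CONNECT: placeholder IP 0.0.0.1, hostname appended for the proxy."""
    header = struct.pack(">BBH", 4, 1, port)
    placeholder_ip = bytes([0, 0, 0, 1])      # 0.0.0.x with x != 0 signals 4a
    return header + placeholder_ip + userid + b"\x00" + hostname.encode("ascii") + b"\x00"


def parse_request(data):
    """Decode a CONNECT request as the SOCKS server (Tor on port 9050) sees it."""
    version, command, port = struct.unpack(">BBH", data[:4])
    if version != 4 or command != 1:
        raise ValueError("not a SOCKS 4/4a CONNECT request")
    ip = data[4:8]
    userid_end = data.index(b"\x00", 8)       # user id is NUL-terminated
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
        host_end = data.index(b"\x00", userid_end + 1)
        host = data[userid_end + 1:host_end].decode("ascii")
        return {"variant": "4a", "target": host, "port": port, "resolved_by": "proxy"}
    return {"variant": "4", "target": str(ipaddress.IPv4Address(ip)),
            "port": port, "resolved_by": "client"}


if __name__ == "__main__":
    # Hostname and address are the ones quoted in the article.
    for request in (socks4_request("212.227.104.121", 80),
                    socks4a_request("www.linux-magazine.com", 80)):
        print(request.hex(), parse_request(request))
```

With plain SOCKS 4 the name lookup has already happened on the client before the request is built, which is the DNS log entry the article warns about.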
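
The article notes that forgetting the dot after the port in the Privoxy forwarding line means no forwarding takes place. As an added example (not from the original article), this checker reads a Privoxy config as text and reports deviations from the line the article gives; the function name, messages and sample config are constructed for illustration.

```python
EXPECTED_SOCKS = "127.0.0.1:9050"  # Tor's SOCKS listener as configured in the article

# Constructed sample: a config where the trailing dot was forgotten.
SAMPLE_BROKEN = """\
# 5. FORWARDING
forward-socks4a / 127.0.0.1:9050
"""


def check_privoxy_forwarding(config_text):
    """Return a list of problems in the SOCKS forwarding setup; empty means OK."""
    problems = []
    found = False
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # ignore comments and blank lines
        if not line.startswith("forward-socks"):
            continue
        fields = line.split()
        if fields[0] != "forward-socks4a":
            problems.append(f"line {lineno}: {fields[0]} used instead of forward-socks4a")
            continue
        found = True
        if len(fields) != 4:
            problems.append(f"line {lineno}: expected 4 fields, got {len(fields)} "
                            "(trailing dot missing?)")
            continue
        _, pattern, socks, parent = fields
        if pattern != "/":
            problems.append(f"line {lineno}: pattern {pattern!r} does not cover all requests")
        if socks != EXPECTED_SOCKS:
            problems.append(f"line {lineno}: SOCKS target {socks} is not {EXPECTED_SOCKS}")
        if parent != ".":
            problems.append(f"line {lineno}: last field is {parent!r}, expected '.'")
    if not found:
        problems.append("no active forward-socks4a directive found")
    return problems


if __name__ == "__main__":
    for problem in check_privoxy_forwarding(SAMPLE_BROKEN):
        print(problem)
```

Run it against the contents of /var/lib/privoxy/etc/config on Suse or the config file below /etc/privoxy on Debian before pointing the browser at port 8118.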