Anonymous Surfing with Java Anonymous Proxy GHOST SURFING

KNOW-HOW Java Anonymous Proxy

Anonymous surfing with Java Anonymous Proxy GHOST SURFING

Many Websites log IP addresses and access times to identify users. If you don’t want to wind up as data in someone’s market research, the Java Anonymous

Proxy will keep your surfing secret. BY TOBIAS EGGENDORFER

nless you happen to be a VIP, anonymization service. An anonymiza- Users employ a variety of techniques you can drop into a baker’s shop tion service is a service that lets the user for surfing on the Internet without detec- Uanywhere but in your own home surf the web anonymously. The service tion (see the box titled “Private Surfing”.) town and pay cash for a loaf of bread obscures the user’s true IP address, pre- One popular privacy tool is Java Anony- without revealing your personal data. venting snoopers from following the user mous Proxy (JAP) [1], a portable proxy Nobody will record the way you move or around the web. that supports anonymization in Linux. attempt to discover your behavior pat- terns. In day-to-day life, anonymity is Cookies and Anonymity the rule. In contrast, the Internet allows JAP gives you maximum anonymity, but Many Websites require cookies to work seamless logging of visitor traffic on imprudent handling of cookies can endan- properly, so you may not be able to get websites. ger your privacy. Many Websites set cook- away with disabling them completely. This continuous data collection allows ies, which they use to identify returning This said, most browsers give you the for unique visitor identification; all it visitors. This is not a big issue assuming option of restricting the validity of any takes to identify a user is a short phone that cookies are set while you are surfing cookies to the current browser session. call to your provider, who is easily iden- anonymously. But if you provide user data, When you close the browser, the cookies or if cookies from previous sessions pre- are deleted, thus removing the danger of tified via a whois entry, to get your per- exist in your browser, any protection JAP inadvertent identification. sonal data. Governments have passed can give you is compromised. The remote Solutions such as Cookiecooker [9] are laws to prevent the most extreme misap- Web server will still be able to identify you suitable for mixing cookies from ad serv- propriation of personal data, but Internet despite the anonymization service. ers, but they can also lead to you being users with static IP addresses are still To help mitigate the risk, you could install incorrectly identified. Although Cook- easily identified on the web through a two browsers, one for anonymous surf- iecooker provides some protection simple whois request. ing and the other for “public” surfing. against this, there is always the danger To protect your privacy, you need to This would avoid mixing cookies and of ending up hijacking somebody else’s bring in heavy artillery in the form of an would reduce the risk of identification. session.

44 ISSUE 60 NOVEMBER 2005 WWW.LINUX - MAGAZINE.COM Java Anonymous Proxy KNOW-HOW

control of a mix somewhere in mid- 1x encrypted 2x encrypted stream, there is nothing the attacker can do with the sniffed data. As multiple

Response users route their data packets through each cascade, each cascade contains a nicely stirred cocktail of packets from y 1 2 G different users, preventing any conclu- JAP Mix Mix G G Prox Browser G E E E E T Webserver sions about the packet order. T T T Do you have neighbors who take GET URI 2x encrypted 1x encrypted delivery of a parcel in your absence and Time then hand it over to you saying “Hey, big Ideal: On the same computer parcel you got there” before going on to Figure 1: The message is encrypted separately for each mix, like a letter in multiple envelopes, speculate about what it could be? JAP and progresses through the mix cascade to improve anonymity. puts an end to this kind of speculation by chopping the data into 998-byte JAP encrypts all requests and sends them If a mix in this cascade decrypts a chunks and padding smaller chunks to a mix – an intermediate system on the message sent to it, it can only see the with random data. Internet that mixes user data from several cypher text for the next mix. As every Just like PGP or SSL, JAP relies on a sources. The data bounces through sev- mix uses a different key, a high level of mixture of symmetric and asymmetric eral mixes before finally reaching a proxy privacy is assured. It that sends the request to the web server. is like putting a letter This article describes how you can surf in a number of secretly with JAP. opaque envelopes. Each mix can only Understanding JAP open one envelope The underlying principle behind JAP is (Figure 1). simple: data passes from the web client This design pro- through a chain of several mixes before vides an additional reaching a proxy server. At each step, benefit: as outgoing the data is mixed with data from other messages always look users. The packets are also encrypted at different from incom- each step. The proxy encrypts the mes- ing messages, there is sage in a way that the last mix can no way of mapping decrypt it. The last mix takes the cypher incoming packets to text and encrypts it to allow the last-but- outgoing packets. one mix to read it. The results are then Even if an attacker re-encrypted for the last-but-two mix, were to sniff a mix’s Figure 2: The proxy is easy to set up on the browser-side. You can and so on. traffic stream or take reconfigure the default port of 4001 in JAP.

JAP Transmission The data exchange between JAP and the dom channel ID. The new channel relies padded with 16 random bytes to take it mix, or between mixes in the chain, uses on a symmetric key, the asymmetric, RSA up to the standard size. The mix again a standard format. Each packet has a size encrypted version of which is stored in encrypts the first 128 bytes with the next of 998 bytes, and header flags are used to the first 128 bytes of the data packet. The mix’s key. If the open flag is not set, the specify important information. rest of the packet is encrypted symmetri- key exchange does not take place. This The 32-bit channel ID is the most impor- cally using AES. increases the size of the packet’s payload tant bit of information; the ID assigns the The payload has a 3-byte header that component. mix packet to a mix channel. The channel specifies the exact length (2 bytes) and the Mixes set the close flag in the header to ID always occupies the first 4 bytes of a user data type (1 byte). This data type can close a connection and pad the data com- mix packet. This is followed by 2 bytes, 5 be FTP or HTTP. The last mix in a cascade ponent with 992 random bytes. When- of which are used for flags. The flags identifies a suitable proxy based on the ever a mix receives a packet of this kind, it describe the makeup of the data packet. data type. drops the channel ID and the matching The remaining 11 bits are reserved for The asymmetric part is the interesting bit symmetric key. The packet also tells JAP possible future extensions. The channel here. The first 16 bytes contain the 128-bit that all data have been transmitted and ID uniquely identifies the link between key used for symmetric encryption by closes the TCP connection to the browser. JAP and the mix, or between two mixes. each mix. To allow the next mix to learn To prevent attackers from deducing the The open flag (bit 45) is set on establish- its key, all the data in the packet are left packet type from the header data, mixes ing a connection to specify a new, ran- shifted by 16 bytes, and the data packet is also encrypt the header.

WWW.LINUX - MAGAZINE.COM ISSUE 60 NOVEMBER 2005 45 KNOW-HOW Java Anonymous Proxy

encryption for communication between your local network, you will need to for Linux. Compared with the relatively mixes and the local proxy. JAP encrypts enable the Forwarder to give other complex technology on which the JAP is messages to the mixes with random machines access. based, JAP is very easy to install and symmetric session keys. On first contact, use. Once you have installed JAP on the symmetric key is then encrypted Choosing a Cascade your own system, you can test your con- asymmetrically using the mix’s public The other settings, which you can access figuration using the testing service pro- key. via the Settings or Details buttons, are vided at [8]. ■ self-explanatory. The only question JAP Installation newcomers then face is the choice of the INFO Despite its apparent complexity, JAP is best available cascades. [1] Java Anonymous Proxy (JAP): simple to install and use. Just download Cascades define your degree of ano- http:// anon. inf. tu-dresden. de/ index_ the JAP version that matches your own nymity: the more users that populate a en. html Java version from [1]. To discover your cascade, and the bigger the cocktail of [2] The Cloak: http:// www. the-cloak. com Java version type: packets, the more difficult it becomes to [3] Guardster: http:// www. guardster. com sniff the cascade and identify individual [4] Anonymization.net: java -version surfing behavior. http:// www. anonymization. net On the other hand, the more users Then launch JAP by giving the following there are accessing the service, the [5] US Senate proxy: command: slower Internet access will be. JAP dis- http:// online. securityfocus. com/ news/ 1780 tributes this information via its informa- java -jar JAP.jar & tion service, which gives you a list of [6] JAP and crime prevention: currently available mix cascades and http:// anon. inf. tu-dresden. de/ strafverfolgung/ index_en. html This command should work fine, assum- their performance. ing you have a GUI and assuming For security reasons, the JAP client [7] JAP at the command line: http:// anon. inf. tu-dresden. de/ develop/ that the DISPLAY variable is set appro- checks if the list is correctly signed. This commandline_jap_en. html priately. precaution prevents a would-be attacker All you have to do now is modify the from inserting a rogue cascade. [8] Anonymity test: http:// anon. inf. tu-dresden. de/ proxy configuration (Figure 2). By anontest/ test_en. html default, JAP listens on port 4001 and Conclusions only allows queries by localhost. If you Java Anonymous Proxy (JAP) is a [9] Cookiecooker: http:// cookie. inf. tu-dresden. de are looking to install a single JAP for portable anonymous proxy application

Private Surfing Web-based anonymization services such anonymization service providers to offer check the open proxy’s logfiles and then as The Cloak [2], Guardster [3], or Anony- encrypted services via HTTPS, although contact the provider. However, few web mization.net [4] provide a simple form of these services may not come for free. servers actually save this header content anonymization. When you type in a URL, A proxy provides an elegant solution to in their logfiles. (Note that some proxies the anonymization service requests the the problem of parsing HTML pages and do reveal the user behind the requests by page from the target Web server, often replacing links. This involves configuring adding an HTTP header that contains the analyzing the HTML and replacing links the browser to transmit every single IP address of the requesting machine. ) so that the links also use the anonymiza- HTTP request to the proxy. The proxy An open proxy is no solution to the issue tion service. Finally, the service serves up then talks to the target server. Unfortu- of non-encrypted traffic. If an attacker can the requested page (Figure 3). nately, a conventional proxy gives you sniff the communication between the Web-based anonymization has a few nothing in the line of anonymity. For proxy and the web user, that user is no drawbacks, one of which is the question example, the AOL proxy knows its users. longer anonymous. of trust. The user does not know what the So-called open service logs or how anonymous the ser- proxies are better vice really is. For another thing, it may be suited to the goal impossible to rewrite links that generate of anonymity; Javascript, and that would certainly break open proxies are replaces the surfer’s cover. (To counter this, The proxy servers that links Cloak has the option of removing all anyone can use. modified Javascript content from any pages you Even the US Sen- document forwards URL visit.) ate has provided sends URL Finally, the path between your own an open proxy, Client Anonymization Webserver browser and the anonymization service is although unwit- Service not encrypted, so any host, including tingly [5]. To iden- your own provider’s proxies, could tify a surfer using Figure 3: A Web-based anonymization service separates the user actively log your surfing activities. This an open proxy, from the Web server, but the intermediate anonymization server problem has prompted many web-based you first need to could still track user information.

46 ISSUE 60 NOVEMBER 2005 WWW.LINUX - MAGAZINE.COM