
Another way to surf securely


Guest Ou**or**n

I came across this article in the Globe and Mail about a combination product and service called Surf Easy.

 

It is a USB key that contains a browser and software to open an encrypted connection through their site for you to use when surfing the web. This makes your destination invisible to your local computer, your local network and your ISP. Also, all cookies and browser history files are safely stored within the USB key itself, which you unplug and keep with you.

 

It was originally designed for security when you're using either public computers or connecting your own computer through other networks (hotels, airports, your work, etc.). However, it is equally valuable if used at home.

 

I'm not a very trusting individual when it comes to our government and proposed laws that will require ISPs to potentially track my browsing habits. Additionally, you never know what tracking public networks have in place, as they all have firewalls which track the destination of every outbound connection. Tracking data such as these logs is out there, sometimes just waiting to fall into the wrong hands. Suspicious spouses can also have software installed on home computers or within home networks that can track the same information. This gives a lot of security by making all this invisible.

 

Very intriguing idea.

 

http://www.surfeasy.com/


Don't be thinking this prevents ISPs' or the government's ability to record/track your activities. It's just a device for basic privacy when you go on a public computer or you don't want your wife to see what you've been browsing. They offer pretty much the same feature in Google Chrome's Incognito. It just doesn't leave any local data on the computer you're on, such as history URLs, cookies and such.

 

Remember your ISP is your access to the Internet. If you want to go to site X, you're asking your ISP: "Hey, I want to go to this site!". The ISP will say "OK, what's your computer ID so I can relay the information back and forth?". Your computer says "Sure, here's my IP address and my computer's MAC address".

 

Doesn't matter if the local data is encrypted, if the ISP gets the information to relay it... you can bet your ass it's recorded.

 

Hopefully it draws a clearer picture.


Actually this would prevent the ISP from seeing anything that you browse (other than that the only website that you browse is the surfeasy servers).

 

I use SSH tunneling to a proxy, which is probably similar or exactly what they are using in surfeasy. So when you request, say, cerb.ca, the server on your computer encrypts that, sends it through your ISP encrypted to surfeasy servers, they decrypt it, fetch the page, encrypt it again, and send it back.

 

Here's what everyone would see:

 

You: cerb.ca >>> tunnel: cerb.ca converts to surfeasy.com/asdfkjfdasdf >> isp: surfeasy.com:asdflkjasjf >> surfeasy.com: adsfasdkfj converts to cerb.ca

 

And the same thing on the way back to you.

 

Although SSH tunneling is a little more advanced and requires access to an anonymous proxy server, there is a simpler free alternative called Tor (torproject.org). It basically does the same thing as I've explained above, except instead of proxies, it bounces your encrypted request through several other Tor users.

 

The only downside to tunnels like this is the ISP doesn't know what you do, but surfeasy knows everything you do.


The only downside to tunnels like this is the ISP doesn't know what you do, but surfeasy knows everything you do.

 

So true. There are a host of these kinds of services... as CERB does not have a trusted SSL certificate, your session is otherwise travelling in the clear. This is particularly a problem on an open WiFi network like you find at most hotels.

I always use http://strongvpn.com/ when using an open WiFi network at a hotel or restaurant. Note that if you don't, anyone in range can capture your login credentials to CERB (yes, the password is transmitted as an MD5 hash but it's trivial to turn it back into the real password) as well as email or any other passwords that fly by and even if we don't bother doing that (decoding the password), we'd still see your CERB handle in the clear and what you were reading and writing (including PMs).

 

The poor man's choice or the "in a pinch" solution is to access CERB via https as opposed to http. It's a self-signed certificate, so you'll get a warning from your browser that the site's certificate is not trusted, but at least your CERB handle and the rest of your session will be encrypted. So in this case someone monitoring on the WiFi network will know you accessed CERB but nothing more than that. With a VPN tunnel they don't even know that much.

 

So please, especially on a WiFi network, use:

https://www.cerb.ca/vbulletin/index.php

 

The Tor network is too slow and many evil people set up exit nodes just so they can do this kind of evil monitoring when your traffic does hit the Internet in the clear (through their exit node). I'd really recommend avoiding Tor. It is more useful for a journalist that is trying to do research and access sites otherwise blocked by a Government (like they do in China).

 

Just in case you were wondering, yes, Bill C-30 lawful access (or whatever it's called this hour) is completely laid to waste and useless by VPN services like the one I mentioned. They will only be able to catch dumb people... Ah, that's it! Discrimination! A Charter challenge -- the bill can only be used to catch dumb people and is therefore discrimination, perfect!

Edited by backrubman
Correct URL

The Tor network is too slow and many evil people set up exit nodes just so they can do this kind of evil monitoring when your traffic does hit the Internet in the clear (through their exit node). I'd really recommend avoiding Tor.

 

So use HTTPS or some other encrypted session over Tor :) Although for CERB access, I don't honestly care - anyone who wants to see 90% of what I've written here can simply sign up for an account and do so, and to be honest my PMs aren't all that exciting either. It should also be noted that a bad exit node can still only intercept things for a little while as Tor changes the path you're using every ten minutes (I think, and I'm too lazy to actually check).

 

The speed is a bit irritating, true, but I tend to just open a lot of tabs in the browser and let stuff load in the background, so it's not an issue most of the time.


Thanks for that, Backrubman - very interesting (especially Marlinspike's ppt). A question for you though: do MITM attacks such as those discussed have any means of directly determining the original source of the session if they're done at a Tor exit node? I'm talking about using the intercepted session itself, rather than anything gleaned from the compromised account on whatever service it happens to be, which is obviously an entirely different kettle of fish.

Thanks for that, Backrubman - very interesting (especially Marlinspike's ppt). A question for you though: do MITM attacks such as those discussed have any means of directly determining the original source of the session if they're done at a Tor exit node? I'm talking about using the intercepted session itself, rather than anything gleaned from the compromised account on whatever service it happens to be, which is obviously an entirely different kettle of fish.

 

What an excellent and intelligent question. Like anything and everything Internet security related the correct answer always seems to be something like "it depends".

 

Tor uses an onion peel method so that as you pass through each successive node on the way to an exit node, the packet is once again encapsulated and encrypted yet another time. So as an evil exit node we are in general only going to know that we need to send the answer back to the node from which it came, and not have a direct way of determining the originating IP, but we can intercept all your traffic in the clear, even SSL as you now know.

 

That said, many protocols make it easy to determine the original IP. Consider if you will sending an email from any popular email program like Outlook, Outlook express or Thunderbird. The SMTP (Simple Mail Transfer Protocol) session conversation starts with "this is who I am" from the originating computer which gets added to the message headers. To add insult to injury, the receiving email server is likely to say, "no, that's not who you are, just who you say you are" and add an X-Authentication-Warning to the message headers which will still contain your original IP address. Now, let's consider if you will someone that even knows this and therefore wants only to collect his email but send nothing. Well, even if one of those messages your computer downloads is a "bounce" because you muffed the destination address (or a transient fault at the far end) then your IP is in the headers of the bounced message. Outlook also has a common bug that can keep an outbound message "stuck" in your outbox until restarted, so you fire up Outlook and the jig is up.

 

This is but one of many possible examples. Almost all Internet protocols were designed in a friendlier time and often transport IP addresses as part of the data stream or payload, and this includes many instant messaging protocols as well. FTP also, and then maybe it has to go PASV mode (after trying the older method), but too late!

Even a piece of malware or spyware on your computer you don't know about might reveal your identity every few seconds trying to phone home, but alas, it's not one that is known to the anti-virus programs yet and may never be, so it can go undetected forever if it isn't too evil or too common.

 

I know you recognize that compromised accounts are a "different kettle of fish" (and seem very security aware, much to your credit, as most people are not) but this is for the benefit of anyone else reading this post:

Let's also consider what we can do with the credentials of a compromised gmail, hotmail or webmail account of any kind. We can log in and look at the headers in your sent messages folder, likely going to find it there from that one time you didn't use Tor.

 

So I guess the answer is that it is difficult to imagine what you would do on Tor for very long that would not eventually result in someone running an evil exit node that does not know your real IP by some direct or indirect method and running your traffic over Tor is almost a guarantee that the bad guys will be looking at it at some point. I would rather surf directly in the clear and hope no one is watching (not that I do anything worth watching) rather than use Tor and know that someone probably is.

 

Chances are if someone logs into any one of many compromised account types they don't even have to worry about IP addresses; they can order some books from Amazon on your behalf to your curbside address, or if it is a personal bank account they might just let the bank know your new address so your statements go elsewhere :)

 

Hope that answers your question. If not or you have any more, I am at your service. You are truly wise to recognize these dangers, most people prefer to remain ignorant.

 

Additional comments:

any means of directly determining the original source of the session if they're done at a Tor exit node? I'm talking about using the intercepted session itself, rather than anything gleaned from the compromised account

 

I gave it a little additional thought (the compromised accounts would be what most evil people would be after) on what the best attack vector would be if this was the goal and I guess I'd just answer your request for any web page (from my evil exit node) with just what you asked for except I'd inject or embed a little bit of invisible javascript code to phone home (to me) and let me know who you were straight away. Oh, running "noscript" extension (which breaks almost everything) under Firefox? How about a little piece of Adobe Flash code then? Guess I'm not as sharp as I used to be -- more of a Financial Trader these days and less of a security guru but it comes back. And you're right of course Phaedrus, no SSL or Internet security to worry about in Athens in those days but then they did have a Trojan Horse :)

Edited by backrubman
Trojan Horse

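The "who sees what" picture from the SSH-tunnel post earlier (you, then the proxy, then the site) and the onion-peel description in this post, as an added toy simulation that is not code from the thread, from Tor or from SurfEasy. The relay names, the per-relay keys, the 203.0.113.7 client address and the SHA-256 based cipher are all constructed stand-ins for Tor's real hop negotiation and encryption; what the toy preserves is that each relay can open only its own layer.

```python
import hashlib
import hmac
import os

# Constructed keys for the toy: in Tor each hop key is negotiated with the
# client; here the client simply holds one shared key per relay (assumption).
RELAY_KEYS = {
    "surfeasy": b"k-surfeasy",   # single-hop tunnel (SSH proxy / SurfEasy style)
    "guard": b"k-guard",         # three-hop onion path
    "middle": b"k-middle",
    "exit": b"k-exit",
}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy SHA-256 counter keystream (illustration only, not Tor's cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag; only the relay holding `key` can open it."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then strip one layer; wrong key or tampering fails."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def build_onion(path: list, dest: str, request: bytes) -> bytes:
    """Wrap `request` once per relay, innermost (exit) layer first.

    Each layer reads `next_hop\\n<inner blob>`, so a relay learns only where to
    forward, never the final destination or the originating client."""
    blob, next_hop = request, dest
    for relay in reversed(path):
        blob = seal(RELAY_KEYS[relay], next_hop.encode() + b"\n" + blob)
        next_hop = relay
    return blob


def run_circuit(client_ip: str, path: list, dest: str, request: bytes) -> dict:
    """Forward the onion hop by hop and record each vantage point's view."""
    blob = build_onion(path, dest, request)
    # The local network / ISP sees an opaque blob addressed to the first relay.
    view = {"isp": {"from": client_ip, "to": path[0], "plaintext": None}}
    prev = client_ip
    for relay in path:
        next_hop, _, blob = unseal(RELAY_KEYS[relay], blob).partition(b"\n")
        next_hop = next_hop.decode()
        # Only the last relay peels down to the cleartext request.
        view[relay] = {"from": prev, "to": next_hop,
                       "plaintext": blob if next_hop == dest else None}
        prev = relay
    return view


if __name__ == "__main__":
    req = b"GET /vbulletin/index.php HTTP/1.1"
    for name, path in (("tunnel", ["surfeasy"]), ("tor", ["guard", "middle", "exit"])):
        print(name)
        for who, seen in run_circuit("203.0.113.7", path, "cerb.ca", req).items():
            print(f"  {who:9} from={seen['from']:12} to={seen['to']:9} sees={seen['plaintext']}")
```

In the single-hop run the one relay sees both the client address and the cleartext request, which is the "surfeasy knows everything you do" point; in the three-hop run no single vantage point sees both, but the exit still sees the request in the clear, which is why HTTPS inside the tunnel still matters.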

What about something like Hotspot Shield? I was wondering if Hotspot Shield combined with a product like Surf Easy would work to add that extra layer of protection as well as making your footsteps harder to follow? I am essentially tunneling, am I not, with Hotspot Shield?

What about something like Hotspot Shield? I was wondering if Hotspot Shield combined with a product like Surf Easy would work to add that extra layer of protection as well as making your footsteps harder to follow? I am essentially tunneling, am I not, with Hotspot Shield?

 

I hadn't really looked into Hotspot Shield until you asked about it (have now) but it is basically the same thing as paid-for VPN services, but it is free (adware supported), so the downside is you get what you pay for (free - pay nothing, get very little or nothing), but you do get ads or pop-ups in return for a little encryption and the poor service and speed that can be expected from something that is free. I'd be less than inclined to intentionally install adware on my computer.

 

Your question about combining this with Surf Easy, well, I wouldn't recommend it. Surf Easy as I understand it kind of wants to run in its own little sandbox anyway and might not play well with something else.

 

I guess combining two services would be like wearing two condoms, if one breaks the other might hold but then it's likely to be so tight they both might pop off :)

 

The paid for VPN services are a must if you are going to use a Wifi network in a hotel, restaurant or anywhere else and care at all about privacy.

 

So my best solution (the one I use): Incognito mode in Chrome (saves nothing on the local computer, like Surf Easy), using a high quality paid-for (but not expensive) strong VPN service like http://strongvpn.com/ and a Gmail account for email with two-factor authentication (Google Authenticator) on your smartphone so your Gmail account password changes once a minute. Even if someone gets my phone and my notebook, they still need the passwords in my head.

 

Note that if I seem overly paranoid it's just because there be dragons out there and it used to be my job to keep them out of town. Really have nothing to hide.


I basically use Hotspot Shield so I can watch Hulu and previously to use Pandora. Both of these services didn't play nice if you lived in Canada. I have used the paid version of Hotspot and it actually isn't all that bad as far as speed goes. I have little to compare it to, but your suggestion of Strong VPN looks interesting and I will give it a look over.

I basically use Hotspot Shield so I can watch Hulu and previously to use Pandora. Both of these services didn't play nice if you lived in Canada. I have used the paid version of Hotspot and it actually isn't all that bad as far as speed goes. I have little to compare it to, but your suggestion of Strong VPN looks interesting and I will give it a look over.

 

Great. Well, I didn't know there was a paid-for version of Hotspot Shield (there is or was a freebie version that would invade your screen with ads). So I'm not surprised that the paid version would be comparable to the VPN service I pay for. Strong VPN is well known for their speed and good technical support (not that I have ever had to use it) but if you're happy with Hotspot Shield then I think it would come down to price and value. Can't be all bad at all if it is fast enough for Hulu and you have the added benefit of some extra security too, so it's all good.

 

Thanks for letting me know about this!


Thanks for the lengthy and detailed reply!

 

What I'm really concerned about/interested in is browser traffic (although you can obviously configure any app to use Tor, it does seem to be primarily aimed at use with a browser, and the fact that you're using it with a browser doesn't mean any other traffic in or out of your machine uses it, even other browsers).

 

I gave it a little additional thought (the compromised accounts would be what most evil people would be after) on what the best attack vector would be if this was the goal and I guess I'd just answer your request for any web page (from my evil exit node) with just what you asked for except I'd inject or embed a little bit of invisible javascript code to phone home (to me) and let me know who you were straight away.

 

Would that actually work? Or would the phone-home also go over Tor, and have home appear to be the exit node again? You'd have to override the browser's current proxy config, which sounds less trivial (and also sounds like something you wouldn't bother with if you'd acquired that level of control in any case)

 

Oh, running "noscript" extension (which breaks almost everything) under Firefox? How about a little piece of Adobe Flash code then?

 

Ya, noscript is a real pain in the ass, isn't it? :) FWIW FF's Tor plugin blocks flash and other directly-loaded content, so they seem to have thought of that...

Thanks for the lengthy and detailed reply!

 

What I'm really concerned about/interested in is browser traffic (although you can obviously configure any app to use Tor, it does seem to be primarily aimed at use with a browser, and the fact that you're using it with a browser doesn't mean any other traffic in or out of your machine uses it, even other browsers).

Would that actually work? Or would the phone-home also go over Tor, and have home appear to be the exit node again? You'd have to override the browser's current proxy config, which sounds less trivial (and also sounds like something you wouldn't bother with if you'd acquired that level of control in any case)

 

Yeah, I think it would be pretty trivial in fact. Let's say your real IP (for the sake of discussion) is 1.1.1.1 and this is what I want to find out. So my javascript that I inject into the web page I send back to you (from my evil exit node along with the rest of the web page you asked for too) opens up a non-visible window (doesn't show on your screen or it's 1 pixel x 1 pixel and no border) and attempts to fetch the URL http://me-the-bad-guy.Ill-get-you-yet.com/log-this/1.1.1.1.75654. Why the 75654? Well, now I can relate that token with your traffic I've been watching all along. Doesn't matter that the request to http://me-the-bad-guy.Ill-get-you-yet.com comes from some other IP address (even my Tor exit node) as your real IP I wanted is embedded in the URL you tried unknowingly to access and now in the log files on my bad guy web server along with the unique 75654 identifier. You get it? You're talking to an evil end point so I can do a lot of evil things to you.

 

Ya, noscript is a real pain in the ass, isn't it? :) FWIW FF's Tor plugin blocks flash and other directly-loaded content, so they seem to have thought of that...

 

Yes, so much so and the reliance on javascript so great that right now most people turn it off pretty quickly after trying it. HTML 5 will let us do a lot more "javascript" type things without javascript but then there are already exploits in the wild for that too.

 

It's an arms race and unfortunately we will always find more effective ways of killing people. The stuff I referred you to was older (but easier understood), they have made many more equally impressive advances at being bad since and the really good stuff is not in the wild but I'll bet you the Government has it. They sure had everything when I worked for them.

 

Right now, we terminate off shore, out of the reach of bill C-30 and the National Security Agency and call it the best we can do. I used to watch attacks on our corporate firewall that were nothing short of "diabolical". I've seen packet captures that make my hair stand on end. Definitely don't trust Tor my friend.

Yeah, I think it would be pretty trivial in fact. Let's say your real IP (for the sake of discussion) is 1.1.1.1 and this is what I want to find out. So my javascript that I inject into the web page I send back to you (from my evil exit node along with the rest of the web page you asked for too) opens up a non-visible window (doesn't show on your screen or it's 1 pixel x 1 pixel and no border) and attempts to fetch the URL http://me-the-bad-guy.Ill-get-you-yet.com/log-this/1.1.1.1.75654. Why the 75654? Well, now I can relate that token with your traffic I've been watching all along. Doesn't matter that the request to http://me-the-bad-guy.Ill-get-you-yet.com comes from some other IP address (even my Tor exit node) as your real IP I wanted is embedded in the URL you tried unknowingly to access and now in the log files on my bad guy web server along with the unique 75654 identifier. You get it? You're talking to an evil end point so I can do a lot of evil things to you.

 

Yes, I see what you're getting at... but would it work? Most of us are sitting behind NAT - in which case, does the browser actually know its own publicly-visible IP address? Or would you just get a load of RFC1918 private addresses? I can tell you that the machine I'm using now has a local address in 192.168/16 and IIRC my ISP assigns addresses from 10/8... but this isn't terribly useful information to an attacker. If you want to find out who someone is, you're really after the address of their access point, and then you'd have to work backwards from there through ISP records or whatever. Obviously that bit isn't an issue for LE/governments/etc, but may be harder for the genuine bad guys...


Two reasons I'm going on about it. The first is simply that I know more about networking than about, say, what you can and can't achieve with the JavaScript (or whatever else) in the browser, so I at least have some idea of the right questions to ask :) The second is that we're talking about Tor, which is touted as an anonymizing service rather than anything else, and hiding your IP really does seem to be the main reason to use it in the first place (leaving aside the issue of attracting attention to yourself by attempting to be anonymous in the first place, which is another matter entirely and probably one shared by any other means of achieving the same goal).

 

Yes and just like the onion router network known as Tor has been updated, so has the onion peeler engine that lays the anonymity of Tor to waste. An arms race for sure.

 

It is obvious you do understand networking; I am most impressed the more we discuss the issues. I underestimated you (a mistake I will not make again) in that I simplified my examples into ones that might be easier to understand. I am a CCIE with a strong Internet security background (or was until very recently, now it's more of a hobby job and the Financial Markets are my real passion, but I digress) and obviously you have much more understanding of networking than any "typical" Internet user. Of course in these public posts we are speaking to a broader audience than just among ourselves.

 

With regard to what can be achieved with the "execution of arbitrary" code (of any type), the obvious answer is anything a computer is capable of being programmed to do. I have seen many examples of someone simply visiting the wrong web site (one with bad intentions) and poof! they have a virus. This virus then quickly invites 10 of its closest friends to the party and they invite their friends. The most common of which is the "fake anti-virus" type of infection or the ones that demand money for the removal. We have seen this with all popular browsers and again it is an arms race in that as soon as a vulnerability is patched a new one appears almost the next day.

 

Actually (going off-topic and trivializing the discussion for a moment), I was having a think about this... and it struck me that one of the major benefits of a US-terminated VPN would be the ability to watch Daily Show/Colbert Report clips without the links from elsewhere on the web being hijacked by a combination of my ISP and damn Comedy Central. I hate that :)

 

Yes, many people subscribe to the high performance, paid for VPNs so they can get content which is otherwise blocked or restricted and many of these services let you change your external IP address to one that terminates in a country of your choice (e.g. UK versus US) at will for just this reason.
