Virtual Private Network
VPNs are perhaps the most commonly deployed tactic for browsing the web incognito; their availability and overall ease of use factor into this. A VPN is a virtual extension of a private network, allowing users to send and receive data securely over a public network such as the internet. Although virtualized, the connection retains the security, appearance, and functionality of a private network while shrouding the client connection. VPNs use a few different security protocols:
- L2TP/IPsec (Combines Layer 2 Tunneling with IPsec for encryption.)
While a detailed discussion of these protocols is beyond the scope of this article, the links should provide more information. Essentially, a VPN is a secure WAN (wide-area network) that creates a tunnel between two endpoints through which encrypted data is sent and received. VPNs also let users mask their IP address, which is replaced by the VPN server's. A VPN can be configured at the operating-system level, forcing all internet traffic through the tunnel. With a VPN in place, an ISP cannot see what is happening within the connection.
The biggest caveat with VPNs is that they are not all created equal; many collect and sell data, which defeats the purpose of using one to evade ISP snooping. This is the biggest reason to use a paid VPN service that is very upfront about data retention, monitoring, and recording of session activity and IP addresses. In the interest of privacy and performance, free VPNs are not recommended.
Purchasing considerations include client diversity (OS support, software support, etc.), server count and load per server, and geographical location; the closer a user is to the VPN server they will be connecting to, the better. The total number of servers offered, their speed, and their location relative to the client all help reduce latency.
It’s difficult to recommend a top VPN service. There are too many variables that are hard to verify, such as security, transparency, privacy policies, and performance, to name a few. Over at Tom’s Hardware, they compiled a list of VPNs based on their own criteria as well as user input. Instead of making a recommendation, we hope that readers can use this information as a guide when assessing a VPN service provider.
Lastly, remember that VPNs are not for anonymity; rather, they limit exposure across the internet. Using a VPN constitutes trusting the VPN provider, which isn’t exactly congruent with being anonymous. For the context of this article, which is cloaking the internet user from the ISP, VPNs are well suited.
Tor is perhaps the closest thing to internet anonymity today. Tor, short for The Onion Router, is an anonymity network whose underlying onion routing was developed in the 1990s at the United States Naval Research Laboratory, with the goal of protecting U.S. intelligence online. As its name suggests, Tor implements onion routing as a means of layered encryption (layers like an onion, hence the name).
The client side of Tor is simply a modified browser based on Mozilla Firefox. This browser is used to access the Tor network: a series of bridges and relays operated by volunteers who donate their bandwidth and computing power to bolster the capabilities of Tor. It is through this series of computers that a user’s encrypted web traffic is routed. The relays, or “onion routers”, only peel away one layer of the encryption, just enough to ascertain the next relay destination, which is randomly selected for every connection request (e.g. website visited). The final relay, or exit node, is the one that connects the client to the server they are requesting.
There are many add-ons that can be used in conjunction with Tor, assuming the user is willing to go to such extent.
- Guerrilla Mail (disposable email address)
- Enigmail (email encryption)
- TorBirdy (configures Thunderbird to route connections over the Tor network)
- Tor Messenger (chat client using OTR protocol, developed by Tor and still in beta)
- Adium (IM client using OTR protocol, supports Tor)
- Pidgin (IM client using OTR protocol, supports Tor)
- OnionShare (secure and anonymous file sharing via Tor/Tor network)
- Orbot (runs Tor on Android)
- Onion Browser (runs Tor on iOS)
- Tails (Tor enabled OS, bootable from DVD or USB, that routes all internet traffic over the Tor network)
- Whonix (Tor enabled OS that creates multiple virtual machines, obfuscating and protecting the real IP address/machine)
While Tor is a powerful resource for privacy, it is not without its own caveats. Because Tor routes internet traffic along a circuitous path across the world, speed is expectedly lower and latency higher than with a typical browser. Additionally, Tor is somewhat inherently vulnerable to traffic analysis attacks, as it cannot protect traffic at the boundaries of the Tor network. Moreover, Tor cannot encrypt traffic between an exit node and the target server (unless the site itself uses HTTPS, as discussed below), leaving traffic at any exit node open to eavesdropping or monitoring. However, attacks against Tor are actively researched, and welcomed by the Tor project as a way to improve its design.
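The layered encryption described in the relay paragraph above, and the exit-node caveat just stated, as an added toy walkthrough (this is not Tor's code or protocol): three constructed relays with constructed keys, a hash-based XOR cipher standing in for Tor's real cryptography, and a `route` function that records what each hop can observe.

```python
import hashlib
import json

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy XOR stream cipher: keystream block i = SHA-256(key || i). For illustration
    # only; Tor uses real per-hop ciphers negotiated by a key exchange.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

# Constructed three-hop circuit; keys are derived from fixed labels purely so the
# example is deterministic (in Tor each hop key comes from a key exchange).
CIRCUIT = ["guard", "middle", "exit"]
KEYS = {name: hashlib.sha256(b"demo-key-" + name.encode()).digest() for name in CIRCUIT}

def build_onion(destination: str, payload: str) -> bytes:
    """Client side: wrap the request once per hop, innermost layer for the exit."""
    blob = json.dumps({"dest": destination, "payload": payload}).encode()
    for idx in range(len(CIRCUIT) - 1, -1, -1):        # exit first, guard last
        next_hop = CIRCUIT[idx + 1] if idx + 1 < len(CIRCUIT) else None
        layer = json.dumps({"next": next_hop, "inner": blob.hex()}).encode()
        blob = keystream_xor(KEYS[CIRCUIT[idx]], layer)
    return blob

def peel(relay: str, blob: bytes) -> tuple:
    """Relay side: strip exactly one layer; returns (next_hop, remaining_blob)."""
    layer = json.loads(keystream_xor(KEYS[relay], blob))
    return layer["next"], bytes.fromhex(layer["inner"])

def request_visible(blob: bytes) -> bool:
    """True only when the blob is the fully unwrapped plaintext request."""
    try:
        obj = json.loads(blob)
    except ValueError:
        return False
    return isinstance(obj, dict) and "payload" in obj

def route(onion: bytes) -> dict:
    """Pass the onion along the circuit, recording what each relay could observe."""
    seen, hop, blob = {}, CIRCUIT[0], onion
    while hop is not None:
        next_hop, blob = peel(hop, blob)
        seen[hop] = {"next": next_hop, "request_visible": request_visible(blob)}
        hop = next_hop
    return {"seen": seen, "request": json.loads(blob)}   # only the exit reaches this
```

Only the exit hop ends up holding the plaintext request and destination, which is exactly the point at which an unencrypted site leaves traffic open to an eavesdropping exit.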
Using Tor with a VPN
Combining Tor with a VPN could provide a “webizen” the best security and privacy of both tools. By using Tor over VPN—one of two configurations, with the other being VPN over Tor—users can get the encryption security of both solutions, while also keeping web browsing truly anonymous. The ISP only sees that a connection to a VPN server is made, while the VPN provider only sees that the server is connected to a Tor entry node. Once within the Tor network, the Tor browser cloaks the user as normal. This option means connecting to your VPN, then opening the Tor browser.
The VPN over Tor method is the reverse of the above option, and is a bit more complicated. It does, however, shore up Tor’s aforementioned exit-node vulnerability. A more detailed guide on both methods can be found here.
HTTPS Everywhere is a browser extension for Chrome, Firefox, and Opera, developed as a collaboration between the EFF and The Tor Project. The extension forces the browser to connect to websites using SSL/TLS encryption (HTTPS). However, the forced HTTPS connection only works if the site itself supports HTTPS. Where only parts of a site offer HTTPS, the extension can force HTTPS over HTTP for those parts. HTTPS Everywhere only protects the contents of communication; it does not conceal the identities of the sites visited. So, an ISP can see what site was visited, but not what content was viewed. For more information, check out the FAQ.
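An added example (not code from HTTPS Everywhere itself) of how such a per-site, per-path upgrade works: a small evaluator for a constructed ruleset written in the style of the extension's XML format, assuming a simplified wildcard match for `*.` target hosts.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed ruleset in the style of HTTPS Everywhere's XML: the rule only fires
# for listed target hosts, and exclusions carve out paths that must stay on HTTP.
RULESET_XML = """
<ruleset name="Example (constructed)">
  <target host="example.com" />
  <target host="*.example.com" />
  <exclusion pattern="^http://example\\.com/legacy/" />
  <rule from="^http:" to="https:" />
</ruleset>
"""

def host_matches(pattern: str, host: str) -> bool:
    # Simplification (assumption): a leading "*." matches any subdomain depth.
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def load_ruleset(xml_text: str) -> dict:
    """Parse targets, exclusions and rewrite rules from ruleset XML."""
    root = ET.fromstring(xml_text)
    return {
        "targets": [t.get("host") for t in root.findall("target")],
        "exclusions": [re.compile(e.get("pattern")) for e in root.findall("exclusion")],
        "rules": [(re.compile(r.get("from")), r.get("to")) for r in root.findall("rule")],
    }

def rewrite(url: str, ruleset: dict) -> str:
    """Return the HTTPS-upgraded URL, or the URL unchanged if nothing applies."""
    host = urlsplit(url).hostname or ""
    if not any(host_matches(t, host) for t in ruleset["targets"]):
        return url                       # site not covered: nothing to force
    if any(ex.search(url) for ex in ruleset["exclusions"]):
        return url                       # part of the site without HTTPS support
    for pattern, replacement in ruleset["rules"]:
        if pattern.search(url):
            return pattern.sub(replacement, url, count=1)
    return url
```

Note that the hostname is still needed to pick the ruleset at all, which mirrors the caveat above: the upgrade changes what the ISP can read, not which site it sees being contacted.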
Adjust DNS Settings
The Domain Name System (DNS) is how a computer resolves a website’s name to a numerical Internet Protocol address. Often, a PC is configured by default to use the ISP’s DNS server, which lets the ISP see every site the browser looks up. Consider using a third-party DNS provider like OpenNIC; this helps ensure content won’t be censored by an ISP, that websites visited or ads clicked can’t be logged by it, and that DNS hijacking by ISPs is prevented. OpenDNS and Google Public DNS are other options, albeit not as privacy focused.
A quick guide to changing DNS settings in Windows 10 can be found here.
Although not foolproof, everything listed in this article is an important step that can be taken to avoid discordant ISP behavior. Additionally, these steps can provide a more secure online presence.
This may go without saying, but the mobile platform is not one to rely on if aiming to achieve as much anonymity as possible. Moreover, avoid renting/leasing devices from ISPs, as this gives them near full control over the device. Verizon has already demonstrated its eagerness to collect data with the anticipated repeal of FCC privacy rules.
Users can contact their ISPs and find out how to opt-out of any data collecting, for whatever good it might do—there is no guarantee that opting out will prevent ISPs from collecting something. Depending on the provider, this process may be a hassle, and not totally clear.
Lastly, here are some tools that can be used to measure and analyze security and communications, which can help in working toward internet anonymity.
- DNS Leak Test (tests DNS settings for leaks)
- IPLeak.net (test VPN and see what data ISPs and websites can see and collect)
- Lightbeam (analyzes communications between the client, visited websites, and third parties)
- Wireshark (analyzes and captures packets over a network)
The internet should be an apolitical entity, but unfortunately, governments have quite a bit of influence over it. This can translate to good or bad ramifications for everyday users. Hopefully in the future, with enough interest and will from both citizens and policy makers, new internet privacy policies can be shaped. Until then, hopefully this guide will help in granting users more privacy and control over their internet experience.
- Eric Hamilton.