Anonymizers
(Heavily stolen from www.livinginternet.com and André Bacard's
remailer FAQ)
Bálint KOZMAN, 2002.10.26. Budapest
mailto: qzy@inf.elte.hu
In short: an anonymizer is a tool/service behind which one can
"hide" when using some services of the Internet.
Basicly there are two types of anonymizers:
- web-anonymizers
- email-anonymizers (remailers)
Web-anonymizers
Anonymizers make web surfing anonymous. The first
anonymizer was Anonymizer.com, developed in 1997 by Lance Cottrell during
studies towards a Ph.D. in Astrophysics at the University of California,
San Diego. Cottrell is a noted privacy advocate, developed the widely used
Mixmaster remailer, and established the Kosovo Privacy Project enabling
individuals to anonymously report from within the 1999 Kosovo war zone
without fear of retaliation.
Anonymizers retransmit Internet content similarly to
the well-known web-caching proxies. An anonymizer removes all of your identifying
information while it surfs for you, enabling you to remain one step removed
from the sites you access.
You can see some of the data that web sites can track
about you at the following addresses:
Privacy.net, CyberArmy.com and here is the result about my connection produced by
the Privacy.net site. Here you can find a
technical description about how these datas were retrieved.
Most anonymization sites create a URL by appending
the name of the site you wish to access to their URL, as in the following
example: http://anon.free.anonymizer.com/http://www.amazon.com/.
Once you anonymize an access with an anonymizer prefix, every subsequent
link you select is also automatically accessed indirectly and anonymously.
Most anonymizers can anonymize at least the web (http:), file transfer protocol
(ftp:), and gopher (gopher:) Internet services.
Anonymization will add up of course some delay in accessing
the destination site, depending on your Internet service and time of day.
Some anonymizers keep a local cache of several hundred megabytes of commonly
accessed sites, so that you can sometimes get a faster access to a site through
the anonymizer than through direct access.
Chaining of anonymization links is not recommended,
since it simply multiplies your risk to confidentiality by the number of
nodes in the chain. Note that most anonymizers only mask your identity from
the destination sites - your surfing can still be intercepted on the way from
your computer to the intermediate anonymizer site, for example by your internet
service provider. Some anonymizers provide an extra service that encrypts
your communications to the anonymizer site as well, rendering your surfing
completely confidential.
How to use web-anonymizers?
Summary: you can anonymize sites one by one, or specify
an anonymizer as your start page or proxy server.
To visit a page anonymously, visit your preferred anonymizer site, and
then enter the site you want to visit in the
anonymization field. If you set your web browser starting page to an anonymizer,
then you can be sure that every subsequent web access you make will be anonymized.
You can anonymize bookmarks, by prefixing their URL's
with the anonymization site address. You can visit an anonymized page, and
add it to your bookmarks just like any other page. You can anonymously provide
password and other information to sites that request it, if you choose, without
revealing any other information such as your IP address. You can configure
an anonymizer as your permanent proxy server by making the site name the
setting for the HTTP, FTP, Gopher, and other proxy options in your applications
configuration menu. Here you can find a small description
about how to set up your browser to use an anonymizer.
Note that proxy servers set up in corporate and institutional
networks are usually focused on recording of access logs, and protection
from viruses and malicious code, and may not provide identity confidentiality.
Disadvantages/limitations of web-anonymizers
- HTTPS. Secure protocols like "https:" cannot be properly anonymized,
since your browser needs to access the site directly to properly maintain
the secure encryption.
- Plugins. If you access a site invokes a third-party plugin, then
you can't be assured that these programs won't establish independent direct
connections from your computer to a remote site. Widely used, standard programs
can usually be trusted.
- Logs. All anonymizer sites claim that they don't keep a log of your
requests. Some sites, such as the Anonymizer, keep a log of the addresses
accessed, but don't keep a log of the connection between accessed addresses
and users logged in.
- Java. Any Java applications that you access through an anonymizer
will not be able to bypass the Java security wall and access your name,
email address, or file system. Some services such as the Anonymizer state
that Java security is not compromised "if you use the URL-based anonymizer",
but that it might be "if you use the anonymizer as a regular proxy".
- Active X. Presumably safe, authorized Active X applications are
certified with a certificate number. Active-X applications have almost unlimited
access to your computer system. They can access and reveal your name and
email address, and they can access your file system to perform file creations,
reads, and deletions. Your protection with Active-X is traceability -- if
a program maliciously causes damage to your system you can track the author
down through the certificate registration system.
- JavaScript. Under most systems, the JavaScript scripting language
should be secure, and not reveal data or perform destructive acts to your
computer system. Some services such as the Anonymizer state that there may
be a security problem "if you use the URL-based anonymizer, so the URL-based
anonymizer disables all JavaScript", and that "If you use the anonymizer
as a regular proxy, then JavaScript is safe and is left enabled."
Here is a list of sites that provide anonymizer
services.
Remailers
Summary: Remailers let you send and receive email while
keeping your real email address secret.
Remailers are sites that retransmit your email with
an anonymous return address. While encryption provides protection from reading
your communications, remailing also protects knowledge of your email's destination.
The first widely used remailer was hosted by Johan Helsingius's in Helsinki,
Finland. He eventually closed it down when a court case brought by the Church
of Scientology forced him to reveal the real email address of a user that
had posted information about the Church.
The two most currently popular type of remailers are described below:
- Cypherpunk. Also called Type I remailers, and usually incorporate
PGP encryption. You can chain Cypherpunk remailers, but each extra node
in the chain increases the opportunities for communication interception.
- Mixmaster. Also called Type II remailers, originally designed by
Lance Cottrell, who also developed Anonymizer.com. Mixmaster remailers are
good for chaining to further obscure any connection between the email's source
and destination. These remailers divide all messages into fixed size packets,
so that all communications between remailers look the same, greatly complicating
any attempts at traffic analysis.
Most remailers also vary the retention time before remailing to help protect
against time-based analyses.
What is a remailer?
A remailer is a computer service which privatizes your
email. High-quality remailers are in sharp contrast to the average Internet
Service Provider [ISP] which is terribly anti-private. In many cases, ISP
could accurately stand for "Internet Surveillance Project". Almost every
ISP can monitor, store, and share your web wanderings and email with many
"authorized persons" without your knowledge. In many countries ISPs are
monitored constantly by government agencies.
The way a remailer works
Let's take an elementary, imaginary example. Suppose
that a battered woman, Susan, wants to post a message crying out for help.
How can Susan post her message and receive responses confidentially? She
might use a "PSEUDO anonymous" remailer run by e.g. André Bacard called
the "SecretBacard.com" remailer. (This remailer is fictitious!) If she
wrote to him, his "SecretBacard.com" computer would STRIP AWAY Susan's real
name and address (the header at the top of Susan's email), replace this
data with a dummy address (for example, <anon123@SecretBacard.com>
and forward Susan's message to the newsgroup or person of Susan's choice.
Also, his computer would automatically notify Susan that her message had
been forwarded under her new identity <anon123@SecretBacard.com>.
Suppose that Debbie responds to Susan. André's computer will STRIP
AWAY Debbie's real name and address, give Debbie a new identity, and forward
the message to Susan. This process protects everyone's privacy. This process
is tedious for a person but easy for a computer.
Are there many remailers?
Yes, there are dozens of popular remailers. Historically,
remailers have tended to come and go. First, they require equipment and
labor to set up and maintain. Second, a minority of individuals who use
remailers are a pain in the neck. These selfish persons drive remailer operators
into early retirement. Third, many remailer owners get sick of losing money.
I hope we are entering an era of financially profitable remailers. This
profitability will permit better reliability and stability.
The difference between a "PSEUDO anonymous" and an "anonymous" remailer
Most people use the expression "anonymous remailer" as
short hand for both types of remailers. This causes confusion. A "PSEUDO
anonymous" remailer is basically an account that you open with a remailer
operator. The fictitious SecretBacard.com (described above) is a Pseudo anonymous
remailer. This means that I, the operator, and my assistants KNOW your real
email address. Your privacy is as good as the remailer operator's power
and integrity to protect your records. In practice, what does this mean?
Someone might get a court order to force a PSEUDO anonymous remailer operator
to reveal your true identity. The Finnish police forced Julf Helsingius to
reveal at least one person's true identity. The advantage of most Pseudo
anonymous remailers is that they are user-friendly. If you can send email,
you can probably understand PSEUDO anonymous remailers. The price you pay
for ease of use is less security.
Truly ANONYMOUS remailers are a different animal. They
provide much more privacy than PSEUDO anonymous remailers. However, in general,
they are much harder to use than their PSEUDO anonymous cousins.
There are basically two types of ANONYMOUS remailers.
They are called "Cypherpunk remailers" and Lance Cottrell's "Mixmaster remailers".
Note that I refer to remailers in the plural. If you want maximum privacy,
you should send your message through two or more remailers. If done properly,
you can insure that NOBODY (no remailer operator or any snoop) can read
both your real name and your message. This is the real meaning of ANONYMOUS.
In practice, nobody can force an ANONYMOUS remailer operator to reveal your
identity, because the operator has NO CLUE who you are!
New trends in remailers
A few years ago, Microsoft (with its hotmail.com), Yahoo!,
and many other companies began offering free-of-charge, web-based email accounts.
You could call these "remailers" (in the broad sense of the word). These
email accounts can provide a measure of privacy, if you sign up for them
using an alias ("nom d'Internet"), pick good passcodes, and access your
account(s) carefully. These (non-encrypted) services are designed for convenience,
not privacy or security. Hackers made worldwide headlines when they broke
into one of these systems and stole user's passwords.
How safe are remailers?
For most low-security tasks, such as responding to personal
ads, PSEUDO anonymous remailers with passcode protection are undoubtedly
safer than using real email addresses. However, all the best made plans of
mice and men have weaknesses. Suppose, for example, that you are a government
employee, who just discovered that your boss is taking bribes. Is it safe
to use a PSEUDO anonymous remailer to send evidence to a government whistle-blower's
email hot line? Here are a few points to ponder:
- The person who runs your email system might intercept your secret
messages to and from the remailer. This gives him proof that YOU are reporting
your corrupt boss. This evidence could put you in danger.
- Maybe the remailer is a government sting operation or a criminal
enterprise designed to entrap people. The person who runs this service might
be your corrupt boss' golfing buddy.
- Hackers can do magic with computers. It's possible that civilian
or Big Brother hackers have broken into the remailer (unbeknownst to the
remailer's administrator), and that they can read your messages at will.
- It is possible that Big Brother collects, scans, and stores all messages,
including passcodes, into and out of the remailer.
- If you use a United States based remailer, a U.S. judge could subpoena
the remailer's records. Ditto if you are in France, etc.
- For these reasons, hard-core privacy people are leery of PSEUDO anonymous
remailers. These people use Cypherpunk or Mixmaster programs that route their
messages through several ANONYMOUS remailers. In addition, they use PGP
encryption software for all messages.