Anonymous quick reference guide. Types of encryption and traffic protection, choice of software.
It doesn't matter what reasons you choose to encrypt what you send over the Internet. This may be a concern for the secrecy of personal data, an attempt to circumvent the prohibitions of a particular state, or other motives. In the modern world, ordinary people have a good choice of cryptographic protocols and programs that implement them. In this article, we will go through all classes of such solutions (even if many of them are widely known), discuss reliability, and see what implementations are available.
Proxy servers
Proxy servers are the most affordable way to anonymize traffic: they are cheap and widely available. Their principle of operation is very simple: a proxy is a postman who delivers your envelopes on your behalf, carefully erasing the sender's name, and then hands the reply back to you personally.
Initially, this technology was designed to protect internal corporate networks from the rest of the Internet (employees got access from the internal network to the Internet through a gateway), but it was historically the first way to anonymize traffic.
How the proxy server works.
Working through a proxy, the computer redirects all its requests through an intermediary (proxy server), and the intermediary, posing as your computer, requests data from sites. Proxy servers are highly specialized, so each type of Internet connection has its own proxy type. For example, there is an FTP proxy for FTP (File Transfer Protocol). We will analyze three types of proxy servers in detail.
HTTP and HTTPS proxies can only handle HTTP requests, and the only difference between them is that an HTTPS proxy carries the data encrypted, while an HTTP proxy does not. For this reason, HTTP proxies are not recommended: they can only change your IP address and cannot protect your data. Also be careful when choosing the proxy server itself, as some of them will not only fail to protect your data but may also reveal your identity.
INFO
Pay attention to the server type: a transparent proxy or an anonymous proxy. The first kind will not hide your identity!
Using such a proxy is not difficult: find a server on the Internet that you can trust, or set up your own, then open the browser settings (network access) and enter the server's address and port.
The SOCKS type is used by applications that either do not use HTTP and HTTPS or have no built-in proxy support. Unlike the previous type, this one does not reveal your IP address a priori, so you do not have to worry about that. However, SOCKS itself does not provide any encryption; it is just a transport protocol. To add encryption on top of it there is, for example, the Shadowsocks utility.
SOCKS4 and SOCKS5 are different versions of the protocol. I strongly recommend using the fifth version, as it has more features and is more secure: for example, it supports authentication with a username and password, and it can resolve DNS names on the proxy side. Better still is Shadowsocks, which is SOCKS5 on steroids: it adds strong encryption, traffic obfuscation, and the ability to bypass various blocks. There are clients for both computers and smartphones, so you can stay protected all the time.
To start using SOCKS in your usual programs, you do not need anything special. In Firefox and uTorrent this feature is built in and available in the settings; for Google Chrome there is the Proxy Helper extension. You can also use universal programs such as SocksCap or ProxyCap.
A list of many free HTTP, HTTPS, and SOCKS proxy servers can be found either by searching or on Wikipedia.
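To make the SOCKS5 features mentioned above concrete (method negotiation, optional username/password authentication, and letting the proxy resolve hostnames so the client never sends its own DNS query), here is an added example of the client side of the protocol as specified in RFC 1928 and RFC 1929. It is not code from the article or from any of the tools it names; the `socks5_connect` helper, the constant names and the sample addresses are this example's own.

```python
"""Minimal SOCKS5 client-side message builders/parsers (RFC 1928, RFC 1929).
Added example; not code from the article or from any tool it mentions."""
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_USERPASS = 0x02
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Reply codes from RFC 1928 section 6.
REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def build_greeting(methods=(METHOD_NO_AUTH, METHOD_USERPASS)) -> bytes:
    """Client greeting: VER | NMETHODS | METHODS. Offers no-auth and user/password."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def parse_method_selection(data: bytes) -> int:
    """Server's chosen method: VER | METHOD. 0xFF means it accepted none of ours."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 method selection")
    if data[1] == METHOD_NONE_ACCEPTABLE:
        raise ConnectionError("proxy accepted none of the offered auth methods")
    return data[1]


def build_userpass_auth(username: str, password: str) -> bytes:
    """RFC 1929 sub-negotiation: VER=1 | ULEN | UNAME | PLEN | PASSWD (sent in clear)."""
    u, p = username.encode(), password.encode()
    if len(u) > 255 or len(p) > 255:
        raise ValueError("username and password are limited to 255 bytes each")
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT.

    A hostname is sent as ATYP=DOMAINNAME, so the proxy resolves it: the client
    never issues a local DNS query that would reveal the destination.
    """
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:
        try:
            addr = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            name = host.encode("idna")
            if len(name) > 255:
                raise ValueError("hostname too long for SOCKS5")
            addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data: bytes):
    """Server reply: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT -> (rep, addr, port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, end = socket.inet_ntop(socket.AF_INET, data[4:8]), 8
    elif atyp == ATYP_IPV6:
        addr, end = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, end = data[5:5 + n].decode("idna"), 5 + n
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return rep, addr, port


def socks5_connect(proxy, target, credentials=None, timeout=10.0) -> socket.socket:
    """Run the full exchange against a live proxy and return the connected socket.
    proxy/target are (host, port) tuples; credentials is (user, password) or None.
    (Hypothetical helper name; it only exercises the builders/parsers above.)"""
    s = socket.create_connection(proxy, timeout=timeout)
    s.sendall(build_greeting())
    method = parse_method_selection(s.recv(2))
    if method == METHOD_USERPASS:
        if credentials is None:
            raise ConnectionError("proxy requires a username and password")
        s.sendall(build_userpass_auth(*credentials))
        _ver, status = s.recv(2)
        if status != 0x00:
            raise ConnectionError("proxy rejected the credentials")
    s.sendall(build_connect_request(*target))
    rep, _bound_addr, _bound_port = parse_reply(s.recv(262))  # 262 = largest possible reply
    if rep != 0x00:
        raise ConnectionError(REPLY_TEXT.get(rep, f"reply code {rep:#x}"))
    return s
```

The detail worth noticing is in `build_connect_request`: passing `"example.com"` produces an ATYP=0x03 request carrying the name itself, which is exactly what lets a SOCKS5 proxy (and Shadowsocks, which speaks the same address format) do the DNS lookup for you. An application that resolves the name first and then sends an ATYP=0x01 request still works, but it has already leaked the destination to the local resolver.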
VPN
VPN (Virtual Private Network) was also not originally conceived as a means of protecting and anonymizing traffic. Its goal was to join computers into a single network even when they are many kilometres apart. The key feature was that VPN connections were always protected by encryption, since they were used in corporations to connect several branches to the head office.
A VPN has two modes: connecting two local networks to each other via the Internet, and connecting a single computer to a remote local network (remote access). The latter served as the basis for the non-commercial, personal variant. Data protection in a VPN connection is provided by two techniques that are often used together:
- PPP (Point-to-Point Protocol) provides protection at the data link layer, i.e. at the lowest possible level. Its task is to provide a stable connection between two points on the Internet, as well as encryption and authentication.
- PPTP (Point-to-Point Tunneling Protocol) is an extension of PPP. For this protocol to work, two connections are established: the main (data) connection and a control connection.
Because this protocol dates back to 1999, its security leaves much to be desired. None of the encryption methods that work with PPTP is secure, and some of them can be broken even in fully automated mode. That is why I do not recommend using PPTP: the protocol has serious vulnerabilities in both authentication and encryption and allows an attacker to quickly open the channel and gain access to the data.
A newer way to create a connection is another protocol built on top of PPP, L2TP (Layer 2 Tunneling Protocol). The purpose of this protocol is not so much to protect the connection as to fully regulate how computers communicate on the network. Besides creating VPN connections, it is also used, for example, to connect ATMs to bank offices, which serves as a certain guarantee of its maturity. Bear in mind, though, that L2TP has no encryption of its own.
L2TP does not protect the data transmitted inside it. For that purpose the IPsec (IP Security) protocol is usually used. It is designed to protect the contents of IP packets and can therefore encrypt any type of connection. Of its two possible modes, a VPN uses only tunnel mode, which protects not only the payload of the transmitted packet but also its headers. This means that the sender of the data is not visible from outside.
IKE and IKEv2 (Internet Key Exchange) negotiate the strong encryption that protects data transmitted over the channel. They are used exclusively with IPsec, as its protective layer: it is thanks to IKE that data in the connection stays under lock and key. In general, these algorithms served as the basis for all modern tools and utilities for creating VPN connections, but it is time to talk about what to choose from.
With the spread of SSL and TLS, the PPP protocol was extended into SSTP (Secure Socket Tunneling Protocol), which in this form works not over an open connection but over SSL. This provides strong encryption and protection against packet loss. Keep in mind, however, that SSTP was developed by Microsoft, and Microsoft cooperates with governments, so trust SSTP only with that in mind.
OpenVPN is the most popular solution for creating a secure connection. The protocol is open and provides the strongest protection, so you can trust it. Setting up a connection is unlikely to take more than a couple of minutes.
SoftEther is a multi-protocol client and server that works with all the protocols described above, including OpenVPN, as well as with its own protocol, which is no less secure than OpenVPN.
Comparison of VPN protocols.
Tor
Tor (The Onion Router) is one of the best tools for ensuring anonymity on the Web. Its scheme of operation provides three-fold data protection and anonymization of traffic.
As the name itself suggests, Tor uses so-called onion routing: your data is the core of the onion, and its protection is the layers around it. Each intermediate Tor server removes its own layer of protection, and only the third and last of them takes out the core and sends the request to the Internet.
How your computer works on the Tor network.
The whole system is supported by thousands of enthusiasts around the world who fight for human rights and privacy. Thanks to this, a separate chain of intermediate Tor servers is built for each site, which provides complete protection: each site sees a new identity.
A big plus of Tor is the stability of its operation and its great concern for anonymity: thanks to the diligence of many specialists, it works even in China, a country widely known for its strict approach to blocking and its punishments for circumventing it.
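The onion picture above is easiest to understand by watching which relay learns what. The following is an added illustration, not Tor's actual protocol or code from the Tor Project: a client wraps a request in three layers, one per relay, and each relay can peel exactly one. The relay names, the toy HMAC-based stream cipher (standing in for the AES-CTR layers a real Tor circuit uses) and the sample request are all constructed for the example.

```python
"""Toy onion routing: a client wraps a request in three layers of encryption,
and each relay can peel exactly one. Added illustration, not Tor's protocol."""
import hashlib
import hmac
import os

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256(key, nonce || counter) blocks XORed over data.
    Real Tor relays use AES-CTR with keys from the circuit handshake; this stands in."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, stream))


def encrypt_layer(key: bytes, plaintext: bytes) -> bytes:
    """Add one layer: fresh random nonce || keystream-XORed plaintext."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def peel_layer(key: bytes, cell: bytes):
    """Remove one layer; the layer's plaintext is '<next hop>\\n<opaque rest>'."""
    plaintext = keystream_xor(key, cell[:NONCE_LEN], cell[NONCE_LEN:])
    next_hop, _, rest = plaintext.partition(b"\n")
    return next_hop, rest


def new_circuit(names=(b"guard", b"middle", b"exit")):
    """The client shares a distinct key with each relay (here: random keys, constructed)."""
    return [(name, os.urandom(32)) for name in names]


def build_onion(circuit, destination: bytes, payload: bytes) -> bytes:
    """Wrap the request from the inside out: the innermost layer (for the exit)
    names the real destination; every outer layer names only the next relay."""
    next_hops = [name for name, _ in circuit][1:] + [destination]
    cell = payload
    for (_name, key), hop in zip(reversed(circuit), reversed(next_hops)):
        cell = encrypt_layer(key, hop + b"\n" + cell)
    return cell


def run_circuit(circuit, cell: bytes):
    """Pass the onion through each relay in turn and record what each one learned.
    Returns a list of (relay name, next hop it saw, bytes it forwarded)."""
    observations = []
    for name, key in circuit:
        next_hop, cell = peel_layer(key, cell)
        observations.append((name, next_hop, cell))
    return observations


if __name__ == "__main__":
    circuit = new_circuit()
    request = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"   # constructed sample
    onion = build_onion(circuit, b"example.org:80", request)
    for relay, hop, forwarded in run_circuit(circuit, onion):
        state = "plaintext request" if forwarded == request else "opaque blob"
        print(f"{relay.decode():6s} forwards to {hop.decode():15s} ({state})")
```

Running it shows the property the article is describing: the guard sees the client's address and the word "middle", the middle relay sees only "guard" and "exit", and only the exit sees the destination and the request. No single relay sees both who is asking and what is being asked. The toy cipher has no integrity protection, which a real circuit does have; that omission keeps the example short, not realistic.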
To make life easier for users, the developers created Tor Browser, based on Firefox, and improved it with add-ons that stop sites from tracking you. For example, HTTPS Everywhere forces websites to use encryption, and NoScript disables the execution of scripts on the page, effectively preventing the collection of any user data. You can download Tor, as well as the browser that comes with it, from the official website of the Tor Project.
DPI
Unfortunately, all these tools may be useless if your provider has started blocking with the help of DPI (Deep Packet Inspection), a system for deep analysis of network traffic. The purpose of DPI is to discard anything that does not look like an ordinary person working on a regular computer, that is, to block any suspicious activity. All methods of anonymizing traffic are suspicious a priori, so the programs often crash or refuse to work at all.
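To see what "looks like an ordinary person on a regular computer" means to a DPI system, it helps to parse the one thing every HTTPS connection sends in the clear: the TLS ClientHello with its Server Name Indication (SNI). The following added example, not code from the article or from any DPI product, builds a minimal ClientHello as constructed input and then extracts the SNI the way an inspection box (or your own IDS) would; the `classify` verdict strings and the sample hostnames are this example's own.

```python
"""What a DPI box sees in the first packet of an HTTPS connection: the TLS
ClientHello and its plaintext Server Name Indication (SNI). Added example."""
import struct

TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal, well-formed TLS 1.2 ClientHello carrying an SNI extension
    (constructed sample input: zero random, one cipher suite, no other extensions)."""
    name = hostname.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type=host_name
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    body = (b"\x03\x03" + bytes(32)                    # client_version, random
            + b"\x00"                                  # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
            + b"\x01\x00"                              # compression: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI hostname from a ClientHello record, or None if this is not a
    ClientHello or it carries no SNI. Every length is bounds-checked: DPI parsers
    run on untrusted bytes, and a truncated record must not raise."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                       # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # compression_methods
    if len(body) < pos + 2:
        return None                                    # no extensions block at all
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != EXT_SERVER_NAME or len(edata) < 5:
            continue
        q, list_end = 2, min(2 + struct.unpack("!H", edata[:2])[0], len(edata))
        while q + 3 <= list_end:
            ntype, nlen = edata[q], struct.unpack("!H", edata[q + 1:q + 3])[0]
            q += 3
            if ntype == 0 and q + nlen <= list_end:
                return edata[q:q + nlen].decode("ascii", errors="replace")
            q += nlen
    return None


def classify(payload: bytes) -> str:
    """Coarse DPI-style verdict on the first client bytes of a flow."""
    sni = extract_sni(payload)
    if sni is not None:
        return f"tls-clienthello sni={sni}"
    if payload[:1] == bytes([TLS_HANDSHAKE]):
        return "tls-handshake no-sni"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"CONNECT"):
        return "http-plaintext"
    return "unknown"
```

Two things follow from this for the tools discussed later in the article. A tunnel that is wrapped in TLS shows up here as an ordinary ClientHello, which is why it blends in with browser traffic; and the hostname in the SNI is still visible, so what you connect to is hidden only if the outer TLS endpoint is unremarkable. Anything that fails this parse, or sends bytes that match no known protocol at all, is the "unknown" bucket that DPI policies tend to treat as suspicious.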
But this can also be fought. There are add-ons for almost every tool described above that help the communication channel slip past the vigilant eye of DPI analyzers. For example, Shadowsocks has built-in DPI protection and pretends to be making an ordinary connection to a remote server.
OpenVPN by itself is easily recognisable, but stunnel also lets you bypass packet analysis. Stunnel disguises the VPN channel as an SSL connection, which looks harmless: it could just as well be an ordinary browser accessing a site over HTTPS. This makes such a tunnel hard to block; a provider that overdoes it would block everything altogether.
tls-crypt, a mode introduced in OpenVPN 2.4 that encrypts the VPN traffic, also helps bypass DPI.
The creators of Tor Browser work specifically on bypassing DPI analysis tools. When connecting to the Tor network, you can use a pluggable transport, a layer that provides an unobstructed connection to the first server of the secure network. This transport can either be selected from a list (these are public servers), or you can get a personal one on the official Tor Bridges website.
obfs4 performs best of all: it is an obfuscator that scrambles the transmitted data so that it cannot be recognised on the network. DPI usually lets such packets through because it cannot guess what is inside.
There are also several programs that try to fool packet analysis in one way or another, for example by splitting packets into small parts or changing the headers. These include GoodbyeDPI and Green Tunnel, which has a simple graphical interface. They hide neither your IP address nor your data, but they do bypass blocking.
The Streisand project can be considered the radical solution; its Russian description is available on GitHub. It is a lifesaver in the world of data security: in just a few minutes the utility deploys and configures several data protection services on a remote server at once and provides detailed instructions for them.
Summary
Many technologies at various levels have been invented to preserve our security and anonymity on the Internet. Some of them are time-tested, while others help against the latest methods of censorship. Thanks to them we can still remain invisible; we just need to remember to use the opportunity.
xakep.ru