Hacker
Professional
The content of the article
- Proxies
- VPN
- Tor
- DPI
- Summary
Proxy servers
Proxies are the most affordable way to anonymize traffic: they are cheap and widespread. Their principle of operation is very simple: a proxy is a postman who delivers envelopes with letters instead of you, carefully erasing the sender's name, and returns the answer to you personally.
Initially, this technology was designed to protect internal corporate networks from the rest of the Internet (employees received access from the internal network to the Internet through a gateway), but has historically become the first way to anonymize traffic.
Working through a proxy, the computer redirects all its requests through an intermediary (proxy server), and the intermediary, posing as your computer, requests data from sites. Proxies are highly specialized, so each type of Internet connection has its own type of proxy. For example, for FTP (File Transfer Protocol) there is an FTP proxy. We will analyze in detail three types of proxy servers.
HTTP and HTTPS proxies can only work with HTTP requests; the difference between them is that HTTPS encrypts the transmitted data and HTTP does not. HTTP proxies are therefore not recommended: they can only change the IP address and are unable to protect the data. Also be careful with the choice of the proxy server itself, as some not only will not protect your data, but may also reveal your identity.
INFO
Pay attention to the type of server: transparent proxy or anonymous proxy. The first kind will not hide your identity!
It is not difficult to use such a proxy: find it on the Internet or create a server that you can trust, and, opening the browser settings (network access), enter the data.
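One way to tell the two kinds apart is to send a request through the proxy to a server you control and inspect the headers that arrive. The following Python sketch is an added example, not part of the original article; the header list, the sample data and the third label `high-anonymity` (no proxy headers at all) are assumptions of the example.

```python
import ipaddress
import re

# Headers a forwarding proxy may add; this list is an assumption of the example.
FORWARDING_HEADERS = ("x-forwarded-for", "forwarded", "x-real-ip", "client-ip", "via")
_IP_CANDIDATE = re.compile(r"[0-9A-Fa-f:.]{3,}")


def addresses_in(value):
    """Return the set of IPv4/IPv6 addresses embedded in one header value."""
    found = set()
    for token in _IP_CANDIDATE.findall(value):
        candidates = [token]
        if token.count(":") == 1:  # IPv4 with a port, e.g. 198.51.100.23:8080
            candidates.append(token.split(":")[0])
        for cand in candidates:
            try:
                found.add(ipaddress.ip_address(cand))
                break
            except ValueError:
                continue
    return found


def classify_proxy(origin_headers, real_ip):
    """Classify a proxy from the headers a server you control received through it."""
    real = ipaddress.ip_address(real_ip)
    headers = {k.lower(): v for k, v in origin_headers.items()}
    added = {h: headers[h] for h in FORWARDING_HEADERS if h in headers}
    leaking = sorted(h for h, v in added.items() if real in addresses_in(v))
    if leaking:
        return "transparent", leaking      # your address reached the site
    if added:
        return "anonymous", sorted(added)  # proxy use is visible, address is not
    return "high-anonymity", []            # no proxy headers at all


# Constructed sample: headers an echo server received for the same client
# (real address 198.51.100.23) through three different proxies.
REAL_IP = "198.51.100.23"
SAMPLES = {
    "proxy-a": {"Host": "echo.example", "Via": "1.1 cache01",
                "X-Forwarded-For": "198.51.100.23, 10.0.0.5"},
    "proxy-b": {"Host": "echo.example", "Via": "1.1 cache02",
                "X-Forwarded-For": "unknown"},
    "proxy-c": {"Host": "echo.example", "User-Agent": "curl/8.5.0"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, classify_proxy(hdrs, REAL_IP))
```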
The SOCKS type is used in applications that either do not use HTTP and HTTPS, or do not have built-in support for proxy servers. Unlike the previous type, this one will not publish your IP a priori, so you don't have to worry about anonymity. However, SOCKS itself does not provide any encryption; it is just a transport protocol. To use it, there is, for example, the Shadowsocks utility.
SOCKS4 and SOCKS5 are different server versions. I strongly recommend using the fifth version, as it has many features and is more secure. For example, it supports username and password authentication and DNS queries. Better still, use Shadowsocks - it's SOCKS5 on steroids. There is powerful encryption, traffic hiding, and the ability to bypass various blocks. There are clients for both a computer and a smartphone, allowing you to stay protected at all times.
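The DNS difference between the versions is visible in the request bytes: SOCKS4 carries only an IPv4 address, so any name lookup happens on the client, while SOCKS5 can carry the hostname for the proxy to resolve. This parser is an added example, not from the original article; it also covers the SOCKS4a extension, which the article does not mention, and all sample bytes are constructed.

```python
import ipaddress
import struct

AUTH_METHODS = {0x00: "no-auth", 0x01: "gssapi", 0x02: "username/password"}


def parse_socks5_greeting(data):
    """SOCKS5 opens with VER, NMETHODS, METHODS: the auth methods the client offers."""
    if len(data) < 2 or data[0] != 5 or len(data) < 2 + data[1]:
        raise ValueError("not a complete SOCKS5 greeting")
    return [AUTH_METHODS.get(m, f"0x{m:02x}") for m in data[2:2 + data[1]]]


def parse_socks_request(data):
    """Parse a SOCKS4/4a/5 request and report which side resolves the name."""
    if len(data) < 8:
        raise ValueError("truncated request")
    if data[0] == 4:
        # VN, CD, DSTPORT(2), DSTIP(4), USERID, NUL [, HOSTNAME, NUL for 4a]
        port = struct.unpack("!H", data[2:4])[0]
        ip, rest = data[4:8], data[8:]
        _userid, _, tail = rest.partition(b"\x00")
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:  # 0.0.0.x marks SOCKS4a
            host = tail.split(b"\x00", 1)[0].decode("ascii")
            return {"version": "4a", "host": host, "port": port, "resolved_by": "proxy"}
        host = str(ipaddress.IPv4Address(ip))
        # An IP literal means any DNS lookup already happened on the client.
        return {"version": "4", "host": host, "port": port, "resolved_by": "client"}
    if data[0] == 5:
        # VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT(2)
        atyp = data[3]
        if atyp == 0x01:
            host, end, who = str(ipaddress.IPv4Address(data[4:8])), 8, "client"
        elif atyp == 0x03:  # length-prefixed domain name
            n = data[4]
            host, end, who = data[5:5 + n].decode("ascii"), 5 + n, "proxy"
        elif atyp == 0x04:
            host, end, who = str(ipaddress.IPv6Address(data[4:20])), 20, "client"
        else:
            raise ValueError("unknown address type")
        if len(data) < end + 2:
            raise ValueError("truncated request")
        port = struct.unpack("!H", data[end:end + 2])[0]
        return {"version": "5", "host": host, "port": port, "resolved_by": who}
    raise ValueError("unknown SOCKS version")


# Constructed sample messages (CONNECT requests and one SOCKS5 greeting).
NAME = b"example.org"
SOCKS4_REQ = b"\x04\x01" + struct.pack("!H", 80) + bytes([192, 0, 2, 10]) + b"user\x00"
SOCKS4A_REQ = b"\x04\x01" + struct.pack("!H", 443) + b"\x00\x00\x00\x01" + b"\x00" + NAME + b"\x00"
SOCKS5_REQ = b"\x05\x01\x00\x03" + bytes([len(NAME)]) + NAME + struct.pack("!H", 443)
SOCKS5_GREETING = b"\x05\x02\x00\x02"

if __name__ == "__main__":
    for msg in (SOCKS4_REQ, SOCKS4A_REQ, SOCKS5_REQ):
        print(parse_socks_request(msg))
    print(parse_socks5_greeting(SOCKS5_GREETING))
```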
You don't need anything special to start using SOCKS in your familiar programs. Firefox and µTorrent have this feature built in and available in preferences. There is a Proxy Helper extension for Google Chrome. You can use universal programs like SocksCap or ProxyCap.
A list of the many free HTTP, HTTPS and SOCKS proxies can be found either through a search or on Wikipedia.
VPN
VPN (Virtual Private Network) was also not originally conceived as a means of protecting and anonymizing traffic. Its task was to unite computers into a single network, even if they are many kilometers from each other. A key feature was that VPN connections were always protected by encryption, as they were used in corporations and allowed multiple branches to be connected to the head office.
VPN has two modes: combining two local networks with each other via the Internet and connecting a separate computer to a remote local network (remote access). The latter served as the basis for a non-commercial, personal version. VPN connection security is provided by two techniques that are often used together:
- PPP (Point-to-Point Protocol) is used for protection at the data link layer, that is, at the lowest possible level. Its task is to provide a stable connection between two points on the Internet, as well as provide encryption and authentication.
- PPTP (Point-to-Point Tunneling Protocol) is an extension and addition to PPP. For the operation of this protocol, two connections are established - the main one and the control one.
Due to the fact that this protocol was invented back in 1999, its security leaves much to be desired. None of the encryption methods that work with PPTP are robust. Some of them are subject to decryption even in automatic mode. Therefore, I do not recommend using PPTP. This protocol has serious vulnerabilities in both authentication and encryption and allows an attacker to very quickly open a channel and gain access to data.
A newer way to create a connection is another protocol built on top of PPP, L2TP (Layer 2 Tunneling Protocol). The purpose of this protocol is not so much to protect the connection as to completely regulate the process of communicating computers on the network. This protocol, in addition to creating VPN connections, is also used, for example, to connect ATMs to bank offices, which serves as some kind of guarantee. It is worth keeping in mind, though, that L2TP does not have its own encryption.
L2TP does not protect the data itself. This is usually done using the IPsec protocol (IP security). It is designed to protect the contents of IP packets and, thanks to this, can encrypt any kind of connection. For VPN, of the two possible modes, only tunneling is used, which protects not only the data of the transmitted packet in the network, but also its headers. Thanks to this, it will not be visible from the outside who the sender of the data is.
IKE and IKEv2 (Internet Key Exchange) are strong algorithms for encryption and protection of data transmitted over the information channel. IKE is used exclusively with IPsec, since it is its protective layer: it is thanks to IKE that the data in the connection remains under lock and key. In general, these algorithms served as the basis for the development of all modern tools and utilities for creating VPN connections, but it is time to talk about what there is to choose from.
With the spread of SSL and TLS, the PPP protocol was extended to SSTP (Secure Socket Tunneling Protocol) and in this form it works not over an open connection, but over SSL. This ensures strong encryption and protection against packet loss. But it should be borne in mind that SSTP was developed by Microsoft, and Microsoft cooperates with governments, so you can only trust SSTP with this in mind.
OpenVPN is the most popular solution for creating secure connections. This protocol is open and provides the strongest protection so you can trust it. Setting up a connection is unlikely to take more than a couple of minutes.
SoftEther is a multi-client for working both with the protocols described above, including OpenVPN, and with its own, no less secure than OpenVPN.
The table below provides a short summary of these solutions.
Tor
Tor (The Onion Router) is one of the best tools for providing anonymity on the Web. The scheme of work implies threefold data protection and traffic anonymization.
As the name suggests, Tor uses what is called onion routing: your data is the core of the onion, and its protection is the layers around it. So, each of the intermediate Tor servers removes its own layer of protection, and only the third, the last of them, takes out the core and sends a request to the Internet.
The entire system is powered by thousands of human rights and privacy enthusiasts around the world. Thanks to this, for each individual site, its own chain of Tor intermediate servers is built, which gives complete protection: each site is a new personality.
A big plus of Tor is stability and great concern for anonymity: thanks to the diligence of many specialists, it works even in China, a country widely known for its strictest approach to blocking and punishments for bypassing them.
To make life easier for users, the developers created the Tor Browser based on Firefox, and improved it with add-ons that prevent sites from following you. For example, HTTPS Everywhere forces websites to use encryption, and NoScript disables execution of scripts on the page, effectively preventing any user data from being collected.
You can download Tor, like the browser that comes with it, on the official website of the Tor Project.
DPI
Unfortunately, all these tools can be useless if your provider has started blocking using DPI (Deep Packet Inspection) - a system for deep analysis of network traffic. The purpose of DPI is to discard everything that does not look like the work of an ordinary person at a regular computer, that is, to block any suspicious activity. And all methods of anonymizing traffic are a priori suspicious, so programs often fail or, in principle, refuse to work.
But even this can be fought. For almost each of the described options to protect the communication channel, there are add-ons that help bypass the sharp eye of DPI analyzers. For example, Shadowsocks has DPI protection built in and pretends to make a normal connection to a remote server.
OpenVPN itself is easily distinguishable, but stunnel also allows you to bypass packet sniffing. Stunnel disguises the VPN channel as an SSL connection, which is seemingly harmless: it could be a simple browser that accesses a site over HTTPS. This makes it difficult to block such a tunnel: overdo the blocking, and you block everything.
INFO
Read more about setting up OpenVPN and stunnel in the article "Your secret tunnel. A detailed guide on configuring OpenVPN and stunnel to create a secure channel".
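Why plain OpenVPN stands out while a stunnel-wrapped channel does not can be seen from the first bytes of a connection, which is what a simple traffic classifier looks at. The following Python is an added example, not from the original article; it checks only the first payload of a flow, and the sample packets are constructed.

```python
import struct

# OpenVPN opcodes that open a session. The opcode is the top 5 bits of the
# first packet byte; the low 3 bits are the key id (0 on a fresh session).
CLIENT_RESETS = {1: "HARD_RESET_CLIENT_V1", 7: "HARD_RESET_CLIENT_V2",
                 10: "HARD_RESET_CLIENT_V3"}


def openvpn_reset(packet):
    """Return the opcode name if packet starts like an OpenVPN client reset."""
    if len(packet) < 9:  # opcode byte + 8-byte session id
        return None
    opcode, key_id = packet[0] >> 3, packet[0] & 0x07
    return CLIENT_RESETS.get(opcode) if key_id == 0 else None


def is_tls_client_hello(payload):
    """TLS record header (handshake, version 3.x) followed by a ClientHello."""
    if len(payload) < 6:
        return False
    ctype, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    return (ctype == 0x16 and major == 3 and minor <= 4
            and rec_len >= 4 and payload[5] == 0x01)


def classify_first_payload(payload, transport):
    """Label the first payload of a flow the way a simple classifier would."""
    if transport == "udp":
        name = openvpn_reset(payload)
        return f"openvpn:{name}" if name else "unknown"
    if is_tls_client_hello(payload):
        return "tls-client-hello"
    if len(payload) >= 2:
        # OpenVPN over TCP prefixes every packet with a 2-byte length.
        frame_len = struct.unpack("!H", payload[:2])[0]
        if 9 <= frame_len <= len(payload) - 2:
            name = openvpn_reset(payload[2:2 + frame_len])
            if name:
                return f"openvpn:{name}"
    return "unknown"


# Constructed samples: a client reset (opcode 7, key id 0 -> 0x38), and the
# header of a TLS ClientHello as seen when the same channel runs inside stunnel.
RESET = b"\x38" + bytes(range(1, 9)) + b"\x00" + b"\x00\x00\x00\x00"
PLAIN_UDP = RESET
PLAIN_TCP = struct.pack("!H", len(RESET)) + RESET
STUNNEL_WRAPPED = b"\x16\x03\x01" + struct.pack("!H", 4) + b"\x01\x00\x00\x00"

if __name__ == "__main__":
    print(classify_first_payload(PLAIN_UDP, "udp"))
    print(classify_first_payload(PLAIN_TCP, "tcp"))
    print(classify_first_payload(STUNNEL_WRAPPED, "tcp"))
```

A `tls-client-hello` verdict only describes the outer layer; it says nothing about what is tunnelled inside it.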
DPI is also bypassed by tls-crypt, a mode introduced in OpenVPN 2.4 that encrypts VPN traffic.
The creators of the Tor Browser are specifically working on bypassing DPI analysis tools. When connecting to the Tor network, you can use a transport layer that provides a seamless connection to the first server on the secured network. This transport can either be selected from a list (these are public servers), or you can get a personal one on the official Tor Bridges website.
Obfs4 shows itself best of all - it is an obfuscator that mixes the transmitted data so that it cannot be identified on the Web. DPI usually skips such packets because it cannot guess what is inside.
There are also several programs that try to trick packet analysis in one way or another, for example, breaking them into small parts or changing the headers. Among them are GoodbyeDPI or Green Tunnel with a simple graphical interface - they do not hide IP or data, but bypass blocking.
The Streisand project can be considered a radical solution; its Russian description is available on GitHub. It is the go-to in the data security world. In just a few minutes, this utility deploys and configures several data protection services on a remote server, and also provides detailed instructions on them.
Summary
To preserve our internet security and anonymity, many technologies of various levels have been invented. Some of them are time-tested, others help against the latest censorship methods. Thanks to this, we can still remain invisible; we just need to remember to use this opportunity.