Questions Regarding Online Anonymity And Privacy

Here are a few general questions I have about online Anonymity. Curious if anyone has any answers to these. Thanks for the help in advance.

1. Is it possible for websites to see my browsing history,favorites or cookies placed on my computer by OTHER websites? Im aware of websites like http://startpanic.com/ but none of them seem to work. They can not view my browsing history even with java enabled.

2. Is ALL of Tors hidden services encrypted even if they are not https?

3. Is it safe to login to email,banking etc over a VPN service without worry of passwords being stolen as long as the logins are sent over SSL?

4. Does anyone have any idea of how long ISPs keep logs of what IP a customer has used? (specifically USA ISPs)

5. For the best anonymity with Tor is TAILS the best solution that is available?

6. If using Tor or a VPN is it necessary to change the browser User Agent? Does it really increase anonymity that much?

7. If I am using a VPN and have java and flash enabled is it possible for a website to see my real IP? I am unaware of any tests that show how this is possible. I understand Tor is a different story because it is a proxy and doesn't encrypt all traffic from your computer. That is unless you use JanusVM.

 

hi there!

1) tracking cookies + dom store should be removed regularly - best u use mozilla firefox + extensions: better privacy, cookie monster + cookie whitelist with buttons - also set in firefox clear history by shutdown + not to store cookies

2) tor question: don't think so, but you should check your tor configuration with: ip-check.info - and see if you've config. your browser right... if any of them are red, you didn't can be tracked down easily!

3) i'm using vpn as well... it's depending on your vpn provider, but i would suggest not to use vpn when doing internet banking or something which has to do with private data, because you're connected to a tunnel who can easily get hold on your data... mainly depending on service, privacy policies, etc...

4) read the privacy policies of your isp! there you'll normally find the info you're looking for!

5) tor - uses pre-configuration, you don't need to change the user agent!
other browser for example firefox use: mozilla/5.0 (windows nt 6.1; rv:6.0) gecko/20100101 firefox/6.0)

6) yeah, it's possible, but it will take some time if you're running behind vpn... check on: ip-check.info

regards,
digizik

 

1. yes, some are more sophisticated then others, but using configured firefox (assuming you are playing with firefox) and noscript + disabling cookies, you are safe. Check ip-check.info
2. read -https://www.torproject.org/docs/hidden-services.html-
3. when you are log-in then you have id yourself and therefore you are no longer anony, so why bother, login without vpn (with ssl) and not over open wifi
4. depends on ISP. In USA is veeery long. Perhaps only longer logs are in China, South Korea and similar.
5. the best solution would be your own OS, if you know how to make it. Since most of us don't, tails is pretty good. If you want to just surf with FF for a couple of minutes (even on a public pc), then tor browser is enough.
6. not with tor bundle browser.
7. even folks at torproject.com are struggling with that, so avoid java and flash if you can, just to be sure.

 

Cookies = Yes (that's why you should disable 3rd party cookies).
Favorites/history = No (well, there was that one exploit in which a rogue site could "see" a previously visited URL, but only if it happened to showed up on a predefined list of URLs).

Safe from whom? A rogue VPN operator?

Could be anywhere from 15 days to 15 years. When in doubt, always assume the worst.

Not since Firefox 4.x+, no. Prior to FF4, the user agent included the locale information (country code) of the browser... thereby revealing the user's most likely country of origin. Now, as long as you have a generic-looking UA without any proprietary/unusual brandings, you'll just blend in with everybody else.

No, absolutely not. With a properly-configured VPN, it is impossible to see your real IP via Java, Flash, or any other conceivable browser-based exploit, because ALL NETWORK TRAFFIC goes through the VPN, not just HTTP.

 

There is no such thing as Online Anonymity And Privacy

Once any device connects to the Provider that device is Identified, Logged, and Tracked.

Does anyone actually believe that their device can actually connect to the Cloud Transpersonal?

SERVER


HKEY1952

 

That's debatable.

Yes, all providers (ISPs, VPN providers, Tor relays, etc) could do those things. To be safe, one must assume that they do. But, what information each provider can access may be limited by the type of connection between you and it. It's rather like secret sharing. Your ISP can see that you're connecting to some VPN provider, but not much else except for some traffic shape and timing information. Your VPN provider knows what you're connecting to, and sees your traffic unless it's end-to-end encrypted. But you can run Tor through the VPN tunnel. For hidden services, that's probably OK, but you need to worry about evil exit nodes for accessing the Internet. Or you can run a second VPN through the first, so now the two VPN providers must collude in order to know both your identity and your website activity. You could run Tor through nested VPN tunnels. At some point, traffic analysis will be the best approach. But then you add latency.

I could go on for a while with more steps to obfuscate, but I won't. My point is that one can make it arbitrarily hard to trace one's online activity. But there are costs, in increased complexity and longer latency.

What's that?

 

OK, I am seeing this comment a lot exactly how you just said it. What "exactly" do you mean by "properly?" You don't need to re-invent the wheel here, but if you can point me to a thread or two that will send me on my way that would be great. I keep hearing folks make this comment "properly configured" but they don't say anything more than that. Is there something I am missing about configuring outside the scope of how a VPN tells you to put the configuration and keys on? Just confused as to exactly what this comment means that I may be missing is all.

Thanks

 

When I write that, I'm usually referring to providers. Looking at the VPN connection log, you should see that the server pushed redirect-gateway (which routes all traffic through the VPN tunnel) and a DNS server (dhcp-option DNS x.x.x.x). You should also see hourly TLS key renegotiation. If you're using OpenVPN instead of your provider's client, you also need to make sure that you haven't broken anything. Start with one of the "what's my IP" sites. Then use -grc.com/dns to see what DNS servers you're using. Finally, use -decloak.net to test for leaks.

 

Browsing History Can Be Stolen Despite Current Defenses - PCWorld
PoC Developer's Blog - lcamtuf's blog

 

Thanks for posting this. I have discussed before here: https://www.wilderssecurity.com/showthread.php?t=313498
While it can be an issue it is very limited. It requires java script to run (Noscript can help in blocking this) and it only reads the cache. If you have Firefox set to clear the cache after every session it an only see what websites you have visited that particular session. It also can only look for a set list of sites in your cache. In current form I have not seem that it is able to just pull all the sites visited from you cache.

 

For most people Tor is enough, I recommend getting the Tor Bundle, which includes Tor, TorCP and Privoxy. All you need to do is set your applications to use a proxy, host is localhost and port is 8118. Then you’re done, it works for most applications. Just remember though it’s encrypted from your machine to the end point, not from the end point to wherever it’s going, so that Tor node can see whatever traffic you are sending through Tor.. So make sure you encrypt (POPS, SMTP with TLS etc).

 

Newer versions of Tor Browser Bundle don't have Privoxy or Polipo any more. Are you talking about a different bundle?

 

True. But TAILS is currently the best option. It's basically TBB implemented in a controlled environment. But neither will readily torify other apps. And if you force it, you may "suicide" (as Fabio has so amusingly observed on tor-talk). Transparent Tor proxies aka gateways are probably safest overall, but none of them (as far as I know) use the latest version of Tor. For OpenWRT based gateways, the package repository needs a new Tor package.