Questions about HTTPS

Discussion in 'privacy technology' started by DarkPhoenix, Sep 19, 2012.

Thread Status:
Not open for further replies.
  1. DarkPhoenix

    DarkPhoenix Registered Member

    Joined:
    Dec 1, 2010
    Posts:
    87
    Having recently studied info on privacy technology and deciding to use a VPN in conjunction with HTTPS Everywhere I have some questions.

    I notice with HTTPS Everywhere many popular websites that should have Https encryption don't, or don't appear to. Like this Wilders page. Https Everywhere should have made sure this website had a secure connection, but it doesn't use an http or https prefix at all. It only has a www. in front of it. -> www.wilderssecurity.com.

    Does this mean Wilders is not secure?

    My goal is to be totally invisible on the internet or so encrypted that if anyone does get any amount of data (including mundane things like browsing Wilders), it will not be something they would likely spend time trying to decrypt. I don't want the government, my ISP, hackers, etc. able to view anything I'm doing at all, to the best extent this is possible.

    With this goal in mind, and mind you, I'm looking for free tools and services, what else can I do to this end? (I already have the VPN)

    Thanks.
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,278
    Location:
    New England
  3. DarkPhoenix

    DarkPhoenix Registered Member

    Joined:
    Dec 1, 2010
    Posts:
    87
    I know the VPN allows the use of Https Everywhere because I keep about 100 tabs open at all times and notice most of them have now reloaded as Https url's.

    I guess the others just need rules added. Thanks.

    Still looking for suggestions on how I can be totally invisible or heavily encrypted.
    I'm not worried about encryption for things in my PC with this thread.. just everything going in and out.
     
  4. The question I would ask is why? Why do you want to be invisible?
     
  5. DarkPhoenix

    DarkPhoenix Registered Member

    Joined:
    Dec 1, 2010
    Posts:
    87
    The answer would be, because I believe it is my right to have the utmost privacy and anonymity afforded.

    We live in an age where everything one says or does is used against them. Miranda rights for example. Did you know the 5th amendment is not for criminals to squirm out of hot water but is for solid stand up citizens to protect themselves from the police? That's right. Even if you're 100% innocent and tell them your story, and Tell The Truth, this still can and will be used against you. Listen to what this Professor of Law, Dr. James Duane from the Regent Law School has to say on the subject: https://www.youtube.com/watch?v=i8z7NC5sgik

    We live in an age where a silly 14 minute film showing how silly some extremist factions are (Freedom of Speech in the USA) can lead to world wide riots and murders.

    We live in an age where law abiding legal citizen gun owners are being stripped of their right to defend themselves by those in power taking away their guns.

    We live in an age where when someone gets copies of documents that prove our leaders and government acted in bad taste or have done illegal things against its own people and others and tries to share this with the world, the person becomes branded as a terrorist and is hunted down like a criminal.

    I could go on but I assume you get the point.
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Being totally invisible isn't possible. It is possible to route your activities through VPNs and Tor so that your ISP can't see where you're connecting to. That said, they will be able to see that you are using a VPN or that you're connecting through Tor.

    When it comes to governments, things get more difficult. They can require ISPs, VPNs, etc to keep logs of the traffic through them. They have access to the major traffic hubs that your internet activities eventually have to pass through. HTTPS is not an obstacle to them thanks to the certificate authorities providing them with certificates that enable them to decrypt most HTTPS traffic. Fortunately those "master certificates" don't work with self signed certificates like the one used here. Some believe that HTTPS was designed broken. It's not clear which methods of encryption, if any, can't be read or deciphered by government agencies. I for one do not believe that AES is as unbreakable as it's made out to be.

    While you can't be "invisible" on the web, you can get close to being anonymous. By using VPNs in combination with Tor using exit nodes in non-allied countries, you can get pretty close. You just need to make certain that none of your traffic leaks out or bypasses the VPN/Tor network. You also need to make sure that the traffic itself doesn't reveal your identity. Accomplishing this takes a lot of testing and a tight configuration. You can hide where you browse and what you see, but you can't hide the fact that you're using such anonymizing services. In some places, that in itself is enough to get you more trouble than you want.
    I understand that this is a subject for a separate thread, but don't rule out securing your end. Windows was designed to be a big babysitter. It stores records of everything you do, a behavior that has got worse with each new version. It won't matter how well you anonymize your internet activity if your PC has a complete record of it. They don't need a legitimate reason to seize one any more. Make certain that your own equipment can't testify against you, even if you aren't knowingly doing anything wrong. This itself can be a very detailed subject requiring a thread of its own.
     
  7. DarkPhoenix

    DarkPhoenix Registered Member

    Joined:
    Dec 1, 2010
    Posts:
    87
    I know, but what they see is encrypted, is it not (using https)? That's good enough for me. I figure if tons of people are doing this, with a little bit of encrypted data that's virtually indistinguishable from all the others, they will have no reason to bug me.

    Interesting, thanks. Too bad there isn't anything better than https.

    That's what I want, as close as I can get that's possible. I have read many people shy away from Tor because hackers and governments (or whoever) can set up exit nodes and thus steal your data. Https is the way I understand to guard against this but like you say, governments can get the certs for those if they had reason to. Plus, I have tried Tor and found it pretty slow - slower than my VPN. It was the Tor Browser Bundle version of the tor apps I tried. I'm only using a 3.000 kbps DSL, I would have expected the Tor network to be at least that fast. Perhaps the app itself has issues and another version of Tor like Advanced Tor would be faster? If you can recommend a better Tor app to use with my VPN, I'll try it.

    How would I test for traffic leaks? After it leaves my system I really have no control over that.. I suppose you mean do the testing to see if your VPN or VPN Tor combo passes muster?

    Yeah, I mentioned that because I didn't want too many different things discussed in the same thread, to make it easier for all. I do understand the importance of protecting my PC's data.


    Thank you for the info. I look forward to your replies.
     
    Last edited: Sep 19, 2012
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That depends on many things, starting with where you live. In some places, your earlier post (number 5 in this thread) would be sufficient reason for them to monitor or even arrest you.
    To a point, that's true. That said, what prevents the same thing from happening with a VPN? If you start basing decisions on what could be or might be, you might as well unplug from the web. I don't doubt that there are malicious exit nodes, but I'm also sure that there are as many or more that are legitimate. The last time I looked, there were about 1000 exit nodes scattered the world over. Yes, Tor is slow. There are many more factors involved than just the speed of your connection, including:
    The speed of each relay in the path.
    The amount of bandwidth each node makes available to Tor.
    The traffic load on each node.
    The load on the individual networks that each node connects to.
    Using Tor, your traffic could end up hopping completely around the world just to go a short distance.
    This can include enough material to be its own thread too. I wasn't referring to leaks in the traffic after it leaves your system, but what is being leaked by your system, your browser, its plugins and extensions, etc. Your browser has to route its DNS requests through Tor. You have to prevent it from making any connections that bypass the VPN or Tor. Separate outbound firewalls are ideally suited for this task, as long as the user knows how to configure it properly. Java, javascript, flash, etc can all be used to determine your real IP. They need to be controlled or disabled. Completely disabling flash or javascript will make a lot of websites unusable. Extensions like NoScript can restrict what javascript can and can't do, as can separate filtering apps like Privoxy and Proxomitron. Configuring them to filter the traffic properly requires a fair amount of knowledge and skill. Flash can be blocked by default, allowed by exception as needed, routed to a freestanding player, opened in a virtual environment, etc.
     
  9. DarkPhoenix

    DarkPhoenix Registered Member

    Joined:
    Dec 1, 2010
    Posts:
    87
    I'm in the USA so I'm not too worried about thread #5 coming back to byte me in the arse. LOL

    Understood about Tor, thanks.

    I'll do some research on separate outbound firewalls, NoScript, Privoxy and Proxomitron and how to use them. Thank you !
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ DarkPhoenix

    For a clear constant visual of HTTPS or not in your browser, for FF anyway, Calomel is GREAT :thumb:

    Also RequestPolicy is a good addition :thumb:

    I've been using both, along with NoScript etc, for ages with NO problems :)
     
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Just to avoid confusion, when I referred to separate outbound firewalls I meant 3rd party firewalls, Kerio 2.1.5 for example.
    I wouldn't make such an assumption, especially in the US. Unless your activities create enemies in other nations, the snooping that should concern you the most is domestic in origin. Just for something to think about, consider this. The last figures I heard claim that there's better than a million names on government "watch lists". If I read it right, this list is domestic names, not foreigners. There is absolutely no way I'll believe that there's a million potential terrorists in this country. This begs the question, "What gets a person put on these lists?" With a quantity that high, it's not hard to guess. If taking part in "occupy wall street" is sufficient to get one labelled as a low level terrorist, what does being vocal about this transition to a surveillance state rate?

    One more thought. HTTPS doesn't do much to protect your activities from official prying eyes when the sites/companies that you're connecting to willingly give/share that data with the government and each other. Even when the site itself doesn't, there's links to Google, Facebook, Twitter, etc on most of them, most of which use nosy javascripts.
     
  12. DarkPhoenix

    DarkPhoenix Registered Member

    Joined:
    Dec 1, 2010
    Posts:
    87
    I'll check them out, Thanks.

    noone_particular said,
    Since many people here are American I thought I should point out that this does indeed apply to the U.S. ISPs are required to keep logs up to a year.
    https://swordattheready.wordpress.c...-and-log-your-internet-activities-for-a-year/

    My aim is for all the data the ISPs get to be encrypted, if possible.

    I'll be using this site to test my progress http://www.stayinvisible.com/
     
  13. Wroll

    Wroll Registered Member

    Joined:
    Nov 29, 2011
    Posts:
    549
    Location:
    Italy
    This site is public, your ISP would know you're here even if the connection to the site would be encrypted. They could profile you very quick using date of your posts & the logs they have.
     
  14. DarkPhoenix

    DarkPhoenix Registered Member

    Joined:
    Dec 1, 2010
    Posts:
    87

    I just want to minimize that as much as is possible. I'm no criminal but for instance I post a lot on forums like AboveTopSecret.com. Over the years I have been a supporter of free speech, our Republic way of life in the USA and taken part in thousands of discussions of conspiracy theories from the evils of the FDA, our government, ghosts, UFOs, the evils of GMO foods from Monsanto, illegal immigration etc.. you name it, we discuss it even if it's not a mainstream popular topic. I can see this country one day turning against its citizens and coming after us.. it's already happening in some cities. Sure, they can profile me. They will see I'm for gun ownership, even homemade guns which are legal here, for the U.S. Constitution and against big corrupt government. I'm not so different than millions of other Americans, but I don't want to leave anything behind that can be used against me except for the things I willingly say publicly which fall under protected free speech.
     
  15. I'm hesitant to give advice since I feel you don't really need to go down this path. You're protected by your constitution, so enjoy it responsibly.

    There is no magic trick that can help you, not 1 single piece of advice that I can give that will help you on your quest.

    But I will say this: knowledge is power, so read, read a lot. Once you have the knowledge you must get the resources, once you get the resources you can use the knowledge to get you to your final goal.

    And think outside the box, this is probably the most important thing you can do.
     
  16. DarkPhoenix

    DarkPhoenix Registered Member

    Joined:
    Dec 1, 2010
    Posts:
    87

    Thank you for the advice you did give even though you weren't specific. I'm curious, why don't you feel I need to " go down this path" ? I think I have made a good case for everyone to protect themselves thus on principle. ( no, the Constitution isn't protecting us like it should that's why the need to do this in the first place.)

    Yes, I'm making small talk and not sticking to the details of securing the system. I'll post more questions when I run into trouble as I struggle to make these technologies work. However I do think it's important to discuss these issues and understand the mindset of security professionals on the ins and outs of why you should secure yourself and who should be secured in this manner. Some might say going to these extents is not necessary for everyone but I disagree. I believe every internet user worldwide should be thus protected, in fact that all browsers/apps/Operating Systems should be by default geared toward this technology.

    Hey wouldn't that be something.. a PC with Operating System and apps with all these technologies already built in. I don't think anyone has done that. I'd like to learn this stuff so well so I could make one for the masses to bring this to them more easily. Now that we have some good Free VPN's all of this can be done with free tools or open source tools and operating systems.
     
  17. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    I've used this. It shows everything is alright. Except for it could gather my timezone from my browser Firefox.

    How can I solve this?
     
  18. DarkPhoenix

    DarkPhoenix Registered Member

    Joined:
    Dec 1, 2010
    Posts:
    87
    O.k. this is Crazy. I just tried the ShieldsUP ports test https://www.grc.com/x/ne.dll?bh0bkyd2 and my Non VPN Non Firewalled (windows firewall is not turned on) computer and connection passed all the tests. It had a perfect score.

    With the VPN enabled the same test had two ports not stealthed - one open that was port 80 Web and one closed. It also said it failed the other tests below that it checked.

    The only browser plugins common to both, as I used the same browser, would be NoScript, Ghostery and Adblock Plus. I can understand the servers on the VPN may not be configured to pass these tests, but my local machine certainly wasn't.. how could I have passed all the tests when I tried without the VPN if I wasn't protecting it?
     
  19. CasperFace

    CasperFace Registered Member

    Joined:
    Jul 31, 2010
    Posts:
    200
    Javascript is pulling the timezone information directly from the system itself, so unfortunately the only way to avoid this is either to keep javascript turned off, or to fake your local timezone by manually changing the date/time of your system clock.

    If you were to do the latter, then you may also want to consider spoofing the Accept-Language header sent by Firefox by changing it in Tools > Options > Languages, preferably to one that is consistent with a language spoken in the time zone you are purporting to be from.
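
The consistency point made in this reply, as an added example that is not part of the original post: a self-check that compares the clock offset and top-preference language a page script can read with what the VPN exit location implies. The `EXIT_PROFILES` table, its profile names and the function names are assumptions constructed for illustration.

```javascript
// Added example. EXIT_PROFILES is a constructed table, not real provider data.
const EXIT_PROFILES = {
  "nl-amsterdam": { timeZones: ["Europe/Amsterdam"], languages: ["nl", "en"] },
  "us-newyork": { timeZones: ["America/New_York"], languages: ["en"] },
};

// Values any script on a visited page can read. `env` lets a caller (or a
// test) supply them explicitly instead of reading the running browser.
function readBrowserSignals(env = {}) {
  const nav = typeof navigator !== "undefined" ? navigator : {};
  return {
    // Same convention as getTimezoneOffset(): minutes behind UTC, so UTC-4 is 240.
    offsetMinutes: env.offsetMinutes ?? new Date().getTimezoneOffset(),
    timeZone: env.timeZone ?? Intl.DateTimeFormat().resolvedOptions().timeZone,
    languages: env.languages ?? Array.from(nav.languages || []),
  };
}

// Offset a machine really located in `timeZone` would report at `date`.
function offsetForZone(timeZone, date) {
  const fmt = new Intl.DateTimeFormat("en-US", {
    timeZone, hourCycle: "h23", year: "numeric", month: "numeric",
    day: "numeric", hour: "numeric", minute: "numeric", second: "numeric",
  });
  const p = {};
  for (const { type, value } of fmt.formatToParts(date)) p[type] = Number(value);
  const wallAsUtc = Date.UTC(p.year, p.month - 1, p.day, p.hour, p.minute, p.second);
  return Math.round((date.getTime() - wallAsUtc) / 60000);
}

// Compare what the browser exposes with what the exit location implies.
function checkAgainstExit(signals, exitName, date = new Date()) {
  const exit = EXIT_PROFILES[exitName];
  if (!exit) throw new Error(`unknown exit profile: ${exitName}`);
  const findings = [];
  const expected = exit.timeZones.map((z) => offsetForZone(z, date));
  if (!expected.includes(signals.offsetMinutes)) {
    findings.push({ signal: "timezone", seen: signals.offsetMinutes, expected });
  }
  // Only the top-preference language is compared, e.g. "en" from "en-US".
  const top = (signals.languages[0] || "").toLowerCase().split("-")[0];
  if (top && !exit.languages.includes(top)) {
    findings.push({ signal: "language", seen: top, expected: exit.languages });
  }
  return findings;
}

// Self-check of the running environment against one constructed profile.
console.log(checkAgainstExit(readBrowserSignals(), "us-newyork"));
```

An empty result means the two signals are consistent with the chosen exit; it says nothing about other values a script can read.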
     
  20. CasperFace

    CasperFace Registered Member

    Joined:
    Jul 31, 2010
    Posts:
    200
    Edit: Are you connected to the internet via a router? If so, then you already have a fully-functional hardware firewall in place that is blocking ALL inbound ports by default, so it makes perfect sense that you passed the port probe tests when you ran them without the VPN.
     
    Last edited: Sep 21, 2012
  21. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Thanks a lot. :thumb: If my timezone is that easily readable then is there any reason to use a VPN? I mean my country could be determined.
     
  22. DarkPhoenix

    DarkPhoenix Registered Member

    Joined:
    Dec 1, 2010
    Posts:
    87
    I'm using a home Netgear modem/router. It was recently replaced because my old modem/router a 2 Wire died. I know in the past the 2 Wire didn't pass the test, so I wouldn't have thought of the router as being the strong point in the chain. Thanks. Good to know the router is so good.
     
  23. People are being put in jail and tortured for using these technologies, Civil wars are being fought using these technologies. Yes it's that serious. Are you in the same situation?

    As I said read and educate yourself before jumping in.
     
  24. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Good advice.:thumb: That's what I always try to do.;)
     
  25. DarkPhoenix

    DarkPhoenix Registered Member

    Joined:
    Dec 1, 2010
    Posts:
    87
    I understand your point, Thanks.. in that case, if I ever do make my operating system with all these technologies installed and configured ( probably based on a Linux version unless ReactOS grows up) I'll only offer it to Americans or other western countries that aren't having those problems.
     