Anonymous proxy questions

Discussion in 'privacy technology' started by Londonbeat, Dec 12, 2006.

Thread Status:
Not open for further replies.
  1. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    Very good point ClassicQ
     
  2. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Oh, ok. I configured the browser not to accept cookies and scripts. With FF w/ Noscript and CookieSafe, it's done, I think.

    Would anything be missing? Does Proxomitron offer additional advantages, like being able to accept the content or properly view the pages, and still offer the added anonymity? o_O
     
  3. MakePB

    MakePB Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    85
    Location:
    Find-IP-Address.org
    In 2003, I believe, JAP was forced by German law to put in a backdoor, and a new court order has suspended the original request, but people still distrust JAP. You can read some stories about it:
    http://www.securityfocus.com/news/6779
    http://bmonday.com/archive/2003/08/23/256.aspx

    But I personally trust TOR networks more. The only disadvantage of this excellent free project is the slow servers, but what to expect from something that is free.
    If you have the money, then consider using Ghostsurf, Steganos Internet Anonym VPN or SecurSurf.
    All 3 products provide an encrypted virtual tunnel between your computer and one of their high bandwidth security proxy servers. If you care about your privacy, would like to hide your IP address and surf fast enough, then use one of the programs posted above.
     
    Last edited: Jan 18, 2007
  4. malcan

    malcan Registered Member

    Joined:
    Dec 17, 2006
    Posts:
    22
    Are you sure JAP will hide our IP when we post?
     
  5. malcan

    malcan Registered Member

    Joined:
    Dec 17, 2006
    Posts:
    22
    (Oops! I forgot this!)

    I think that I read somewhere on JAP's official website that it won't, because they don't have time to deal with complaints about abusive posters.
     
  6. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Don't ask, test for yourself.
     
  7. malcan

    malcan Registered Member

    Joined:
    Dec 17, 2006
    Posts:
    22
    Sorry, I didn't know this site. :rolleyes:
    But, I am not sure if it tells whether JAP hides my IP when I post. o_O
     
  8. MakePB

    MakePB Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    85
    Location:
    Find-IP-Address.org
    Test your IP address on IP Address Location
    If the site shows JAP's IP address then you can be sure that they cannot see your real IP address.
    I do not understand why you are unsure if you pass the IP address test on both sites? o_O
     
  9. malcan

    malcan Registered Member

    Joined:
    Dec 17, 2006
    Posts:
    22
    Because some proxies don't allow users to use their IP when they post in forums.
    Please read this.
    I think I read a similar statement on JAP's official website.
     
  10. MakePB

    MakePB Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    85
    Location:
    Find-IP-Address.org
    Webwarper talks about HTTP_X_FORWARDED_FOR and scares people without any explanation about servers that contain such a header variable.

    If a proxy server contains the HTTP header variable X_FORWARDED_FOR, it means that it is a transparent (non-anonymous) proxy server, and such servers are worth nothing from the point of view of privacy and anonymity.
    You must never use a transparent proxy if you would like to remain anonymous to the web owner.

    If a visitor uses a real anonymous proxy server, then their IP address cannot be determined, because an anonymous proxy server lacks X_FORWARDED_FOR.

    However, an anonymous proxy can be identified, because an anonymous proxy server usually has the HTTP_VIA or PROXY_CONNECTION variable (thus there is no way to identify your real IP address. They could know only that you are behind a proxy server).

    If a visitor uses a so-called high anonymous proxy (elite server, or Level 1 and Level 2), they will not be able to identify the proxy, because it does not send any of the proxy variables and it looks as if the visitor does not use a proxy at all.

    Also, some proxy servers may in theory change their status from non-anonymous to anonymous and vice versa, but in practice it rarely happens.
     
  11. malcan

    malcan Registered Member

    Joined:
    Dec 17, 2006
    Posts:
    22
    No, No.

    I wanted you to read the other paragraph.
    Also, please read this.
    I am not sure about anonymous posting. But, they repeat things like "We do not support such service because the potential for abuse is too high and we don't want to tie up our limited resources with dealing with complaints."
     
  12. MakePB

    MakePB Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    85
    Location:
    Find-IP-Address.org
    It is simple. Do not use webwarper. They are the owner of the server and they restrict use of the POST method by the server, and probably some other methods.
    If you do not trust JAP, do not use it (JAP will never be the same after the first decision, where they were forced by German law to put a backdoor into the program).
    I personally do not use any of them.
    Stick with free TOR, or try to find some public proxy servers, or give away some money for GhostSurf, Steganos Internet Anonym VPN or SecurSurf.
     
  13. malcan

    malcan Registered Member

    Joined:
    Dec 17, 2006
    Posts:
    22
    It was just an example.
    I've never used it. It's rated yellow by Siteadvisor. :doubt:

    I just thought that some forum owner might know it.

    That's what I always do. :D
     
  14. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Pardon me but it seems a little inconsistent to distrust JAP (who went out of their way to make the "backdoor" obvious to anyone reviewing the source code) while suggesting a commercial option - if the likes of Steganos, GhostSurf, etc had received a similar court order, they would have complied without anyone knowing since their client software is not open source.

    The issue of a "legal compromise" can affect any anonymising system but those with open source clients (Tor and JAP) make it very likely that such measures will be discovered somehow. If you really feel that your privacy is likely to be threatened in this fashion (the German court order served on JAP was limited to revealing accesses to a single IP address only, not web activities in general) then you should download the source code, use diff to check the changes and, if satisfied, compile it yourself.

    As for revealing IPs with HTTP POSTs, while this can be done via the X-Forwarded header, it would seem easier for sites just to block posting altogether (like TheCloak did when I tried it a while back). Where the X-Forwarded header is present, sites like ShowMyIP and Leader Network Tools will display the forwarded address so this is one way of checking. However a web forum may ignore this and use the connection address instead (which would be that of the proxy).
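
Added example (not part of any post in this thread, and not code from any of the services discussed): a server-side check that sorts a request into the three proxy classes described in post 10 and, per post 14, keeps the connection address a forum may log separate from the forwarded one. The sample requests, their addresses (documentation ranges) and the function names are constructed for illustration.

```python
import ipaddress

# CGI/WSGI-style names of the request variables named in the thread.
FORWARD_VAR = "HTTP_X_FORWARDED_FOR"
PROXY_VARS = ("HTTP_VIA", "HTTP_PROXY_CONNECTION")


def first_valid_ip(value):
    """Return the first syntactically valid IP in a comma-separated header, else None."""
    for part in value.split(","):
        try:
            return str(ipaddress.ip_address(part.strip()))
        except ValueError:
            continue  # e.g. "unknown", or junk put there by the client
    return None


def classify_request(environ):
    """Return (level, connection_ip, claimed_client_ip) for one request.

    connection_ip is the TCP peer (the proxy, if one is in use); it is what a
    forum logs when it ignores forwarding headers. claimed_client_ip is only a
    claim: the header is supplied by the sender and is not proof of origin.
    """
    conn_ip = environ.get("REMOTE_ADDR")
    forwarded = environ.get(FORWARD_VAR)
    if forwarded:
        return ("transparent", conn_ip, first_valid_ip(forwarded))
    if any(environ.get(var) for var in PROXY_VARS):
        return ("anonymous", conn_ip, None)
    # No proxy variables at all: an "elite" proxy and a direct visitor look the same.
    return ("elite-or-direct", conn_ip, None)


# Constructed sample requests (RFC 5737 documentation addresses).
SAMPLES = {
    "transparent": {"REMOTE_ADDR": "203.0.113.10",
                    "HTTP_X_FORWARDED_FOR": "198.51.100.7, 203.0.113.10",
                    "HTTP_VIA": "1.1 proxy.example"},
    "anonymous": {"REMOTE_ADDR": "203.0.113.10",
                  "HTTP_VIA": "1.1 proxy.example"},
    "elite": {"REMOTE_ADDR": "203.0.113.10"},
    "malformed": {"REMOTE_ADDR": "203.0.113.10",
                  "HTTP_X_FORWARDED_FOR": "unknown, not-an-ip"},
}


def report():
    """Classify every constructed sample; returns {name: (level, conn_ip, claimed_ip)}."""
    return {name: classify_request(env) for name, env in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:12} -> {result}")
```
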
     
  15. MakePB

    MakePB Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    85
    Location:
    Find-IP-Address.org
    Sure, but the fact is that it happened once and only to JAP and not to other programs. Also, in the first instance they did not mention anything about the change in the code on their site, and that's why they lost all credibility.
    That's why many people distrust JAP. It is because of the past.



    Looking at the source code, there's no ambiguity at all: the system has been fatally compromised, intentionally and by design. There is a back-channel from the last mix (at which point all the data is unencrypted, but the source IP it arrived from is unknown) to the first mix (at which point the data is encrypted, but the incoming IP address is known).

    The entire security of mix-systems, whether remailers or JAP, rests on an attacker being unable to link the encrypted activity at the entry point with the unencrypted activity at the exit point. If a mechanism is built into the system which breaches that condition, there is no real security in the system."

    The news post link above states that the source code reveals the back-channel code now in the JAP software. For detail of the back-channel source code and how it works, see the news2web link above.

    It appears that the JAP team have now admitted that the tracking code exists and confess as follows below. It is remarkable that the information they purportedly now reveal is NOT set forth on the JAP www site. It is also remarkable that the purported JAP team statements were not proactive and only made after someone troubled themselves to examine the JAP source code and post their findings.
     
  16. Genady Prishnikov

    Genady Prishnikov Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    350
    Thank you. You beat me to it as I was going to write the same thing as I read through the latest posts in this thread. For anyone to suggest using Steganos, GhostSurf, SecurSurf, etc. because of past problems with JAP, has obviously not thought this through. These closed-source programs have nobody looking at their source-code and could be.....well...be imaginative. Thanks, P2k, for pointing out the obvious contradiction in trust.
     
  17. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    491
    I have Ghost Surf & use it occasionally. When I check my IP I get a forwarded address, not my own. I don't know if there is a back door in Ghost Surf but there could be. When I used to use Sygate firewall I would check my internet logs and I would observe 10 or 12 incursions arriving almost simultaneously from all over the place. Obviously JAP users are being targeted & watched by someone. Surprisingly this was not the case for GhostSurf. Am I correct in believing Tenebril is not located in Germany? So they may not be subject to German Law. No one really knows what would happen if a court ordered them to comply with a subpoena for information on a customer. Do they have any way to track traffic? Could they? Or would they? I am not going to assume that Tenebril is busy gathering info on their customers.
     
  18. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    No, we only know of it happening once and that was solely due to JAP's client being open source. As I posted above, if a commercial proxy service had received such a request, they would most likely have inserted a backdoor without anyone knowing.
    Well actually they did mention it. In a way that avoided risking imprisonment for not complying with the court action. By making the backdoor so obvious that even a novice could find it. And there's a pretty good likelihood that one of the JAP team then leaked this - anonymously of course.
    And what exactly should they have done? Disobey a court order and risked imprisonment? The reality that any user has to face is that their provider is not going to risk jail on their behalf so the safest service to use is one where the client software is open to public view.

    The Tor client can be compromised in a similar fashion should the developers receive a similar demand so to talk of the JAP developers "earning distrust" is quite ridiculous - they did the best that anyone can (or should) expect of them. And they appealed the judgement and subsequently won, at their own expense.
    Firewall logs and reports indicate absolutely nothing about an anonymizer's security - any compromise (or surreptitious logging) would almost certainly occur on the server itself. As for Tenebril, they are located in Boston, United States - Home of the Patriot Act. Given the choice between German and US court jurisdiction and their past records on protecting individual privacy, I'd happily swallow sauerkraut and frankfurters with every network packet.
     
  19. MakePB

    MakePB Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    85
    Location:
    Find-IP-Address.org
    If we talk about being traced and what will happen if...
    then it is probably important to know about their policy, and especially about logs. Do they keep them or not? Without logs of user activity nobody can do anything.

    So GhostSurf, Tenebril support say
    http://www.tenebril.com/kb/showitem.php?faq_id=323&search=logs

    Securstar say
    http://www.securstar.com/products_ssurf.php
    Code:
    • We do not keep any logs!
    Other 'competitors' DO LOG
    

    The point of using an anonymity program is to be and stay anonymous. If one of the anonymity programs failed in the past to fulfil the sense of the word anonymity, I do not see any reason to trust it anymore.
     
  20. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Server logs are significant - but the issue with JAP (and the most likely risk with commercial services) are changes made to the client software to log traffic.
    Note that Tenebril limit their disclaimer to server logs sidestepping this issue.
    Securestar's main site is hosted in the United States so logs are most certainly kept - by their ISP if not Securestar themselves and similar provisions almost surely apply to their servers elsewhere. However saying "we do not log at all" just sounds like a bald-faced lie here - how can they maintain their servers and limit abuse (e.g. someone sending excessive traffic, slowing things down for everyone else) without logging? You at least need to keep a day's worth of logs to be able to respond to unusual usage patterns.

    But then, the first point of their disclaimer covers that: "The author reserves the right not to be responsible for the topicality, correctness, completeness or quality of the information provided." That's pretty much saying "The author reserves the right to lie through his teeth"! :D
    The fact that JAP did reveal, fight and then overturn the court order should provide a far better picture of their willingness to protect their users than some unproven (and thoroughly disclaimed) statement on a commercial service's website. Of course, you are far from the only person to hold this view, which is why commercial anonymising services would likely go to great lengths to hide any public breaches of privacy - perhaps even co-operating unofficially with the 3-letter agency of your choice to avoid the need for a messy and expensive court case....
     
  21. Genady Prishnikov

    Genady Prishnikov Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    350
    These companies saying, "We don't keep logs of..." are almost always lying or using language that tip toes around the fact that you CAN be identified. These same companies have abuse policies and warnings that you WILL be booted from the service if you download illegal this or that. Question: If they don't keep logs, how could this abuse ever be identified?

    As for GhostSurf in the USA, all they need is a "National Security Letter" and they have to hand over the information; AND, this is key, are gagged from ever speaking of it. The days of needing a court order are over for simple information gathering. Just Google "National Security Letters"

    As for SecureStar, they are in Germany. This is a company known for outrageous claims for their products ("1344 Bit Military Strength Encryption" for Drivecrypt) and I wouldn't trust them when they say they don't log. Of course they do! They aren't letting people onto their servers to do what they want and not know who is abusing the service. It's almost an insult to claim otherwise. Again, how can they kick you off for "abuse" if they claim to not log any use?
     
  22. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Good point.
    Heh, reminds me of the Spur-M spammers whose order entry page boasts "134-bit encryption" but in reality has none at all. Why do they have to go for funky keysizes?
     
  23. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    491
    I know of at least one Book Store Owner who keeps no user logs. It is quite likely that Ghost Surf doesn't either. No one knows if they are lying about this, but why would they? If you don't have the data you can't supply the logs.
     
  24. Genady Prishnikov

    Genady Prishnikov Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    350
    Book store owner? If you mean he has computers for his customers (or a wifi connection) in his bookstore, that doesn't mean a thing. The logs would be kept by his ISP, and YES, they do keep logs. An ISP without logs is an ISP that would be out of control within hours.

    Ghostsurf most certainly has to have a way to enforce its abuse policy. Can you tell me how that's done without logs?
     
  25. Genady Prishnikov

    Genady Prishnikov Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    350
    Well, I decided to find out about GhostSurf. They say they don't keep logs. Yet.....

    From GhostSurf's Terms of Service:

    Log Files

    From: http://www.tenebril.com/corporate/privacy-policy.php

    That's a word game they're playing. No, your account details may not be displayed next to the sites you surf, BUT, your IP address is! If they have your IP address, that's what is important. From your IP address to your name and home address is one "National Security Letter" away. As long as they log YOUR IP with the SITES YOU VISIT (and they admit they do this in their TOS statement above), it is simply not anonymous. "No logs" is a semantic game they are playing and that's all.
     
    Last edited by a moderator: Jan 19, 2007