What's the Best Way to Browse the Web Anonymously? Note: Read the comments at the above webpage in order to understand various suggested ways to go about browsing the Web anonymously, and of course, don't hesitate to add any new ideas you have to the discussion in this thread! Personally, I prefer the Qubes, Whonix way as a more secure foundation method mixed in with some of the suggestions that can be incorporated into the overall scheme regarding anonymity especially in the areas of DNS and VPN. -- Tom
Rigorously follow good opsec practices, compartmentalise. Qubes is one approach with Whonix, VMs more generally. Host has to be inviolate as possible (e.g. Qubes). As well as Whonix, I'd also add LiveCD, on a system with no hdd. Also, 3rd party network access as well as VPN.
Hi deBoetie, I normally boot up my Linux system from a LiveUSB everyday with my own scripts, etc. I do not think it is necessary to require that the system have no hdd at all, as the hdds will not be mounted unless the user mounts them, and they can do that without engaging the network connection while booting up the system, and then control the hdd mounting and network connection as required. -- Tom
The worry I have with the nominally dormant hdd is that if malware attacking your LiveUSB session is able to escalate privilege, then they can in theory mount and write whatever they like to that hdd. It's a kind of side-channel for persistence, even if the liveUsb never connected. When the hdd system boots, it could exfiltrate the data from your LiveUSB session for instance. Depending on the OS protection, the malware could also subvert the hdd boot process in a very nasty way, so that you'd have a rootkit on the "normal" OS. As I say, this is theoretical, but not impossible.
This is one of the reasons that I have posts/threads around here where I auto monitor (via sha256 sums) even the MBR's on my systems during mount. A great prevention method is to always have your drive sectors encrypted. In addition to privacy, its exponentially more difficult for an adversary to write data to adequately encrypted space because there is no filesystem depicted ---- referring to drive space outside the "scope" of connected workspace. When users toughen up their stance by using workspace VM's it becomes virtually impenetrable. Only in the "classroom" have breakouts to the host happened. As a post script let me also add that employing the TOR browser within the workspace VM makes a breakout from there beyond a reasonable chance. Its just not going to happen. Finally, it takes a few seconds to snapshot the VM to perfectly clean every single day. These are my OPsec prescriptions. Like all meds, its your decision whether or not to follow the advice. LOL!
Even against TAO? They probably have tools for VirtualBox breakouts. Maybe Qubes too. But maybe combine with hardware and network isolation. Make it very hard to leapfrog. Even maybe use optoisolators to block exploits.
There has been 1 known breakout demonstration of Qubes (I dont think in the wild), and one that theoretically could have been pulled off. Both were vulnerabilities in Xen. To address that issue, Qubes 4 will be doing the following: I will admit I'm not smart enough to understand all of what that means yet, but it contains big words and fancy acronyms so its probably better for security (I'm only partially kidding...). Pretty sure they wouldnt be going this route without good reason... Specifically on topic, I use Whonix in KVM on a grsecurity patched Arch kernel for now. Qubes is probably the best from a security standpoint, and does offer amazing anonymity with a whonix appvm Torbrowser. If Qubes v.4 works well on my hardware, I might well switch over.
Right, no more paravirtualized devices. That's also doable in VirtualBox etc. But OTOH, using paravirtualized devices does hide host hardware details, which helps avoid fingerprinting. Win some, lose some, I guess
Host hardware ID scares me far worse than these "hero" breakouts, which I have never encountered (to my knowledge). If your host hardware can be identified within the "scope" of your workspace its over for your anonymity! Configured in that way jumping among VM's (or apps) means nothing because the host hardware is the same. Therefore YOU are the same if detected. Not rocket science. Plus users (like me) can quickly swap virtual hardware id's out anytime we want. With an actual hardware ID you are the same guy/gal two months from now, etc.... I am considering a project where I will be using multiple computers "chained" for actual separation. It would be the real deal instead of Whonix, which gets close virtually, but nothing is as secure as the real deal. I got a deal from a corporation that upgraded their gear and gave me a price I couldn't resist on some ThinkCentre stuff. 3 ghz multi core chips with 4 gig of Ram. I threw up a Linux system and these little puppies really hum on Debian and Ubuntu, even using VirtualBox with only 4 Gig of Ram. Back in the day running Linux with 4 Gig of Ram would of been like Boeing or something, LOL! This is not for 24/7 operation because the power supplies would cost too much to run in that fashion. But for a couple of hours a day when you really need to drop off the radar it would be a fun project. They could all be FDE with a kill switch so its safe too.
I am also aware that Qubes as discussed above is not really stressing the privacy I target. I interpret Qubes, and its a great thing, to be saying I don't care if you know who I am you are not going to compromise my system! That Qubes project is maturing. My fears, especially a few years ago, are that not enough eyes are on it to know its vulnerabilities.
The best way to go is always hardware isolation. With inexpensive microcomputers, that's now readily affordable, and setups don't use much energy. One could implement each Qubes component, for example, as a separate device. And some low-end microcomputers are inexpensive enough to be essentially disposable. For extreme isolation, one can do one-way "sneakernet" with small SD chips. One could even build a modular laptop
Things like the Raspberry Pi are very apt for that kind of proliferation, and in line with any operational security you might want to adopt, could be stashed elsewhere not associated with you, as well as the sd OS card being separable. It's a crazy world that a person should even have to be considering this kind of stuff.
I've recovered an old Q6600 with 8G RAM, which is now running Qubes 3.2 very satisfactorily indeed (with SSD), including Vt-x and d. As you note, power consumption is somewhat higher, but sweating old assets makes quite a lot of sense because Intel are milking their cash cow so mercilessly without adding extra desktop cores for sensible money. Certainly a stand-off as far as I'm concerned, and I go for "cheap" Xeon server pulls if I want more cores (I do for all this virtualisation stuff). Meanwhile, you can get octacore low power cpus on smartphones for not very much money.... I agree with you that Qubes is more focused on security rather than privacy; and I often have to remind myself that - as with general VM operation - the VMs are real systems and need care, hardening and attention just like real ones. They're not toys, though the template isolation Qubes gives you is great, eliminating a whole raft of persistent attacks. I like your idea of doing sha256 checksums on mbr, and indeed, not having a regular filesystem available for inspection and modification raises the bar. On the other hand, I find it simpler to have a sata-diskless system which I boot various Usb3 ssds or sticks from - I like the enforced physical isolation between the systems. On LiveUsb systems with persistence, I also sometimes normally run user sessions on it from ram, having removed the usb stick. I can, if I want, update the system with persistence without browsing or anything else, kind of the best of both worlds.
You and I need to get a life!! Actually this is pure enjoyment hobby stuff for me, and it appears the same with you. Sure, we use what we build. At least in my case I must admit I don't really need to be bouncing off 5 servers to post in Wilder's. Doesn't stop me though. LOL!!
Definitely that, but it's also an element of cussedness, being obstinate and ornery; and on top to that, I am absolutely livid with what the internet has become - I was involved in a small way with building it in the early days, and I'm disgusted with the corporate and government snooping - it's the nastiest from of rent-seeking, and will lead to decay. It would be interesting to see what were the motivation and character traits of people who frequent Wilders and take the trouble to do the difficult and involved steps to get even a modicum of privacy, like bounce off 5 servers. But, clearly, most "normal" people do have a life and can't be bothered or think it's too difficult.
Best way to browse the web anonymously starts from picking the "right" browser because your browser is also your worst enemy when it comes to privacy. If I wanted to make sure that there is absolutely *no* way that my browser is tracking me via WebRTC, Canvas fingerprinting, Battery API, WebAudio API , hyperlink ping attribute, eTag tracking or god knows how many other tracking methods available each time w3c.org spits out "usefull" and "needed" feature that every browser "needs", I would use lynx. No, seriously. Lynx. Or if I wanted to be more adventurous I would use elinks with -g switch from Linux framebuffer so that I could see pretty images instead of plain text in console. When it comes to network privacy and browsers then old saying "Less is More" is very true. So: 1. Either use very antique and outdated browser like lynx or elinks that only support basic surfing and forget all the Web 2.0 wonderland. 2. Try to choose a privacy respecting flavor of your favorite browser like CyberFox, Iridium, TorBrowser etc... and do additional tweaking if necessary (and it probably *will* be necessary). 3. Build your own browser with only the stuff you need. Now that QtWebKit is getting update Im seriously thinking of digging my old browser project back from dust.
Ahh yes.. this appears to reveal their focus on security as opposed to privacy. If they dont develop some method of defense around this, I'll have to pass on Qubes 4 (sadly). For me, anonymity and privacy is the most important- so long as my security exceeds my threat model I am content with Linux. Heres hoping Subgraph pulls through...
Using the computer of someone else (will not say how, because it is opposed to the forum main purpose )
