NETWORK DEFENSE

Web Anonymizers Perform a Useful Service

by Rik Farrow <rik@spirit.com>

The recent acts of terrorism in the US have had several side effects. One of these has been the passing of legislation that increases the ability of US Federal agencies to intercept Internet traffic. It also appeared that another side effect was the loss of the well-known Web anonymity service hosted by ZeroKnowledge. This later turned out to be unrelated.

Web anonymizers allow people to visit Web sites without concern that their identity will be disclosed to the owner of the Web site, or even to a local administrator who can log the URLs that a user visits. These tools will work just as well to allow a terrorist to use the Web with anonymity, if he or she chooses to do so.

Anonymity does have its place in a society of free people, and personal rights and freedoms should not be collateral victims of terrorist attacks. Government agencies may also be important users of anonymizers. This column explains how anonymization works on the Internet and why this is important.

Source Addresses

In the May 2000 column, I explained how attackers can spoof source addresses. A source address is an IP address embedded in the header of an IP packet. When the packet is received, the source address becomes the destination address in the reply packet. If you choose to spoof your source address, reply packets wind up going to the address that you have spoofed, and you don't get to see the results. Worse, spoofing your source address by itself is a lousy technique for anonymity, as most application protocols require a completed TCP connection before any information gets exchanged.

Of course, something similar to source address spoofing happens whenever there is a firewall between you and the destination network. Most firewalls translate internal addresses into external addresses, most commonly through the use of NAT (Network Address Translation). Another way of rewriting the source address is to connect to a proxy, and ask it to connect to the server you want to visit. This capability is actually built into Web browsers, which permit you to specify the IP address and port of a proxy to use. If you have configured your Web browser to use a proxy, the source address the Web server sees is the address of the proxy. And the proxy handles the relaying for you transparently.

Of course, whoever maintains the proxy, or the firewall, has logs of your activity. And the owner of the Web server still has some information about you, for example, the type of Web browser you are using (see Figure 1). This log may also include the source IP address, the URL requested, any referring page, as well as the identity of the browser used, and often the source operating system (and sometimes type of PC) as well.

The information acquired by the operator of a Web site can go farther still. A Web designer can include JavaScript that can collect more information about your browser and operating system, and include that with any form data that you return. This information may include the real source IP address for your system, as JavaScript programs can access that information.

Routing to the Rescue

There has been research into the area of network anonymity, some of it done by a group that might surprise you--the US Navy. This research formed the basis for the Freedom Network, and may show up in other systems for anonymity as well.

Suppose you decide to proxy your Web requests through a third party that promises to maintain its logs in secret. You use SSL to connect to this server, so someone who is sniffing the connection can only see that you are visiting an anonymizer, and cannot tell the site that is your final destination, because that is encrypted. Sounds like a reasonable solution, but it hasn't worked in the past.

In the early nineties, a site in Finland, anon.penet.fi, provided an anonymous remailer. Anonymous remailers strip away revealing information in the email headers, and then resend the email to your intended destination. That all works really well as long as the software does manage to remove all headers, and you don't screw up and include revealing information in the email you send (for example, including an automatic signature file at the end of your email that identifies you).

But Penet also supported the use of aliases, so that the person receiving your email could reply to you without learning your identity. This meant that Penet had to keep track of the mapping between your anonymous email address and your real one. Penet worked well until authorities stepped in and demanded the mapping for a particular anonymous email address. Johan Helsingius, operator of Penet, was forced to disclose the mapping because that address had been used to disclose information copyrighted by the Church of Scientology.

If you cannot let even the proxy know your real source address, how can the proxy successfully relay for you? There have been several approaches to this problem, and one of the most recent has been Onion Routing.

In Onion Routing, instead of there being only a single proxy for relaying, there is a network of proxies. Each of these proxies runs the same software, which not only relays your packets, but also encrypts them. Now, if there were only one system doing this, you would be in the same position as before, but Onion Routing handles this as well. The first Onion Router chooses a route for your connection, then encrypts your data several times, each time using the public key for one of the routers.

This is where the onion comes in, as each layer of encryption is like the skins of an onion. The Onion Router you have connected to first encrypts your data using the key of the last router in its list of routers. This will be the innermost layer of the "onion", and once this layer of encryption has been removed, the packet will be sent to its real destination.

Then, the first Onion Router adds another layer of encryption. This layer includes the address of the last router in the list, and gets encrypted with the second to last router's key. The next layer gets added, containing the address of the second to last router, but using the third to last router's key, and so on. In Onion Routing, there should be at least six routers to assure confidentiality.
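The layering just described, as an added illustration in Python (not code from this column or from the Onion Routing project). It simplifies in two labelled ways: each router holds a secret key that stands in for the real scheme's public key, and a SHA-256 counter-mode keystream stands in for a real cipher; the router names, key bytes and request are constructed. Each router peels one layer and learns only the next hop, while the remainder it forwards stays encrypted.

```python
import hashlib
import os
from dataclasses import dataclass

ADDR_LEN = 16  # fixed-width next-hop field, so a peeled layer parses unambiguously

def keystream(key, nonce, length):
    """SHA-256 in counter mode as a stand-in stream cipher (not a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    nonce = os.urandom(16)  # fresh nonce per layer so a key never reuses a keystream
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(key, blob):
    nonce, body = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(body, keystream(key, nonce, len(body))))

@dataclass
class Router:
    addr: str
    key: bytes  # assumption: a per-router secret key instead of the real scheme's public key

    def peel(self, onion):
        """Strip one layer: learn the next hop, forward the still-encrypted remainder."""
        inner = decrypt(self.key, onion)
        next_hop = inner[:ADDR_LEN].rstrip(b"\0").decode()
        return next_hop, inner[ADDR_LEN:]

def build_onion(route, dest, payload):
    """What the first Onion Router does: wrap from the last router's layer outward."""
    onion, next_hop = payload, dest
    for router in reversed(route):
        onion = encrypt(router.key, next_hop.encode().ljust(ADDR_LEN, b"\0") + onion)
        next_hop = router.addr  # the layer outside this one must name this router
    return onion

def deliver(route, onion):
    """Forward hop by hop; return final destination, plaintext and each hop's view."""
    observed, current, next_hop = [], onion, ""
    for router in route:
        next_hop, current = router.peel(current)
        observed.append((router.addr, next_hop, len(current)))  # sizes shrink by 32 per hop
    return next_hop, current, observed
```

The per-hop sizes recorded by deliver() are exactly the pattern a snoop watching every router would try to correlate, which is why the real system pads, delays and batches traffic.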

Even better, you should also run one of the Onion Routers. Your Onion Router must also be a full participant in the network that other Onion Routers will use. Otherwise, traffic leaving your Onion Router will only contain packets from your network, revealing the approximate source, although the content will still be encrypted.

Onion Routers have another potential problem. An aggressive attacker could be monitoring the network traffic of every participating Onion Router. This attacker (or perhaps I should say snoop) can then track traffic patterns. For example, you send off a request to www.fbi.gov via your Onion Router. The snoop sees traffic leaving your Onion Router, bound for another Onion Router, with a certain size. The next router sends off a slightly smaller packet, and so on, until the final router sends the plaintext packet directly to the real destination. Then the snoop can deduce that this packet came from your network, based on the sizes and the timing of the packets between routers.

Onion Routing defeats this by delaying packets slightly, as well as batching data from several packets. Thus, a snoop cannot make simple deductions about the sizes of packets or the timing of packets. The end user does experience greater latency (delay), but this is the price paid for more security.

Onion Routing is only one approach to the problem of network anonymity. AT&T Research tried a different approach, called Crowds. The concept behind Crowds is that "Anonymity Loves Company", so the more participants the better. Each Crowd proxy is called a "jondo" (think of John Doe). And unlike Onion Routing, instead of layers of encryption, jondos employ secret key encryption with one key per route, somewhat speeding up processing by reducing the amount of time required to handle encryption. Like Onion Routing, there is some state information required, so that the entry and exit point of a route know where to send packets. This information is discarded at the end of each connection, but potentially could be used to track users.

The Freedom Network used an approach similar to Onion Routing. You either added a plug-in to Internet Explorer or patched your Linux kernel so that your system actually became an entry point in the network, and sites other than the one run by ZeroKnowledge participated as routers. The Freedom Network's operators claim that they had decided in the spring to discontinue their service because it was not paying for itself. The Anonymizer (www.anonymizer.com) is still up and running today, but functions as a proxy (as well as stripping identifying information from your requests). While you can use this service for free, your request will be delayed so you can read advertising suggesting that you try paying for the service.

Who Needs It?

The Onion Routing project was closed down in January 2000, after over 20 million requests. Its home page contains a very interesting disclaimer, essentially, that anyone using the Navy's network should expect that their traffic will be monitored--a very chilling statement when one considers the alleged intent of Onion Routing.

Still, one of the largest users of anonymizers would be government agencies. Anonymizers allow law enforcement to visit Web sites without giving away their identity, or military analysts to collect data without revealing their areas of interest. Such uses of anonymizers are legitimate, and actually of value to national security. If only the military and law enforcement used a particular anonymizer, any visits from that anonymizer would immediately be of interest to someone worried about being investigated.

Anonymizers also have a place for non-governmental users. While an anonymizer has the potential for misuse, for example, by hiding the identity of visitors to a pornographic site with illegal content, anonymizers have historically had more important legitimate uses. For example, someone with AIDS could feel free to search the Web without revealing his or her identity. A person on the verge of committing suicide could ask for help while remaining anonymous, one of the actual uses of the original Penet remailer.

We can only hope that the rush to embrace national security in the US doesn't have additional casualties--especially ones that actually have positive uses.

Resources:

Page of links to various Web anonymizer tools or services: http://www.vanish.org/anonymity/rewebbers.htm

A commercial Web anonymizer that includes an Internet Explorer plugin with their service: http://www.anonymizer.com/

The Onion Router home page: http://www.onion-router.net/

A short list of email anonymizers (remailers): http://www.csua.berkeley.edu/cypherpunks/remailer/

News article about the end of the original remailer: http://www.kkc.net/eyenet/1996/net0905.htm

Figure 1: Web servers can (optionally) collect information about the browsers that site visitors are using. Each Web request includes a USER-AGENT line in the request header with this information, unless software is used to remove this header line. Note that the OS version is often included in this information.

Mozilla/4.0 (compatible; MSIE 4.01; AOL 5.0; Mac_PPC)
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)
Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)
Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; AtHome021SI)
Mozilla/4.76 [en]C-AIT (Win98; U)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Mozilla/3.01 (Win95; U)
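To show what a site operator can read out of those USER-AGENT lines, here is an added Python parser (not part of the column) run over the Figure 1 values, which are embedded below as a constructed sample; the regular expressions and the platform token list are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample: the User-Agent values shown in Figure 1, one per logged request.
FIGURE_1_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 4.01; AOL 5.0; Mac_PPC)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)",
    "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)",
    "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; AtHome021SI)",
    "Mozilla/4.76 [en]C-AIT (Win98; U)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)",
    "Mozilla/3.01 (Win95; U)",
]

MSIE_RE = re.compile(r"MSIE ([\d.]+)")
MOZILLA_RE = re.compile(r"^Mozilla/([\d.]+)")
OS_RE = re.compile(r"^(Windows|Win|Mac|Linux|X11|SunOS)")  # tokens that name a platform

def parse_agent(ua):
    """Return (browser, os) as disclosed by one User-Agent header value."""
    inside = ua[ua.find("(") + 1 : ua.rfind(")")]  # the parenthesised token list
    tokens = [t.strip() for t in inside.split(";")]
    # The OS is the first platform-looking token, which skips "compatible",
    # the MSIE version and add-ons such as "AOL 5.0" or "AtHome021SI".
    os_name = next((t for t in tokens if OS_RE.match(t)), "unknown")
    m = MSIE_RE.search(ua)
    if m:
        return "MSIE " + m.group(1), os_name
    m = MOZILLA_RE.match(ua)  # no "compatible" token: the Mozilla/x.y product is the browser
    return ("Mozilla/" + m.group(1) if m else "unknown"), os_name

def os_breakdown(agents):
    """What a site operator learns from nothing but the logged User-Agent lines."""
    return Counter(parse_agent(ua)[1] for ua in agents)
```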