Online security: How to surf anonymously

Set Tor up correctly and the little green onion is a sign you are on the way to surfing anonymously. (Photo: Guy Degen)

Whether you are doing investigative journalism, communicating with a trusted source or traveling to a country where authorities are known for electronic eavesdropping, online security is increasingly becoming a must-know skill for journalists. 

Jens Kubieziel is security expert and author of the book Anonym im Netz (Anonymous on the web) which offers useful advice for keeping secure on the web, the must-have tools to anonymously surf the web and how proxies can protect your privacy.

DW Akademie’s Natalia Karbasova asked Kubiezel how journalists can surf the web safely, and when necessary, anonymously.

Is Internet security possible on a small budget?

A higher level of IT security usually comes at a price. You can compare it with the analogue world. When driving a car one uses a belt. When visiting a crisis zone one tries to obtain information about specific risks, takes certain precautions and even wears protective gear such as a bulletproof vest. If you want to have more IT security you also need to put more effort into it.

Many websites advise you to use tools such as Tor for anonymous web surfing on the web. However, the basics of online security are often left out. What should you start with?

First of all you should think about your risks. Are you sitting in an office in Germany with your desktop computer or are you doing some ground research in an dangerous zone? In the first case, it might be sufficient to use anti-virus software and be careful when opening email attachments. But in the latter case, all information is saved on your devices. An attacker might try to steal your devices and acquire important information. He could try to locate and harass you. So you need many more countermeasures. Encrypting your device is a must. (See our blog post on data encryption)

You mentioned Tor as a anonymisation software. This is one the most used and well researched software of its kind. But Tor alone does not make you anonymous. The Tor Project lists several warnings on its website. If you read the list and follow the instructions, this will increase your anonymity a lot.

Are there any differences in security across different browsers? And what should you look out for? 

If you use an updated browser, I’d say that all the major browsers are equally secure. It is older versions, especially those of Internet Explorer below version 7 and Mozilla Firefox, that are known to have security bugs.

Nowadays the risk lies more within plugins. Some of them introduce critical bugs and decrease the overall security. Others leak data and help attackers who want to find out your location. The Mozilla project has a blacklist of such extensions.

Which are the must-have tools to anonymously surf the web without disclosing your IP address?

I would suggest the Tor Browser Bundle. This is a software package with the Tor software itself plus a preconfigured Mozilla Firefox. You can just download the bundle, extract it to your hard drive or USB drive and start it without any installation. The browser is configured in a way that it doesn’t allow an attacker to find out anything about your location. So it offers good anonymity. A further solution I’d recommend is JonDonym.

Offering information in an anonymous way is much more difficult. At the moment, there are two basic approaches which seem fit. To the first category belong I2P eepsites [website’s that are hosted anonymously]. I2P is an anonymisation software which establishes its own network. Within that network one can have websites, blogs etc. The authors of the software claim that no third party can find out who put this information online. However, as far as I know there is no research on this software and therefore nobody really knows how secure it is.

The second category embraces Tor’s hidden services. You can setup a website and connect it with Tor. The software tries to protect your identity. At the moment there are some known attacks against hidden services. So if there is a strong attacker it might not be safe enough.

Both solutions have one thing in common: you need I2P or Tor to get access to the information such as a website or a blog. So they are hidden from the “public web”.

What are proxies and how to they help protect your privacy? Which tools would you recommend?

A proxy server is special software which is located between your local computer and the site you want to open. Such servers often cache websites which helps them download faster. Another purpose is to scan the contents, recognize viruses or other malware and sometimes also to block access to specific information.

If several users access the web through proxies they can help to blur their identities. So the website does not see the address of a specific computer, but only that of the proxy.

However, if a site wants to track you and your browsing habits it will install a cookie. This small text file is located on your computer and can be transferred to the remote site. It can contain information about your last visit or your username or any other type of information. Using a proxy doesn’t protect you from this and other track methods.

A proxy might be useful to hide your geographical location. Plugins like Stealthy or websites like xroxy.com help to find open proxies in different countries. So it might help to get access to information which is specific to a country.

How can you find out if an anonymizing service isn’t run by a secret service, which is apparently the case with Anonymizer?

This is quite hard, if not impossible. Any agency or private person can set up a proxy and offer it to the public. And if it attracts users it is possible to intercept the communication. Often you’ll find rumours that this or that service is run by some agency. But usually there is no proof. You should be cautious and keep in mind that any proxy provider can intercept your communication. If you need good anonymity you should use tools like Tor or JonDonym.

To get a better insight into the issues of online security, check out our previous posts best free tools to encrypt your data and how to create and manage secure passwords.

About the expert:

Jens Kubieziel is an IT security consultant and trainer. He advises companies and government agencies on securing their IT systems and networks. Kubieziel also trains activists and journalists on such issues as secure usage of Internet tools and censorship circumvention.