Wednesday

Anonymous Surfing and Plaintext Data Transmission

A bit of a geeky title today, but I just wanted to make a point - anonymous surfing is simply not possible when your data is being transmitted in plain text. It sounds obvious but many people wishing to protect their anonymity and privacy fail to realise this. The vast majority of your web browsing is in clear text so is easily monitored, if you see HTTP in the url line of your screen, you have no privacy.

There is an all too common misconception that security related devices and software like firewalls, anonymous proxies, virus programs provide some sort of all encompassing security and allow people to surf anonymously and securely.

Anonymous Surfing procedure



Well it doesn't !

Anonymous Surfing and Plain Text Protocols



Some of the most common protocols that we all use on the internet today are plain text protocols, that is everything you transmit is completely readable by anyone with the inclination to intercept it.

Look at this list of common protocols - POP, IMAP, FTP, HTTP, IRC, SNMP and a host of instant messenger programs. Each one offers you no protection from snoopers, hackers or just plain nosy people.

If you think nobody is going to actually see your content - let me explain about a very real situation. Quite a few years ago I worked temporarily in a large manufacturing firm mainly doing some security work. In the IT department was the usual mix of the clever, disinterested, helpful, ignorant and professional staff. One techie was cleverer than most of his colleagues and was able to get his job done in 10% of the time.

He looked after the networks mainly and as such spent some of his time troubleshooting, sniffing the network and sorting out problems. Of course he would always see his workmates browsing habits, all the URLS and web sites flying across the wires.

He actually found all the browsing quite interesting, but of course it was a pain to view all the web sites urls in a packet sniffer so he found an easier way. The fun thing he discovered was that if you use a program called Webspy from the dsniff suite, then he could select the computer of a host and watch as every web site they visited appeared on his own computer. Synchronised browsing, and actually quite fascinating to watch what your CEO, or finance department is browsing in real time.

You can also point the tool at a range of hosts, although it can get quite confusing watching your browser fire up lots of different web pages. But the very dangerous situation was that in the IT department on a single computer, every web page you browsed would instantly appear.

Can you think of the security problems that might cause? This was actually pretty simple to do, involved no great technical skill but represented a huge invasion of privacy. This is also achieved easily on any network or wireless LAN like a hotel, cafe or anywhere else where you share a network. Your neighbour, that guy next to in the cafe or anyone of the techies at work could be doing this. Anonymous Surfing, you won't get close using HTTP unless you employ some sort of encryption.

So next time you think you have a solution for anonymous surfing, think twice, if you're using a protocol like HTTP which most of us do, then you are browsing in clear text.

0 comments: