Why Anonymous Secure Surfing is Difficult to Achieve

Nowadays people are becoming increasingly aware of the lack of privacy in modern day life, CCTV cameras, electronic commerce and the internet have obvious advantages but at a price. It might not matter to most people that thanks to a store loyalty card, there's a computer file sitting somewhere which will tell someone exactly what my family's favorite breakfast cereal is, what brand of beer I drink and indeed how much. Ok not exactly that important or critical but it kinda bugs me.

However the amount of privacy lost by normal offline functions is dwarfed by the intrusions that happen online, here you have virtually no privacy at all. The main problem is the language or protocol that we use to conduct the majority of our browsing, which goes by the name of HTTP (HyperText Transfer Protocol). It is the primary medium for transporting all our web requests and documents, however most people have no idea how it works and why anonymous secure surfing just doesn't happen using HTTP.

An Overview of HTTP

HTTP is a request/response protocol, basically the client (thats our browser) sends a request to the server (the website) and the server sends back a response. There are no complicated handshakes like you get with many other protocols.

So what's in this request then, a HTTP Request consists of a method, the target (the URL), an identifier for the version of the protocol and a set of headers. The method actually specifies what really happens - here's some example methods that are commonly used.

  • GET - used to retrieve documents, images and files stored on the web server.
  • POST - used to perform form submissions, messages etc into HTML documents
  • PUT - this is used to modify existing resources or creating new ones such as uploading a file
  • DELETE - used to delete a resource or a file
  • HEAD - similar to the GET method except that it returns only attributes of an item not the resource itself
The vast majority of web traffic through HTTP uses the above methods making it by far the simplest protocol used to communicate on the web.  This was part of it's design criteria, simplicity and speed, furthermore this allowed the protocol to be widely compatible which is vital to it's role as the language of a global information system like the internet.

However these very design objectives which made HTTP so successful, make it inherently insecure.  HTTP is just a basic text protocol, this makes it very easy to debug unlike all those confusing binary protocols.  In fact you can communicate quite easily using HTTP manually with the series of commands.  Using a program called telnet which sits on all our computers you can connect to any webserver, simply connect on the right port and start communicating via HTTP manually.

It's all actually very simple, all the commands, requests and headers are in plain ascii text which is easily readable, this is where the problem lies with anonymous surfing, it just can't happen when you simply use HTTP requests.   

Anonymous Secure Surfing Problem with HTTP

Information Divulged in HTTP Headers

HTTP Request headers reveal a wealth of information about every request that is sent or received.  Here's just some of the information;
  • IP Addresses - the clients (that's you and me) IP address is included in the headers, unless this is protected or filtered by a proxy server.
  • Internal Hostnames - the host names of the client or proxy server is revealed in the header.
  • Internal Network structure - there are various headers such as Via and Forwarded which can reveal network topologies.
  • Operating Systems - what OS you are running and what version, especially useful information for hackers 
  • Software/Browser Versions
  • Email Addresses
So a quick summary the HTTP headers are going to reveal your IP address, what OS you're using, the type of browser pretty much at a minimum - and that's just  the headers!  Then everything you're actually requesting and sending is also in clear text - so the web site you're visiting, the files, pictures or videos you request, information supplied on forms or any other communication.   This is the default situation which is why anonymous secure surfing is such a pipe dream when only using HTTP to browse on the internet.

A huge information trail on everything you do, see or download online which is distributed everywhere from your ISP who log everything (mostly due to legislation so the agencies and government can access), routers, proxies and gateways and of course the web server you're visiting.  It's not the information stored on your PC you should be worried about it's the huge amount of data online!

I hope this information has been of some interest to you, you can learn more about the issues and what you can do about it online here on my blog.