James Arthur's personal blog.


Using the web securely in a repressive regime

Two nights ago I got an email from a friend in a country not so far from Egypt. He/she was considering trying to help document and raise awareness of brutal government repression and was worried about being tracked down (and possibly much worse) when using the web.

I spoke to Tav, who knows a great deal about decentralised systems and web anonymity. He explained things to me, which I shared with my friend and summarised in a tweet:

I thought I’d follow up with a blog post to explain to anyone who is using the web in a repressive regime what the risks are and what they can do to avoid being identified and having their communications hacked. This post is not the final word on the topic: I’m far too badly informed to write that. Instead, it tries to explain things relatively simply for a non-technical reader.

When you use the web, there are three things you must bear in mind:

  1. encrypt your information
  2. use a secure network
  3. you’re still taking a huge risk

The rest of this post explains these three points in more detail. You can also skip to the Summary of recommended actions.

Encrypting your information

When you send something across the Internet, it’s simple to intercept and read it without you knowing. This applies to everything: email, instant messaging, videos, documents, you name it. If you send it across the Internet, someone can sit in between you and your intended recipient and read it.

You can stop this happening by using a secure connection that’s encrypted, turning the information sent through it into gobbledygook until it gets to the intended recipient. When you’re using the web, this means connecting to websites using an address that starts with https://. If you’re uploading or downloading files using FTP, you need to use sftp://.


For example, you can use a secure version of Google at https://encrypted.google.com/ and you can secure your email using https://mail.google.com and / or by configuring your email client to use SSL when sending and receiving mail.

However, there is a whole range of gotchas. First up, with email, just because you’re securing your mail doesn’t mean your recipient is. If you’re relying on secure email, make 100% sure all recipients are set up securely. Or use https://www.hushmail.com/.

Secondly, with the web, it’s very easy to send some requests using unsecured connections. If you’re serious about this, you should browse the web using Firefox, following these steps:

  • either install a new version of Firefox or, if you already have one, reset your existing version
  • either disable or simply never install any third party plugins like Flash or Java
  • install and enable the https-everywhere and noscript Firefox extensions
  • disable cookies
  • enable private browsing by default (and always browse in private browsing mode)
  • when visiting a website, always check for the “lock” icon on the status bar that shows that you are on a secured web site (unless you’re using Firefox 4, in which case it has disappeared, sigh). If the lock icon has a little “i” symbol which says “Warning: Contains unauthenticated content”, close the site immediately and don’t go back
  • use another browser for your “normal” web use

Thirdly, normal instant messaging is just not secure. Stop using Skype or MSN or whatever you’re using and get everyone you’re talking to to install and use SILC. It’s secure. Your existing chat software isn’t.

Using a secure network

As we’ve seen above, you need to use a secure connection to protect your information from being intercepted. However, whilst you can encrypt (i.e. turn into gobbledygook) the information you send, you can’t encrypt your Internet address or the Internet address you are sending the information to. This means that you are vulnerable to tracking and traffic analysis.

For example, if you post a video to YouTube or a message to Twitter, you could be identified as its author, even if you published using an anonymous account through a secure connection. Equally, if you regularly communicate with other people, sophisticated traffic analysis can identify you as being part of a network of activists.

Fortunately, there is a tool, called Tor, that you can use to make it very hard for people to see where you are connecting to or to trace you as the source of something. Tor routes all of your traffic through a network of secure tunnels. This means that someone watching your traffic and the traffic coming into, say, YouTube, will have a very very hard job to match them up.

Read the documentation on how to install it here. Follow all the steps, including configuring Firefox to use Tor. Then when you browse the web using Firefox (as discussed above) enable Tor using the Torbutton.

If you’re really serious about this stuff, it’s probably worth getting stuck into the hard core documentation about using Tor with other applications. This includes using Tor with SILC. As it says, “Combining Tor and SILC might be one of the safest ways to communicate with someone over the Internet”. You might also find http://janusvm.com/ and http://www.privoxy.org/ useful.

If it’s too complicated, find someone who can help you. Worst case, you might find someone on #esp who will be willing to give you a few pointers.

You’re still taking a huge risk

So, you’re encrypting your information and using a secure network. Leaving aside the risks that you get the configuration wrong or the snoopers are way more sophisticated than I can even comprehend, you’re still wide open.

For example, there’s the information on your hard drives. One remedy is to delete using a permanent erase tool that overwrites the data lots of times (for Windows, Mac or Unix). However, at some point you’ll actually need the files and you can’t delete what you’re currently working on.

More fundamentally, there’s the information in the content you distribute. Like your email, so carefully encrypted and routed through Tor, just sat there, all plain text and decrypted in your friend’s inbox. Your friend who just got arrested. Who just got tortured to reveal their password. To reveal your name.

When it comes down to it, there’s only so far you can go through a network of secure tunnels. At some point, you’re going to need your content to surface and at that point, you’re as vulnerable as ever.

Summary of recommended actions

Encrypt your information:

  • when browsing, lock Firefox down and always use https://
  • when using FTP to share files, always use sftp://
  • secure your email or use https://www.hushmail.com/
  • use http://silcnet.org/ to communicate

Use a secure network:

  • install Tor
  • configure it to work with the applications you use
  • ask for help if it’s too complicated

You’re still taking a huge risk:

  • don’t leave files lying around (securely erase them)
  • limit the size of your network

Good luck.

About

Hi, I'm James Arthur, aka @thruflo. I'm a geek generalist, based in London, available for consulting work.

Email thruflo@gmail.com if you'd like to get in touch.
