Security

From IndyMedia

IMC UK Security Information

Browse using an encrypted connection

Indymedia UK values the principles behind open-publishing and is working towards completely anonymous publishing of media upon the website. One of the things that you can do to help this is browse the web site using an encrypted connection: this helps disguise who is posting to the site at any given time.

Why is this important?

We have tried to minimise what information can be found out about posters. Currently, Indymedia UK does not log IP addresses. However, it is possible for someone to monitor individuals who are using the site and check what time they visited Indymedia UK. If this corresponds to the time a certain article was posted, then whoever is doing the surveillance may get useful information. One way of diminishing this is to ensure that lots of people are connecting at the same time - hence, any one of them could be making a post or merely viewing the site.

What is an "encrypted connection"?

An encrypted connection between computers is used to hide the details of the information that is being transferred. For example, many organisations use encrypted connections when making or discussing financial transactions: you have probably used one if you've ever booked a ticket or used the bank online.

During the exchange, a third party is used to verify that the website is who it says it is. These third parties are known as Certificate Authorities (CAs): many are big corporations that sell identification certificates, and the procedures for acquiring them vary. Thus, it can be difficult to know whether to trust them or not (although often, one does not have a choice).

Indymedia UK, instead of using a commercial Certificate Authority, has decided to use the non-profit organisation CAcert (cacert.org). All our certificates are certified by the 'root' certificate of the CAcert Certificate Authority.

What are certificates?

Certificates are used to verify the identity of people or computers. In particular, certificates are needed to establish secure connections. Without certificates, you would be able to ensure that no one else was listening, but you might be talking to the wrong computer altogether!

What is a certificate authority?

Certificates are the digital equivalent of a government-issued identification card. Certificates, however, are usually issued by private corporations called certificate authorities (CAs). Indymedia UK has, instead, chosen to use CAcert (cacert.org), a free and non-profit certificate authority.

Unfortunately, you need to do a little work to get your software to recognize CAcert as a certificate authority. Every CA has a 'root certificate' which identifies a particular organization as a certificate authority. Corporate CAs have their root certificates distributed with most of the major computer programs and operating systems, and are preconfigured in most web browsers. For CAcert, however, you need to manually install the cacert.org root certificate.

How do I install the cacert.org root certificate?

  • IE users can use the Internet Explorer cert install page.
  • Mozilla users can follow this link to the root cert and follow the instructions that pop up.
  • Internet Explorer on the Mac is messed up, and requires that you use this link (provided by Riseup) instead: install root certificate using IE on the Mac.

Alternatively, you may wish to visit the CAcert root cert page.

Here are a few installation tutorials:

  • Internet Explorer (windows)
  • Internet Explorer (mac)

What happens if I don't install the root certificate?

Without the root certificate, you will receive a security warning each time you attempt to establish a secure connection to indymedia.org.uk. You can usually choose to ignore this warning and accept the server's certificate on a temporary or permanent basis.

"That doesn't sound so bad", you might say. In the past, this is exactly what many users have done in order to use secure connections. But there are major problems with this:

  1. If people get in the habit of approving new server certificates every time they get a security warning, it completely defeats the purpose of having certificates in the first place.
  2. indymedia.org.uk has several different servers and a different certificate for each one. It is easier for users to install CAcert as a certificate authority once, rather than approving each certificate one at a time.
  3. indymedia.org.uk actively wants to spread the adoption of CAcert as a certificate authority, because it is also being used (or will be) by other parts of the indymedia network as well as other activist collectives and groups around the world.

I thought you were against authority?

We are, but the internet is designed to require certificate authorities and there is not much we can do about it. There are other models for encrypted communication, such as the decentralized notion of a "web of trust" found in PGP. Unfortunately, no one has written any web browsers or mail clients to use PGP for establishing secure connections, so we are forced to rely on certificate authorities. Some day, we hope to collaborate with other tech collectives to create a certificate (anti) authority.

What are the fingerprints of indymedia.org.uk's certificates?

Some programs cannot use certificate authorities to confirm the validity of a certificate. In that case, you may need to manually confirm the fingerprint of the certificate. Here are some fingerprints for various certificates:

www4.indymedia.org.uk 4F:46:8E:78:07:6E:A3:33:5C:DA:47:2C:9C:EA:91:90:7C:9C
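A way to automate the manual fingerprint check described above, as an added example that is not part of the original page or Indymedia's own tooling. The function names and the sample bytes are assumptions made for illustration; a published fingerprint whose length matches no known digest is rejected rather than compared.

```python
import hashlib
import hmac
import ssl

# Digest length in bytes -> hashlib name. MD5 and SHA-1 appear on older
# pages but are collision-weak; prefer a SHA-256 fingerprint when offered.
DIGESTS = {16: "md5", 20: "sha1", 32: "sha256"}


def parse_fingerprint(text):
    """Turn 'AB:CD:...' (colons or spaces, any case) into (algorithm, bytes)."""
    cleaned = text.replace(":", "").replace(" ", "").strip()
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError:
        raise ValueError("fingerprint contains non-hex characters") from None
    if len(raw) not in DIGESTS:
        # A wrong length usually means a truncated or mistyped value.
        raise ValueError(f"{len(raw)}-byte fingerprint matches no known digest")
    return DIGESTS[len(raw)], raw


def fingerprint(der, algorithm):
    """Colon-separated, upper-case digest of a DER-encoded certificate."""
    return ":".join(f"{b:02X}" for b in hashlib.new(algorithm, der).digest())


def matches_published(der, published):
    """True only if the certificate's digest equals the published value."""
    algorithm, expected = parse_fingerprint(published)
    actual = hashlib.new(algorithm, der).digest()
    return hmac.compare_digest(actual, expected)


def fetch_der(host, port=443):
    """Fetch a server's certificate without CA validation (needs network)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


# Constructed stand-in bytes, not a real certificate: the digest is taken
# over whatever DER bytes the server presents, so any bytes show the check.
SAMPLE_DER = b"constructed-sample-der-bytes"

if __name__ == "__main__":
    published = fingerprint(SAMPLE_DER, "sha256")
    print(published)
    print("match:", matches_published(SAMPLE_DER, published.lower()))
    print("tampered:", matches_published(SAMPLE_DER + b"!", published))
```

The published value must come from a channel other than the connection being checked, otherwise the comparison proves nothing.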

Anonymous browsing: Tor

Indymedia has in the past attracted the attention of authorities, who have occasionally tried to request logs of who is accessing the web site and have on one occasion seized our server without any explanation. We believe in the right to anonymous political speech and therefore we do not keep logs that could provide any such information. Still, we advise Indymedia readers who are concerned about the privacy of their reading and posting habits to hide them by using anonymizing services like Tor, or by using SSL-encrypted connections.

Tor - Anonymous browsing

Download Tor

Tor is a decentralized network of computers on the Internet that increases privacy in Web browsing, instant messaging, and other applications. We estimate there are some 30,000 Tor users currently, routing their traffic through about 200 volunteer Tor servers on five continents. Tor solves three important privacy problems: it prevents websites and other services from learning your location; it prevents eavesdroppers from learning what information you're fetching and where you're fetching it from; and it routes your connection through multiple Tor servers so no single server can learn what you're up to. Tor also enables hidden services, letting you run a website without revealing its location to users.

Individuals use Tor to keep websites from tracking them and their family members, or to connect to news sites, instant messaging services, or the like when these are blocked by their local Internet providers. The Electronic Frontier Foundation (EFF) is backing Tor's development as a mechanism for maintaining civil liberties online. Corporations use Tor as a safe way to conduct competitive analysis. A branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East. This diversity of users helps to provide Tor's security.

Tor is free/open source software and unencumbered by patents. That means anyone can use it, anyone can improve it, and anyone can examine its workings to determine its soundness. It runs on all common platforms: Windows, OS X, Linux, BSD, Solaris, and more. Further, Tor has extensive protocol documentation, including a network-level specification that tells how to build a compatible Tor client and server; Dresden University in Germany has built a compatible client, and the European Union's PRIME project has chosen Tor to provide privacy at the network layer.

Of course, Tor isn't a silver bullet for anonymity. First, Tor only provides transport anonymity: it will hide your location, but what you say (or what your applications leak) can still give you away. Scrubbing proxies like Privoxy can help here by dealing with cookies, etc. Second, it doesn't hide the fact that you're *using* Tor: an eavesdropper won't know where you're going or what you're doing there, but she or he will know that you've taken steps to disguise this information, which might get you into trouble -- for example, Chinese dissidents hiding from their government might worry that the very act of anonymizing their communications will target them for investigation. Third, Tor is still under active development and still has bugs. And, since the Tor network is still relatively small, it's possible that a powerful attacker could trace users. Even in its current state, though, we believe Tor is much safer than direct connections.

Please help spread the word about Tor, and give the Tor developers feedback about how they can do more to get this tool into the hands of people who need it, and what changes will make it more useful. Also, consider donating your time and/or bandwidth to help make the Tor network more diverse and thus more secure. Wide distribution and use will give us all something to point to in the upcoming legal arguments as to whether anonymity tools should be allowed on the Internet.

See Also

  • http://www.activistsecurity.org/
  • Participating With Safety -- how to use the Internet politically and safely.
  • Choose good passwords and passphrases because if you don't your encryption will be easy to crack.

IMCUK, 02.01.2005 00:42