zirias@
Developer
Sometimes, there's a need to browse the web anonymously. It doesn't have to be for illegal purposes, it could just be you want to talk about your medical or even mental problems, sexual orientation, or maybe you want to "pentest" websites you don't own, just to make the web a better (more secure) place, by (anonymously!) communicating your findings to the owner ... I don't care – you just don't want to be identified. Here's what I found so far, investigating possibilities. Feel free to add additional info (I'd appreciate!)
1. Hiding your IP address
This is the most essential thing to do. You could always be identified by your IP address, at least your ISP will have logs making that possible. The canonical solution to this is Tor. Start with installing security/tor. If you install it on the same machine you will use for browsing the web, you won't need any configuration. In the default configuration, it will provide a SOCKS proxy listening only on the local loopback interface on port 9050.
2. Cleaning up HTTP
Unfortunately, HTTP (and other web standards like HTML/CSS/ECMAScript) have lots of "features" that allow server operators to recognize you. Without your IP address, it will be harder to actually know who you are, but correlating your activities, once one of them can be attributed to you, all others can as well. There's no perfect solution to this, but I recommend you install www/privoxy to make this less likely. Once installed, copy config and match-all.action from /usr/local/share/examples/privoxy to /usr/local/etc/privoxy.
In /usr/local/etc/privoxy/config, in the section about forward-socks*, add the following:
Code:
forward-socks5t / 127.0.0.1:9050 .
This will make sure, privoxy routes all traffic through Tor.
Privoxy comes with a somewhat sane default configuration. There's probably room for improvement (please add tips), but for now, there's ONE important thing: privoxy rewrites request and response content, and as most sites use encryption (https) nowadays (which is a good thing!), it has to "break" it to be able to access the clear text and rewrite anything. For this to work, it has to issue "fake" certificates on the fly, so it needs its own CA. Prepare it like this:
Code:
mkdir /usr/local/etc/privoxy/CA
cd /usr/local/etc/privoxy/CA
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.crt -days 3650
# type whatever values you like here... take a note of the password you choose
ln -s /etc/ssl/cert.pem trustedCAs.pem
chown -R privoxy /usr/local/etc/privoxy/CA
chgrp -R privoxy /usr/local/etc/privoxy/CA
mkdir -p /usr/local/var/privoxy/certs
chown privoxy /usr/local/var/privoxy/certs
chgrp privoxy /usr/local/var/privoxy/certs
chmod 700 /usr/local/var/privoxy/certs
Then, edit /usr/local/etc/privoxy/config again, and uncomment ca-directory, ca-cert-file, ca-key-file, ca-password, certificate-directory and trusted-cas-file. The default values are all correct except for ca-password, you have to put your CA password you chose above there.
Finally, you must edit /usr/local/etc/privoxy/match-all.action. To enable HTTPS tampering, add +https-inspection \. I'd also recommend to rewrite the User-Agent header here to something common, using +hide-user-agent{<value>} \. E.g. I used the latest stable Chrome for Windows for now, so my whole config looks like this:
Code:
{ \
+change-x-forwarded-for{block} \
+client-header-tagger{css-requests} \
+client-header-tagger{image-requests} \
+client-header-tagger{range-requests} \
+hide-from-header{block} \
+set-image-blocker{pattern} \
+https-inspection \
+hide-user-agent{Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36} \
}
3. Configure your browser
I used www/chromium for my tests. I know, this certainly isn't the best choice for privacy. But, OTOH, considering fingerprinting, a rarely used minimal browser might "stick out" more easily. First thing to do, create a new profile, e.g. mkdir ~/.config/torium (got this idea from somewhere else: chromium using tor → torium. Yep, silly, but well…)
Then, create a startup script to run chromium in "anonymous" mode:
Code:
#!/bin/sh
exec chrome \
--proxy-server="http://127.0.0.1:8118" \
--host-resolver-rules="MAP * ~NOTFOUND" \
--user-data-dir="$HOME/.config/torium"
The host-resolver-rules is a precaution, it makes sure any DNS request chromium tries to do itself (not using the proxy) will just fail.
If you run your privoxy on a different host, you could use this instead:
Code:
#!/bin/sh
exec chrome \
--proxy-server="http://<yourprivoxyhost>:8118" \
--host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE <yourprivoxyhost>" \
--user-data-dir="$HOME/.config/torium"
Then, you have to import your privoxy fake CA's certificate, located in /usr/local/etc/privoxy/CA/cacert.crt, as a trusted CA, so chromium accepts the "tampered" responses. Open Settings, somewhere in the "security" area, I guess you will find it.
Finally, just disable any feature chromium offers. Especially disable Javascript. The possibilities to fingerprint your browser with Javascript are endless… it also makes sense to select a different default search engine (e.g. select duckduckgo).
4. Open issues, further thoughts
As an added benefit, you will get access to the "Darknet". Just look for the .onion virtual TLD. But browser fingerprinting remains an issue. I don't know any good solutions. Have a look here: https://noscriptfingerprint.com/ – I have no idea how to prevent that (short of using a text browser knowing nothing about CSS). Just hoping site operators don't bother to do such stuff, cause almost any user on the web can be tracked/fingerprinted MUCH easier.
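An added example, not part of the original post: a small POSIX sh audit of the privoxy config from step 2, checking the Tor forwarding line, the ca-password setting and the CA key. The function names are hypothetical, the world-readable checks are an extra hardening check the post does not mention, and resolving ca-key-file relative to ca-directory is an assumption.

```shell
#!/bin/sh
# Added example (not from the post): audit a privoxy config for the settings
# the post depends on. Prints findings; returns the number of findings.

# Value of the first active (uncommented) directive $2 in config file $1.
directive() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# True if the file's mode grants read access to "other".
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

note() { findings=$((findings + 1)); echo "FINDING: $*"; }

audit_privoxy() {
    conf=$1
    findings=0

    # Everything must be handed to Tor's SOCKS port, as configured in the post.
    [ "$(directive "$conf" forward-socks5t)" = "/ 127.0.0.1:9050 ." ] ||
        note "missing 'forward-socks5t / 127.0.0.1:9050 .'"

    # With forward-socks4 privoxy resolves host names itself, outside Tor.
    [ -z "$(directive "$conf" forward-socks4)" ] ||
        note "forward-socks4 is active: DNS lookups happen locally"

    # https-inspection needs the CA password; it sits in the config in clear text.
    if [ -z "$(directive "$conf" ca-password)" ]; then
        note "ca-password is not set (still commented out?)"
    elif world_readable "$conf"; then
        note "$conf holds ca-password but is world-readable"
    fi

    # Assumption: ca-key-file is resolved relative to ca-directory.
    key="$(directive "$conf" ca-directory)/$(directive "$conf" ca-key-file)"
    if [ ! -f "$key" ]; then
        note "CA key $key not found"
    elif world_readable "$key"; then
        note "CA key $key is world-readable; the browser trusts certificates signed with it"
    fi

    return "$findings"
}

# Run against a config when a path is given on the command line.
if [ "$#" -gt 0 ]; then audit_privoxy "$1"; fi
```

Run it as root with /usr/local/etc/privoxy/config as the argument; an exit status of 0 means no findings.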