Main Index     The HIVE light edition (TM)
This is a historical archive
The forum is read-only. Private information has been removed. It is not possible to login.


The Server Room  

Subject: I2P is the New Freenet

 
    MargaretThatcher
(Hive Bee)
09-10-04 00:01
No 530559
      I2P is the New Freenet     

After mucho messing with Freenet, I have come to the conclusion that it is dead in the water. Progress is slow, hindered by the egomaniacal and self-promotional behaviour of project leader Ian Clarke.

However, I2P, a generic anonymising layer over IP, is developing rapidly. You can use it to anonymously surf and also host web services such as web servers and mail servers and IRC (all anonymously).

http://www.i2p.net/

For example:

http://brittanyworld.i2p/daily_slander/

New Bush Agenda Receives Goose-stepping Ovation at RNC

New York City,USA - President George W. Bush unveiled a new campaign platform Thursday at the Republican National Convention. Dubbed the "Final Solution", the highlights include an unlimited commitment to expansionism, mandatory radio-frequency ID nipple tags for all American citizens, and the cultural eradication of anything remotely French--starting with pantomimes. Also outlined was a more immediate plan to seize the world's oilfields and golf courses by drafting minorities and poor unwed mothers into military duty.

"Das ist mein kampf!" bellowed the President, throwing a stiff-armed salute.

der_fuhrer_bush.jpg
Bush whips Republicans into a frenzy at rousing rally

In his speech, Bush assuaged any concerns that this new direction departed from traditional conservative values. "Make no mistake about it; we still oppose homosexuality and human cloning. And we still oppose abortion, but we will gladly enforce the abortion of cloned gay fetuses," he said to a rabid cacophony of sieg heils from the crowd.

The Kerry-Edwards campaign was quick to respond. "We won't be upstaged by this blatant appeal to nationalism. Expect a surprise announcement from Senator Kerry in the next few days," said newly-recruited campaign manager Joe Stalin.

etcetera, etcetera

Edit: I can't work out whether the Daily Slander is American or not. S/he has generally good speeling and punctuation, but makes unforgivable grammatical errors. I suspect a yank.

Are you, or have you ever been a Liberal? YES / NO
 
 
 
 
    MargaretThatcher
(Hive Bee)
09-11-04 12:34
No 530841
      Securing Your Browser     

Taken from the I2P network (http://brittanyworld.i2p/browsing/)

This is for browsers using the i2p proxy, but much of it applies to other proxies such as Tor and the compromised JAP.

*****************************************************

If you want a 100% guarantee that I2P (or any other 'anonymous' net) is absolutely anonymous, that there aren't any hackers who know how to exploit it, that the code is sound, and that the developers can be trusted and will remain free from outside pressure, don't use I2P or any other 'anonymous' net; the developers can only do their best. Be wary of any project that says something like 'it's 100% guaranteed anonymous' and/or 'trust us, it's anonymous'. Real anonymity developers will tell you it can't be 100%, there are too many variables and outside forces, and they will say 'don't trust us, go in with your eyes wide open'.
Having said that, the resources it would take to compromise an anonymous net like I2P are substantial. You might have to basically 'control' the network to find out where data is originating and ending up. In fact, the well-known compromise of the 'JAP' proxy was done by targeting the developers and forcing them to compromise their own system and expose users; this would be far harder with I2P because it is decentralized. As the size of the I2P network grows (hopefully), being able to compromise the network will become even less of a possibility (barring any fundamental mistakes in its design). So if you try to keep things OK on your end (like the tips here), you can be somewhat confident in the whole network.

Browsers

The one thing you'll need for browsing I2P anonymously & securely right now is a dedicated browser, that is, a browser set up just for I2P; trying to use a browser for I2P and the web will be a security compromise. Do not use Internet Explorer to browse I2P if you want to be anonymous: it is full of security exploits and you can't even do a basic security measure like getting it to use MIME types. I'd suggest something like Firefox, Opera or Mozilla (same engine as Firefox). If you're using Windows, be careful because there are several browsers that use the Internet Explorer engine; these have the same vulnerabilities as IE. Once you have chosen a browser to use for I2P, get it and install it; if you are using a browser you already have installed, go get the latest version.
Now to setting up the browser. I can't go through all the browsers out there, so I'll try to do Opera and Firefox.
Caution: Don't use Windows Notepad to edit Firefox's configuration file, it could corrupt it; use a better text editor such as Metapad http://www.liquidninja.com/metapad/

Warning: There is a vulnerability in Konqueror (the KDE web browser) where, even if you set it to the I2P proxy, it sends DNS lookup requests to the ISP's DNS server(s). What this means is there is a trail of your I2P browsing on the DNS server, possibly logged. I'd label this problem as 'moderate' since it doesn't compromise you on the I2P network, but if your net connection should come under scrutiny, it would provide those interested with an easy trail of your I2P browsing. I have tested Firefox 0.9.3 on Windows myself and it does not exhibit this behaviour when set up as below, so:
Konqueror on Linux: caution, does DNS lookup with I2P webproxy
Firefox 0.9.3 on Windows: does not do DNS lookup with I2P webproxy

Different browser/OS/version combinations may produce different results. Here's how to test your setup (if you do test, please announce it on #i2p on the I2P/IIP IRC or leave feedback on SCUMCO, it would be really helpful):
WINDOWS: get and install Roadblock ( http://www.sandsol.com/RoadBlock/index.shtml ); it will act as a proxy for your machine's DNS requests and show/log the requests being made.
LINUX: Run 'tcpdump udp port 53'. This will allow you to monitor DNS lookup traffic; if you see any lookups for xxx.i2p, the browser is making DNS requests for I2P browsing (where xxx.i2p is a site you visited on the I2P net).
Thanks to ugha for the Linux information and mule for the heads up on this problem.

Security Issues:

1. Turn off Java, java is a powerful language, turn it off for I2P
Opera: press 'F12' , uncheck 'enable Java'
Firefox: 'Tools / Options / Web Features' uncheck 'enable Java'

2. Turn off Javascript, javascript is a powerful script language, turn it off for I2P
Opera: press 'F12' , uncheck 'enable Javascript'
Firefox: 'Tools / Options / Web Features' uncheck 'enable Javascript'

3. Turn off plug-ins , these can be anything, from Flash to Toolbar addons, they could exhibit any kind of insecure behaviour, they must go.
Opera: press 'F12' , uncheck 'enable Plug-ins', delete anything in \Operaxx\Plugins\
Firefox: 'Tools / Options / Downloads' click the 'Plug-ins...' button, uncheck all plug-ins, delete anything in \Mozilla Firefox\plugins\
WARNING: Firefox is fucked up, even when you disable plug-ins they are still active, to really disable them(hopefully), browse to the file 'Mozilla Firefox\greprefs\all.js' , open it in a text editor and find this line:
//pref("plugin.scan.4xPluginFolder", false);
remove the comment marks "//" so it looks like this
pref("plugin.scan.4xPluginFolder", false);
now go to the 'Mozilla Firefox\plugins' folder and delete the file 'npnul32.dll' on Windows or 'libnullplugin.so' on *nix

4. MIME types, you should control how your I2P browser handles files, so that it doesn't automatically launch unsafe applications when you click on a file link while browsing I2P(see also Programs & paths below)
Opera: choose 'Tools / Preferences... / File Types', click on 'Determine action by filetype', go through the list of MIME types in the preferences and set everything to 'save to disk' as the default action except for basic stuff like .html .txt .jpg .gif .png etc.
Firefox: 'Tools / Options / Downloads', in the 'File Types' list, double-click each item and choose 'Save to disk'. If you want to use audio streaming and it doesn't work, find the appropriate item on the list and re-enable it so a stream will automatically open in your player.
thanks to ugha for the MIME info corrections

5. Cookies are a security risk because at default setting a third party site could get information about your I2P browsing or even potentially your IP if you use your I2P browser on the web(see here) , to counter this you must disable cookies, or disable third party cookies and set cookies for the current session only, this will still allow the original server to track you but you can safely make use of cookies for things like logins and there are other ways a server you are browsing could track your session anyway.
Opera: press 'F12', uncheck 'enable cookies'
or
Opera: choose 'Tools / Preferences... / Privacy' set 'Third party Cookies' to 'Accept only cookies set to the server itself' and check 'Delete new cookies when exiting Opera' and uncheck 'Accept cookies with incorrect paths'
Firefox: 'Tools / Options / Privacy / Cookies' uncheck 'Enable cookies'
or
Firefox: 'Tools / Options / Privacy / Cookies' check 'for the originating website only' and choose 'accept for current session only'

6. Turn off Referrer Logging, your browser sends a string in the background to servers saying where you came from
Opera: press 'F12' , uncheck 'Enable Referrer Logging'
Firefox: type 'about:config' in the address bar, scroll down the settings list to 'network.http.sendRefererHeader' double-click it then change the value to '0'

7. Turn off Automatic Redirection, servers can automatically pop you to another site without you clicking on anything
Opera: choose 'Tools / Preferences... / Privacy' uncheck 'Enable automatic redirection'
Firefox: not totally sure, you can set 'network.http.redirection-limit', but it may interfere with browsing because it affects other types of redirections, like cookies and '302' responses
type 'about:config' in the address bar, scroll down the settings list to 'network.http.redirection-limit' double-click it and change to '0'

8. Programs & Paths: besides setting the MIME type launching, you need to watch out for other places a browser might automatically launch another, possibly unsafe, outside application.
Opera: choose 'Tools / Preferences... / programs and paths', make sure 'source viewer' is a text editor not capable of scripting (don't set Word); under 'protocols' remove all entries.
Firefox: besides those listed under MIME types I haven't found any place in the Firefox configuration that launches outside apps; that doesn't mean there aren't any though.

9. If you insist on using Internet Explorer switch off all Active X Scripting settings in addition to the stuff above. Using ActiveX scripting will allow I2P sites to get your local IP address and MAC(network card address)
Internet Explorer: choose 'Tools / Internet Options / Security / Custom Level' disable umm... just about everything
***thanks to all who have helped with these tips and to ugha for writing contributions

Connecting to I2P

Ok, if you're here you probably know how to set up I2P as the proxy server in a web browser, but here are the settings just in case
Opera: 'Tools / Preferences... / Network', click on 'Proxy servers' and put 'localhost' in every address box, put 0 in every 'port' box and click every check box next to localhost. If you have a filter proxy set up (see below), put its port instead of I2P's; for Privoxy the default is 8118.
Firefox: 'Tools / Options / General', click on 'Connection Settings', click on 'Manual proxy configuration' and put 'localhost' in every address box, put 0 in every 'port' box. If you have a filter proxy set up (see below), put its port instead of I2P's; for Privoxy the default is 8118.

Firewalls

Although the browser settings will tell the browser what to do, they will not control its behaviour; you still have to trust that the browser will work as set, not fall victim to exploits and be well behaved itself. A firewall will prevent your I2P browser from accessing the internet. You'll need a software firewall that can control individual applications' access to networking. There are tons of good soft firewalls out there for various OSes; there's no way I could collect all the configuration settings for them (the settings for Linux iptables are here at the bottom of this section), so here is what you generally need to do:
1. Block all access to the internet for your I2P browser, the I2P browser only needs to connect to the internal 'localhost' (aka http://127.0.0.1)
2. Allow the browser access to 'localhost' port :4444 and/or the port for your filtering proxy (8118 in the case of Privoxy), try to restrict all other access to localhost if you can
3. administration ports. For I2P that is localhost port: 7655 currently. I2P will eventually have a web interface(s) that will require other port(s) (localhost:7657 as of the date this was written)
This is all the access it needs, everything will be going through the I2P and/or content filtering proxy

Setting up Linux IPTables(thanks to anonymous contributor):

Blocking your I2P browser's internet access (for Linux iptables) --

Create user (i.e. 'i2p') just for I2P browsing. Substitute for '[user]' in below.

Substitute command name of I2P browser (i.e. 'firefox') for '[cmd]' in below.

Use these iptables rules:

# allow access to local I2P-HTTP proxy and I2P router console
-A OUTPUT -d 127.0.0.1 -p tcp -m multiport --dports 4444,7655 -m owner --uid-owner [user] --cmd-owner [cmd] -j ACCEPT

# log evil access attempts
-A OUTPUT -m owner --uid-owner [user] --cmd-owner [cmd] -j LOG --log-prefix "Blocked [user] [cmd] "

# reject evil access attempts
-A OUTPUT -m owner --uid-owner [user] --cmd-owner [cmd] -j REJECT --reject-with icmp-host-prohibited

NOTE: If you are using FireFox, make sure what the browser process really is and use that as [cmd] because 'firefox' is just a startup script. On Gentoo Linux, for both net-www/mozilla-firefox (compile it yourself) and net-www/mozilla-firefox-bin (pre-compiled), it is 'firefox-bin'.

Content Filtering

UPDATE: as of I2P build 0.4 the user-agent and referrer strings are now filtered by I2P (yay!). The information below is likely not necessary now, but if you want backup filtering you may follow the instructions below.

Content filtering in this case means intercepting data between I2P and your I2P browser and filtering it to be more anonymous; this is done by using a filtering app. I2P is based on servers, and browsers send information strings to servers in the background when you visit them. This can be an innocuous bit of info or rather more information than you'd like to pass over I2P. Here is a sample of a browser string logged by this server:

"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040707 Firefox/0.8"
That's the OS and OS version, cpu type, language, browser version and browser build.
That doesn't mean much to other i2p users, it's just some anonymous information, but damn, there is so much information there it's practically a fingerprint of the requesting node, that may be useful to black hats doing traffic analysis and is evidence

Here is Your current User Agent string as seen by this server:
MYOB/6.66 (AN/ON)
There are two ways to block this: configure your browser to change its user agent string, or filter it out. Mozilla-type browsers can be configured to change their user agent string (see instructions below), IE cannot, and Opera's can be changed a bit but not entirely. The most effective way of controlling background info is with a filter.
Privoxy http://www.privoxy.org/ is a small, fast, open source and cross-platform content filter.

Here are the steps I used to get Privoxy working on Windows:

   1. Download Privoxy--> http://sourceforge.net/project/showfiles.php?group_id=11118
      install with Windows installer, Linux RPM, source etc.

   2. To config.txt add forward / localhost:4444 this will tell Privoxy to forward to the I2P proxy, if you changed I2P's default port , alter this.

   3. Change your browser proxy setting to localhost port:8118 this will make the browser connect to Privoxy

   4. In default.action change -hide-user-agent to +hide-user-agent{whatever(whatever)} change 'whatever' to anything, you can spoof a generic browser with something like Mozilla/4(Windows NT)

   5. Change -downgrade-http-version to +downgrade-http-version as privoxy says:
      # Downgrade HTTP/1.1 client requests to HTTP/1.0 and downgrade the
      # responses as well. Use this action for servers that use HTTP/1.1
      # protocol features that Privoxy currently can't handle yet.


If I change the user-agent header to Brittanyzilla(Brittanyserver 1.0) and surf to Brittanyserver, I now show up as "Brittanyzilla(Brittanyserver 1.0)".
Privoxy is also configured by default to block other headers like Referrer.

Besides headers Privoxy can filter any traffic passing through it, so it can provide an extra layer of protection from stuff like javascript, flash, cookies, whatever. Privoxy's filters are a bit complex, so I haven't wrapped my head around them yet, but filtering user-agent and other strings is easy.

Changing user agent in Mozilla/Firefox
type about:config in the address bar, right-click anywhere in the settings list and choose 'New / String' , enter general.useragent.override , click 'OK'
a second box will appear, enter your new user agent string here, a generic one would be something like
Mozilla/4(Windows NT)

Are you, or have you ever been a Liberal? YES / NO
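
Added example, not part of the original post or the quoted I2P page: the Linux DNS leak test described above ('tcpdump udp port 53', then look for xxx.i2p lookups) as a filter that reads tcpdump's text output and lists each .i2p name the machine tried to resolve. The function names and the capture lines are constructed for illustration; only brittanyworld.i2p comes from the post.

```shell
#!/bin/sh
# find_i2p_dns_leaks: read `tcpdump -n -l udp port 53` text on stdin and
# print each distinct *.i2p name seen in a DNS query, one per line.
find_i2p_dns_leaks() {
    awk '
    {
        for (i = 1; i < NF; i++) {
            # A query shows up as a record type plus "?", then the name,
            # for example: A? name.  or  AAAA? name.
            if ($i ~ /^[A-Za-z0-9]+\?$/) {
                name = tolower($(i + 1))
                sub(/\.$/, "", name)          # drop the trailing root dot
                if (name ~ /\.i2p$/ && !(name in seen)) {
                    seen[name] = 1
                    print name
                }
            }
        }
    }'
}

# check_capture: exit status 0 if no .i2p lookup was seen on stdin, 1 if the
# browser (or anything else on the host) sent one to a real DNS server.
check_capture() {
    leaks=$(find_i2p_dns_leaks)
    if [ -n "$leaks" ]; then
        printf 'DNS leak: %s was looked up outside the proxy\n' $leaks >&2
        return 1
    fi
    return 0
}

# Constructed sample capture (documentation addresses, not real traffic).
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 192.0.2.10.40321 > 192.0.2.1.53: 4242+ A? brittanyworld.i2p. (35)
12:00:01.020000 IP 192.0.2.1.53 > 192.0.2.10.40321: 4242 NXDomain 0/1/0 (110)
12:00:05.000001 IP 192.0.2.10.40322 > 192.0.2.1.53: 4243+ AAAA? brittanyworld.i2p. (35)
12:00:09.000001 IP 192.0.2.10.40323 > 192.0.2.1.53: 4244+ A? www.example.org. (33)
12:00:12.000001 IP 192.0.2.10.40324 > 192.0.2.1.53: 4245+ A? Mail.Example.I2P. (34)
EOF
}

# Offline demo; for a live check run:
#   tcpdump -n -l udp port 53 | find_i2p_dns_leaks
sample_capture | find_i2p_dns_leaks
```

Any output while browsing .i2p sites means the browser is resolving names itself instead of handing them to the proxy.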
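
Added example, not part of the original post or the quoted I2P page: a check that a Firefox profile's prefs.js actually holds the about:config values named in the post (network.http.sendRefererHeader and network.http.redirection-limit at 0, and a general.useragent.override string). It assumes about:config changes are stored as user_pref() lines in prefs.js; the function names and sample file contents are constructed.

```shell
#!/bin/sh
# pref_value FILE NAME: print the raw value of the last user_pref() line for
# NAME (the last entry wins); prints nothing when NAME is not set in FILE.
pref_value() {
    name_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # match dots literally
    sed -n 's/^[[:space:]]*user_pref("'"$name_re"'",[[:space:]]*\(.*\));[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# audit_prefs FILE: print one FAIL line per setting that differs from the
# values given in the post; return 0 if all three match, 1 otherwise.
# A pref missing from the file is at its browser default, so it fails.
audit_prefs() {
    failed=0
    for name in network.http.sendRefererHeader network.http.redirection-limit; do
        got=$(pref_value "$1" "$name")
        if [ "$got" != "0" ]; then
            echo "FAIL $name: want 0, got ${got:-unset}"
            failed=1
        fi
    done
    ua=$(pref_value "$1" general.useragent.override)
    if [ -z "$ua" ] || [ "$ua" = '""' ]; then
        echo "FAIL general.useragent.override: no override string set"
        failed=1
    fi
    return "$failed"
}

# Constructed sample profiles: one stock, one set up as the post describes.
write_stock_prefs() {
    cat > "$1" <<'EOF'
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.http.sendRefererHeader", 2);
EOF
}
write_hardened_prefs() {
    cat > "$1" <<'EOF'
user_pref("network.http.sendRefererHeader", 2);
user_pref("network.http.sendRefererHeader", 0);
user_pref("network.http.redirection-limit", 0);
user_pref("general.useragent.override", "Mozilla/4(Windows NT)");
EOF
}

# Demo on the constructed stock profile: prints three FAIL lines.
tmp=$(mktemp) && write_stock_prefs "$tmp" && audit_prefs "$tmp"; rm -f "$tmp"
```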
 
 


 https://the-hive.archive.erowid.org    the-hive@erowid.org
   