Insights For Success

Strategy, Innovation, Leadership and Security

Alternative ways to get the TOR browser

GeneralEdward Kiledjian

Tor is an incredible power privacy enhancing tool that every security-conscious netizen should have in their arsenal. It doesn't replace a VPN service, since TOR isn't optimized for high bandwidth usage (like streaming music/videos) but it definitely has a place in my internet usage portfolio. 

To use TOR, you need access to a small kit of software that includes the TOR router and the TOR browser (a locked down customized version of the Mozilla Firefox browser). 

The Great Firewall of China site test tool confirms that the TOR Project website is blocked.

Luckily I live in Canada where we enjoy incredible internet freedom but what if you don't? What if you need TOR (because you live in a zone where the internet is tightly controlled or monitored) but you can't access the website to download the installer kit? The TOR project has create the GETTOR strategy to help those people gain access to its power network.

You can:

The system will then share with you a secret list of links to download the installer from GitHub, Dropbox or Google Drive.

Once you install the TOR package (after checking the validity to ensure it hasn't been tampered with), you can also use a TOR Bridge if your country, school, company or ISP performs deep packet inspection to block TOR. A TOR bridge is a relay to help circumvent censorship. 

You are now ready to enjoy private, anonymous and secure web browsing. Once installed, all future updates to the TOR software will be delivered via the TOR browser itself so you don't have to worry about performing these steps again.

The New York Times now available on TOR

GeneralEdward Kiledjian
I do not agree with what you have to say, but I’ll defend to the death your right to say it.
— Voltaire

When the average consumer thinks about TOR (which isn't very often), they imagine that it is the ugly, damp & rancid underbelly of the internet. 

Reality is that TOR is a US government-funded project to create anonymity on the internet. It is a platform that allows everyone to have a voice without fear of punishment or even death (think political activists).

No technology is perfect, but TOR is a very powerful tool for human rights activists and other dissidents. 

In a 2015 The Intercept article, Edward Snowden goes as far as saying "I think Tor is the most important privacy-enhancing technology project being used today. " & " What Tor does is it provides a measure of security and allows you to disassociate your physical location."

Proof that TOR isn't just for drugs and counterfeit goods is the fact many reputable organizations have started to create their own TOR presence. 

The New York times launched it's TOR Onion Service website (in late October) as a secure way of making its content available to people around the world that may otherwise not have access to its content (China, Iran, etc.)

When companies moved to the web 15-20 years ago, sites were less reliable as companies tried to figure out how this "web thing" worked. TOR is the same today. Sites Like the New York Times are still trying to figure out how to efficiently use TOR, and therefore you should assume these sites are all in beta status. 

The New York Times reports on stories all over the world, and our reporting is read by people around the world. Some readers choose to use Tor to access our journalism because they’re technically blocked from accessing our website; or because they worry about local network monitoring; or because they care about online privacy; or simply because that is the method that they prefer.
— The New York Times

You can access The New York Times TOR ONION Service site here : https://www.nytimes3xbfgragh.onion/ [remember this doesn't work via the "normal web". 

Karma releases an anonymizing hotspot

GeneralEdward Kiledjian

Open a magazine, newspaper, your local nightly news or almost internet blog, and you will be confronted with news about another security breach. Breaches, breaches everywhere. 

Concerned netizens are trying to find ways to protect themselves when online and to protect their privacy. In response, I have written a bunch of articles (such as):

The above reviews were VPN services, but what if you wanted a piece of hardware that was portable and could be used with any WIFI enabled device?

A new player in the hardware category is LTE WIFI Hotspot service provider Karma. 
Karma is releasing a new LTE hotspot (for the US market) called Karma Black LTE hotspot. This device costs $149 now (will go up to $249 after the January 15 pre-order closes). In addition to the initial cost, you will have to plunk down $20 a month for its security services. Karma promises to encrypt your internet traffic and to hide other privacy-invading markers like location, browser identifiers, etc. 

It looks like you will be able to use this service with your own WIFI networks (home, office, hotel, etc.) Karma is also promising to add additional features in the future like TOR, network antivirus, ad blocking and parental control. 

In addition to the monthly security service fee, you will have to spend more money if you want to use the device's LTE connectivity feature ($3/month + $10/GB on the "drift" plan). 

Is it worth it?

I have not had a chance to test the device so everything written here is based on the documentation. 
 

We wanted to create a product that allows consumers to feel protected while surfing the web. Karma Black is that product. Our users can freely consume internet content while knowing that no one is looking over their shoulders. Consumers do not want strangers listening to their phone calls… they deserve the same security from intrusion when going online.
— Todd Wallace, Karma Mobility CEO

I believe the goal is noble but the question is "should you spend $20 a month for this level of security?".

A technical user knows that sites, threat actors, and government intelligence agencies have multiple ways to identify and track users. Even with all of the security measures deployed by Karma in its Karma Black hotspot, there are fairly easy ways to identify and its track users [here is an article that talks about TOR deanonymization].

As an example, a site that uses TLS encryption (aka most sites these days) is able to set up a secure connection between your browser and its site. They can drop a supercookie in your browser then track you as you browse the web. Facebook and Twitter did this.

There is an easy to implement technique called browser fingerprinting that would allow an online actor to create a unique fingerprint for your machine using nothing more than the information your browser willingly hands over to any site that asks. You can test this yourself here

Using a secure tunnel (aka a VPN), Karma can mask your internet traffic from your local ISP but they can see where you are going. We know very little about what they log. VPN providers like TunnelBear have clear & easy to understand privacy policies. Tunnelbear has had independent audits to confirm that they are living up to their policies. ProtonVPN has a technology that they call SecureCore to prevent privacy breaches if any of their VPN termination endpoints are compromised. 

Unfortunately, there is insufficient information about how Karma Black is actually (technically) delivering these security services, and therefore I have to take every claim with a grain of salt. You can probably buy similar protection from the Invizbox for $190 (hardware plus 12 months of IP Vanish VPN service). You then use the Chrome browser with the uBlock Origin plug-in and you should have equivalent or better protection. 

Most security professionals will tell you tech is easy and that the biggest security weakness is the user. Users normally don't have good security hygiene and even the best security tools can easily be broken why careless users.

My professional recommendation would be to hold off buying one of these devices until a "real" security professional has a chance to test one in a lab and determine how good the security controls actually are. It is easy to mess it up and unintentionally leak metadata. So caveat emptor.

The start of the end for Symantec cert trust on Google's Chrome

GeneralEdward Kiledjian

A little history

Early 2017, a security researcher (Andrew Ayer from SSLMate) discovered that three certificate authorities (Symantec Trust Network, GeoTrust Inc., and Thawte Inc), owned by Symantec, had improperly issued 108 TLS certificates. It is important to understand that these improperly issued certificates would allow a threat actor to spoof or impersonate a website that was using HTTPS.

9 of these certificates were issued without the knowledge of the domain owners. 99 were issued without proper validation of domain ownership. 

This improper issuance of certificates directly contravenes the strict (prescriptive) guidelines of the CA/Browser Forum and raised the ire of internet giants like Google, Mozilla, and Microsoft. 

These guidelines and controls underpin the entire trust model of the encrypted internet.

There is no way to verify if these certificates were ever used in the wild but we also cannot verify that they were not used. 

You can see the list of certificates here

Chrome to distrust Symantec TLS Certs

https://bugs.chromium.org/p/chromium/issues/detail?id=796230

Very quickly after this second incident was made public, the developers of the Chromium project announced their intention to distrust all Symantec issued TLS certificates. Since Chromium powers Google Chrome, the most popular browser in the world, this was a punishment for Symantec's mismanagement. So started the two-year roadmap to achieve this goal. 

You can read the blog article on the Google Security blog entitled "Chrome’s Plan to Distrust Symantec Certificates".

As you can see above, the process is broken down into 3 distinct phases:

  1. Certificates issued after December 1, 2017, from Symantec's legacy infrastructure will not be trusted
  2. Certificates issued before June 1, 2016, from Symantec's legacy infrastructure will not be trusted
  3. All certificates issued from Symantec's legacy infrastructure will not be trusted.

The first phase is rolling out with Chrome beta version 66 on March 15, 2018. Domain admins still using Symantec certs issued before June 1, 2016, are encouraged to replace them ASAP. 

The full roadmap will come to fruition with Google Chrome beta 70 (due October 16, 2018). 

In an October 2017 Symantec security blog entry, we learned that Digicert will takeover certificate updated as of December 1, 2017. 

Google Chrome to block "bad" ads in February

GeneralEdward Kiledjian

The Sultan of Search, Google, announced in June that it would introduce ad blocking tech in an upcoming version of the Google Chrome browser (and Chromebook). 

We can now confirm that this feature will make it into our browser on February 15 (2018). Chrome 64 will be delivered on January 23 and Chrome 65 on March 6. Either this feature will be part of Chrome 64 and turned on with a remote trigger, or it will be a server-side function. We will have to wait and see how Google implements this feature. 

Google will deliver this functionality simultaneously to desktop and mobile clients.

Why would an advertising company block ads?

To be clear, the blocked will only prevent ads that don't meet the standards set by the Coalition for Better Ads

  • What kinds of ads will get blocked? 
  • Ads that pop-up when you open a website
  • Ads that fill the entire screen
  • Ads that automatically play a video
  • Ads that trick you into clicking on them by pretending to be a close button
  • and many more

A single violation won't move a site into the blocked list. There are thresholds Google will be looking for and a site can come off the "bad" list if it removes the offending ads.

Google probably realized that these ads are forcing users to install aggressive ad blocking add-ons which are having an impact on its revenue. 
 

Link: Google blog post