Communicate securely on the Internet with an overlay network

Keeping Secrets

© Lead Image © kanokpol prasankhamphaibun, 123RF.com

An overlay network will help you block unwanted eavesdroppers on the Internet. We show you some of the leading open source options.

Government surveillance, attacks by criminals, and tracking by the advertising industry are raising concerns about the security and anonymity of user data. These concerns are amplified in professions where the user is legally responsible for securing communication. Several free projects have addressed these concerns by offering innovative technical approaches to anonymizing data. We decided to take a look at a few of the leading solutions.

Anonymized networks establish tunneled and encrypted connections between individual nodes, which defeats typical attack vectors such as man-in-the-middle attacks. In the process, these anonymization solutions build a point-to-point overlay network through which the participants exchange data. These solutions support common transport protocols, such as UDP or TCP, as well as the Internet layer protocols IPv4 and IPv6. In some cases, BitTorrent and blockchain technologies are also used to distribute data blocks.

All solutions for anonymized Internet are based on decentralized structures. Many of the solutions, with the exception of the Tor network and those based on VPNs, depend on peer-to-peer connections that do not require centralized servers, which makes it far more difficult for attackers and authorities to access user data.

hide.me

The hide.me [1] VPN solution originates from Malaysia. The provider, eVenture Ltd., offers several subscription models for using the service and makes clients available for download across platforms. For Linux, there is currently only a CLI client. On top of this, hide.me can also be used as a browser extension for Firefox and Chrome-based web browsers. The VPN network consists of more than 2,000 servers in over 75 international locations. To use the service, you first need to register. All you need is a valid email address, which you can use to create and activate an account. You can define the username and password individually.

Hide.me attaches great importance to security features. For example, eVenture operates its own DNS servers, avoiding the kind of DNS leaks that you otherwise occasionally encounter. eVenture also adheres to a strict no-log policy and, according to its own statement, does not log any user data. In addition, eVenture has had security audits performed by independent third-party vendors [2]. On Linux, hide.me uses the modern WireGuard protocol by default in combination with fast ChaCha20-Poly1305 encryption. In addition, you can download the hide.me source code for free on GitHub.

The free hide.me variant offers limited functionality. For example, your choice is limited to five server locations, and the data volume is limited to 10GB per month. In addition, the free account only allows you one VPN connection. The commercial offering eliminates these restrictions, offers a static IP address option, and also supports streaming services like Netflix. A kill switch and split tunneling are available on Linux. (Split tunneling allows access to the Internet beyond the VPN tunnel.)

To install the Linux app, go to hide.me's GitHub page and download the TAR.XZ archive intended for your hardware architecture. Hide.me supports 32- and 64-bit PCs, as well as ARM-based systems. Unpack the downloaded archive, and install the client in a terminal window with root privileges using the ./install.sh command (Figure 1).

Figure 1: The hide.me client for Linux is currently only available as a command line program.

During the install, the routine prompts you for your registration data, so you need to register with the provider up front. After the install, start the VPN manually by setting it up as a systemd service using the commands in Listing 1. Replace the Server placeholder with a location such as amsterdam-1 or a country suffix such as nl. After that, hide.me will create the tunnel, and you will be able to use the Internet through the VPN.

Listing 1

Setting Up hide.me

# systemctl enable hide.me@Server
# systemctl start hide.me@Server

Because hide.me is integrated with systemd, the VPN is automatically enabled whenever you reboot your computer. You can use the stop and disable systemctl parameters to disable the VPN tunnel at any time.
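Once the systemd unit is up, it is worth confirming that traffic really leaves through the tunnel and that name resolution goes to the provider's resolvers rather than to the local router (the DNS leak and kill switch points from above). The following check is an added example, not part of hide.me or this article; it parses the text that `ip route` prints and the contents of /etc/resolv.conf. The tunnel interface name wg0, the resolver address 10.8.0.1, and the sample outputs are constructed assumptions; substitute the values your client actually configures.

```python
"""Sanity checks after bringing up a VPN tunnel (added example, not hide.me code).

Reports whether the default route leaves through the tunnel interface and
whether every configured resolver belongs to the VPN provider's DNS set.
The interface name "wg0" and the resolver 10.8.0.1 are assumptions."""
import re
import subprocess
from pathlib import Path

# Constructed sample output in the shape `ip route` prints on Linux.
SAMPLE_ROUTES_OK = """\
default dev wg0 scope link
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5
192.0.2.1 via 10.0.0.1 dev eth0
"""
SAMPLE_ROUTES_LEAK = """\
default via 10.0.0.1 dev eth0 proto dhcp metric 100
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5
"""
# Constructed resolv.conf contents: provider resolver only, and one with the LAN router added.
SAMPLE_RESOLV_OK = "nameserver 10.8.0.1\noptions edns0\n"
SAMPLE_RESOLV_LEAK = "nameserver 10.8.0.1\nnameserver 10.0.0.1\n"


def default_route_devices(ip_route_text):
    """Return the interface names that carry a default route."""
    devs = []
    for line in ip_route_text.splitlines():
        if line.startswith("default"):
            m = re.search(r"\bdev\s+(\S+)", line)
            if m:
                devs.append(m.group(1))
    return devs


def nameservers(resolv_text):
    """Return the nameserver addresses listed in resolv.conf text."""
    servers = []
    for line in resolv_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_tunnel(ip_route_text, resolv_text, tunnel_dev, provider_dns):
    """Return a list of findings; an empty list means no leak was seen."""
    findings = []
    devs = default_route_devices(ip_route_text)
    if not devs:
        # No default route at all: either the kill switch is engaged or the tunnel is down.
        findings.append("no default route present (kill switch engaged or tunnel down)")
    for dev in devs:
        if dev != tunnel_dev:
            findings.append(f"default route leaves via {dev}, not {tunnel_dev}")
    for ns in nameservers(resolv_text):
        if ns not in provider_dns:
            findings.append(f"resolver {ns} is outside the provider's DNS set (DNS leak)")
    return findings


def check_live(tunnel_dev="wg0", provider_dns=("10.8.0.1",)):
    """Run the same check against the running system (needs iproute2)."""
    routes = subprocess.run(["ip", "route"], capture_output=True, text=True, check=True).stdout
    resolv = Path("/etc/resolv.conf").read_text()
    return check_tunnel(routes, resolv, tunnel_dev, provider_dns)


if __name__ == "__main__":
    for label, routes, resolv in [("ok", SAMPLE_ROUTES_OK, SAMPLE_RESOLV_OK),
                                  ("leak", SAMPLE_ROUTES_LEAK, SAMPLE_RESOLV_LEAK)]:
        print(label, check_tunnel(routes, resolv, "wg0", {"10.8.0.1"}) or ["clean"])
```

Run check_live() from a root shell after systemctl start; a non-empty list means the tunnel is up in name only, and the kill switch or resolver configuration needs attention before you rely on it.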

Although a graphical desktop client is available for other operating systems, Linux has so far had to make do with the command-line client. This unnecessarily complicates operation, because the convenient server change feature in the graphical front end is not available. Other convenient features are also missing from the Linux client, which is still in beta. The hide.me installation script additionally generates private and public keys and manages the key exchange using HTTPS. Only the client offered by the manufacturer can be used with the hide.me VPN.

However, hide.me does at least support use in web browsers like Firefox, Chrome, and their derivatives. The disadvantage of this solution is that, although all activities in the web browser are then secured by the VPN tunnel, data transfers originating from other applications, such as email clients or messengers, are not.

I2P

The Invisible Internet Project (I2P) [3] network uses a peer-to-peer approach to connect computers. This method involves establishing one-way, tunneled overlay connections over the Internet. Data packets are transported between client computers via routers (known as nodes), with each client having its own cryptographic identifier. The I2P network uses its own DNS server to distribute content on the network. The individual connections are end-to-end encrypted, which prevents third parties from viewing the data.

Traffic to the regular Internet is handled by proxy servers operated by volunteers. These proxies are the only centralized components on the I2P network. All routers have their own cryptographic identity. Routing and contact information is maintained with the help of a network database, which special routers called floodfill routers distribute on the network. The I2P network is self-contained and is not used to pass data packets to and from public servers.

For operation within the network, you will find applications like the i2psnark BitTorrent client and the I2P messenger, which also do without a server. With the help of an embedded application, traditional TCP/IP applications such as SSH or IRC can be tunneled via I2P.

To integrate a client into the I2P network, install the I2P router, which acts as a proxy between applications and the I2P network. The Java application requires an appropriate runtime environment on the system, although it also works with the free OpenJDK Java implementation.

On Ubuntu, Debian, and their derivatives, you can install I2P directly from the repositories; this immediately enables a script to start I2P automatically at system boot time. In addition, you can integrate your own repository into the system; this will be used for automatic updates later. The developers explain the exact procedure on the project page.

I2P can also run in headless mode – without a graphical interface. This option is especially useful for servers. For container environments, a Docker package is available from Docker Hub. The I2P source code is available for download from the website.

To connect the computer to the I2P network, enter the i2prouter start command at the prompt after installation. You don't need administrative rights. The routine now launches a web browser and opens the I2P router's configuration interface in it. When you get to the interface, first change a couple of settings; the I2P Router Console then starts up (Figure 2).

Figure 2: The I2P Router Console allows for convenient graphical administration.

The I2P Router Console has three panes: On the far left, you will find some statistical data on the network access status, the available bandwidth, and the established tunnels. Bottom right is a list of the various applications on the I2P network, as well as a list of various community sites, some of which also provide support. Top right, an info segment shows you the further steps for configuring the router. In the background, the system has already found some other I2P routers.

It is a good idea to adjust the existing bandwidth first, because it is very low by default. Click the configuration page link at the top of the Info section. You will now be taken to a page with numerous options; the Bandwidth dialog is already open. Click on the Bandwidth Test link to discover the bandwidth of the Internet connection, and then set the optimal bandwidth for I2P (Figure 3). Once you have adjusted the bandwidth and saved it by pressing Save Changes bottom right, the changes you have made will appear at the top of the window.

Figure 3: The I2P network lets you manually configure the bandwidth to use for your node.

More detailed links will now also appear in the bar on the far left; you can use them to customize various additional options. For example, shared clients in the Local Tunnels category gives you detailed information about the floodfill routers your system has contacted and the subscriber tunnels that the system has established. Bandwidth classes are also specified for each connection.

In the I2P services category, you can call the services handled directly by the I2P network. Apart from BitTorrent, this also includes the integrated web server, which you can use to create and distribute anonymized web pages.

There are two email clients in the form of Susimail and I2P messenger that let you send and receive anonymized emails on the I2P network. However, following the links on the router console – and the links that let you search for other available programs – only generates error messages. You need to install the I2P messenger client manually.

To harmonize your web browser with the I2P network, you need to change its proxy settings. To do this, adjust the HTTP proxy in Firefox's settings dialog (Figure 4). Then go to the advanced settings, which you can access by typing about:config in the URL bar, and change the value for media.peerconnection.ice.proxy_only from false to true.

Figure 4: You need to manually prepare the web browser for use with I2P.

IPFS

The InterPlanetary File System (IPFS) is primarily used for decentralized storage of files and web pages [4]. IPFS, established in 2015, relies on the peer-to-peer principle and is free software. Centralized services such as DNS or individual web servers do not exist, making distributed denial-of-service (DDoS) attacks on these services impossible on an IPFS network.

IPFS stores files and web pages in a decentralized way as blocks on numerous individual nodes, which protects the information against censorship and deletion attempts. The data is named using hashes that also change when a file is modified. You can use IPFS either by installing software packages that connect your computer to the IPFS network or opt for a web browser add-on that makes IPFS data available. The browser extension only acts as a gateway without providing the full functionality of the overlay network.
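The point that names are derived from hashes, and therefore change whenever the content changes, is also what lets a node verify data it has fetched from an arbitrary peer. The following is an added example, not IPFS code: it builds a sha2-256 multihash of the raw bytes and encodes it in base58btc, which gives the familiar Qm... shape of a CIDv0. Real IPFS first wraps a file in a UnixFS DAG node, so the real CID for the same bytes will differ; the peer store and its sample files are constructed.

```python
"""Content addressing in miniature (added example, not IPFS code).

An object's name is a hash of its bytes: change the bytes and the name changes,
and a fetcher can verify bytes from an untrusted peer by recomputing the name.
This is a sha2-256 multihash (0x12 0x20 + digest) in base58btc, the shape of a
CIDv0; real IPFS hashes a UnixFS DAG node, so real CIDs for a file differ."""
import hashlib

B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58_encode(raw):
    """Bitcoin-style base58 encoding, leading zero bytes become leading '1's."""
    n = int.from_bytes(raw, "big")
    digits = bytearray()
    while n > 0:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    pad = len(raw) - len(raw.lstrip(b"\0"))
    return (B58_ALPHABET[0:1] * pad + bytes(reversed(digits))).decode()


def content_id(data):
    """Name the bytes by their multihash: 0x12 (sha2-256), 0x20 (32-byte length), digest."""
    multihash = b"\x12\x20" + hashlib.sha256(data).digest()
    return base58_encode(multihash)


def verify(cid, data):
    """True only if the bytes really are the object the CID names."""
    return content_id(data) == cid


def fetch_verified(peer_store, cid):
    """Fetch by CID from a (possibly lying) peer and refuse anything that does not hash to it."""
    data = peer_store.get(cid)
    if data is None:
        raise KeyError(f"peer does not have {cid}")
    if not verify(cid, data):
        raise ValueError(f"peer returned bytes that do not match {cid}")
    return data


# Constructed sample content: the original file and a one-byte edit of it.
ORIGINAL = b"overlay networks notes, revision 1\n"
MODIFIED = b"overlay networks notes, revision 2\n"

if __name__ == "__main__":
    cid = content_id(ORIGINAL)
    print("name of original:", cid)
    print("name of modified:", content_id(MODIFIED))
    honest_peer = {cid: ORIGINAL}
    lying_peer = {cid: MODIFIED}     # serves altered bytes under the old name
    print(fetch_verified(honest_peer, cid) == ORIGINAL)
    try:
        fetch_verified(lying_peer, cid)
    except ValueError as err:
        print("rejected:", err)
```

Because the name commits to the content, a pinning service or a stranger's node cannot silently substitute a modified file: the substitution fails the check and is dropped.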

Some Linux distributions already have IPFS binary packages in their repositories. You can also obtain a precompiled binary package for the IPFS desktop from GitHub [5]. In addition to RPM and DEB packages, AppImage and Snap archives are also available. Development work on these packages is very active, so it makes sense to get the latest package.

After completing the install, you will find a launcher for the IPFS desktop in the menu of your desktop environment. Clicking on the launcher opens a native graphical front end for managing your own IPFS instance and, at the same time, establishes access to the IPFS network. The graphical interface (Figure 5), with its state-of-the-art design, displays statistics for your own IPFS node in the main area of the window.

Figure 5: IPFS offers an up-to-date management interface.

Once the Status window confirms the connection to IPFS, you can check out the world map (Figure 6) to see the other IPFS peers across the globe that your node is connected to in the Peers group. The client updates the numbers, the table, and the bandwidth indicators on the Status page more or less in real time.

Figure 6: You can monitor existing IPFS connections on a world map.

To post your own files on the IPFS network, click on Files in the sidebar on the left. In the dialog that opens, click Import and select one of the options listed in the drop-down menu.

To add data from the IPFS network, you need to know and specify the Content Identifier (CID). To keep data permanently available by mirroring it to other network nodes, you additionally need to pin the data. To pin the data, press the button with the three dots. In the context menu, select the Set pinning option.

To pin the data to your local mass storage, check the box to the left of the Local node option and then press Apply. The file is now on your local mass storage and can be retrieved via the known CID after shutting down and restarting the daemon. Alternatively, you can keep data available at all times using a pinning service like Eternum or Pinata.

There are special search engines to help you find data on the IPFS network. They are still under construction, but they already provide useful results. The most popular search engines for the IPFS network include Almonit [6], IPFS-Search [7], and IPSE [8].

Retroshare

Retroshare [9], which has been in development for more than 15 years, is primarily used for decentralized file sharing and encrypted communication. Besides file sharing, the program focuses on services such as email, instant messaging, and feed readers.

All of these services do without central servers and use OpenSSL and asymmetric encryption based on OpenPGP. This end-to-end encryption keeps the contents of the transferred data completely hidden from third parties. You can also use Retroshare over the Tor or I2P network, so even neighboring nodes will not see your IP address.

Retroshare relies on friend lists. The local node with a user's account can connect to another node only if the remote node is entered in the friend list.

Arch Linux, Slackware, Solus, and Void Linux come with Retroshare in their package sources. On Retroshare's website, you will find additional instructions for installation on many other Linux derivatives, as well as a cross-distribution AppImage package. You can also pick up a Flatpak from Flathub. In addition, Retroshare runs on the Raspberry Pi. Provided you install with a binary package customized for your choice of distribution, the routine will create a starter in the menu of the desktop environment.

Retroshare comes with a sophisticated graphical interface and an initial setup wizard. In the setup wizard, you first need to specify whether the machine will act as a default node or as a hidden node that is reachable only through the Tor network. You also create a user account in the start-up screen. The bar in the lower part of the window shows the progress (Figure 7).

Figure 7: When Retroshare launches for the first time, a profile is generated.

Press the Go! button to start Retroshare. Two separate windows then open. In addition to the application window, Retroshare displays an information window telling you how to get started. At the same time, an icon with a white envelope on a blue background appears in the system tray, which gives you quick access to the Retroshare window at the push of a button.

At first glance, Retroshare's interface resembles a conventional email program: A small pane contains various folders and below that is a quick view with different attributes for labeling the inputs. Messages received appear in two large window segments on the right, and a button bar below contains controls and a view field for the messages. A status bar at the very bottom provides information about the received and uploaded data.

The button bar located horizontally at the top of the screen opens up the full functionality of the application. You can use it to access the various communication modules such as chat, email, data transfer, forums, and contacts.

To use Retroshare, you need to invite friends who are also part of the Retroshare network by exchanging Retroshare IDs.

Pressing Home in the user interface reveals your own identifier; below that you can add a friend to your installation by clicking on Add friend. The friend must have sent you their Retroshare ID (by email, for example).

Please note that participating nodes must use the latest version 0.6.6 of Retroshare, which is the first release in which the Retroshare ID replaces the conventional certificates used up to now. Mixing old certificates and new Retroshare IDs will not work and will result in an error message.

After adding your friends to your Retroshare instance, there are unlimited possibilities for communicating through the system. Retroshare automatically transfers any registered friends to the respective contact lists. One specific advantage of Retroshare is that, unlike centralized, web-based forums, the forum function lets you compose your posts offline. They are automatically displayed in the forum after logging in again.

The file-sharing feature works in a similar way to the BitTorrent service, with Retroshare transferring files across multiple nodes in blocks. This makes it easy to share even very large files, and the individual nodes do not have to be directly connected to each other. But when a transfer relies on multiple nodes, all of the nodes need to be running or the file transfer will fail.

However, you can also use the chat or the email function for file transfer – as long as the files are not too large. In both chat and email, you will find a paper clip icon, which opens a file manager from which you can select the files you want to attach. Retroshare then attaches the files to the content for dispatch.

Tor Network

The Tor network is the best known network for anonymized communication [10], dating back to the 1990s. At the end of 2002, the Tor network was released for general use for the first time. Its now very high profile is due in no small part to the Tor Browser, which is based on Mozilla Firefox and uses the Tor network for Internet access. In addition, the Tor network provides access to the Deep Web and also to the Dark Web.

The Tor network operates with thousands of servers through which it routes all traffic. Data packets pass through three servers, known as relays. The relays work in a similar way to proxies, with the data path constantly changing. Instead of fixed cascades, variable paths are used. In addition, the data is fully encrypted.

Due to the encryption mechanism, which cryptographically processes the data multiple times, this type of data transfer is also called onion routing. Layering the encryption prevents tracking of data packets, because each relay can only remove its own layer and learns nothing beyond the next hop. Unless additional end-to-end encryption of the data is enabled, only the last node sees the transported data packets in the clear [11].
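The layering described above can be shown in a few dozen lines. The following is an added example and not Tor's code: the client wraps a message in one layer per relay, each relay strips exactly one layer and learns only the next hop, and only the exit sees the payload. The three relay names, the pre-shared keys, and the layer cipher (an HMAC-SHA256 keystream with an HMAC tag, standing in for the AES-based cell encryption Tor negotiates per hop) are all constructed assumptions.

```python
"""Onion-layered forwarding in miniature (added example, not Tor code).

The client builds one encryption layer per relay. Each relay peels its own
layer, reads the next hop, and forwards the rest, which is still ciphertext
for every relay except the exit. Keys are pre-shared here; the layer cipher is
a toy HMAC-SHA256 keystream plus HMAC tag standing in for AES-CTR."""
import hashlib
import hmac
import os


def _keystream(key, nonce, length):
    """Toy keystream: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt-then-MAC one layer: nonce(16) || tag(32) || body."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + tag + body


def open_layer(key, blob):
    """Remove one layer; a wrong key or a modified blob fails the tag check."""
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer integrity check failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def build_onion(path, destination, payload):
    """path: [(relay_name, key), ...] from guard to exit. Returns the outermost blob."""
    names = [name for name, _ in path]
    next_hops = names[1:] + [destination]       # each relay is told only the hop after it
    blob = payload
    for (_, key), nxt in reversed(list(zip(path, next_hops))):   # wrap from the exit outward
        blob = seal(key, nxt.encode() + b"\0" + blob)
    return blob


def relay_process(key, blob):
    """What one relay does: peel its layer, return (next_hop, remaining_blob)."""
    inner = open_layer(key, blob)
    nxt, _, rest = inner.partition(b"\0")
    return nxt.decode(), rest


def route(path, onion):
    """Walk the onion through every relay; returns the per-relay view and the exit's payload."""
    hops, blob = [], onion
    for name, key in path:
        nxt, blob = relay_process(key, blob)
        hops.append((name, nxt))
    return hops, blob


# Constructed circuit: three relays with pre-shared 32-byte keys.
PATH = [("guard", b"G" * 32), ("middle", b"M" * 32), ("exit", b"X" * 32)]

if __name__ == "__main__":
    onion = build_onion(PATH, "example.org", b"GET / HTTP/1.1")
    hops, payload = route(PATH, onion)
    for relay, nxt in hops:
        print(f"{relay} forwards to {nxt}")
    print("exit delivers:", payload)
```

The guard learns the client's address and the middle relay's name, the middle relay learns only its two neighbours, and the exit learns the destination and the payload; no single relay holds both ends, which is the property the text attributes to onion routing, and it is also why the exit sees cleartext unless the application adds its own end-to-end encryption.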

The Tor Browser further increases the user's anonymity by providing different levels of security. By default, the HTTPS Everywhere and NoScript add-ons are also enabled. Moreover, the Tor Browser isolates every web page visited and also blocks the Flash video format, which is a security risk. Besides this, the Tor Browser lets you switch data transfer routes at the push of a button to provide additional security. Although the Tor Browser is based on and compatible with Firefox ESR, the developers advise against integrating other plugins into the browser, as they may contain security vulnerabilities.

The Tor Browser comes with the client infrastructure required to connect to the Tor network. You will find countless language variants of it on the project's website. For all the individual variants, 32- and 64-bit versions are available.

Unpack the downloaded tarball in any folder. You will then find the Tor Browser launcher in the newly created folder tor-browser_en/ (for the English language variant). Double-clicking on it opens the browser and displays a connection dialog. In the dialog, press the Connect button to connect to the Tor network. Checking the Always connect automatically option lets you automate the process of opening the connection for future use of the browser.

The browser opens the DuckDuckGo search engine as the home page. You can now work with the Tor Browser as you would with any regular web browser. You can see the specific route taken by the web pages opened in the browser by clicking the icon with the padlock on the left in the URL bar. In an overlapping small window, you will then see the three nodes through which the data is routed (Figure 8), with the entry server highlighted as the guard. This server remains the same for a few months, while the other two relays change for each new web page you access. However, if necessary, you can switch the last two relays for each open web page on the fly by clicking the New Circuit for this Site button.

Figure 8: You can view and modify the routes your data takes in the Tor Browser.

The Tor Browser also gives you access to content hosted on the Tor network. This content, available on the Deep Web [12], is not accessible to conventional Firefox variants or other web browsers. The Deep Web contains only non-indexed web pages that conventional search engines do not list.

The often-cited Dark Web forms just a small part of the Deep Web and is distinguished from the rest of it by special additional cryptographic mechanisms. In this case, the transmission of hosted data is encrypted, and the channels involved for communication are established through various servers on the Tor network using hashes. This means that the computers involved in the communication remain completely anonymous.

There are various search engines such as Torch [13] or Candle [14] to help you find Deep Web pages on the Tor network. By default, however, the Tor Browser uses DuckDuckGo, which is also Deep Web-enabled.

Conclusions

Overlay networks on the Internet contribute significantly to anonymous communication, and they target different audiences. While some P2P networks are simply about transferring individual files with the greatest possible anonymity, others focus on anonymous browsing on the conventional Internet. Others again have embraced truly anonymous communication using conventional technologies such as email, chat, or IRC.

What all of these overlay networks have in common is that their free licenses, and the resulting free availability of the source code, make it harder to inject malicious or spy code into the individual applications. As a user, however, you need to investigate each overlay network in detail in advance, especially if you are using the Dark Web. Only then can you be sure of obtaining a communications solution that combines different security mechanisms and is truly hardened against a wide variety of attack scenarios.