Keeping Secrets

Government surveillance, attacks by criminals, and tracking by the advertising industry are raising concerns about the security and anonymity of user data. These concerns are amplified in professions where the user is legally responsible for securing communication. Several free projects have addressed these concerns by offering innovative technical approaches to anonymizing data. We decided to take a look at a few of the leading solutions.

Anonymized networks establish tunneled and encrypted connections between individual nodes, ruling out typical attack vectors, such as man-in-the-middle attacks. In the process, these anonymization solutions build a two-way point-fixed overlay network through which the participants exchange data. These solutions support common transport protocols, such as UDP or TCP, as well as the Internet layer protocols IPv4 and IPv6. In some cases, BitTorrent and blockchain technologies are also used to enable distribution of data blocks.

All solutions for anonymized Internet are based on decentralized structures. Many of the solutions, with the exception of the Tor network and those based on VPNs, depend on peer-to-peer connections that do not require centralized servers, which makes it far more difficult for attackers and authorities to access user data.

hide.me

The hide.me [1] VPN solution originates from Malaysia. The provider, eVenture Ltd., offers several subscription models for using the service and makes clients available for download across platforms. For Linux, there is currently only a CLI client. On top of this, hide.me can also be used as a browser extension for Firefox and Chrome-based web browsers. The VPN network consists of more than 2,000 servers in over 75 international locations. To use the service, you first need to register. All you need is a valid email address, which you can use to create and activate an account. You can define the username and password individually.

Hide.me attaches great importance to security features. For example, eVenture operates its own DNS servers, avoiding the kind of DNS leaks that you otherwise occasionally encounter. eVenture also adheres to a strict no-log policy and, according to its own statement, does not log any user data. In addition, eVenture has had security audits performed by independent third-party vendors [2]. On Linux, hide.me uses the modern WireGuard protocol by default in combination with fast ChaCha20-Poly1305 encryption. In addition, you can download the hide.me source code for free on GitHub.

The free hide.me variant offers limited functionality. For example, your choice is limited to five server locations, and the data volume is limited to 10GB per month. In addition, the free account only allows you one VPN connection. The commercial offering eliminates these restrictions, offers a static IP address option, and also supports streaming services like Netflix. A kill switch and split tunneling are available on Linux. (Split tunneling allows access to the Internet beyond the VPN tunnel.)

To install the Linux app, go to hide.me's GitHub page and download the TAR.XZ archive intended for your hardware architecture. Hide-me supports 32- and 64-bit PCs, as well as ARM-based systems. Unpack the downloaded archive, and install the client in a terminal window with root privileges using the ./install.sh command (Figure 1).

Figure 1: The hide.me client for Linux is currently only available as a command line program.

During the install, the routine prompts you for your registration data, so you need to register with the provider up front. After the install, start the VPN manually by setting it up as a systemd service using the commands in Listing 1. Replace the Server placeholder with a location such as amsterdam-1 or a country suffix such as nl. After that, hide.me will create the tunnel, and you will be able to use the Internet through the VPN.

# systemctl enable hide.me@<I>Server<I>
# systemctl start hide.me@<I>Server<I>

Because hide.me is integrated with systemd, the VPN is automatically enabled whenever you reboot your computer. You can use the stop and disable systemctl parameters to disable the VPN tunnel at any time.

Although a graphical desktop client is available for other operating systems, Linux has so far had to make do with the command-line client. This unnecessarily complicates operation, because the convenient server change feature in the graphical front end is not available. Other convenient features are also missing from the Linux client, which is still in beta. The hide.me installation script additionally generates private and public keys and manages the key exchange using HTTPS. Only the client offered by the manufacturer can be used with the hide.me VPN.

However, hide.me does at least support use in web browsers like Firefox, Chrome, and their derivatives. The disadvantage of this solution is that, although all activities in the web browser are then secured by the VPN tunnel, data transfers originating from other applications, such as email clients or messengers, are not.

I2P

The Invisible Internet Project (I2P) [3] network uses a peer-to-peer approach to connect computers. This method involves establishing one-way, tunneled overlay connections over the Internet. Data packets are transported between client computers via routers (known as nodes), with each client having its own cryptographic identifier. The I2P network uses its own DNS server to distribute content on the network. The individual connections are end-to-end encrypted, which prevents third parties from viewing the data.

Traffic to the regular Internet is handled by proxy servers operated by volunteers. These proxies are the only centralized components on the I2P network. All routers have their own cryptographic identity. Routing and contact information is maintained with the help of a network database, which special routers called floodfill routers distribute on the network. The I2P network is self-contained and is not used to pass data packets to and from public servers.

For operation within the network, you will find applications like the i2psnark BitTorrent client and the I2P messenger, which also do without a server. With the help of an embedded application, traditional TCP/IP applications such as SSH or IRC can be tunneled via I2P.

To integrate a client into the I2P network, install the I2P router, which acts as a proxy between applications and the I2P network. The Java application requires an appropriate runtime environment on the system, although it also works with the free OpenJDK Java implementation.

On Ubuntu, Debian, and their derivatives, you can install I2P directly from the repositories; this immediately enables a script to start I2P automatically at system boot time. In addition, you can integrate your own repository into the system; this will be used for automatic updates later. The developers explain the exact procedure on the project page.

I2P can also run in headless mode – without a graphical interface. This option is especially useful for servers. For container environments, a Docker package is available from Docker Hub. The I2P source code is available for download from the website.

To connect the computer to the I2P network, enter the i2prouter start command at the prompt after installation. You don't need administrative rights. The routine now launches a web browser and opens the I2P router's configuration interface in it. When you get to the interface, first change a couple of settings; the I2P Router Console then starts up (Figure 2).

Figure 2: The I2P Router Console allows for convenient graphical administration.

The I2P Router Console has three panes: On the far left, you will find some statistical data on the the network access status, the available bandwidth, and the established tunnel. Bottom right is a list of the various applications on the I2P network, as well as a list of various community sites, some of which also provide support. Top right, an info segment shows you the further steps for configuring the router. In the background, the system has already found some other I2P routers.

It is a good idea to adjust the existing bandwidth first, because it is very low by default. Click the configuration page link at the top of the Info section. You will now be taken to a page with numerous options; the Bandwidth dialog is already open. Click on the Bandwidth Test link to discover the bandwidth of the Internet connection, and then set the optimal bandwidth for I2P (Figure 3). Once you have adjusted the bandwidth and saved it by pressing Save Changes bottom right, the changes you have made will appear at the top of the window.

Figure 3: The I2P network lets you manually configure the bandwidth to use for your node.

More detailed links will now also appear in the bar on the far left; you can use them to customize various additional options. For example, shared clients in the Local Tunnels category gives you detailed information about the floodfill routers your system has contacted and the subscriber tunnels that the system has established. Bandwidth classes are also specified for each connection.

In the I2P services category, you can call the services handled directly by the I2P network. Apart from BitTorrent, this also includes the integrated web server, which you can use to create and distribute anonymized web pages.

There are two email clients in the form of Susimail and I2P messenger that let you send and receive anonymized emails on the I2P network. However, following the links on the router console – and the links that let you search for other available programs – only generates error messages. You need to install the I2P messenger client manually.

To harmonize your web browser with the I2P network, you need to change its proxy settings. To do this, adjust the HTTP proxy in Firefox's settings dialog (Figure 4). Then go to the advanced settings, which you can access by typing about:config in the URL bar, and change the value for media.peerconnection.ice.proxy_only from false to true.

Figure 4: You need to manually prepare the web browser for use with I2P.

IPFS

The InterPlanetary File System (IPFS) is primarily used for decentralized storage of files and web pages [4]. IPFS, established in 2015, relies on the peer-to-peer principle and is free software. Centralized services such as DNS or individual web servers do not exist, making distributed denial-of-service (DDoS) attacks on these services impossible on an IPFS network.

IPFS stores files and web pages in a decentralized way as blocks on numerous individual nodes, which protects the information against censorship and deletion attempts. The data is named using hashes that also change when a file is modified. You can use IPFS either by installing software packages that connect your computer to the IPFS network or opt for a web browser add-on that makes IPFS data available. The browser extension only acts as a gateway without providing the full functionality of the overlay network.

Some Linux distributions already have IPFS binary packages in their repositories. You can also obtain a precompiled binary package for the IPFS desktop from GitHub [5]. In addition to RPM and DEB packages, AppImage and Snap archives are also available. Development work on these packages is very active, so it makes sense to get the latest package.

After completing the install, you will find a launcher for the IPFS desktop in the menu of your desktop environment. Clicking on the launcher opens a native graphical front end for managing your own IPFS instance and, at the same time, establishes access to the IPFS network. The graphical interface (Figure 5), with its state-of-art design, displays statistics for your own IPFS node in the main area of the window.

Figure 5: IPFS offers an up-to-date management interface.

Once the Status window confirms the connection to IPFS, you can check out the world map (Figure 6) to see the other IPFS peers across the globe that your node is connected to in the Peers group. The client updates the numbers, the table, and the bandwidth indicators on the Status page more or less in real time.

Figure 6: You can monitor existing IPFS connections on a world map.

To post your own files on the IPFS network, click on Files in the sidebar on the left. In the dialog that opens, click Import and select one of the options listed in the drop-down menu.

To add data from the IPFS network, you need to know and specify the Content Identifier (CID). To keep data permanently available by mirroring it to other network nodes, you additionally need to pin the data. To pin the data, press the button with the three dots. In the context menu, select the Set pinning option.

To pin the data to your local mass storage, check the box to the left of the Local node option and then press Apply. The file is now on your local mass storage and can be retrieved via the known CID after shutting down and restarting the daemon. Alternatively, you can keep data available at all times using a pinning service like Eternum or Pinata.

There are special search engines to help you find data on the IPFS network. They are still under construction, but they already provide useful results. The most popular search engines for the IPFS network include Almonit, [6] IPFS-Search [7], and IPSE [8].