random neuron misfires

Wednesday, July 25th, 2007 at 10:37 pm | 20,966 views | trackback url

With the advent of the new illegal monitoring going on in the USA, and ISPs being actively forced to log and snoop on their own customer’s behaviors, I’ve been advocating the use of Privoxy + Tor to help anonymize some of your browsing behavior and characteristics.

Privoxy is a web proxy with advanced filtering capabilities for protecting privacy, modifying web page data, managing cookies, controlling access, and removing ads, banners, pop-ups and other obnoxious Internet junk.

Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol.

To configure them to work in concert, just install privoxy and tor using your standard package management tools. Open up Privoxy’s configuration file (normally /etc/privoxy/config) and add the following line:

forward-socks4a / localhost:9050 .

The ending dot is significant, don’t forget to include it. You can put this anywhere in the file you want, but the most-likely place is around line 1064 or so in the standard configuration. Restart privoxy using whatever scripts or service management tools your host operating system provides.

Now there’s an additional tweak you can do to use Squid to pool and cache the sites you visit locally. To do that, you’ll need to change a few things in Squid’s configuration (normally /etc/squid/squid.conf):

http_port 8888
cache_peer localhost parent 8118 7 no-query default

# Some basic ACLs to allow local traffic, forbid outside traffic
http_access allow purge localhost
http_access allow localhost
http_access deny all

# Make sure we're ALWAYS using Privoxy and Tor, and not bypassing the cache
never_direct allow all

# And let's remove some headers which can be used to divulge some of our personal info
header_access From deny all
header_access Server deny all
header_access User-Agent deny all
header_access WWW-Authenticate deny all
header_access Link deny all

Restart Squid and you should be all set. In your application (for example, Firefox), you can set up your proxy server to be:

localhost:8888

Browsing will be slightly slower, but very clean and anonymized. If you want, you can also run pre-fetch pages with Squid to speed up access to lateral pages and links on sites you visit.

Using Firefox, I have an extension called SwitchProxy installed which lets me change my proxy configuration with a simple click, from “None” to “Squid (localhost)” to “Squid + Privoxy + Tor”, and so on. I highly recommend it.

In my personal configuration, I have a router which is configured to send every outbound request on port 80, and every incoming reply, to a Squid server running on FreeBSD. No client configuration is necessary at all.

With Squid on the BSD machine, I can set up Privoxy and Tor there, and transparently cache, secure, and anonymize that traffic without burdening the clients at all, no matter how many there are, or what OS they happen to run.

My router’s iptables configuration for that looks like this:

iptables -t nat -A PREROUTING -i br0 -s ! 10.0.1.3 -p tcp --dport 80 -j DNAT --to 10.0.1.3:8888
iptables -t nat -A POSTROUTING -o br0 -s 10.0.1.0/24 -d 10.0.1.3 -j SNAT --to 10.0.1.1 
iptables -A FORWARD -s 10.0.1.0/24 -d 10.0.1.3 -i br0 -o br0 -p tcp --dport 8888 -j ACCEPT

10.0.1.1 is my router, and 10.0.1.3 happens to be the FreeBSD machine running a very large Squid cache.

It works great, and clients behind my LAN never know the difference.

If you’re afraid of The Oracle taking too much of your personal browsing history for their own purposes, you can install the CustomizeGoogle extension and filter some of that out.

CustomizeGoogle lets you anonymize your Google UserID, filter out spammy websites, block Google Analytics cookies, and much more.

Last Modified: Wednesday, July 25th, 2007 @ 22:37

This entry was posted on Wednesday, July 25th, 2007 at 10:37 pm and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.