How-to: Improve your online privacy – level 1 – Tor

[easyreview title=”Complexity rating” icon=”geek” cat1title=”Level of experience required, to follow this how-to.” cat1detail=”Your granny could do it. :-)” cat1rating=”1″ overall=”false”]

Introduction to Tor

It seems that not a day goes by now without reading some news about this or that government’s ability to scrutinise your internet activity. Our very own Dummy blogged about PRISM not so long ago. He concluded that at some level, we probably already suspected our every online move was being tracked. It’s just that we’re now sure of it. The worst that’s happened is we’ve sacrificed the illusion of privacy for the illusion of security, right?

The thing that’s making me distinctly uncomfortable though is that my data seems to be available to foreign powers. I am not a citizen of the U.S., but with vast quantities of my email sat on Google or Microsoft’s servers, it seems that for U.S. intelligence agencies, it’s open season on Geek’s mailbox. Now I can probably wrap my head around that, but what about other governments – governments with poor track records when it comes to human rights and civil liberties? If the U.S. can see my data, why not them too? It’s worrying because I have absolutely no doubt that some of my views would be viewed as offensive and immoral by those states. No names no pack drill, but the feeling is mutual.

Tor logoSo is there anything we can do to reclaim some of our privacy? Turns out that there is. There are a few options in fact. Today I’m going to look at just one such option: boosting your online privacy through the anonymising network, Tor.

Say what now?

Tor used to stand for “The Onion Ring [network]”. Like an onion, Tor provides layers between you and the web sites you’re visiting. Within those layers, your activity is scrambled, redirected and encrypted.

To explain this in simple terms: your web browser sits within the Tor network. All communication within the network is secured. When you browse to a web site, your web traffic is sent to an exit point from the Tor network – any one of several thousand relays – which talks to the internet on your behalf.

Think of it like a middleman who never reveals who he’s working for, but hands messages to and fro. That’s oversimplified, because what actually happens is more like several middlemen between you and the final web site, none of whom know quite who the original “client” is, nor what the message is that the middleman is relaying on behalf of the client. It’s these layers of security and encryption that led to the onion metaphor.

Tor Quick Start

By far the easiest way to get going with Tor is to download the “Browser Bundle”. This includes a specially configured web browser that will send all traffic via the Tor network. Yes, that’s right: Tor cannot magically make all your internet activity private. You have to use tools that know how to make use of the network. The Tor Browser is a version of Firefox that has been configured to use the Tor network. I’m going to assume that you’re using Windows, for the purposes of this tutorial, but there are bundles available for Mac and Linux too.

Download and run the Tor Browser Bundle. Tor isn’t installed as such – you won’t find a link in your Start Menu after this. It extracts all its files wherever you direct and you run it from there. This means that you can put the files (less than 100MB) on a USB thumb drive and take it with you from computer to computer.

Within the “Tor Browser” folder, you’ll find a program called “Start Tor Browser”. When you run that, your system will be initialised to run Tor:

Tor loading

Once you’re connected, the Tor Browser will load:

Tor Browser 1

After that, you can browse the web almost as normal. Web browsing will inevitably be slower than you’re used to; privacy in this case comes with a price. Traversing all those layers of encryption and randomisation takes time, but while you’re waiting for your page to load during that brief delay enjoy the warm sense of anonymised well-being.

Tor Browser 2

Note: web sites will not always function as they do outside the Tor network. This is a by-product of anonymity and safety. See the FAQ to understand some of the issues you may encounter.

Caveats

You need to be aware that Tor is not a panacea. If you wish to prioritise privacy, you may need to change some of your browsing habits. From the Tor’s download page:

Want Tor to really work?

  1. Use the Tor Browser
    Tor does not protect all of your computer’s Internet traffic when you run it. Tor only protects your applications that are properly configured to send their Internet traffic through Tor. To avoid problems with Tor configuration, we strongly recommend you use the Tor Browser Bundle. It is pre-configured to protect your privacy and anonymity on the web as long as you’re browsing with the Tor Browser itself. Almost any other web browser configuration is likely to be unsafe to use with Tor.
  2. Don’t enable or install browser plugins
    The Tor Browser will block browser plugins such as Flash, RealPlayer, Quicktime, and others: they can be manipulated into revealing your IP address. Similarly, we do not recommend installing additional addons or plugins into the Tor Browser, as these may bypass Tor or otherwise harm your anonymity and privacy. The lack of plugins means that Youtube videos are blocked by default, but Youtube does provide an experimental opt-in feature (enable it here) that works for some videos.
  3. Use HTTPS versions of websites
    Tor will encrypt your traffic to and within the Tor network, but the encryption of your traffic to the final destination website depends upon on that website. To help ensure private encryption to websites, the Tor Browser Bundle includes HTTPS Everywhere to force the use of HTTPS encryption with major websites that support it. However, you should still watch the browser URL bar to ensure that websites you provide sensitive information to display a blue or green URL bar button, include https:// in the URL, and display the proper expected name for the website.
  4. Don’t open documents downloaded through Tor while online
    The Tor Browser will warn you before automatically opening documents that are handled by external applications. DO NOT IGNORE THIS WARNING. You should be very careful when downloading documents via Tor (especially DOC and PDF files) as these documents can contain Internet resources that will be downloaded outside of Tor by the application that opens them. This will reveal your non-Tor IP address. If you must work with DOC and/or PDF files, we strongly recommend either using a disconnected computer, downloading the free VirtualBox and using it with a virtual machine image with networking disabled, or using Tails. Under no circumstances is it safe to use BitTorrent and Tor together, however.
  5. Use bridges and/or find company
    Tor tries to prevent attackers from learning what destination websites you connect to. However, by default, it does not prevent somebody watching your Internet traffic from learning that you’re using Tor. If this matters to you, you can reduce this risk by configuring Tor to use a Tor bridge relay rather than connecting directly to the public Tor network. Ultimately the best protection is a social approach: the more Tor users there are near you and the more diverse their interests, the less dangerous it will be that you are one of them. Convince other people to use Tor, too!

Additional point: there’s some anecdotal evidence that using Tor can cause issues for PayPal and eBay.

Bonus: Use Tor with mobile devices

That’s all well and good for desktops and laptops, but what about my phone and my tablet? Good news: you can also use Tor on Android and iOS. For Android, you have the free Orbot, which you can couple with the browser Orweb (also free). You do not need to have rooted your phone to use these, though there are some advantages if you do.

For iOS folks, there’s Onion Browser, which is cheap, but not free.

At the moment, I’m not aware of any Tor packages for BlackBerry or Windows Phone.

Safe browsing

Please remember that no amount of encryption or obfuscation can guarantee your privacy or safety. Nor does it absolve you of moral accountability. Stay safe and keep your nose clean.

How-to: Laravel 4 tutorial; part 1 – installation

[easyreview title=”Complexity rating” icon=”geek” cat1title=”Level of experience required, to follow this how-to.” cat1detail=”A good level of familiarity with web hosting will come in handy here, especially if your hosting environment is different from mine. It will also help if you’re comfortable at the command line.” cat1rating=”4″ overall=”false”]

Laravel Tutorials

Introduction

If, like me, you spend much time coding for the web – for pleasure or profit – sooner or later you’re going to find that you benefit from using a development framework. A framework is a collection of scripts that help you create an application much more quickly. Frameworks typically include a lot of the “nuts and bolts” components – scripts that assist with database connections for example, plus components that impose some structure on your programming.

For a long time, my framework of choice was CodeIgniter. CodeIgniter has stagnated of late and concerns have arisen over licensing. Partly as a consequence, many PHP developers like me have searched for an alternative. In the search, I came across a framework that many programmers are turning to: Laravel. My early experiences with Laravel have been extremely positive and I have found many things I prefer about it. In this series of tutorials, I’ll show you how to get up and running with Laravel and begin creating an application. The application will involve some web-scraping, so you may wish to stay tuned for that reason alone.

Before we dive in though, one word of caution: Laravel is a young open source project. Like many such projects, its documentation is less complete than you might wish, particularly when compared to CodeIgniter. In fact CodeIgniter’s great documentation was one of the reasons why I initially chose it as a development framework. Documentation is a core commitment of the Laravel team, but at the time of writing, with the recent release of Laravel 4, I’m finding the documentation is not quite up to scratch. Possibly you’ve found that too, which is why you’ve made it here to this tutorial. In fact one of the worst parts of the documentation at the time of writing is the installation procedure! With that caveat in place, let’s move on – it’s still well worthwhile.

Prerequisites

All my web coding is done within a Linux environment, usually CentOS or Ubuntu Server. For the easiest experience following these tutorials, you may wish to create a similar environment. (I’ve written about that elsewhere.) Alternatively, you should be able to follow the tutorials with some tweaking – but you’re on your own there. At the very least, I recommend you have in place:

  • Apache web server
  • Shell access to the server (preferably SSH)
  • Root access to install Composer globally (not essential)
  • Git must be installed in your environment.

Installing Composer

With the latest release (4) Laravel has taken a leap forward in several areas. One such area is the management of third party libraries and packages. Laravel previously made use of an external project called “Composer“, to install dependent packages. With Laravel 4, you now use Composer to install Laravel itself. To install Composer, from a root login shell, do the following:

cd /usr/local/bin
curl -sS https://getcomposer.org/installer | php
mv composer.phar composer

Provided /usr/local/bin is in your $PATH environment variable, you will now be able to call Composer with “composer [options] command [arguments]“.

Installing Laravel



The beauty of Composer is the simplicity it brings to library/application installation. There is an overwhelming range of tutorials on how to install Laravel with Composer. Please bear in mind that many of these were written while Laravel 4 was in beta or even alpha. Now it has been released, the installation is quite straightforward. Having prepared a new environment for a web site (a virtual host or whatever), navigate to the directory above the default web root directory. Then install using Composer. Eg:

cd /home/geek/domains/test.geekanddummy.com/
composer create-project laravel/laravel

You should see a fair bit of output indicating that Composer is creating a directory “laravel” and pulling in all the dependencies for a basic installation. The laravel directory contains a folder entitled “public“, intended to be your web root. Your easiest way to complete the configuration is to point your web site at that directory. For example, using Virtualmin, you would go to Server Configuration –> Website Options and change “Website documents sub-directory” from “public_html” to “laravel/public”.

Having done that, when I browse to my test web site, I see:

Laravel landing page

Installing other frameworks

Now would be a good time put to put Twitter’s Bootstrap and jQuery in place, if you’re planning to use them. Naturally, we’ll use Composer for this. You might use other frameworks in your web applications – check out Packagist to see if anyone has made a Composer package available.

Composer demands a tutorial all of its own, but I’ll keep it simple here. I’m going to make my new Laravel application depend on the latest compatible branches of Bootstrap and jQuery. This will potentially allow us to upgrade these two frameworks with a simple Composer command at a later date.

In the root of your Laravel application you’ll find the main Composer configuration file, composer.json. You don’t need to get your hands dirty editing the file, just from a shell in that root directory, issue the following commands:

composer require "components/jquery":"*"
composer require "twitter/bootstrap":"*"

This updates the composer.json file to include these dependencies and goes ahead and downloads them. It can take a while – be patient.

You’ll end up with jQuery files under ./components/jquery and Bootstrap files under ./vendor/twitter/bootstrap. These are locations not visible to your web server (the root is at ./public, you’ll recall). This is a particular problem in the case of Bootstrap. For now, here’s a quick-and-dirty way of accessing these files. I’m on the lookout for a more elegant solution, but this will get you up and running rapidly. Navigate to the “public” folder in a login shell and issue the following commands:

mkdir -p assets/css
mkdir assets/img
mkdir assets/js
ln -s ../../../vendor/twitter/bootstrap/img/glyphicons-halflings.png ./assets/img
ln -s ../../../vendor/twitter/bootstrap/docs/assets/css/bootstrap.css ./assets/css
ln -s ../../../vendor/twitter/bootstrap/docs/assets/css/bootstrap-responsive.css ./assets/css
ln -s ../../../components/jquery/jquery.min.js ./assets/js

And so on, for whichever bits you’ll use. This will only work if your web server allows following symbolic links. The .htaccess directive “Options +SymLinksIfOwnerMatch” may help here, but that’s outside the scope of this tutorial.

Configure your development environment

I use NetBeans for development. If you don’t already have a preferred IDE (integrated development environment), I recommend you check it out. Another favourite is Eclipse. You could use an ordinary text editor, but then you’d be missing out on a lot of things that can make your coding more comfortable and efficient.

Having installed Laravel and the other frameworks on my web server, next I use NetBeans to pull the code across to my development environment. In the NetBeans “New Project” wizard, select the option “PHP Application from Remote Server”. In the remote configuration, ensure that you choose as your “upload directory”, the laravel. From there, you’ll want to download the app and public directories.

Conclusion

That’s it for today’s tutorial. Next time, we’ll look at orientating ourself within the framework (“what goes where?”).