Circumvention and Safety
The type of security you need depends on your activities and their consequences. There are some security measures that everyone should practice whether they feel threatened or not. Some ways to be cautious online require more effort, but are necessary because of severe restrictions on Internet access. You may be facing threats from technology that is being researched and deployed rapidly, old technology, use of human intelligence instead, or a combination of all three. All of these factors may change often.
Some security best-practices
There are steps that everyone with a computer should take to keep it secure. This may involve protecting information about your network of activists or it could be your credit card number, but some of the tools you need are the same.
Beware of programs that promise perfect security: online safety is a combination of good software and human behavior. Knowing what should be kept offline, who to trust, and other security questions cannot be answered by technology alone. Look for programs that list risks on their Web sites or have been peer reviewed.
Keep your operating system up-to-date: the developers of operating systems provide updates that you should install from time to time. These may be automatic or you may have to request them by entering a command or adjusting your system settings. Some of these updates make your computer more efficient and easier to use, and others fix security holes. Attackers learn about these security holes rapidly, sometimes even before they're fixed, so fixing them promptly is crucial.
If you're still using Microsoft Windows, use anti-virus software and keep it updated. Malware is software written in order to steal information or to use your computer for other purposes. Viruses and malware can gain access to your system, make changes and hide themselves. They could be sent to you in an e-mail, be on a Web page you visit, or be part of a file that does not appear to be suspicious. Anti-virus software providers constantly research emerging threats and add them to lists of things that your computer will block. In order to allow the software to recognize new threats, you must install updates as they are released.
Use good passwords: no password selection system can guard against being threatened with violence, but you can improve your security by making it harder to guess. Use combinations of letters, punctuation, and numbers. Combine lower and upper case letters. Do not use birthdates, telephone numbers, or words that can be guessed by going through public information about you.
Use Free and Open Source Software (FOSS). Open source software is made available both as a working product and as a work in progress to users and software engineers. This offers several security advantages over closed source, for-profit software that may only be available in your country through illegal channels due to export restrictions or expense. You may not be able to download official updates for pirated software. With Open Source software there is no need to search through several suspicious sites for a copy free of spyware and security glitches. Any legitimate copy will be free and is available from the creators. If security flaws emerge, they can be spotted by volunteers or interested users. A community of software engineers will then work on a solution, often very quickly.
Use software that separates who you are from where you are. Every computer connected to the Internet has an IP address. An IP address can be used to find your physical location as easily as typing it into a public "whois" site. Proxies, VPNs and Tor route your traffic through one to three computers around the world. If you are going through only one server, be aware that just like an ISP, the proxy provider can see all of your traffic. You may trust the proxy provider more than your ISP, but the same warnings apply to any single source of connectivity. See the sections that cover proxies, Tor, and VPNs for more on risks.
Use live CDs and bootable USB drives. If you are using a public computer or another computer on which you do not want to leave data, use a version of Linux that you can run from portable media. A Live CD or bootable USB drive can be plugged into a computer and used without installing anything.
Use "portable" programs: there are also portable versions of circumvention software that can be run under Windows from a USB drive.
Keep yourself updated: the effort put into finding you may change. The technology that works one day may stop working or be insecure the next day. Even if you don't need it now, know where to find information. If the software providers you use have ways to get support, make sure you know about them before their Web sites are blocked.
Safer access to social networking sites
In the context of closed societies and repressive countries, monitoring becomes a major threat for users of social networking sites, especially if they use the service to coordinate civil society activity or engage in online activism or citizen journalism.
One central issue with social networking platforms is the amount of private data that you share about yourself, your activities and your contacts, and who has access to it. As the technology evolves and social networking platforms are more and more accessed through smart phones, the disclosure of the locations of the users of a social networking platform at any given moment is also becoming a significant menace.
In that context, some precautions become even more crucial; for example, you should:
- edit your default privacy settings in the social networking platform
- know precisely what information you are sharing with whom
- make sure that you understand the default geolocation settings, and edit them if needed
- only accept into your network people who you really know and trust
- only accept into your network people who will be savvy enough to also protect the private information that you share with them, or train them to do so
- be aware that even the most savvy people in your network might give up information if they are threatened by your adversary, so consider limiting who has access to which information
- be aware that accessing your social networking platform via a circumvention tool will not automatically protect you from most of the threats to your privacy.
Read more in this article from Privacy Rights Clearinghouse: "Social Networking Privacy: How to be Safe, Secure and Social": http://www.privacyrights.org/social-networking-privacy/#general-tips
How can you access your social networking platform when it is filtered?
As described below, using HTTPS to access Web sites is important. If your social networking platform allows HTTPS access, you should use it exclusively, and, if possible, make it the default. For example, on Facebook, you can edit Account Settings > Account Security > Secure Browsing (https) to make HTTPS the default way to connect to your Facebook account. In some places, using HTTPS may also allow you to access to an otherwise blocked service; for example, http://twitter.com/ has been blocked in Burma while https://twitter.com/ remained accessible.If you want to protect your anonymity and privacy while circumventing the filtering imposed on your social networking service, an SSH tunnel or VPN will give you stronger privacy guarantees than a Web proxy, including against the risk of revealing your IP address. Even using an anonymity network like Tor can be insufficient because social networking platforms make it so easy to reveal identifying information and expose details about your contacts and social relationships.
Safer use of shared computers
A significant proportion of the world's population, especially in developing countries, does not have personal access to the Internet at their homes. This can be because of the costs of having private Internet connection at their homes, the lack of personal computer equipment, or problems in the telecommunication or electrical network infrastructures.
For this portion of the population the only existing, convenient or affordable mean to access the Internet is to use places where the computers are shared with several different individuals. This includes Internet cafs, Telecenters, work stations, schools or libraries.
Potential advantages of shared computers
There are advantages to accessing the Internet on shared computers:
- You may receive technical advice and assistance from other users or facility staff on how to circumvent filtering.
- Circumvention tools may already be installed and pre-configured.
- Other users may share uncensored information with you through alternative, offline means.
- If you aren't a regular user of a particular computing facility, you didn't provide identity documents to the facility's operator, and you don't sign in online using your real name or account information, it would be hard for anyone to track you down personally based on your online activity.
General risks of shared computers
The fact that you access the Internet in a public space does not make it anonymous or safe for you. It is quite often the very opposite. Some of the main threats are:
- The owner of the computer, or even a person who used the computer before you, could easily program the computer to spy on everything you do, including recording all of your passwords. The computer can also be programmed to circumvent or nullify the protections of any privacy and security software you use on it.
- In some countries, such as Burma and Cuba, Internet caf clients are required to show their ID or passport before using the service. This ID information can be stored and filed together with the clients' Web browsing history.
- Any data you leave on the computer you have used may be logged (browsing history, cookies, downloaded files, etc).
- Software or hardware keyloggers installed in the client's computer may record every keystroke during your session, including your passwords, even before this information is sent over the Internet. In Vietnam, an apparently innocuous virtual keyboard for typing Vietnamese characters was being used by the government to monitor user activity at Internet cafs and other public access spots.
- Your screen activity may be recorded by special software that takes screenshots at frequent intervals, monitored through CCTV cameras, or simply observed by a person (e.g. the Internet caf manager) looking over your shoulder.
Shared computers and censorship
Besides the surveillance, users of shared computers are often offered access to a limited Internet and have to face additional hurdles to use their favorite circumvention solution:
- In some countries, such as Burma, Internet caf owners have to display posters about banned Web content and are responsible for the enforcement censorship law inside their business.
- Extra filtering might be implemented by Internet caf managers (client side control and filtering), to complement filtering implemented at the ISP or national level.
- Users might be pushed by the environmental restrictions to avoid visiting specific Web sites for fear of punishment, thus enforcing self-censorship.
- Computers are often configured so that users are prevented from installing any software, including circumvention tools, or connecting any kind of devices to the USB port (such as USB flash drives). In Cuba, authorities have begun deploying a controlling software for Internet cafs named AvilaLink that prevents users from installing or executing specific software or running applications from a USB flash drive.
- Users may be prevented from using any other browser but Internet Explorer, to prevent the use of privacy or circumvention Add-ons or settings for browsers such as Mozilla Firefox or Google Chrome.
Best practices for security and circumvention
Depending on the environment in which you use your shared computer, you can try the following:
- Identify the surveillance measures implemented based on the list mentioned above (CCTV, human surveillance, keyloggers, etc.) and behave accordingly.
- Run portable circumvention software from a USB flash drive.
- Use an operating system on which you have control through the use of a Live CD.
- Change Internet cafs often if you fear recurring surveillance, or stick to one where you trust it is safe to connect.
- Take your own laptop to the Internet caf and use it instead of the public computers.
Confidentiality and HTTPS
Some filtered networks use mainly (or exclusively) keyword filtering, rather than blocking particular sites. For example, networks might block any communication mentioning keywords that are considered politically, religiously, or culturally sensitive. This blocking can be overt or disguised as a technical error. For example, some networks make it look like a technical error occurred whenever you search for something that the network operator thinks you shouldn't be looking for. This way, users are less likely to blame the problem on censorship.
If the content of Internet communications is unencrypted, it will be visible to ISPs' network equipment such as routers and firewalls, where keyword-based monitoring and censorship can be implemented. Hiding the content of communications with encryption makes the task of censorship much more difficult, because network equipment can no longer distinguish the communications that contain forbidden keywords from those that don't.
Using encryption to keep communications confidential also prevents network equipment from logging communications in order to analyze them and target individuals after the fact for what they read or write.
What is HTTPS?
HTTPS is the secure version of the HTTP protocol used to access Web sites. It provides a security upgrade for accessing Web sites by using encryption to stop eavesdropping and tampering with the contents of your communications. Using HTTPS to access a site can prevent network operators from knowing which part of the site you're using or what information you sent to and received from the site. HTTPS support is already included in every popular Web browser, so you don't need to install or add any software in order to use HTTPS.
Usually, if a site is available through HTTPS, you can access the site's secure version by entering its address (URL) beginning with https:// instead of http://. You can also tell if you are using the secure version of a site by looking at the address displayed in your Web browser's navigation bar, and seeing whether it begins with https://.
Not every Web site has an HTTPS version. Indeed, perhaps less than 10% of sites do though the sites with HTTPS versions include several of the largest and most popular sites. A Web site is only available through HTTPS if the Web site operator deliberately configures its HTTPS version. Internet security experts have been urging Web site operators to do this routinely, and the number of sites with HTTPS support has been growing steadily.
If you try to access a site through HTTPS and receive an error, this doesn't always mean that your network is blocking access to the site. It might mean that the site is simply not available in HTTPS (to anyone). However, certain kinds of error messages are more likely to show that someone is actively blocking or tampering with the connection, especially if you know that a site is supposed to be available through HTTPS.
Examples of sites that offer HTTPS
Here are a few examples of popular sites that offer HTTPS. In some cases, the use of HTTPS is optional on these sites, not mandatory, so you have to explicitly choose the secure version of the site in order to get the benefits of HTTPS.
||Insecure (HTTP) version||Secure (HTTPS) version|
|Windows Live Mail (MSN Hotmail)||http://mail.live.com/
For example, if you make a Google search from https://encrypted.google.com/ instead of http://www.google.com/, your network operator will not be able to see what terms you searched for, and therefore it can't block Google from answering "inappropriate" searches. (However, the network operator could decide to block encrypted.google.com in its entirety.) Similarly, if you use Twitter through https://twitter.com/ instead of http://twitter.com/, the network operator can't see which tweets you are reading, what tags you are searching for, what you post there, or which account you log into. (However, the network operator could decide to block all access to twitter.com using HTTPS.)
HTTPS and SSL
HTTPS makes use of an Internet security protocol called TLS (Transport Layer Security) or SSL (Secure Sockets Layer). You may hear people refer to a site "using SSL" or being "an SSL site". In the context of a Web site, this means that the site is available through HTTPS.
Using HTTPS in addition to circumvention technology
Even circumvention technologies that use encryption are not a substitute for using HTTPS, because the purpose for which encryption is used is different.
For many kinds of circumvention technology, including VPNs, proxies, and Tor, it is still possible and appropriate to use HTTPS addresses when accessing a blocked site through the circumvention technology. This provides greater privacy and prevents the circumvention provider itself from observing or recording what you do. This could be important even if you're confident that the circumvention provider is friendly to you, because the circumvention provider (or the network that the circumvention provider uses) could be broken into or pressured to provide information about you.
Some circumvention technology developers like Tor strongly urge users to always use HTTPS, to make sure that circumvention providers themselves can't spy on users. You can read more about this issue at https://blog.torproject.org/blog/plaintext-over-tor-still-plaintext. It's good to get in the habit of using HTTPS whenever possible, even when using some other method for circumvention.
Tips for using HTTPS
If you like to bookmark sites that you access frequently so that you don't have to type in the full site address, remember to bookmark the secure version of each site instead of the insecure version.
In Firefox, you can install the HTTPS Everywhere extension to turn on HTTPS automatically whenever you visit a site that's known to offer HTTPS. It is available from https://www.eff.org/https-everywhere/.
Risks when not using HTTPS
When you don't use HTTPS, a network operator such as your ISP or a national firewall operator, can record everything you do including the contents of the specific pages that you access. They can use this information to block particular pages or to create records that might be used against you later on. They can also modify the contents of Web pages to delete certain information or to add malicious software to spy on you or infect your computer. In many cases, other users of the same network can also do these things even if they aren't officially the network operator.
In 2010, some of these problems were dramatized by a program called Firesheep, which makes it extremely easy for users on a network to take over other users' social networking site accounts. Firesheep works because, at the time it was created, these social networking sites were not commonly using HTTPS, or were using it in a limited way to protect only some portions of their sites. This demonstration created a lot of attention in international media, and also led more sites to require the use of HTTPS or to offer HTTPS access as an option. It also allowed technically unskilled people to abuse others by breaking into their accounts.
In January 2011, during a period of political unrest in Tunisia, the Tunisian government began tampering with users' connections to Facebook in a way that allowed the government to steal users' passwords. This was done by modifying the Facebook login page and invisibly adding software that sent a copy of the user's Facebook password to the authorities. Such modifications are technically straightforward to perform and could be done by any network operator at any time. As far as we know, Tunisian Facebook users who were using HTTPS were totally protected from this attack.
Risks when using HTTPS
When it's available, using HTTPS is almost always safer than using HTTP. Even if something goes wrong, it shouldn't make your communications any easier to spy on or filter. So it makes sense to try to use HTTPS where you can (but be aware that, in principle, using encryption could be restricted by law in some countries). However, there are some ways that HTTPS might not provide complete protection.
Sometimes, when you try to access a web site over HTTPS, your Web browser will show you a warning message describing a problem with the site's digital certificate. The certificate is used to ensure the security of the connection. These warning messages exist to protect you against attacks; please don't ignore them. If you ignore or bypass certificate warnings, you may still be able to use a site but limit the ability of the HTTPS technology to protect your communications. In that case, your access to the site could become no more secure than an ordinary HTTP connection.
If you encounter a certificate warning, you should report it by e-mail to the Webmaster of the site you were trying to access, to encourage the site to fix the problem.
If you're using an HTTPS site set up by an individual, such as some kinds of Web proxies, you might receive an certificate error because the certificate is self-signed, meaning that there is no basis given for your browser to determine whether or not the communication is being intercepted. For some such sites, you might have no alternative but to accept the self-signed certificate if you want to use the site. However, you could try to confirm via another channel, like e-mail or instant messaging, that the certificate is the one you should expect, or see whether it looks the same when using a different Internet connection from a different computer.
A single Web page is usually made up of many different elements, which can come from different places and be transferred separately from one another. Sometimes a site will use HTTPS for some of the elements of a Web page but use insecure HTTP for the others. For example, a site might allow only HTTP for accessing certain images. As of February 2011, Wikipedia's secure site has this problem; although the text of Wikipedia pages can be loaded using HTTPS, all of the images are loaded using HTTP, and so particular images can be identified and blocked, or used to determine which Wikipedia page is a user is reading.
Redirection to insecure HTTP version of a site
Some sites use HTTPS in a limited way and will force users back to using insecure HTTP access even after the user initially used HTTPS access. For example, some sites use HTTPS for login pages, where users enter their account information, but then HTTP for other pages after the user has logged in. This kind of configuration leaves users vulnerable to surveillance. You should be aware that, if you get sent back to an insecure page during the course of using a site, you no longer have the protections of HTTPS.
Networks and firewalls blocking HTTPS
Because of the way HTTPS hinders monitoring and blocking, some networks will completely block HTTPS access to particular Web sites, or even block the use of HTTPS altogether. In that case, you may be limited to using insecure access to those sites while on those networks. You might find that you're unable to access a site because of blocking of HTTPS. If you use HTTPS Everywhere or certain similar software, you may not be able to use some sites at all because this software does not permit an insecure connection.
If your network blocks HTTPS, you should assume that the network operator can see and record all of your Web browsing activities on the network. In that case, you may want to explore other circumvention techniques, particularly those that provide other forms of encryption, such as VPNs and SSH proxies.
Using HTTPS from an insecure computer
HTTPS only protects the contents of your communications while they travel over the Internet. It doesn't protect your computer or the contents of your screen or hard drive. If the computer you use is shared or otherwise insecure, it could contain monitoring or spying software, or censorship software that records or blocks sensitive keywords. In that case, the protection offered by HTTPS could be less relevant, since monitoring and censorship could happen within your computer itself, instead of at a network firewall.
Vulnerability of HTTPS certificate system
There are problems with the certificate authority system, also called public-key infrastructure (PKI) used to authenticate HTTPS connections. This could mean that a sophisticated attacker could trick your browser into not displaying a warning during an attack, if the attacker has the right kind of resources. It has not yet been clearly documented that this is taking place anywhere. This is not a reason to avoid using HTTPS, since even in the worst case, the HTTPS connection would be no less secure than an HTTP connection.