The browser Mozilla Firefox version 22.0 will block third-party cookies by default. Content from a third-party origin will get only permission to set cookies if its origin already has at least one cookie set. (see: The New Firefox Cookie Policy). This policy will potentially block cookies from advertising networks that are used to track the browsing habits of users. Google, the main sponsor of Mozilla, is not affected by this policy because Firefox gets a Google cookie at first start.

Is blocking of third-party cookies useful to avoid the tracking of browsing habits of users by third parties? Let's make a small test. We installed a fresh Firefox and disabled third-party cookies in the configuration. This configuration setting is a little bit more restrictive than the new Firefox cookie policy, but suitable for our demonstration. Afterwards we opened 3 websites and took a look at stored cookies.

1. Zeit.de (online portal of a German newspaper)

   

   All cookies were classified as first-party content but some of them are used by third-party servers.

   • The cookie "rsi_segs" is used by www.audiencescience.com for behavioral based advertising.
   • "wt3_eid" and "wt3_sid" are used by WebTrekk.
   • The cookies "__umta" ... "__umtz" are used by Google Analytics.
   • The cookie "_chartbeat2" is used by www.chartbeat.com for real-time analysis of website vistors.

   The cookies are generated and send to the tracking service by Javascript. Because these cookies are used to transfer information to third parties it is a violation of user preferences.

2. Zalando.de (commercial webshop)

   

   Zalando.de uses Javascript generated cookies too. But additional we found two cookies for the sub-domain "track.zalando.de". This domain is a DNS alias for "zalando-de01.webtrekk.net", an external server not related to Zalando.de. By using the DNS alias for loading a 1x1 pixel transparent image (webbug), it became first-party status and was able to set the cookies "wteid_xxxxx" and "wtsid_xxxxx".

3. Heise.de (German IT news portal)

   

   Heise.de is using WebTrekk too. Both methods of Zeit.de (1.) and Zalando.de (2.) are combined:

   • If Javascript is active, the cookies "wt3_eid" und "wt3_sid" are created with Javascript.
   • If Javascript was disabled, a 1x1 pixel webbug will be loaded from the sub-domain "prophet.heise.de". This sub-domain is a DNS alias for "heise02.webtrekk.net" and is used to get first-party status for the webbug. The webbug sets the cookies "wteid_xxxxx" and "wtsid_xxxxx" for tracking.

Conclusion

Tracking services are using sophisticated methods to get first-party status for their tracking elements to avoid blocking. The tracking services above are only small examples. Yahoo! Web Analytics sets a one-year, first-party, persistent cookie that includes a unique visitor ID number and is able to track 99,9% of website visitors.

It is not possible, to use first-party cookies for cross-domain tracking. These cookies are only valid and accessible within the context of one domain. But by using additional tracking features, it is possible to link tracking data of multiple domains together. WebTrekk collects Geo-location by IP address, screen size and color depth of your monitor, inner size of browser window, your preferred language, browser name and version, operating system and version, settings of Java (ON/OFF), Javascript (ON/OFF) and cookies (ON/OFF). It is possible to calculate a high quality browser fingerprint with this data. The browser fingerprint will be unique for most user and it may be possible to use it for linking tracking data over multiple domains.

To avoid tracking of your browsing habits by third parties we recommend the blocking of all cookies and Javascript. Enable session cookies or Javascript only for trusted websites if required to get it working as expected. Delete all cookies after leaving the website or at least by closing your browser. JonDoFox and JonDoBrowser are configured for this behavior. During your surf session you can delete cookies with click on the menu item "Tools - Clear Recent History" or you may hit CTRL-ALT-DEL.

SpeedPartner GmbH will perform unscheduled maintenance on the hardware running mix servers lilie/nelke/tulpe today. Please expect a downtime of about 15 minutes and reduced performance while raid disks are rebuilding afterwards.

Sorry for any inconveniences caused.

A few weeks ago we started with the roll-out a a new server software on free mix cascades. This new version contains an additionally integrity check to improve security for users of JonDonym. Unfortunately the latest version has a bug which triggers the following error message in JonDo mostly in case of server overload:

In the last two weeks we have had an overload situation on free mix cascades because of outage of the free mix cascade provided by TU Dresden and time by time because of unexpected very high traffic on free cascades. In the last case it may be possible, the overload was the result on an attack by unknown third parties to disturb the operation of mix servers.

We are working together with TU Dresden to fix the bug and together with mix operators to improve the robustness against server overload. We're sorry for any inconvenience.

Because of technical problems at TU Dresden all services provided by AN.ON for JonDonym have temporarily stopped working. Free services of JonDonym are currently low. We're sorry for any inconvenience.

More than 80% of Internet user dislike the tracking of their online behavior. But tracking is expanding more and more. Popular Web sites are far more aggressive in their tracking practices.

More Elements on Popular Websites

The project Web Privacy Census of University of California is watching the state of internet tracking and privacy over years. An increasing usage of tracking features was documented. For an example we want to show only the usage of cookies by the 100 most popular websites:

The project observed statistically significant increases in the amount of usage of sophisticated HTML5 features like DOMstorage and other EverCookies for tracking. 38% of popular websites were using EverCookies techniques in Oct. 2012. EverCookies are not easy to manage and remove by users like third-party cookies.

Because it is easy to block third-party content with modern browser more third-party aggregators are working to hide their presence in a first-party site by serving content from what are or appear to be first party servers. This approach makes it very difficult to block tracking scripts by advertising blocker. For an example you may have a look at the easy to use tracking plug-ins offered by Webtrekk for blogs, content management systems and shops.

Some tracking services doesn't use markers like cookies or EverCookies but only browser fingerprinting for surfer recognition. The demonstration project Panopticlick featured out, that more than 80% of browser have a unique fingerprint. The recognition rate increases to 94% if Flash or Java plug-ins were enabled. (How Unique Is Your Web Browser PDF). Tracking services are using more sophisticated methods and achieve 30% higher recognition rates than cookies based approaches. Other tracking services are using browser information, screen size and other values additionally for user recognition.

An increasing number of websites is using more than one tracking service. An example is the webshop Zalando. It uses the following tracking and advertiesment services: 36YIELD, ADSCALE, APPNEXUS, ATDMT, ATEMDA, CRITED, DEMDEX, DOUBLECLICK, FACEBOOK, METRIGO, OPENX, PUBMATIC, ADSERVER, SOCIOMANTIC, YIELDLAB und YIELDMANAGER.

Decreasing number of independent tracking companies

A number of families of domains and tracking services have been created through acquisition of many companies by some global player. The families are sharing collected data and achieve a large coverage of popular websites.

The larges family is Google and associated companies. The earnings of these family are 44% of the world-wide online advertising market. During the last years Google bought the following companies:

Because of this acquisitions tracking features of the Google family are present on more and more popular websites:

Other tracking families are the Overture network, Microsoft and the Yahoo! family, each with a portion of 3-8% of the world-wide online advertising market. The new cooperation of Facebook with BlueKai and Epsilon is the start of a new large tracking family.

Using of Real World Data

The tracking of our online behavior offers only an incomplete view on our interests. First steps are taken by Facebook to include real world data in profiling for proper online advertisements. A cooperation with Axciom and Datalogix was announced in February. Both databrokers operate big databases with real wold data like creditcard payments, loyalty cards at supermarkets and product warranty cards and so on.

If the information flow increased in both direction, our online activities may get more influence of our real live. A year ago Sarah Downey warns:

The harms of online tracking are real and growing. This isn't about targeted advertising, like the ad industry wants everyone to believe. This is about the collection and use of your personal information in ways you can't even imagine.

Today our online activities may decide about getting a new job or may have an influence on assurance taxes. Personally I know 3 cases of including private online activities to check job applicants by personnel managers. In one case the result was positive. In two cases the applicants were rejected mainly (but not only) because of this data.

We installed new SSL certificates on our webservers. Only the following certificates are valid now:

• For our main domains anonymous-proxy-servers.net and www.anonym-surfen.de the SHA1 fingerprint of the valid HTTPS certificate is:

  89:33:DD:4C:45:AA:33:CD:21:38:5E:79:8B:7A:38:FE:11:A8:10:A3

• For all subdomains *.anonymous-proxy-servers.net (shop.anonymous-proxy-servers.net, storage.anonymous-proxy-servers.net and others) the SHA1 fingerprint of the valid HTTPS certificate is:

  6B:99:C0:75:B5:8D:AF:E0:72:)E:BF:0B:DA:26:CD:18:36:9C:65:63

Auf einem Polizeikongress finden die Teilnehmer ein dankbares Forum, um neue Überwachungsbefugnisse zu fordern. Zentrales Thema auf dem 16. Europäischen Polizei­kongress war die Wiedereinführung der Vorrats­daten­speicherung (neudeutsch: Mindest­speicher­dauer). Heraus­ragende Gedanken äußerte BKA Vize­präsident J. Maurer: Jeder Bürger müsse eine neue Sicht auf das Internet verinnerlichen und eine Speicherung von IP-Adressen sei nicht problematisch, weil:

Wer im Internet ist, hat die Privatheit verlassen.

Diese pauschale Sichtweise würde eine Aufhebung des Post- und Fern­melde­geheimnis für E-Mails und sonstige private Kommunikation im Internet bedeuten. Das Post- und Fern­melde­geheimnis wurde nach den Erfahrungen mit der faschistischen Dikatur Mitte des letzten Jahr­hunderts als Grund­recht in allen über­geordneten Normen­katalogen verankert (UN-Menschen­rechts­konvention, EU-Grund­rechte­charta, Grund­gesetz), als Schutz­recht für Bürger gegen einen über­mächtigen (Polizei-) Staat. Für mich stellt sich die Frage, ob Herr Maurer die geeignete Einstellung hat, um verantwortungsvoll die Führung einer Polizei­behörde mit weit­reichenden geheim­dienstlichen Kompetenzen zu übernehmen.

Ein weiteres Beispiel für den Geist des Kongresses war der starke Beifall für den nordrhein-west­fälische Innenminister R. Jäger, als er die Haltung von Bundes­justiz­ministerin Leutheusser-Schnarren­berger als "nah an einer Straf­vereitelung" bezeichnete. Die Bundes­justiz­ministerin hält eine Mindest­speicher­dauer von sieben Tagen für IP-Adressen und Quick Freeze für Verbindungs­daten für ausreichend (siehe Eckpunkte­papier des BJM zur VDS, PDF). Außerdem ist für Frau Leutheusser-Schnarren­berger Anonymität ein Grund­prinzip des freien Internets.

Medial begleitet wurde der Polizeikongress mit Horror­geschichten über drohende Terror­anschläge per E-Mail oder die schlimmen Folgen fehlender Vorrats­daten­speicherung für die Aufklärung von Mord­fällen (FAZ). Der Bundes­daten­schutz­beauftragte bezeichnete den FAZ-Artikel als unredlich.

Kein Sprecher auf dem Polizeikongress konnte neue Fakten oder Studien präsentieren, welche die Notwendigkeit der Vorrats­daten­speicherung wissenschaftlich belegen. Zur Erinnerung:

• Das wissenschaftlichen Gutachten des Max-Planck-Instituts (MPI) für ausländisches und internationales Straf­recht kam zu dem Schluss, dass die Aufzählung spektakulärer Einzel­fälle nicht als Nach­weis der Notwendigkeit für eine 6-monatige Mindest­speicher­dauer genügt. Die Straf­verfolgungs­behörden haben nach Ansicht der Autoren bisher keine belastbaren Begründungen für eine Schutz­lücke im Internet liefern können.
• Die Zahlen der jährlichen Kriminalstatistiken des BKA zeigen, dass die Vorrats­daten­speicherung 2009 keinen Einfluss auf die Aufklärungs­rate und die allgemeine Entwicklung der Straf­taten im Internet hatte. Es gibt von Jahr zu Jahr mehr Straf­taten im Internet bei abnehmender Aufklärungsrate.

  	2007 (ohne VDS)	2008 (ohne VDS)	2009 (mit VDS)	2010 (ohne VDS)
  Straftaten im Internet	179.026	167.451	206.909	223.642
  Aufklärungsrate im Internet	82.9%	79.8%	75.7%	72,3%

Sicherheitspolitiker aller Ebenen sollten mehr Respekt vor Grund­prinzipien unserer Gesellschaft zeigen, statt nicht-diskussions­fähige Maximal­forderungen zu präsentieren.

Hushmail.com enjoys a good reputation for privacy friendly e-mail services or years. The EFF.org recommended in the tutotial about anonymous e-mails accounts only Hushmail.org (Don't be a Petraeus) and the German Journalist P.Beuth wants to publish a tutorial for anonymous e-mail accounts by using Hushmail.com next days in the online newspaper ZEIT.de.

JonDos does NOT recommend Hushmail.com

Have a look at the privacy policy of Hushmail.com. The content of all emails is scanned and like an extended data retention the following data records are stored for 18 month:

• all sender and recipient email addresses (data retention log)
• all file names of attachments
• subjects of all emails
• URLs in the bodies of unencrypted email
• ... "and any other information that we deem necessary"

The stored records are not deleted when you cancel your account.

When you make a purchase to buy a premium account your IP address, country, city and postal code will be transfered to third party PCI compliant services. Hushmail.com is not responsible for the privacy policy of these services. The usage of PCI compliant services may be useful for payment processors like PayPal.com but it is not required for telecommunication services. JonDos GmbH operates for years successful without using PCI compliant services.

The website of Hushmail.com uses third-party services for some parts such as the help system. After login your Hushmail ID and your name is transferred to these service on purpose (not unintentionally!). For the privacy policy of third-party services Hushmail.com is not responsible.

Recommended e-mail provider

A small list of recommended e-mail provider you may find in our online help about anonymous e-mail accounts with Mozilla Thunderbird. You may send us your recommendations by using our contact form and we will add it after checking the service.

In April 2012 the security scientist Pete Swire published a paper about trends in lawful surveillance. Intelligence services and law enforcement agencies are seeking access to stored data in the cloud and on private computers because wired interception of telecommunication is less effective.

With a new drafted law (BR-Drs. 664/12) the German government is taking a leading position in this development. For the future intelligence services and law enforcement agencies may have warrant-less access to passwords of e-mail accounts and cloud-stored data, PIN codes of smartphones and to the TR-069 interface of routers provided by Internet access provider for customers. Provider with more than 100,000 customers have to offer automated interfaces for lawful access. Smaller provider have to answer a request within 6 hours. All providers are not responsible in case of unauthorized access to user-related telecommunication data.

The German Pirate Party commented:

"This draft is not supported by constitution." (Patrick Breyer, MDL)

JonDonym storage grid

We are going for development of new services to keep your data private. For premium users we offer a storage grid, which does not have all the comfortable features of DropBox and is only accessible by webinterface (at the moment). But it implements some great security concepts:

• The storage nodes of the grid are operated by verified JonDonym operators. Because of splitting and encryption of data the operators can't inspect your uploads.
• An account is not required and no personal data is collected.
• The cryptographic keys for read/write or read-only access are included in the URI and are not linkable to a single person.
• Access to the storage grid is protected by one of the strongest anonymisation services around the world.

The project SSL Pulse tracks nearly 200,000 high profile web sites from the Alexa top one million site list and evaluates their SSL implementation. Only 10% of all sites are genuinely secure.

We want to give some small recommedations for webmaster to improve the security of HTTPS encryption. All sample configuration snippets are working for Apache2, but you may adapt it for other web servers too.

Create a SSL certificate

At first you have to create the SSL certificate and get a signature by a certification authority (CA). You may use checkdomain to get a signed certificate.

All CAs offer a comfortable webinterface to use your browser of all steps of the certificate creation process. We do NOT recommend the use of website wizards. You do not have full control over the creation of your private key. You may use the OpenSSL library to create at first the private key and a certificate signing request (CSR) afterwards on your computer:

Now you can send only the CSR to the CA and you will get the signed certificate (CRT) back.

Enable SSL encryption in your server configuration

To enable SSL encryption you have to load the module "ssl" and add the following lines to your virtual host configuration for port 443. The certificate chain file is only required time by time, please read the documentation of you preferred CA and download the bundle if required.

Restart your web server and SSL encryption is working. But SSL is a complex standard and contains may insecure features.

• Disable insecure SSL protocols

  SSL v.2.0 is "broken by design" and SSL v.3.0 is not secure any more. You have to disable both and use only TLS 1.0 - TLS 1.2. You may use the following configuration option in the file ssl.conf:

  SSLProtocol TLSv1

• Disable insecure cipher

  Disable insecure cipher suites and weak keys in ssl.conf. A year ago the security researchers Juliano Rizzo and Thai Duong presented BEAST (Browser Exploit Against SSL/TLS). Actual browsers are not affected by this attack any more. You can ignore warnings about BEAST vulnerability of your webserver. Secure settings are:

  SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!EDH:!3DES:!ADH

• Disbale TLS compression

  This year Juliano Rizzo and Thai Duong presented a new attack CRIME (Compression and Information Leakage of Plaintext). You can avoid this attack by disable TLS cempresion and do not use SPDY. For Apache2 a patch was released in November this year to fix the problem. Keep your software up-2-date.

• Enable HTTP Strict Transport Security

  HTTP Strict Transport Security is a security policy mechanism whereby a web server declares that webbrowser interact with it using only secure HTTPS connections. A HTTP header field is added by the web server to the response. This will avoid an attack which was first introduced by Moxie Marlinspike at 2009 BlackHat. To add the Strict Transport Security header you have to load the module "headers" and add the following line to your virtual host configuration:

  Header always set Strict-Transport-Security "max-age=31536000"

Security is a process and not an one-time action. Check your server time by time with the SSL server test for new vulnerabilities and fix it as soon as possible.

The EFF.org evaluated the investigation of FBI in the personal lives of CIA Director David Petraeus, Paula Broadwell, Jill Kelly and General John Allen and published A Tutorial on Anonymous Email Accounts.

1. You should use an anonymisation service when setting up and accessing your webmail account. You must always use the anonymisation service. (The EFF.org recommends Tor, but JonDonym is suited too.)
2. Use a privacy-friendly mail provider with secure SSL encryption. GMail or Yahoo! are not acceptable, but Hushmail is not the only one proper mail provider all over the world. You may find some more recommendations in our online help.
3. If an email address was required for account creation you may use disposable addresses. Do not use an email address, which is traceable to you real identity - never.
4. Use encryption to keep you mails private. The content of emails may be used for deanonymisation. OpenPGP is recommended.
5. Additional we want to add a fifth point. Do not store read or sent mails or drafts on the server of your mail provider. Stored mails are not protected by privacy law like telecommunication, if the owner was able to delete them.

Today JonDos GmbH launches a Bitcoin Shop. You my use our Bitcoin shop to buy Bitcoin anonymously and pay with Paysafecard. Paysafecard vouchers for the currencies euro and dollar are accepted.

Bitcoin is a digital currency and it uses peer-to-peer technology to operate with no central authority. Therefore, it does not depend on the monetary policy of any central bank, but rather evolves based on the user performing an activity. A long list of merchants accepts bitcoin for payment.

The theoretical roots of Bitcoin can be found in the Austrian school of economics led by Eugen v. Böhm-Bawerk, Ludwig Mises und Friedrich A. Hayek. The economists criticize the current fiat money system and the current money creation process in a fractional-reserve banking system. Friedrich A. Hayek wrote some influential publications like Denationalisation of Money (1976, PDF), in which he claims that governments should not have a monopoly over the issuance of money and for returning to money based on the gold standard.

At the moment Bitcoin is the most popular digital currency inspired by the Austrian scholl of economics. With cryptographic methods the problem of double spending was solved the the total number of available coins is limited. Therefore, it can be used for payment services.

Bitcoin is not perfect and it is discussed controversial, but we decided to support Bitcoin. Since July 2011 it is accept for payment for premium services by JonDos GmbH. Now we offer an anonymous Bitcoin Shop and you may find hints for anonymous administration of your wallet in our onine help.

Update 1: Because of licensing requirements and orders of BaFIN we can offer the Bitcoin shop only for our customers (the user of JonDonym). Please use our anonymisation service to get access to our Bitcoin shop.

Update 2: At the moment the pool of Bitcoins is sold very fast. We are working on a solution to supply the pool with new Bitcoins depending on the selling rate. But it will take a few days.