Sunday, June 30. 2013

I am leaving JonDos and I thought I'd take the opportunity to thank all our users who made that adventure happen for me in the last 4 and a half years. Stay engaged. It is more needed than ever. A special thanks goes to Rolf Wendolsky, a.k.a. jondos. Not many would have considered employing me. I won't forget that.

JonDoBrowser 0.7 - Status Report

Tuesday, June 4. 2013
Top 5 things for the JonDoBrowser 0.7 were:

1) Releasing JonDoBrowser 0.7 (scheduled for May 20, 2013): Done.
2) Integration of partial updates into the update patch for Linux systems: Not done, postponed.
3) Integrating a better compression algorithm for JonDoBrowser packages on Linux systems into the build script: Done.
4) Mozilla's reftests test suite shall work flawlessly with JonDoBrowser: Not done, postponed.
5) Removing a duplicates UnPlug in the extensions directory of the profile as this is probably causing issues during the first start of JonDoBrowser on Linux: Done.


- patch for defense against tracking with HTTP authentication created
- removed awxcnx.de bookmark
- build documentation for JonDoFox and JonDoBrowser updated/created

ToDo for the 1.0-Release:

1) Update mechanism for Windows, Mac OS X and Linux
2) Integration of JonDo into the JonDoBrowser (Windows only)
3) Making JonDoBrowser compatible with Mozilla's test suites

JonDoBrowser 0.6 - Status Report

Tuesday, April 16. 2013

In the future the JonDoBrowser shall replace the JonDoFox profile in order to allow an even better protection against tracking on the Web. As the development is already on its way since a while we would like to deliver a short status report every six weeks from now on. That would hopefully give users an idea about where we are now and what still remains to do:

The top 5 things we did during the last six weeks:

1) Worked on the update mechanism (full updates are working on Linux now)
2) We disabled SSL 3.0 by default. If there are problems, please report them!
3) Disabled the annoying add-on bar and moved the UnPlug icon to the toolbar.
4) Reported possible problems for the protection against tracking with HTTP authentication to Mozilla.
5) Released JonDoBrowser 0.6

Top 5 things for the coming weeks:

1) Releasing JonDoBrowser 0.7 (scheduled for May 20, 2013)
2) Integration of partial updates into the update patch for Linux systems
3) Integrating a better compression algorithm for JonDoBrowser packages on Linux systems into the build script
4) Mozilla's reftests test suite shall work flawlessly with JonDoBrowser.
5) Removing a duplicated UnPlug in the extensions directory of the profile as this is probably causing issues during the first start of JonDoBrowser on Linux

ToDo for the 1.0-Release:

1) Update mechanism for Windows, Mac OS X and Linux
2) Integration of JonDo into the JonDoBrowser (Windows only)
3) Making JonDoBrowser compatible with Mozilla's test suites

Data retention in the European Union: A call to action

Wednesday, September 7. 2011

The EU Directive 2006/24/EC on the retention of data was adopted within the framework of regulating the Single Market, allegedly to harmonize competitive conditions of telecommunication providers and to provide uniform conditions for prosecutors. 5 years after adopting this directive the differences are larger than before.

  • In Sweden and Ireland the governments have refused to implement the data retention into national law.
  • In Romania and Czechia the constitutional courts have declared the data retention is violating the respective constitution and annulled it. In the decision of the romanian constitutional court it is said the data retention violates article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms. The data retention was brought before the European Court of Human Rights but it has not decided on it yet.
  • In Great Britain the new coalition between Conservatives and Liberal Democrats agreed upon stopping the retention of Internet and e-mail protocols without reasonable cause. This agreement is not implemented yet.

Some countries like Slovakia, Austria, Norway and Switzerland are looking about the requirements stemming from Brussels regarding the implementation. In the Netherlands the EC directive is implemented in national law but the senate expressed fundamental critique concerning the data retention.

Some countries are exceeding the requirements set by Brussels considerably:

  • In Bulgaria it is possible to get the retentioned data even after minor offenses. In Hungary prosecutors get the retentioned data without having to give any reasons for it at all. But the EC directive is mandating a limitation on the prosecution of serious crimes.
  • In Denmark the Internet services providers have to log the sender and recipient of every 500th TCP packet additionally. This data is not adequate to prosecute crimes at hand. Rather it may get used for dragnet surveillance.
  • In France exists a 12 month storage period. In Italy telephone connections have to be saved for 29 months.
Situation in Germany

In Germany the dispute about the data retention is not settled yet. The federal constituional court has annulled the until March 2010 valid law but argued that it is possible to implement the EC directive in a constitutional way.

Chancellor Merkel and some members of the federal government are pressing for a new law for the data retention.

"Wir sind uns gewahr, dass im Bereich der Vorratsdatenspeicherung noch eine Liefernotwendigkeit besteht." (We are aware that there is still some kind of delivery need in the area of data retention.)

Home Secretary Friedrich sees a danger due to islamistic terror attacks in Germany and the data retention as a necessary tool for the anti terror measures.

The civil society is resisting the restriction of civil rights. Thus, we want to suggest two roads of action and ask for your support:

  • There is the demonstration Freedom not Fear in Berlin on next saturday.
  • Further, one can sign a ePetition against the data retention:
    "Der Deutsche Bundestag möge beschließen, dass die verdachtlose Vorratsdatenspeicherung nicht zulässig ist. Darüber hinaus möge er die Bundesregierung auffordern, sich für eine Aufhebung der entsprechenden EU-Richtlinie und für ein europaweites Verbot der Vorratsdatenspeicherung einzusetzen." (The German Bundestag may establish that the data retention without suspicion is not allowed. Furthermore, it may request the german government to campaign for annulling the respective EC directive and for an european prohibition of a data retention.)

The old trick with the e-mail

Monday, April 11. 2011

The warning of dangerous e-mail attachments has already been reiterated many times. Nevertheless, attackers are still succeeding with this method even in the 21. century. Especially regarding targeted attacks against computers of particular persons, companies or governmental institutions is this well-known method promising.

In 2008 were chinese crackers able to infect computers of western governments and the Dalai Lama during the so-called Ghostnet operation. Prepared PDF documents sent with an e-mail were used.

In 2009 were the Royal Navy and some bases of the Royal Air Force hit by a computer worm. The infection occurred via e-mail and the total breakdown of the mail system was a consequence. Parts of the e-mail traffic was redirected to russian servers.

Three weeks ago the company RSA was successfully attacked via infected e-mails. Those e-mails had an Excel file with an embedded Flash file attached. The spreadsheet contained an exploit that installed a backdoor using a vulnerability in Adobe's Flash Player. The backdoor in turn was used to obtain access to sensitive data.

Under these circumstances do we want to reiterate the following advices concerning e-mail security:
  • Read e-mails as plain text and not in HTML.
  • Deactivate the display of attachments inline.
  • Be suspicious against attachments sent unrequested.
  • Almost every file format may be used as a vehicle for malware. Besides EXE and PAF files caution is recommended above all concerning PDF and Office files. But even TIFF or JPEG pictures could compromise the computer.

Bittersweet cookies

Monday, March 28. 2011

About one month ago a study done by the European Network and Information Agency (ENISA) was published that was concerned with new types of cookies. These cookies (e.g. Flash cookies) are characterized by their capability to save much larger amounts of information than normal HTTP cookies. Furthermore, they are usually much harder to control as they are often not assessable by the cookie management of the browser. According to the authors of this study the security and privacy problems that accompany those cookies shall be countered by a set of different requirements: First, users must be able to consent in a meaningful way (i.e. informed consent is required) when receiving/sending such cookies. Moreover, they should be easy to handle and to delete. Their storage outside the control of the browser should, if at all, be limited. And, finally, there should be other services providing the same functionality but without the need for accepting and/or sending cookies.

Even if these requirements are legitimate it is very questionable whether they can be put into force within the future having the history of traditional cookies and the struggle for shaping them in a privacy-friendly manner in mind. Until then, only special browser add-ons or profiles, like JonDoFox, are mitigating the tracking risk accompanying those cookies while surfing the Web.

User tracking beyond cookies

Wednesday, March 2. 2011
Cookies as one means of tracking users are known to almost everybody now at least by name. Scientists at Microsoft Research in Silicon Valley recently have found a way to track users which lets cookies seem to be very old-fashioned as Technology Review reports (german link). Using this new method it is determined whether the IP of a user belongs to her working place, or her home computer or her traveling laptop. This is achieved using statistical models created out of log files and software update and email services (see: http://research.microsoft.com/pubs/139079/hotnets10.pdf). Even though this technique is not widely used yet it is just a matter of time until this is going to change as the user itself cannot configure her web browser or email client properly to avoid this kind of tracking in the same way as this may be done e.g. with cookies. However, the user is by no means helpless against this new way of getting tracked as she can deploy anonymization services like JonDonym which reliably protects her against that threat.

Access Blocking Made in EU

Friday, January 21. 2011

At the beginning of February 2011 the Civil Liberties Committee of the European Parliament will decide whether mandatory EU-wide web blocking should be introduced. Using the pretext of fighting against child pornography all members of the European Union shall build an blocking infrastructure to be able to prevent access to ndexed websites effectively. The 2007 Commission impact assessment on terrorism said that the adoption of blocking measures necessarily implies a restriction of human rights, in particular the freedom of expression. Human rights organisations like EDRi.org und Bits of Freedom are currently campaigning against access blocking. Support is welcome!

Deleting child pornography works well

The German AK Zensur deleted 2009 within 12 hours 60 websites containing child pornography. It checked the danish blacklist and websites blocked for 2 years were deleted within 30 minutes. In 2010 99,4% of all reported websites with child sexual abuse material were deleted. (German news here, maybe an english translation is coming soon).

Number of websites
Total reported 656
deleted by INHOPE 448
deleted by foreign ISPs 204
no sexual abuse material 2

While deleting those 652 websites evidence for a criminal prosecution was also seized by the provider.

As the discussion concerning the data retention already showed: the proposed action does not make sense to achieve the stated goal. The restriction of fundamental rights cannot be justified by the needs of criminal prosecution.

French law Loppsi 2 adopted by the General Assembly

The Loppsi 2 law (law on guidelines and programming for the performance of internal security) was approved by the French General Assembly. The law which asks ISPs to block Internet sites deemed to have child pornographic content, now includes a version that will no longer require a previous judicial approval, which is actually against the French Constitution.

User tracking via JavaScript

Wednesday, December 15. 2010
We have been blogging here before on history sniffing attacks showing that this kind of attack is a real threat to users. Recently, a paper has been published by scientists of the University of California in San Diego examining this and other attacks in a broader context. They checked the top 50.000 websites concluding that

"485 of the top 50.000 sites inspect style properties that can be used to infer the browser's history. Out of 485 sites, 63 transferred the browser's history to the network [and] 46 of them are actually doing history sniffing, one of these sites in the Alexa global top 100." (quoted from here).

Besides this well known attack they examined the deployment of other JavaScript means to track the user. The so-called attention tracking tries to determine how the user is behaving on a visited website. Is she scrolling or clicking somewhere? Or did she have her mouse over a particular link? The scientists found that a lot of the top 100 sites, including youtube.com and microsoft.com, are using these means to learn things about a current visitor.
Therefore, the lesson for us is: use the JonDoFox profile and try to avoid enabling JavaScript as often as you can, if your privacy is important to you.

Chrome and Safari leak IP address

Tuesday, December 7. 2010
Google's Chrome and Apple's Safari leak the user's IP address as a FTP test, recently implemented into our anonymity test suite, shows. Browsers based on WebKit seem to disregard their FTP proxy settings and fetch respective content directly. This is entirely independent of the particular anonymization service used. For instance, Tor users having Chrome or Safari as their browser are affected as well. Therefore, we strongly recommend to use a browser not based on WebKit, e.g. Firefox (with our privacy enhancing profile JonDoFox), in order to use the Internet anonymously.

Firesheep and JonDonym

Thursday, December 2. 2010

The Firefox extension Firesheep has caused a certain fuzz in the media some weeks ago (see e.g. lifehacker or Forbes). With its help one may sniff open WLANs and steal session cookies to hijack an active user session. In order to avoid this several solutions have been proposed. On the one hand one can try to detect Firesheep itself and act accordingly. On the other hand there is an option to flood the network with packets in order to impair Firesheep's functionality. Or, as a third and best choice, one just uses services that are only provided by SSL secured connections. Unfortunately, the latter is not available for services like Twitter that only secure the login page but not the session identifier.

Irrespective of which protective means a user deploys (if one at all) if one is using JonDonym Firesheep is not dangerous due to the fact that all traffic is already encrypted on the users' computer. That means an attacker using a WLAN or an Internet Service Provider is not able to get the sensitive data to hijack a particular session, be it provided by an unsecured or a secured (SSL) connection.

But, of course, the things just said only apply if one has no malware on the computer. That means in the current context to avoid just installing unreviewed browser extensions as these could easily contain Firesheep's (or similar) sniffing code without that being detected while surfing the Web.

Facebook ID data leak

Monday, November 8. 2010
Three weeks ago there was some fuzz in the media about a new Facebook data leak. The problem was that a lot of Facebook applications, small pieces of software usually made by third parties allowing e.g. to play games, were transmitting users' Facebook IDs to outside companies. This was done by an HTTP Header, the Referer. As a result, some people were demanding that browser vendors should embrace privacy by default and block or at least modify the Referer properly in order to avoid such data leaks. Meanwhile, the user has just the option to deactivate or somehow modify the Referer in order to mitigate the problem. Deactivating the Referer is not a good solution as it often breaks the web. Thus, modifying the Referer seems the only viable option here. This is done best within the browser e.g. by an extension. We therefore included that particular functionality into our JonDoFox extension a while ago: Basically, the Referer is now deleted if a user surfs to a new domain but kept if she just surfs to a subdomain. That does not give domain owners any clue from which other domain a user was coming while it at the same time does not break the Web as some sites need the Referer for internal aims.

EU data rentention is useless

Wednesday, September 22. 2010
The Federal Criminal Police Office has published the crime statistics for the year 2009. As the EU data retention law was in force during the whole year 2009 in Germany, we can check the success rate of this data retention (DR) for preventing crimes and solving cases by comparison to former statistics:

(without DR)
(without DR)
(with DR)
total number of crimes 6.284.661 6.114.128 6.054.330
solved (total) 55.0% 54.8% 55.6%
Internet related crimes 179.026 167.451 206.909
solved (Internet) 82.9% 79.8% 75.7%
The rate of solved Internet related crimes is much higher than the rate of solved crimes in general, even without the data retention. Further, the data retention does not prevent crimes and does not increase the rate of solved crimes related to the Internet. Therefore: we do not need that data retention!

Study about entering personal information on the Internet

Tuesday, September 14. 2010
In order to surf the Web anonymously it is not enough to hide ones IP address. Additionally, a specially adapted browser, like JonDoFox, is needed to filter browsing data that could lead to an identification of the user. But even this is sometimes not sufficient as researchers of the Carnegie Mellon University have shown. They investigated if and under which circumstances users can be lured into revealing personal information while surfing the Internet. The researchers set up three differently designed web sites where the users should answer several personal questions. The surprising result was that web sites designed less professionally got more personal information. One third of the users entered even their email address on the least respectable looking website which lead in fifty percent of the cases to an identification of the person behind it. The obvious reasoning was that these sites do not so much aim to get personal information of their visitors which was clearly wrong.

As a conclusion we can say that even if we use anonymizing tools, like JonDo and JonDoFox, there is no way to guarantee our anonymity on the net if we are not cautious while offering personal information.

Private browsing mode does not safeguard privacy while surfing the Web

Tuesday, August 10. 2010
As browser vendors have implemented so-called private browsing modes, people might think that separate anonymity and/or privay enhancing software is not needed at all. But recent research has shown that this assumption is wrong. There exist many data leaks be it in the browser itself or in installable extensions. For instance, self-signed certificates installed in normal browsing mode are as well available in private mode, thus allowing to connect both states and potentially track the user's surfing habits. But even if the private browsing mode worked like it should, the biggest threat of loosing one's anonymity is unmitigated: leaking the IP address. Therefore, in order to protect your privacy properly while surfing the Web (in private as well as in normal browsing mode) carefully crafted tools, like JonDonym and JonDoFox, are still indispensible.