Status Report March

Tuesday, March 25. 2014

During the last week we released new versions of JonDoFox, JonDoBrowser and our live-cd/dvd.

Changes for JonDoFox extension for Firefox
  • Because plug-in enumeration is used by many browser fingerprinters for tracking, all plug-ins except Flash are disabled in no-proxy mode too. The following rules were implemented:

    • JonDo mode: You may enable Flash in the JonDoFox settings but it is not(!) recommended. Please read our hints about Flash player security and remaining risks before you think about activating Flash.

    • Tor mode: Flash is disabled like all other plug-ins to match the behavior of TorBrowser.

    • No-proxy mode: Flash is activated but applets are blocked by NoScript. You have to enable each applet by mouse click. If a website really needs another plug-in, you may activate it temporarily with the add-on manager of Firefox.

  • Downloads are not added to the recent documents of the Windows desktop to avoid traces on disk, and the form-fill assistance was disabled for privacy reasons.

  • Added an option to the config dialog to always set the proxy to JonDo on start.

  • Added a function to reset all values to the JonDoFox defaults by resetting "extensions.jondofox.firstStart" and restarting the browser.

  • Set user agent fakes to the latest Firefox versions

  • Several small bug-fixes were implemented.

Changes for JonDoFox profile

The add-ons and the bookmarks for temporary email accounts were updated in the JonDoFox profile. If you kept your add-ons up to date, there is no reason to update the profile at all.

Changes for JonDoBrowser

JonDoBrowser 0.14 was built with Firefox 24.4.0 esr and contains the new JonDoFox profile.

For Linux and Debian packages a complete rewrite of the build scripts was done to simplify further development and maintenance. Search engine plug-ins were moved from the user profile to the browser to keep them up to date without profile updates in the future. The Linux version contains an install script for system-wide installation. If the install script was used, and for Debian packages, Hunspell dictionaries are used for spellcheck.

JonDoBrowser for MacOS is not ready for download because of unsolved problems with the new build scripts. In the future we will provide JonDoBrowser only for MacOS 10.9+. Because a 64 bit CPU is required for MacOS 10.9, we will not provide a 32 bit version any more. Affected users may use Firefox with the JonDoFox profile.

Update: JonDoBrowser 0.14 for MacOS (64 Bit) is ready for Download now.

Changes for JonDo live-cd/dvd

The new version of our live-cd/dvd contains security relevant software updates and some small improvements for usage. An update is highly recommended.

SSL certificate for IP-Check.info

Wednesday, March 5. 2014

We installed a new SSL certificate for our anonymity test ip-check.info. The new certificate is signed by "Go Daddy Root Certificate Authority - G2". We changed the certification authority to get a SHA2 signed certificate.

SHA1 fingerprint of the new SSL certificate is: A0:F0:8A:FB:1C:09:DF:56:C2:70:EC:3C:E3:84:31:9C:E4:A1:3D:41

New Live-CD/DVD release

Monday, March 3. 2014

A new release of our live-cd/dvd is ready for download. Changes in version 0.9.52:

  • JonDoBrowser:

    1. Updates for add-ons: no proxy exceptions are possible for security reasons.

    2. JonDoBrowser uses hunspell dictionaries for spellcheck.

  • Icedove:

    1. A patch of TorBirdy enforces the recommendations for "on_startup_login = false" and "download_on_biff = false" for new accounts. Because of a bug in Thunderbird/Icedove the default settings don't apply for new accounts.

    2. Fixed keyserver usage in Tor mode. SSL encryption for keyservers is enforced in general by the GnuPG configuration of the live-cd. It is not possible to use Tor hidden HKP servers with this configuration. Now HKPS keyservers are used in Tor mode too.

    3. Removed all proxy exceptions in JonDo mode and Tor mode for security reasons.

  • Pre-configured Pidgin accounts:

    1. Added XMPP service of Calyx Institut.org (normal web and Tor hidden XMPP server).

    2. Removed dukgo XMPP service because of bad SSL encryption.

    3. Removed Wikileaks IRC because it was closed and anonop.us because it has been down for a long time.

    4. To use the pre-configured Tor hidden services you have to start Tor with Vidalia. This is independent of the default proxy configuration you can choose on Pidgin startup.

  • You can select Tor hidden servers for Electrum Bitcoin client on startup.

  • Some small improvements for Italian localization.

  • Software updates for Jitsi, MAT, libgnutls-openssl27, libgnutls26, libgnutlsxx27, libmagic1, file

An update is recommended.

SSL certificate checks

Sunday, December 15. 2013

The danger of man-in-the-middle attacks with fraudulent SSL certificates is not only theoretical but real. Two weeks ago criminals attacked the users of BitcoinTalk to get login credentials with a man-in-the-middle attack on SSL connections.

Government agencies are able to use valid SSL certificates for man-in-the-middle attacks (see: Certified Lies - Detecting and Defeating Government Interception Attacks against SSL (PDF), EFF.org, 2009). You may find suppliers of plug-and-play ready black boxes for "Lawful SSL Interception" by browsing the SpyFiles of Wikileaks (e.g. ClearTrail, an Indian company). The ISS world 2014 in Dubai will present the latest technologies in Track 4: Encrypted Traffic Monitoring and IT Intrusion.

Additional SSL certificate checks in JonDoFox

With JonDoFox 2.9.0 / JonDoBrowser 0.12 we modified the additional checks of SSL certificates. In order to provide better protection you may use the SSL observatory of EFF.org or you may use Certificate Patrol with a local database.

JonDoFox settings
  1. SSL observatory of EFF.org

    You may use the SSL observatory of the Electronic Frontier Foundation (EFF.org). In this case the certificate fingerprint and domain name of SSL encrypted websites will be sent to the observatory and compared with the certificates sent by other users. The large database of worldwide collected certificates is the advantage of this solution. You will get a warning if something is wrong with your certificate.

    warning about wrong SSL certificates

    By default the SSL observatory is only used together with JonDo. You may change the settings yourself to match your individual requirements.

  2. Certificate Patrol

    Alternatively you may use the Certificate Patrol feature of JonDoFox. In this case a local database is used to store all websites visited via HTTPS together with some information about the SSL certificate. You will get a warning if the certificate changes unexpectedly on later visits.

    warning about wrong SSL certificates

    You may have a look at the certificate change and may accept it or not. (It's up to you to decide.)

    changes of SSL certificate

    The example shows a strong warning. The certification authority switched to Verisign (VeriSign NetDiscovery has been working since 2002 in assistance for law enforcement) and the old certificate was valid for a long time but was replaced unexpectedly. Both features are strong indications of a man-in-the-middle attack but not proof. You may check the website to see whether a new SSL certificate was announced, or you may ask the webmaster.

    By using Certificate Patrol a third party has no means to get that saved data.
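The local-database check described above can be sketched as follows. This is an added example, not code from Certificate Patrol or JonDoFox; the record fields, the level names and the 30-day renewal window are assumptions, and the sample certificates are constructed.

```javascript
// Added illustration of a Certificate Patrol style check; not the add-on's code.
// Record fields, level names and the 30-day renewal window are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;
const RENEWAL_WINDOW_DAYS = 30;

// "a0:f0:..." and "A0F0..." describe the same certificate
const normalize = (fp) => fp.replace(/[^0-9a-f]/gi, "").toUpperCase();

class CertStore {
  constructor() {
    this.seen = new Map(); // host -> last accepted { fingerprint, issuer, notAfter }
  }

  // Compare the certificate presented now with the one stored for this host.
  check(host, cert, now) {
    const old = this.seen.get(host);
    if (!old) {
      this.seen.set(host, cert); // first visit: trust on first use
      return { level: "new", reasons: [] };
    }
    if (normalize(old.fingerprint) === normalize(cert.fingerprint)) {
      return { level: "ok", reasons: [] };
    }
    const reasons = [];
    if (old.issuer !== cert.issuer) reasons.push("certification authority changed");
    const daysLeft = Math.floor((old.notAfter - now) / DAY_MS);
    if (daysLeft > RENEWAL_WINDOW_DAYS) {
      reasons.push(`old certificate was still valid for ${daysLeft} days`);
    }
    // The stored record is NOT replaced here: the user decides via accept().
    return { level: ["low", "medium", "strong"][reasons.length], reasons };
  }

  accept(host, cert) {
    this.seen.set(host, cert);
  }
}

// Constructed sample records (fingerprints, CA names and dates are made up)
const first = { fingerprint: "AA:11:22:33", issuer: "Example CA One", notAfter: new Date("2015-06-01") };
const swapped = { fingerprint: "BB:44:55:66", issuer: "Example CA Two", notAfter: new Date("2016-01-01") };
```

Because `check()` never overwrites the stored record on a change, a rejected certificate keeps triggering the warning on every later visit until the user calls `accept()`.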

JonDoFox user agent

Friday, November 8. 2013

With release version 2.8.0 of JonDoFox we changed the definition of the anonymity group of JonDonym users. Firefox 24 (Linux, i686) is now used to fake the user agent of the JonDoFox browser: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0

Reasons for the change are:

  • After analysing publications on real-world browser fingerprinting, some old assumptions were corrected.

  • We don't want to use a fake of a Windows browser any more. That is a bit of obscurity (not security).

The new fake is only fully plausible if you are using Firefox 24esr. Firefox 17esr and Firefox 24esr have small differences in Javascript values, which may be used for browser fingerprinting. Javascript is blocked by default in JonDoFox, but from time to time it will be enabled. We recommend an update to Firefox 24esr for all JonDoFox users.

Full set of user agent fake parameters for do-it-yourselfers:

Preference                     Value
general.useragent.override     Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0
general.appname.override       Netscape
general.appversion.override    5.0 (X11)
general.buildID.override       0
general.oscpu.override         Linux i686
general.platform.override      Linux i686
general.productsub.override    20100101
general.useragent.vendor       (empty)
general.useragent.vendorSub    (empty)
intl.accept_languages          en-US,en
network.http.accept.default    text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
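A fake is only plausible if the override values agree with each other, so the relationships visible in the parameter list above can be written as a consistency check. This is an added example, not JonDoFox code; it models only the X11 layout shown on this page, the function names are assumptions, and the second preference set is constructed.

```javascript
// Added illustration, not JonDoFox code. It encodes how the values in the
// page's parameter list relate to the User-Agent string (X11 layout only).
function expectedFromUserAgent(ua) {
  const m = /^Mozilla\/(\d+\.\d+) \((X11); ([^;]+); rv:([\d.]+)\) Gecko\/(\d{8}) Firefox\/([\d.]+)$/.exec(ua);
  if (!m) return null;
  const [, mozilla, windowing, os, rv, geckoDate, firefox] = m;
  return {
    rvMatches: rv === firefox,
    prefs: {
      "general.appname.override": "Netscape",
      "general.appversion.override": `${mozilla} (${windowing})`,
      "general.oscpu.override": os,
      "general.platform.override": os,
      "general.productsub.override": geckoDate,
    },
  };
}

// Return a list of human-readable mismatches; an empty list means coherent.
function findInconsistencies(prefs) {
  const exp = expectedFromUserAgent(prefs["general.useragent.override"] || "");
  if (!exp) return ["user agent string is not in the X11 Firefox layout"];
  const problems = exp.rvMatches ? [] : ["rv: token differs from the Firefox/ version"];
  for (const [name, want] of Object.entries(exp.prefs)) {
    if (prefs[name] !== want) problems.push(`${name}: expected "${want}", got "${prefs[name]}"`);
  }
  return problems;
}

// Values taken from the page's parameter list
const PAGE_PREFS = {
  "general.useragent.override": "Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0",
  "general.appname.override": "Netscape",
  "general.appversion.override": "5.0 (X11)",
  "general.oscpu.override": "Linux i686",
  "general.platform.override": "Linux i686",
  "general.productsub.override": "20100101",
};

// Constructed example: UA string updated, two values left over from a Windows fake
const STALE_PREFS = {
  ...PAGE_PREFS,
  "general.oscpu.override": "Windows NT 6.1",
  "general.platform.override": "Win32",
};
```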

Release of JonDoBrowser 0.11 beta (based on Firefox 24.1.0) is scheduled for Monday. The new live-cd will follow 2 days later.

Part-Time developer for JonDoBrowser

Wednesday, September 25. 2013

We are looking for an enthusiastic developer to support us in improving the free JonDoFox/JonDoBrowser as a side job or part-time job. In particular, we aim to enhance the software into an even more user-friendly browser for anonymous web surfing in the scope of the JonDonym anonymisation system.

Prerequisites: Interest or experiences in

  • JavaScript programming or Firefox browser extensions
  • online tracking techniques and online anonymity
  • C++

Preferably, add a programming example of your work to your application, and some short comments on what you did in the area of software development before.

Whoever wants to support playing tricks on prism is invited hereby! Please write to: support [at] jondos.de (OpenPGP: 0xF1305880).

JonDoBrowser 0.7 - Status Report

Tuesday, June 4. 2013
Top 5 things for the JonDoBrowser 0.7 were:

1) Releasing JonDoBrowser 0.7 (scheduled for May 20, 2013): Done.
2) Integration of partial updates into the update patch for Linux systems: Not done, postponed.
3) Integrating a better compression algorithm for JonDoBrowser packages on Linux systems into the build script: Done.
4) Mozilla's reftests test suite shall work flawlessly with JonDoBrowser: Not done, postponed.
5) Removing a duplicate UnPlug in the extensions directory of the profile as this is probably causing issues during the first start of JonDoBrowser on Linux: Done.

Miscellaneous:

- patch for defense against tracking with HTTP authentication created
- removed awxcnx.de bookmark
- build documentation for JonDoFox and JonDoBrowser updated/created

ToDo for the 1.0-Release:

1) Update mechanism for Windows, Mac OS X and Linux
2) Integration of JonDo into the JonDoBrowser (Windows only)
3) Making JonDoBrowser compatible with Mozilla's test suites

Planned Maintenance

Monday, June 3. 2013

Because of planned maintenance the following services of JonDos GmbH will be unavailable for a short time tomorrow morning:

  • IP check
  • Sales of premium accounts (JonDo and webshop will be affected)
  • E-mail services of JonDos GmbH
  • Subversion repository of JonDos GmbH

We're sorry for any inconvenience, but hope that the interruption will only last for 30-60 minutes.

JonDo Live-CD / DVD v. 0.9.43

Thursday, May 23. 2013

A new release of our live-cd/dvd is ready for download. It supports LUKS-encrypted persistent storage on USB sticks or USB hard drives. You may use the wizard to prepare a persistent storage medium and keep your data files and settings across reboots.

We re-added the I2P router with a suitable configuration for live systems and added the client software for Wuala cloud storage. Contrary to Dropbox and other cloud services all files are encrypted before upload by Wuala. JonDoBrowser, Jitsi and others were updated to latest release versions.

JonDo Error Message

Friday, May 3. 2013

A few weeks ago we started the roll-out of a new server software on free mix cascades. This new version contains an additional integrity check to improve security for users of JonDonym. Unfortunately the latest version has a bug which triggers the following error message in JonDo, mostly in case of server overload:

error message

In the last two weeks we have had an overload situation on free mix cascades because of an outage of the free mix cascade provided by TU Dresden and from time to time because of unexpectedly high traffic on free cascades. In the latter case it is possible that the overload was the result of an attack by unknown third parties to disturb the operation of mix servers.

We are working together with TU Dresden to fix the bug and together with mix operators to improve the robustness against server overload. We're sorry for any inconvenience.

HTTPS Certificate Updates

Friday, February 22. 2013

We installed new SSL certificates on our webservers. Only the following certificates are valid now:

  • For our main domains anonymous-proxy-servers.net and www.anonym-surfen.de the SHA1 fingerprint of the valid HTTPS certificate is: 89:33:DD:4C:45:AA:33:CD:21:38:5E:79:8B:7A:38:FE:11:A8:10:A3

  • For all subdomains *.anonymous-proxy-servers.net the SHA1 fingerprint of the HTTPS certificate is: 6B:99:C0:75:B5:8D:AF:E0:72:)E:BF:0B:DA:26:CD:18:36:9C:65:63

Buy Bitcoin anonymous

Thursday, November 15. 2012

Today JonDos GmbH launches a Bitcoin Shop. You may use our Bitcoin shop to buy Bitcoin anonymously and pay with Paysafecard. Paysafecard vouchers for the currencies euro and dollar are accepted.

Bitcoin is a digital currency and it uses peer-to-peer technology to operate with no central authority. Therefore, it does not depend on the monetary policy of any central bank, but rather evolves based on the user performing an activity. A long list of merchants accepts bitcoin for payment.

The theoretical roots of Bitcoin can be found in the Austrian school of economics led by Eugen v. Böhm-Bawerk, Ludwig Mises and Friedrich A. Hayek. The economists criticize the current fiat money system and the current money creation process in a fractional-reserve banking system. Friedrich A. Hayek wrote some influential publications like Denationalisation of Money (1976, PDF), in which he claims that governments should not have a monopoly over the issuance of money and argues for returning to money based on the gold standard.

At the moment Bitcoin is the most popular digital currency inspired by the Austrian school of economics. With cryptographic methods the problem of double spending was solved and the total number of available coins is limited. Therefore, it can be used for payment services.

Bitcoin is not perfect and it is discussed controversially, but we decided to support Bitcoin. Since July 2011 it has been accepted for payment for premium services by JonDos GmbH. Now we offer an anonymous Bitcoin Shop and you may find hints for anonymous administration of your wallet in our online help.

Update 1: Because of licensing requirements and orders of BaFIN we can offer the Bitcoin shop only to our customers (the users of JonDonym). Please use our anonymisation service to get access to our Bitcoin shop.

Update 2: At the moment the pool of Bitcoins is sold very fast. We are working on a solution to supply the pool with new Bitcoins depending on the selling rate. But it will take a few days.

New JonDo Live-CD / DVD released

Wednesday, October 17. 2012

Version 0.9.29 is a major release of our live-cd. It is based on Debian "wheezy", offers improved hardware support and contains many bugfixes and other improvements. The new privacy-friendly browser JonDoBrowser is installed for web surfing.

To meet the wishes of different user groups we offer two versions for download:

  1. The CD version for anonymous internet communication with some small office tools
  2. The DVD version with more office programs, tools for image manipulation, website development...

Download JonDo Live-CD / DVD

TorBirdy 0.0.13.1

Thursday, October 4. 2012

A new release of the Thunderbird add-on TorBirdy is now out. TorBirdy is the safest way to manage anonymous e-mail accounts with Mozilla Thunderbird together with anonymisation services like JonDonym or Tor but it's still quite experimental.

Download TorBirdy 0.0.13.1

How to use Thunderbird with JonDonym

Thursday, August 30. 2012

We recommend the usage of Mozilla Thunderbird for anonymous e-mail accounts and explained the reasons in the former blog post Secure your E-Mail Usage.

The Thunderbird add-on TorBirdy simplifies the configuration of Thunderbird and implements security features for anonymous e-mail usage. We offer a newer version for download with small bugfixes and improvements, which are not yet available in the TorBirdy release published on the Mozilla add-on page. You may find install instructions and download links in our online help on the page Anonymous e-mail accounts with Thunderbird.