Use cases

From JonDonym Wiki
Revision as of 05:57, 17 April 2010 by AnonymousTerrorist (Talk | contribs)


Help needed:

  • Fill in missing information, transfer from the JAP forum
  • Fix what's incorrect, retest what's reported from long ago, update what's outdated
  • Add notable and useful services that you discover and that are not yet listed here:
    • Most wanted: Privacy-friendly and JS-free: webmail, anomailers, receive-only mail, file hosting in all flavors, HTML 5 Theora video hosting, YouTube download helpers, web search engines, PDF to HTML and DOC/DOCX to HTML converters
    • Don't include "interesting" single wikis or forums (except strongly JAP or privacy related), as there are far too many of them
  • When a service breaks (no longer online, no longer free, no longer works without JS, etc.), label it accordingly, rather than removing it completely from here
  • Translate this into German, keep English and German versions equivalent
  • Contact the providers of painful or incompatible services and ask them to improve compatibility: no JS requirement, video with HTML 5 instead of Flash, no Java plugin, HTML instead of PDF. As arguments you can point to privacy, security (avoiding JS+Java+Flash very effectively blocks all sorts of fraud and malware distribution) as well as compatibility with non-mainstream browsers (although such are not ideal for privacy), see also Anybrowser Campaign (video not mentioned), and finally free and open standards and software ideals (HTML 5 is compliant, while Flash isn't). If many people complain, things may improve one day.

Web browser - anonymous WWW surfing general notes

If you are surfing the web via JonDo using JonDoFox, your IP address and the characteristics of your browser are anonymized. But you should in any case pay attention to the following notes while surfing, because otherwise JonDonym is not able to protect you:

  • If possible, enter personal data on web sites only if they are secured by HTTPS. For these sites JonDoFox shows a blue or green bar within the address bar.
  • If possible, enter your correct personal data only if you want to order a physical product. In all other cases you should use imagined identities and not use login names more than once.
  • Use different, randomly generated and preferably long passwords for each web service. You may use password programs like KeePass, in order to generate identities and passwords automatically and save them securely.
  • Avoid Flash and Java applications. Download web videos instead of viewing them directly in your browser.
  • Deactivate Flash and JavaScript in the settings of your Acrobat Reader. Do not display PDF documents inside your browser.
  • Allow JavaScript only if you absolutely need it.
  • Allow cookies just temporarily. Do not use Google search if you have accepted cookies for Googlemail.

E-mail

If you use one and the same address more than once to send or receive your E-mail, you are "creating" an identity with it. Below you will find notes about web mail services as well as some web services designed to improve your privacy:

Webmail

Provides a personal E-mail address; requires registration, and most services also ask for personal data. Most of them need cookies to log in, and they do use JS, but still work without it, with minor or major limitations and annoyances. Even if the server pressures you to enable JS or "upgrade your browser", it may be able to work without. To use your account without JS, make sure to always log in with JS off; otherwise the server, once it finds JS available, may switch into a JS-friendly mode that is difficult to get rid of again. It is also possible that a service requires JS on registration only (abuse prevention), but works without it later. List of services (without pointing out privacy issues): TheFreeCountry. Forum thread: 4306 (German).

  • Yahoo
    • One of the earliest providers
    • JS: not needed
    • Cookies: ???
    • Referrer: ???
    • Forum thread: 4826 (German)
  • GMail by Google
    • Cookies: required (enable before login and disable and clear after logout, don't use Google search while logged in)
    • JS: not needed
    • Referrer: ???
    • Last test: 2010-02
    • Forum threads: 5002 (German) 5007 (German)
  • GMX
    • German language only, E-mail only for people living in Germany, Austria or Switzerland
    • JS: not needed
    • Cookies: in the past not needed (still true???)
    • Trouble with the standard SSL login, need to use non-SSL (persists or fixed???)
    • Last test: 2009
    • Forum thread: 5088 (German)
  • Web.de
    • German language only, E-mail only for people living in Germany, Austria or Switzerland
    • Also web search and news portal (posting comments and viewing videos do need JS)
    • Cookies: required
    • Works with Firefox, but not Opera (?)
    • JS: Pressures the user to enable, but works mostly, still not fully, without
    • Free as long as it works for you, support is only by phone, 3 Euro/min
    • Last test: 2010-03

Anomailer - Sending E-mails from disposable addresses

If you want to send E-mails, but do not want to reveal your identity to the addressee or a third party, the best thing is to use an anomailer, AKA a web remailer interface. If the addressee has a contact form on his web site, you may of course use that instead.

  • Anonymouse
    • Anomailer, also has a simple web-based anonymizer without encryption and an Anontest
  • Anon978
    • SSL certificate is invalid

Receiving E-mails to disposable addresses

If you register on web forums, you often have to leave an E-mail address in order to get a confirmation. If you do not want to use your own E-mail address for it, you may instead use one of the following temporary PO boxes:

  • Tempinbox
    • JS: not needed
    • No manual deletion of mails
  • Spambog and Discardmail (the very same service)
    • Pressures the user to enable JS, limited functionality without
  • spambob.com - this service is no longer alive (checked 2009 and 2010-04)

Create pseudonymous E-mail accounts

Pseudonymous inboxes for whistle-blowers

Journalists, bloggers and other whistle-blowers may use the PrivacyBox.

E-mail accounts in one minute

There are many E-mail providers that allow you to set up a new account very quickly if required. Choose an E-mail address of the form anonymous1234abcd@provider.tld, that is "anonymous" + numbers + letters. If all JonDo users create addresses of this form, they are much less distinguishable. Make sure that you never access these accounts without using JonDo, because otherwise your IP address is revealed. Please note that almost all of these services need cookies for login.

  • Hushmail (HTTPS/POP with SSL; needs JavaScript)
  • SafeMail (HTTPS/POP with SSL; usable without JavaScript if you choose "User-Interface-NoScripts" below the password while logging in)
  • VFEmail (HTTPS/POP with SSL, you need a disposable address for registration)
  • HotPop (no HTTPS; POP with SSL; only 8 character passwords; choose random answers on questions about personality)
  • Gawab (no HTTPS; POP with SSL; you need to allow JavaScript for Gawab and Recaptcha for signup)
  • Bordermail (no JavaScript, but also no HTTPS/POP)
  • Breakthru (no cookies, no JavaScript, but also no HTTPS/POP)

The JonDo help contains a short tutorial for using Mozilla Thunderbird with JonDonym.

Keep your E-mail communication

With Hushmail you can prevent the details of your E-mail communication being left behind on servers and/or computers of your communication partners. Above all this is useful if the addressees of your E-mails are using web accounts which are never deleted, like GoogleMail. At least the E-mail provider can trace your communication then. Therefore, act as follows:

  • Set up an E-mail account (account A) in order to receive E-mails (do NOT use Hushmail now, as otherwise Hushmail would be able to observe your long-term communication, which is just what we want to prevent).
  • Access account A regularly via JonDo using your E-mail program or your browser.
  • Set up a new Hushmail account (account B) for every addressee who sends you an E-mail to account A. You may now access this account via JonDo as well, as long as you need it.
  • Answer the addressee only via account B. He now receives a link. If he clicks on it, he can write back to you directly using the Hushmail web site (HTTPS-encrypted).
  • Account B will be deleted automatically if you are not accessing it for three weeks. With it your communication is gone as well, unless your addressee has saved or printed the Hushmail web sites.

If your conversation partner is also using Hushmail, however, he keeps your messages. You should additionally encrypt your messages using GPG (best directly in your web browser) in order to make access by a third party more difficult.

File hosting, document sharing

If you want to send larger documents, you may be unable or unwilling to attach them to E-mails, for reasons such as the risk of attachment truncation or loss, or even rejection of the complete mail (the receiver won't even notice that you tried to contact him), caused by attachment size or type limits, or a complete ban of attachments, imposed along the way, by the receiver or by his provider. In that case you can use a file hosting or sharing service, preferably one with a time limit or the possibility of deletion by the uploader. List of services (without pointing out privacy issues): TheFreeCountry.

If you want to protect the contents of the uploaded files against being accessed by file hosts or third parties, you should encrypt them before uploading. You may use, e.g., TrueCrypt, AxCrypt, AES Crypt, 7-Zip (its own 7z format is very secure) or jFileCrypt. Then you send the password to the same people that get the download link to the files.

Hint 1: An asymmetric encryption of these files using GPG/PGP results in third parties being able to connect your GPG/PGP pseudonyms with those files.

Hint 2: A plain ZIP file with a password set is a bad idea, since the "standard compatible" ZIP has very poor "encryption", while the "advanced" ZIP files have better algorithms but are very incompatible.
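
An added example (not part of the original wiki page): the weakness named in Hint 2 can be checked before upload, because each ZIP member's header declares which scheme protects it. The function names and the sample archive are constructed for illustration; the flag bits and the method value 99 are those of the ZIP format as used by PKWARE and WinZip.

```python
import io
import struct
import zipfile

FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0: member is encrypted
FLAG_STRONG = 0x0040     # general-purpose bit 6: PKWARE "strong encryption"
AES_METHOD = 99          # method field value used by WinZip AES (AE-1/AE-2)


def classify_member(info):
    """Name the protection that one member's ZIP header declares."""
    if not info.flag_bits & FLAG_ENCRYPTED:
        return "none"
    if info.compress_type == AES_METHOD:
        return "winzip-aes"
    if info.flag_bits & FLAG_STRONG:
        return "pkware-strong"
    return "zipcrypto"  # the weak legacy scheme that every ZIP tool opens


def audit_zip(data):
    """Map member name -> declared protection, read without any password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: classify_member(i) for i in zf.infolist()}


def only_strong_encryption(data):
    """True if the archive is non-empty and no member is plain or ZipCrypto."""
    kinds = list(audit_zip(data).values())
    return bool(kinds) and all(k in ("winzip-aes", "pkware-strong") for k in kinds)


def build_sample(members):
    """Constructed test input: a stored ZIP whose central-directory entries are
    patched to declare (flag bits, method). The payload is NOT really encrypted;
    only the header fields that the audit reads are set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"constructed sample data")
    raw = bytearray(buf.getvalue())
    # The end-of-central-directory record is the last 22 bytes (no archive
    # comment); the central directory offset sits at byte 16 of that record.
    pos = struct.unpack_from("<I", raw, len(raw) - 22 + 16)[0]
    while raw[pos:pos + 4] == b"PK\x01\x02":
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", raw, pos + 28)
        name = raw[pos + 46:pos + 46 + name_len].decode("ascii")
        struct.pack_into("<HH", raw, pos + 8, *members[name])  # flags, method
        pos += 46 + name_len + extra_len + comment_len
    return bytes(raw)


if __name__ == "__main__":
    sample = build_sample({
        "plain.txt": (0, 0),
        "legacy.txt": (FLAG_ENCRYPTED, 0),
        "aes.txt": (FLAG_ENCRYPTED, AES_METHOD),
    })
    for name, kind in audit_zip(sample).items():
        print(f"{name}: {kind}")
    print("only strong encryption:", only_strong_encryption(sample))
```

The audit lists every member name without a password, which shows that ZipCrypto and WinZip AES archives both leave file names readable to the file host.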

  • TurboUpload (no registration, no JS needed)
  • FileFactory (no registration, no JS needed)
  • Files.ww (no registration, no JS needed)
  • Share-Now (no registration, no JS needed)
  • JustUpIt (no registration, no JS needed)
  • Load.to (no registration, no JS needed)
  • FlyUpload (no registration, no JS needed, deleting manually maybe not possible)
  • UltraShare (no registration, no JS needed, deleting manually maybe not possible)
  • datenklo.net - no longer online (checked 2010-04)

Long term file hosting

  • Rapidshare
    • The most popular one, large pirated stuff usually hosted here
    • Registration: upload and download possible without, but with bad performance and annoyances; paid registration can remove them
    • JS: required to upload and download
    • Cookies: required to download
    • Manual deletion possible
  • Mediafire
    • Registration: required to upload
    • JS: required to upload and download
    • Cookies: required to download, sets many of them before you can download a single file
  • Omploader
    • Hosts files of any type, also big ones, allows hotlinking, also text "pasta"
    • Registration: not required
    • JS: not required
    • Cookies: ???
    • No manual deletion, and no expiry time can be specified

Short term file hosting and sharing

  • YouSendIt
    • Pressures to enable JS, doesn't work without

Image hosting

  • Imageshack
    • Hosts PNG, GIF, JPG, BMP (converts into PNG)
    • Pressures to enable JS, but one can safely ignore this since it works very well without
    • No manual deletion
    • Last test: 2010-04

Text hosting / pasta

  • PasteBin
    • Hosts texts up to 64 KiB in size with a selectable expiry time of 1 day, 1 month or none
    • JS: not required
    • Has problems with abuse (spam posts)

Online file format converters

Instead of installing software on your PC, you can submit the job to an online converter. Of course this is bad for your privacy, even more considering that most of such converters require JS or even registration + payment.

Document conversion

Software for local document conversion exists, but may bring problems like very large size, high requirements, painful installation or a payment requirement, so you could give an online converter a chance, for non-private documents at least.

  • pdfmenot.com - no longer active
    • Converted PDF into Flash: the bad into the evil
    • Acquired by Google, domain now redirects to Google Docs Viewer (see below)
  • Google Docs Viewer
    • Converts PDF documents, PowerPoint presentations, and TIFF files
    • Flash + JS needed
    • Converts the bad into the evil
  • Google PDF to HTML converter
    • When using Google search, sometimes HTML versions of PDF documents are/were offered
    • Possibly getting dropped in favor of Google Docs Viewer (see above)

Image and video conversion

Many online services exist, but it is better to use one of the good and free software products for local conversion: XnView or NConvert for images, FFmpeg or ffmpeg2theora for videos.

Video

There are 2 ways to provide online video: Flash + JS and HTML 5 Theora. Obviously the latter is much better for your privacy, but most pages stick to Flash. In some cases it can be possible (was in the past only?) to "pick" the video manually from the page source, but the common deal is "No Flash, No video". JS is used for HTML 5 Theora handling by the Firefox browser and the Wikimedia Commons page, but even without JS the videos are still accessible for playing (possibly outside of context in a separate page and without progress/time info) and download. Note that online video performance will be unusably bad with any free anonymization service, and the download will take at least 10 times longer than the playing time (wait at least half an hour for a 3-minute clip). So storing the video link and downloading the video later without any anonymization is worth considering. Forum thread: 4477 (English)

  • YouTube
    • By far the most popular video service, belongs to Google
    • Needs Flash + JS
    • Intended for online viewing, downloading is "not supported" and prohibited by the TOS
    • Registration required for upload only (but better upload your videos somewhere else like to Omploader (see above) and don't promote YouTube)
    • You can download the videos only with external tools (Firefox plugins, download helper software, video screenshot software), still Flash + JS are required (?) for the act, see Download web videos.
    • There used to be privacy-friendly online services helping with video download from YouTube, but all seem to be dead now (blocked by YouTube?)
  • News portals
    • Videos are more and more popular
    • Nearly all need Flash + JS
    • YouTube download "tricks" usually don't work
  • Firefox videos
    • Using HTML 5 Theora
    • Plays with Firefox 3.5 and above, other browsers can download the videos
    • Cookies, JS and Flash not needed
  • Wikimedia Commons
    • Using HTML 5 Theora
    • Plays with Firefox 3.5 and above, other browsers can download the videos
    • Cookies, JS and Flash not needed

Development

  • SourceForge
    • Cookies required to login
    • JS used but not absolutely required (behavior changes frequently, this was not always true in the past and may not be true in future)
    • Registration required to create or join projects as well to post in most forums and trackers
    • Download possible without login
    • Referrer: ???
  • Google Code
    •  ???
    • Using too many products of Google (GMail + Chrome + Google Code + YouTube + ... ) is bad for privacy
  • Bugzilla, trackers
    • Usually work without JS
    • Registration + cookies enabled usually required to post

Forums

The forum market is covered by several major competitors (phpBB2, phpBB3, vBulletin, ...) and many "special" forums. JS is usually not required for forum usage including posting; it is just used for marginal things like smiley and BBcode inclusion, but in some forums it may be required for registration (as abuse prevention), for viewing user profiles or for searching. Forum permissions, like the ability of guests to post or view profiles, are highly configurable by the administrators in all major forum solutions. Nevertheless, modified versions of such forums also exist, showing non-standard behavior like additional security precautions, possibly including a JS requirement or referrer checks. Almost all forums store the IP addresses of all posts and give the moderators and administrators permissions and tools to view and evaluate them. Registration is required to post almost everywhere; guest posting, the standard years ago, got disabled after excessive abuse (trolling, flamewars, automatic spam posts, sockpuppetry) encountered over time.

  • phpBB2, phpBB3
    • Cookies not required (identification string stored in the address, corrupting or losing it causes logout)
    • JS not required except for smiley and BBcode inclusion
    • phpBB2 is obsoleted by phpBB3
    • Many modified versions exist
  • vBulletin
    •  ???
  • Invision
    • JS not required for login and posting, but it is for profile viewing
  • JonDos forum
    • JS used for smiley inclusion only
    • IP addresses not stored
  • Commenting on news portals
    • JS and registration usually required
    • Many will let you type your text anyway, but after hitting "Submit" either nothing happens (because JS is off), or it tells you that your post of course will be accepted, but only if you log in or register.

Wiki

Most Wiki-like services work without JS, just advanced features like special character inclusion are not available then. Cookies are required to login.

  • Wikipedia
    • All anonymization services including JAP are carefully blocked by output IP
    • IP addresses of edits done without login are permanently stored and publicly visible
    • IP addresses of edits by registered users are not publicly visible, and reportedly used only in case of justified suspicion of abuse, and automatically and unrecoverably deleted after 1 week.
  • Other wikis
    • Look and functionality similar to Wikipedia
    • Blocking of anonymization services usually doesn't apply
    • Abuse is a big problem, registration usually required, or even account request on forum or mailing list, possibly after making "some useful posts" proving that you are a human interested in the topic.

Webhosting / FTP

Many cheap and free webhosts don't offer FTP; instead they provide an HTTP web-based system for upload and management, usually requiring not only cookies, but also JS.

  • www2ftp
    • Allows HTTP access to manage pages offering FTP only
    • JS: ???
    • Last test: 2010-04 (still online, functionality not tested)

Web searching

Make sure to have Cookies and JS off when using search services.

  • Google
    • The most popular one
    • When anonymization services are used, Google can complain about "automated searches" and "virus"; solving a CAPTCHA may or may not allow you to search
    • Also provides web based E-mail (see above)
  • Yahoo
    • Also provides web based E-mail (see above)
  • Web.de
    • Also provides web based E-mail (see above)
    • German only
  • Bing
    • Belongs to Microsoft
  • Baidu
    • Chinese and Japanese language only

Timetables, transport information + reservation

Many such pages do require JS enabled, otherwise they complain or simply fail. Online ticket purchase or reservation is bad for your privacy.

  • Bahn.de - German Railway
    • This one works without JS (at least timetable services, reservation not tested)
    • Covers considerable parts of Europe, not just Germany; a good alternative to the pages of many other rail companies that are unable to provide working timetable services for their own lines.

Online banking

Cookies required to log in, may require JS also. You are not anonymous to your bank anyway: the bank knows both your name and your home location, and the communication content is protected from your provider and 3rd parties by HTTPS, so it may be a good idea not to use any anonymization service at all. If you use one nevertheless, you can only hide your login location from the bank and the name of your bank from the provider. Enable cookies (and JS if required) before login and disable them after; on both occasions also clear all private data of the browser. Don't access other pages or use other software accessing the Internet while logged in. Avoid browsers with limited or no HTTPS support.

Online virus and malware scan and removal

Bad, browser Java plugin needed.

Online gaming

Needs Flash + JS or a Java plugin or installation of special software; no way to do it with pure HTML, very bad for privacy. The only good way is special software respecting proxy settings; it can then be used with paid JAP services only.

Porn and piracy pages

Will usually pressure you to enable JS or Flash, to install or "update" something, or to call an expensive phone number; high risk of privacy intrusion or virus infection. Easy solution: avoid such pages completely.
