Change MAC address

If you frequently use open WLANs (airport, public Internet café, …), you do not want the WLAN provider to be able to identify you by your MAC address. Changing the MAC address can also be useful on other LANs.

Change MAC address (Windows)

Launch the built-in tool “regedit”, go to

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}

and overwrite the address of the adapter there. NOT for novice users.

Another way is the program Change-MAC-2010 (page in German, free download, works since Windows 2000, needs .NET). It allows you to set any address for any adapter. Alternatively use the SMAC program.

Change MAC address (Linux)

Install the package macchanger. Stop the network, assign a random address and start the network again (the Debian service is called network-manager):

> sudo service network-manager stop 
> sudo ifdown -a
> sudo macchanger -a eth0
> sudo service network-manager start

Change MAC address in Linux during boot

#!/bin/bash
### BEGIN INIT INFO
# Provides:          macchanger
# Required-Start:    ifupdown-clean
# Required-Stop:
# Should-Start:
# Default-Start:     S
# Default-Stop:
# Short-Description: Change MAC addresses
### END INIT INFO
PATH=/sbin:/bin:/usr/bin

# Detect whether the wired (eth0) and wireless (wlan0) interfaces exist.
NETH=$(/bin/netstat -ia | grep eth0 | cut -d " " -f 1)
NWLAN=$(/bin/netstat -ia | grep wlan0 | cut -d " " -f 1)

case "$1" in
 restart|reload|force-reload|start)
  echo "Change MAC addresses"
  if [ -n "$NETH" ] ; then
   # Random MAC of the same vendor kind, and IPv6 privacy extensions
   # so the interface does not expose a stable EUI-64 address either.
   /usr/bin/macchanger -a eth0
   /sbin/sysctl net.ipv6.conf.eth0.use_tempaddr=2
  fi
  if [ -n "$NWLAN" ] ; then
   /usr/bin/macchanger -a wlan0
   /sbin/sysctl net.ipv6.conf.wlan0.use_tempaddr=2
  fi
  ;;
 stop)
  ;;
esac
exit 0

Save the script in /etc/init.d/macchanger and make it executable:

> sudo chmod +x /etc/init.d/macchanger

To run the script at every boot, register it with insserv:

> sudo insserv macchanger
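To make the "keep the vendor bytes" versus "fully random" distinction concrete, and to show what a hotspot or LAN operator can still see afterwards, here is an added example (not from this page and not macchanger's code) that generates addresses the way the two macchanger modes do and flags locally-administered addresses in constructed DHCP log lines. The dhcpd line format, the sample log and the helper names are assumptions.

```python
import re
import secrets
from typing import List, Optional

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")
# "to <mac>" as ISC dhcpd writes it in DHCPACK lines (constructed sample below)
DHCP_MAC_RE = re.compile(r"\bto ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})")


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff (any case); return 6 raw bytes."""
    norm = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(norm):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(octet, 16) for octet in norm.split(":"))


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_locally_administered(mac: str) -> bool:
    # Bit 0x02 of the first octet is the U/L bit: set means the address was
    # assigned locally (e.g. by macchanger -r), not burned in by the vendor.
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac: str) -> bool:
    # Bit 0x01 of the first octet is the I/G bit; a station address must have it clear.
    return bool(parse_mac(mac)[0] & 0x01)


def random_mac(keep_vendor_from: Optional[str] = None) -> str:
    """Generate a random unicast MAC.

    With keep_vendor_from, the first three octets (the vendor OUI) are kept and
    only the device part is randomised, like `macchanger -e`. Without it, all
    six octets are random with the locally-administered bit set and the
    multicast bit cleared, like `macchanger -r`.
    """
    if keep_vendor_from is not None:
        oui = parse_mac(keep_vendor_from)[:3]
        return format_mac(oui + secrets.token_bytes(3))
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] | 0x02) & 0xFE
    return format_mac(bytes(raw))


def flag_locally_administered(dhcp_log: str) -> List[str]:
    """Defender view: every client MAC in the log that carries the U/L bit.

    A hotspot operator cannot tell who changed their address, but addresses
    with the locally-administered bit set stand out from vendor-assigned ones,
    so a fully random address is itself a (weak) fingerprint.
    """
    flagged = []
    for line in dhcp_log.splitlines():
        m = DHCP_MAC_RE.search(line)
        if m and is_locally_administered(m.group(1)):
            flagged.append(m.group(1))
    return flagged


# Constructed sample dhcpd lines; 02:... and 6a:... have the U/L bit set.
SAMPLE_DHCP_LOG = """\
Jan 10 12:00:01 gw dhcpd: DHCPACK on 10.0.0.21 to 00:1b:21:3c:4d:5e (office-pc) via eth0
Jan 10 12:00:07 gw dhcpd: DHCPACK on 10.0.0.22 to 02:9f:e3:11:22:33 via eth0
Jan 10 12:00:09 gw dhcpd: DHCPACK on 10.0.0.23 to 6a:10:20:30:40:50 (phone) via eth0
"""

if __name__ == "__main__":
    print("fully random:", random_mac())
    print("vendor kept: ", random_mac("00:1b:21:3c:4d:5e"))
    print("flagged in log:", flag_locally_administered(SAMPLE_DHCP_LOG))
```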

from here

Censorship-free DNS servers

Chaos Computer Club Berlin

213.73.91.35

Comodo Secure DNS

  • 156.154.70.22
  • 156.154.71.22

Censurfridns (Denmark)

  • 89.233.43.71
  • 89.104.194.142

DNS Advantage

  • 156.154.70.1
  • 156.154.71.1

Dotplex

  • 91.102.11.144
  • 212.222.128.86

FoeBuD e.V.

85.214.20.141

German Privacy Foundation e.V.

  • 87.118.100.175 (Ports 53,110, DNSSEC IPv6)
  • 94.75.228.29 (Ports: 53, 110, HTTPS-DNS, DNSSEC, IPv6)

awxcnx

62.75.219.7 (Ports: 53, 110, DNSSEC, IPv6)

Swiss Privacy Foundation

  • 87.118.104.203 (Ports: 53, 110, DNSSEC)
  • 62.141.58.13 (Ports: 53, 110, HTTPS-DNS, DNSSEC IPv6)
  • 87.118.109.2 (Ports: 53, 110, DNSSEC)

Sweden: DNS Kalmar NDC Registry

213.132.114.4

Iceland: DNS Island Telecom

213.167.155.16

Antarctica: DNS (Cyberbunker NL)

84.22.106.30

US: DNS Westelcom Internet, Inc.

64.19.76.8

How to change the DNS server in Windows Vista / Windows 7

  • Open the Control Panel (Start -> Control Panel)

Check http://welcome.gpf in the browser. If you see the page then your new DNS works OK.

from here

Anonymous Email Communication

If you use one and the same address more than once to send or receive e-mail, you are “creating” an identity with it. Below you will find notes about web-mail services as well as some web services designed to improve your privacy.

Remailer – Sending E-mails from disposable addresses

If you want to send e-mails without revealing your identity to the addressee or a third party, the best option is an anonymous remailer. Some mixmaster remailers offer a web interface. If the addressee has a contact form on his web site, you may of course use that instead.

Temporary E-mail accounts

When registering on web forums you often have to leave an e-mail address in order to receive a confirmation. If you do not want to use your own e-mail address for that, you may use one of the following temporary accounts instead.

  • Anonbox, provided by the Chaos Computer Club (the account is deleted at 24:00 the next day; password protected). AnonBox.net uses an SSL certificate signed by CAcert.org. Because this CA is not trusted by default in all web browsers, you have to verify the fingerprint of the certificate:
SHA1:    86 FC 1A 7B 16 2A 70 1C E0 5C F0 A9 25 52 5E 2D 7B 59 1D 6A
MD5:     2E 5F AD 20 66 E9 B0 6C 21 00 E2 F2 A2 F8 81 D8

VPN Gate: Free Access to World Knowledge Beyond Government’s Firewall. @vpngate

VPN Gate Overview

The VPN Gate Academic Experiment Project is an online service run as academic research at the Graduate School of the University of Tsukuba, Japan. The purpose of this research is to expand knowledge of “Global Distributed Public VPN Relay Servers”.

Why VPN Gate?

VPN Gate offers three advantages:

  1. You can bypass the government’s firewall to browse overseas web sites (e.g. YouTube).
  2. You can camouflage your IP address to hide the source of the information you send over the Internet.
  3. You can protect your use of Wi-Fi with strong encryption.

Unlike existing VPN services, VPN Gate has strong resistance against firewalls.
VPN Gate is free of charge. No user registrations required.

VPN Gate Public VPN Relay Servers

There is a list of Public VPN Relay Servers on the VPN Gate Academic Project web site.
Anyone on the Internet can establish a VPN connection to any VPN server on the list.
No user registration is required.

How does VPN Gate work?

  • VPN Gate consists of many VPN servers provided by volunteers around the world.
    You can provide your own computer as a VPN server to join this experiment.
  • Windows, Mac, iPhone, iPad and Android are supported.
  • Supports the SSL-VPN (SoftEther VPN), L2TP/IPsec, OpenVPN and Microsoft SSTP protocols.
  • Anonymous connections are accepted.
  • No user registration is required.
  • The IP address of each VPN server is not fixed; it may change at irregular intervals.
  • VPN servers join and leave every day, so the servers are not located in any particular IP address range.
  • While a VPN client is connected to a VPN server, it can access the Internet via that server, which hides the client’s IP address.
  • When you use a VPN server physically located in an overseas country, all your communication appears to originate from that country, so you can reach web sites that are usually unreachable from your own country.

The problem that this research solves

Our motivation for beginning the VPN Gate Experiment was to solve the following existing problems.

Existing Problem #1. The Government’s Firewall Blocks Access to Overseas Web Services out of Overprotection

The Internet is a revolutionary network that enables all users’ computers and servers to communicate with each other without restriction. Any web site provided by an individual or company can be reached from anywhere in the world. Every person in the world is a potential customer of a web service, so every Internet company tries to develop and improve its web services continuously. World-wide competition occurs, and the quality of every service keeps getting better.

Such world-wide competition without barriers is essential for improving the quality of Internet services; the Internet provides a great playing field for fair competition. However, some countries attempt to interfere with that fair competition. For example, great video-sharing sites such as YouTube and excellent SNS sites such as Twitter or Facebook exist in the world, yet some governments place a content filter on the border between the domestic and the international Internet. Such a content filter is commonly called a “Government’s Firewall”, and people in such a country are often affected by it.

In the United States, Japan and most European countries, the constitution prohibits the government from placing such a firewall. However, some other countries are said to have such a firewall for content filtering.

The government’s firewall forces people to use only domestic web services instead of international ones. They cannot visit the international web services that compete with the domestic ones. In other words, such a government grants unfair advantages to a few domestic web-service providers in exchange for inconveniencing all Internet users in the country. In the long term, such overprotective policies will cause a decline in the public interest, because most people in the country are blinded to valuable overseas web services.

It is convenient for users behind the government’s firewall if they can freely access YouTube, Twitter, Facebook or other great web services. As a consequence, over-protected domestic web-service providers, unfairly favoured by the government’s firewall, will be drawn into world-wide fair competition. In the long term, that competition will improve both domestic and international web services, and every domestic user will benefit.

Existing Problem #2. An individual can be identified by tracing an IP address in a server’s access log.

If you access a web site or send an e-mail, your source IP address is logged on the destination web server or in the headers included in the e-mail.

An IP address is not personal information on its own. However, an IP address can be used to track an individual’s activities across several web sites; such tracing techniques are used for unwanted advertising.

Additionally, an IP address can be used to identify the person who initiated a given communication through law-enforcement procedures. Police, prosecutors or lawyers can abuse their privileges to request the IP address allocation logs held by ISPs. Such logs are normally kept confidential by ISPs. However, once someone obtains them, he can investigate who sent an e-mail or who posted a message to a web site. This might be abused to take revenge on someone who made an accusation in the public interest. The risk of IP address traceability may discourage good people from accusing something for the public benefit.

Moreover, on the Internet, a person who was assigned a specific IP address at a specific time is regarded as responsible for any illegal communication initiated from that IP address at that time. Recently in Japan, disgraceful law-enforcement incidents were criticized as serious problems: law-enforcement officers mistakenly arrested innocent Internet users who had done nothing illegal on their computers, but whose computers were infected with a Trojan controlled remotely by the real criminal. The real criminal made the innocent users’ computers send blackmail to some companies, and the innocent persons were arrested unjustly. The innocents were finally released, but it was one of the worst false-accusation incidents in Japan’s recent history.

Therefore, it is preferable to have a method to temporarily hide your real IP address when you access the Internet. If your real IP address is hidden, IP address tracing for advertising purposes will fail. The risk of IP address traceability is reduced, and good people planning to make an accusation in the public interest can do so more easily. The risk of mistaken arrest will not reach you if you hide your real IP address while connected to the Internet, even if your computer is infected by a Trojan or other malicious software.

Existing Problem #3. Public Wi-Fi is at risk of packet tapping.

Most public Wi-Fi can be tapped by anyone, so your plaintext communication is not safe. Wired networks are also at risk of tapping: ARP spoofing attackers can capture your packets. Moreover, the network administrator or the owner of the café or airport that provides the public Wi-Fi can always tap your communication. Even when you use the Internet at home, there is a risk that an employee of your ISP or telecom company taps the line to peek at your plaintext packets. (In fact, there was a criminal incident in which an employee of Nippon Telegraph and Telephone Company conducted wiretapping in a telecom building, so employees of ISPs or telecom companies can never be fully trusted.)

When you use HTTP, POP3 or IMAP in plain text on the Internet, you cannot avoid tapping. SSL (HTTPS) is secure against tapping, but most web sites use HTTP, and HTTP packets are transmitted in plaintext.

It is preferable to have a method that encrypts all communication to Internet servers automatically. Then no one on the local network or in the local telecom building can peek at the contents of your packets.

VPN encrypts and relays your packets

If you use a VPN when you use the Internet, you can solve all three problems above.

Solution 1. VPN can bypass the government’s firewall.

If the government’s firewall is “out of order” and some overseas web sites are unreachable from behind it, you can access such web sites via overseas VPN servers. The overseas VPN server relays your communication to the target web server.

Solution 2. VPN can hide your real IP address.

While the VPN connection is established, the source IP address of all your communication is replaced by the IP address of the relaying VPN server. This is very helpful, because no one can easily analyze and trace your real IP address at that moment. IP address logs on the target web server or in e-mail headers record the communication as if it had been initiated by the relaying VPN server. You can hide your IP address securely and send anonymous posts or e-mails to web sites or mail servers. This encourages you if you intend to make a righteous accusation for the public benefit: you are no longer at risk of revenge by the accused. Moreover, if your computer is infected by a Trojan sent by the “real criminal”, who remotely makes your computer send illegal blackmail to someone, you are no longer at risk of mistaken arrest by law enforcement.

Solution 3. VPN can prevent the tapping.

If you always use a VPN, all communication is automatically encrypted. Even if your neighbour on the local network is a wiretapper, he cannot peek at your packets.

Note that this solution only encrypts the VPN tunnel and therefore only prevents tapping on the local network. Packets between the relaying VPN server and the destination web server are plaintext and might be tapped there. However, at least local tapping is prevented.

VPN Gate’s advantage to existing VPN services

As described above, a VPN can solve several problems of using the Internet. However, you usually need at least one VPN server physically located in a remote place (overseas) to exploit the VPN functions mentioned above.

Most Internet users are unable to have their own VPN server in an overseas country. For such users there are paid shared-VPN services provided by some Internet companies. Such a service requires user registration with a credit-card number for payment, and an account is created for the user. The user gains the right to use the shared VPN servers for the term of the contract.

So what is the difference between VPN Gate and such existing paid VPN services? From the user’s viewpoint the two seem similar. However, VPN Gate differs from existing VPN services as described below.

Problems of existing shared VPN services

Existing VPN services are implemented by the provider company hosting some VPN servers in a datacenter. This traditional way of providing shared VPN servers has the problem that the IP addresses of the VPN servers lie in the same or a similar IP address allocation block, because they are generally assigned by the same ISP. The IP addresses of the VPN servers are also fixed and seldom change.

Such a shared VPN service has no tolerance against “unknown trouble on the government’s firewall”. This “unknown trouble” usually appears as a series of IP address blocks becoming completely unreachable from inside the country. If the “unknown trouble” covers the IP address blocks allocated to a shared-VPN server cluster, no VPN server of that cluster will be reachable from such a country. In fact, it was recently reported that one day a specific cluster of existing shared VPN servers suddenly became unreachable from a specific country that has a government’s firewall.

There is another problem with existing shared VPN services: bandwidth occupation. Existing shared VPN servers are physically placed in a specific datacenter. All users’ communication is concentrated on the Internet transit line of the datacenter’s uplink, and all processing workload is concentrated on a few shared-VPN physical servers hosted there. The service provider may consider increasing the number of VPN servers in the cluster or the bandwidth of the Internet transit lines, but such expansion costs money. If costs increase, the fee of the shared VPN service increases; if costs are saved, the speed of the service declines. Most shared VPN services cannot provide adequate quality to users.

Advantages of VPN Gate Academic Experiment

As you can see in the List of VPN Gate Public VPN Relay Servers, there are many running VPN Gate Public VPN Relay Servers. These VPN servers are not physically placed in a specific datacenter nor in a specific IP address allocation block; they are hosted on different ISPs and at different physical locations.

All VPN Gate Public VPN Relay Servers are distributed and hosted by many volunteers. A volunteer is a person who owns a computer with a broadband connection to the Internet and agrees to provide CPU time and bandwidth to support the VPN Gate Academic Experiment. You can become a volunteer.

Volunteers are distributed geographically, and so are their ISPs, so the IP addresses of the VPN servers are distributed too, with no characteristic pattern in the assigned addresses. The number of volunteers increases or decreases every day, and each IP address varies over time. If something “out-of-order” occurs on the government’s firewall, the VPN Gate relay servers as a whole are not affected. If a few VPN servers become unreachable from your country, you can still reach the others.

Because VPN Gate servers are hosted by volunteers, and each volunteer spends only a very small amount on bandwidth and CPU time for his VPN server, the VPN Gate service can be used free of charge by everyone. Free of charge also means that no user registration is required from anyone who wants to use the VPN Gate service.

Therefore, unlike existing shared VPN services, the VPN Gate Academic Experiment Service can be used without paying.

Mirror servers of VPN Gate web site

Once a user connects a VPN session to one of the VPN Gate Public VPN Relay Servers, he gains free access to the Internet from any country.

However, if the www.vpngate.net web site (this web site) is unreachable from his country, he cannot obtain the VPN Gate Public VPN Relay Servers List in the first place.

So we provide many mirror site URLs to help users in such countries. If a user can reach at least one of the mirror sites, he can browse the VPN Gate Public VPN Relay Servers List page.

If you are a citizen of a country whose government’s firewall has an “unknown error” that prevents access to www.vpngate.net from the domestic Internet, please access the Mirror Sites List page, copy the URL list and paste it to SNS, blogs or community forums in your country to help VPN users there.

VPN Gate is an extended plug-in for SoftEther VPN Software

Visit our other VPN project, the “SoftEther Project”.
This is the parent project; VPN Gate is a child project of the SoftEther Project.

from here

n2n: Layer Two Peer-to-Peer VPN

n2n is a layer-two peer-to-peer virtual private network (VPN) which allows users to exploit features typical of P2P applications at network instead of application level. This means that users can gain native IP visibility (e.g. two PCs belonging to the same n2n network can ping each other) and be reachable with the same network IP address regardless of the network where they currently belong. In a nutshell, as OpenVPN moved SSL from application (e.g. used to implement the https protocol) to network protocol, n2n moves P2P from application to network level.

The main n2n design features are:

  • An n2n is an encrypted layer two private network based on a P2P protocol.
  • Encryption is performed on edge nodes using open protocols with user-defined encryption keys: you control your security without delegating it to companies as it happens with Skype or Hamachi.
  • Each n2n user can simultaneously belong to multiple networks (a.k.a. communities).
  • Ability to cross NAT and firewalls in the reverse traffic direction (i.e. from outside to inside) so that n2n nodes are reachable even if running on a private network. Firewalls no longer are an obstacle to direct communications at IP level.
  • n2n networks are not meant to be self-contained, but it is possible to route traffic across n2n and non-n2n networks.

The n2n architecture is based on two components:

  • edge nodes: applications installed on user PCs that allow the n2n network to be built. In practice each edge node creates a tun/tap device that is then the entry point to the n2n network.
  • a supernode: used by edge nodes at startup or for reaching nodes behind symmetrical firewalls. This application is basically a directory register and a packet router for those nodes that cannot talk directly.

Edge nodes talk by means of virtual tap interfaces. Each tap interface is an n2n edge node. Each PC can have multiple tap interfaces, one per n2n network, so that the same PC can belong to multiple communities.

Quickstart


  • Download and compile the code
  • Decide where to place your supernode. Suppose you put it on host a.b.c.d at port xyw.
  • Decide what encryption password you want to use to secure your data. Suppose you use the password encryptme
  • Decide the network name you want to use. Suppose you call it mynetwork. Note that you can use your supernode/edge nodes to handle multiple networks, not just one.
  • Decide what IP address you plan to use on your edge nodes. Suppose you use IP address 10.1.2.0/24
  • Start your applications:
    #supernode > supernode -l xyw
    #edge node1> edge -a 10.1.2.1 -c mynetwork -k encryptme -l a.b.c.d:xyw
    #edge node2> edge -a 10.1.2.2 -c mynetwork -k encryptme -l a.b.c.d:xyw

    Now test your n2n network:

    #edge node1> ping 10.1.2.2
    #edge node2> ping 10.1.2.1

Platform-dependent Differences


  • OSX: In some OSX versions the tun/tap device is missing. In this case you need to download and install the tuntap driver.
  • Linux: You need to specify the tap interface name with -d.
    #edge node> edge -d n2n0 -c mynetwork -k encryptme -a 1.2.3.4 -l a.b.c.d:xyw
  • Windows: The port is available. You need to compile the project part of the SVN code using Visual C++ .NET 2008 Express. For your convenience we compile Win32 binaries from time to time that you can download from this URL.

n2n Security


n2n 1.x has been designed to be simple and used in private n2n networks. We’re aware that it has some security limitations such as

  • Keys on the command line are a problem.
  • Lack of nonces in encryption makes it relatively easy to perform replay attacks.
  • Lack of HMAC makes man in the middle relatively easy. (I don’t think this is a valid criticism as n2n is not trying to attach trust to a connection, just opacity).
  • Difficulty in rolling keys and integrating secure key exchange protocols.

For these reasons the next n2n 2.x release will feature the following security extensions:

  • Each encrypted payload gets a 32-bit nonce (salt) so the same packet will get encrypted differently each time. This makes it harder to perform replay attacks, discover keys, etc. [status = WORKING]
  • Each encrypted packet carries a key index in clear-text so the edges can signal key changes to the receiver. Key exchange could be done by eg. IKE (IPSec) or Kerberos, or just having a list of shared keys that is updated from time to time. Having a key index allows for reliable key rolls if the clocks on the two edges are skewed slightly. [status = WORKING]
  • Edge program will have a key discovery channel to allow eg. IKE, Kerberos, SSL, etc. to be plugged in and provide a secure key exchange method. [status = design phase]
  • Each n2n packet carries a transform identifier so a mixture of encrypted and unencrypted packets can be carried and the decoding transform identified at runtime. The transform identifier allows data transform plugins and extensions. When new encryption or compression types are added, the n2n packet format does not need to change, and receivers can detect whether they know how to process the packet. [status = nearly finished]

The above statements do not mean that n2n is insecure, just that security will be better addressed in the next major release.
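To show why the 1.x limitations (no nonce, no HMAC) matter and what the 2.x header (transform id, key index, nonce) buys, here is an added example, not n2n's code and not its real cipher or packet layout: a toy transform built only from the Python standard library, with a 1.x-style sealer that is deterministic and malleable beside a 2.x-style one whose receiver selects the key by index, rejects tampered or wrong-key packets, and can drop replayed nonces. The field sizes, the HMAC-SHA256 keystream and the helper names are assumptions.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Set, Tuple

TAG_LEN = 16                  # truncated HMAC-SHA256 tag on every 2.x-style packet
TRANSFORM_NULL = 0            # payload carried unencrypted
TRANSFORM_AEAD = 1            # payload encrypted and authenticated (toy transform)
HDR = struct.Struct(">BBI")   # transform id, key index, 32-bit nonce


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks. Illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_v1(key: bytes, payload: bytes) -> bytes:
    """1.x-style: key only, no nonce, no tag. Same payload -> same bytes every time,
    so an observer can match repeated frames, and a captured frame can be replayed."""
    return _xor(payload, _keystream(key, b"", len(payload)))


def decrypt_v1(key: bytes, packet: bytes) -> bytes:
    # Also "decrypts" anything an on-path party modified: nothing checks integrity,
    # and flipping a ciphertext bit flips the same plaintext bit.
    return _xor(packet, _keystream(key, b"", len(packet)))


def _subkeys(master: bytes) -> Tuple[bytes, bytes]:
    # Separate encryption and authentication keys derived from one shared key.
    enc = hmac.new(master, b"n2n-enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"n2n-mac", hashlib.sha256).digest()
    return enc, mac


def seal_v2(keys: Dict[int, bytes], key_index: int, payload: bytes,
            nonce: Optional[int] = None, encrypt: bool = True) -> bytes:
    """2.x-style packet: header(transform, key index, nonce) || body || tag.
    The key index is sent in clear so the receiver can follow a key roll."""
    if nonce is None:
        nonce = struct.unpack(">I", os.urandom(4))[0]
    transform = TRANSFORM_AEAD if encrypt else TRANSFORM_NULL
    header = HDR.pack(transform, key_index, nonce)
    enc_key, mac_key = _subkeys(keys[key_index])
    body = _xor(payload, _keystream(enc_key, header[2:], len(payload))) if encrypt else payload
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()[:TAG_LEN]
    return header + body + tag


def open_v2(keys: Dict[int, bytes], packet: bytes,
            seen: Optional[Set[Tuple[int, int]]] = None) -> bytes:
    """Receiver side: pick the key by index, verify the tag, reject replays of a
    (key index, nonce) pair already seen, then decode according to the transform."""
    if len(packet) < HDR.size + TAG_LEN:
        raise ValueError("packet too short")
    transform, key_index, nonce = HDR.unpack_from(packet)
    if key_index not in keys:
        raise ValueError(f"unknown key index {key_index}")
    if transform not in (TRANSFORM_NULL, TRANSFORM_AEAD):
        raise ValueError(f"unknown transform {transform}")
    header, body, tag = packet[:HDR.size], packet[HDR.size:-TAG_LEN], packet[-TAG_LEN:]
    enc_key, mac_key = _subkeys(keys[key_index])
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: modified, forged or wrong-key packet")
    if seen is not None:
        if (key_index, nonce) in seen:
            raise ValueError("replayed packet")
        seen.add((key_index, nonce))
    if transform == TRANSFORM_NULL:
        return body
    return _xor(body, _keystream(enc_key, header[2:], len(body)))
```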

n2n Gui: graphical frontend for n2n.

n2n website

Comparison of Whonix, Tails, Tor Browser Bundle and Qubes OS TorVM

Introduction

Quick comparison of the key virtues of Whonix and Tails. If anything in this table is incorrect or outdated, feel free to contact the Whonix developers; we will correct it as fast as possible.

* Attention: these tools are experimental, they are without any warranty.

Last update

Comparing:

  • Whonix 0.4.5
  • Tails 0.1.6.
  • Qubes OS TorVM 0.1.beta1

Different views

One always has to be very careful when talking about others, especially about their advantages and disadvantages. Different opinions are accepted and listed here.

General

| | Whonix | Tails | Tor Browser Bundle | Qubes OS TorVM |
|---|---|---|---|---|
| Focus on anonymity, privacy and security | Yes | Yes | Yes | Yes |
| Type | general purpose OS available as VM images and physical isolation | LiveCD/DVD/USB | portable browser | general purpose OS, VM plugin for Qubes OS |
| Supported hardware | any ^1^ | x86 compatible and/or Virtual Machines | Windows, Linux, Mac and Virtual Machines | any capable of running Qubes OS |
| Based on | Tor, Debian ^2^ and a Virtualizer ^3^ [VirtualBox] when not using Physical Isolation | Tor, Debian | Tor, Firefox | Tor, Qubes OS, Fedora |
| Gateway and torify any operating system (advanced users) | Yes ^4^ | Not a Gateway. | Not a Gateway. | Probably (?) yes, when using HVM |
| Live CD | No | Yes | No | No |
| Live USB | No | Yes | No | No |
| USB bootable | Yes ^5^ | Yes | Yes ^5^ | Yes ^5^ |
| Requires VirtualBox | If not using Physical Isolation, yes. ^3^ | No | No | No |
| Requires Qubes OS | No | No | No | Yes |
| System requirements | higher | lower | lowest | highest |
| Can run in VM | Yes | Yes | Yes | Yes |
| Persistence | Full | Optional for Live USB | Yes ^6^ | Full (?) |
| Number of developers | one with lots of anonymous contributions | multiple | multiple | One (?) |
| Maturity | project since 2012 | established, respected project for many years | established, respected project for many years | project since 2012 (?) |
| Open Source | Yes | Yes | Yes | Yes |
| Anonymous developers | Yes | Yes | No | (?) |

^1^ Whonix Framework workstation: self-made builds can run on any real or virtual hardware. Intel VT-x or AMD-V will greatly speed up Virtual Machines. Whonix Framework gateway: the anonymizer (Tor) must support that platform.
^2^ Whonix-Workstation: OtherOperatingSystems are also supported. Whonix-Gateway: in the long term we are also agnostic about other secure distributions. The concept is agnostic; you could use another operating system as base, but it requires effort.
^3^ Default downloads are for VirtualBox (subject to change in future). [PhysicalIsolation] is an optional security feature for advanced users. Experimental optional support for [VMware]. You can build your own images for other virtualizers, but it requires effort.
^4^ See OtherOperatingSystems.
^5^ You can install your host operating system on USB.
^6^ You can download files and keep them, and save bookmarks and passwords, depending on your settings.

Security

General

| | Whonix | Tails | Tor Browser Bundle | Qubes OS TorVM |
|---|---|---|---|---|
| Amnesic | No ^7^ | Yes | No ^12^ | No |
| Protection against IP/location discovery through root exploits (Malware with root rights) on the Workstation ^18^ | Yes ^a^ | No ^2^ | No ^2^ | Yes |
| IP/DNS protocol leak protection | Full ^1^ | Depends ^5^ | Depends ^5^ | Full |
| Takes advantage of Entry Guards | Yes | No | Yes | Yes (?) |
| Operating System Updates | persist once updated | are lost after reboot | persist once updated | persist once updated (?) |
| Hides hardware serials from malicious software | Yes ^16^ | No ^17^ | No ^17^ | (?) |
| Collects hardware serials | No | No | No | No |
| Includes Tor Browser | Yes | No | Yes | No |
| Stream isolation to prevent identity correlation through circuit sharing | Yes | Yes ^13^ | See ^14^ ^15^ | Manually (?) |
| Stream isolates Tor Browser | No ^14^ | No ^14^ | No ^14^ | No ^14^ |
| Encryption | Should be applied on host. | Yes, for persistent USB. | Should be applied on host. | Should be applied on host. |
| Cold Boot Attack Protection ^8^ | No, planned. | Yes | No | No (?) |
| Secure Distributed Network Time Synchronization | Yes | Yes | No | No |
| Hides your time zone (set to UTC) | Yes | Yes | Yes | Yes |
| Hides your operating system account name | Yes, set to user. | Yes, set to amnesia. | No | Yes |
| Hides your MAC address from websites | Invalid ^19^ | Invalid ^19^ | Invalid ^19^ | Invalid ^19^ |
| Secures your MAC address from local LAN (sometimes ISP) ^20^ | No, planned, see ^21^ | No, planned. ^22^ | No | (?) |
| Hides your MAC address from applications | Yes ^24^ | No | No | (?) |
| Secure gpg.conf | Yes | Yes | Not an operating system. | No |
| Privacy enhanced IRC client configuration | Yes | Yes | Not an IRC client. | No |

^a^ Whonix has protection against IP/location discovery through root exploits (malware with root rights) inside Whonix-Workstation. But you really should not test it. In case Whonix-Workstation gets rooted, the adversary cannot find out the user’s real IP/location, because Whonix-Workstation can only connect through the Whonix-Gateway. How difficult is it to compromise Whonix? See Attack on Whonix and [Design]. More skill is required.
^1^ Such leaks are impossible ^a^ in Whonix, since the Whonix-Workstation is unaware of its external IP.
^2^ In case Tails or TBB gets rooted, the adversary can simply bypass the firewall and get the user’s real IP.
^5^ See the first example of Whonix security in the real world. When applications in Tails are configured wrong, due to a bug in Tails or the application, the IP can leak. Quoted from the Tails Security Page: “Until an audit of the bundled network applications is done, information leakages at the protocol level should be considered as − at the very least − possible.”
^7^ There are no special measures to limit what is written to disk. This includes (non-exclusive list) user-created files, backup files, temporary files, swap, chat history, browser history and so on. Whonix acts like an ordinary installed operating system. It also cannot be prevented that the host memory swaps to the host disk. There is a recommendation to use multiple VM snapshots, and it is recommended to apply Full Disk Encryption on the host.
^8^ See Cold boot attack.
^12^ Although it does not try to store to disk, swap can still leak.
^13^ Tails separates Tor streams.
^14^ Tor Browser should set the SOCKS username for a request based on the referer.
^15^ Tor Browser comes with its own Tor instance. It is just a browser, not a live system or operating system.
^16^ See Whonix’s Protocol-Leak-Protection and Fingerprinting-Protection for details.
^17^ By default these are of course not sent to anyone. This is only at risk in case the machine gets compromised by malware. See also: Are hardware serial numbers hidden in TAILS?
^18^ The Workstation is where the browser, IRC client and so on are running. The Gateway is where Tor and the firewall are running.
^19^ It is in the nature of MAC addresses that destination servers cannot see them. Therefore yes, always hidden from destination servers.
^20^ Most ISPs do not see the MAC addresses of their clients. Some ISPs are based on LANs; in that case they can see the MAC address. Hotspots can also see the MAC address.
^21^ Please read Whonix in public networks / MAC Address.
^22^ Tails Todo: macchanger
^23^ Placeholder.
^24^ The virtual MAC address of Whonix-Workstation and Whonix-Gateway ^25^ is shared among all Whonix users. If any (malicious) application spilled it ^26^, it would only be known that it came from a Whonix user.
^25^ The virtual MAC address of Whonix-Gateway’s internal network interface (eth1) is shared among all Whonix users, because Whonix-Workstation can see it. However, Whonix-Workstation cannot see the MAC address of Whonix-Gateway’s external network card (eth0).
^26^ Which they usually won’t do. Sometimes anti-cheat or copyright-protection tools do it.

Fingerprint

_ | Whonix | Tails | Tor Browser Bundle | Qubes OS TorVM
Network/Web Fingerprint | Whonix Fingerprint Page | Tails Fingerprint Page | TBB traffic is tunneled through Tor. Host traffic passes clearnet. | (no entry)
Network fingerprint: ISP can trivially guess project type ^27^ | No. | No. | No. | (?)
Network fingerprint: ISP can guess a non-persistent Tor directory is being used | No. | Yes, because not yet supporting persistent entry guards. | No. | (?)
Clearnet traffic | All Whonix-Gateway and Whonix-Workstation traffic is tunneled through Tor. Host traffic (operating system updates, possibly a host browser etc.) uses clearnet. | None, unless other users sharing the same internet connection are not using Tails. | TBB traffic is tunneled through Tor. Host traffic (operating system updates, possibly an untorified second browser etc.) uses clearnet. | Yes, Gateway is not torified.
Network fingerprint: ISP can guess which anonymity software is being used because of the ratio of Tor and clearnet traffic | Unknown. ^33^ | Can guess a Tor Live CD is being used, unless Unsafe Browser is in use or other people sharing the same internet connection are not using Tails. | ? | (?)
Network fingerprint: ISP can guess which anonymity software is being used because of tordate ^34^ | No, does not include tordate. | Yes, if clock is too much off when booting. ^34^ | No, not an operating system. | No, does not include tordate.
Web fingerprint ^28^ | Same as TBB. ^29^ | Tails specific. ^30^ | TBB. ^31^ | Does not include Tor Browser.


^27^ Find out if Whonix, Tails or TBB is running.
^28^ Fingerprint for the websites that you are visiting.
^29^ Uses the original Tor Browser from torproject.org, with the only difference that Tor runs on Whonix-Gateway instead of the locally shipped Tor.
^30^ See evaluate web fingerprint.
^31^ Is the original Tor Browser Bundle from torproject.org.
^32^ Live CD without persistent USB storage for the Tor data directory.
^33^ Whonix users might tend to have more traffic than TBB users, due to operating system updates of Whonix-Workstation and Whonix-Gateway through Tor. It is unknown whether this is specific enough to guess that a transparent or isolating proxy is being used, or whether enough other Tor users run large enough amounts of traffic through Tor. Research before Whonix was created showed that large amounts of filesharing traffic were run through Tor. Classical filesharing tends to have more upload than Whonix, but it is also unknown how many people disabled upload or moved to methods which do not involve much upload, such as file hosters.
^34^ Quoted from the Tails Design about Time syncing: “Our initial time guess based on the Tor consensus is probably easier to fingerprint, though: a fresh Tor is started, and restarted again right after the consensus has been downloaded.

Flash / Browser Plugin security

Note: Whonix developer adrelanos recommends against using Adobe Flash when anonymity is the goal, due to anonymity, privacy and security issues. As far as I know, the Tails and Tor developers recommend against it as well.

Flash Tracking Technique | Whonix-Workstation | Tor on host
Proxy bypass IP leak | Protected. | Insecure, leads to deanonymization.
Protocol IP leak | Protected. | Insecure, leads to deanonymization.
Flash Cookies | Reduce anonymity to pseudonymity. It is recommended to delete Flash Cookies. | Can link your clearnet Flash activity to your Flash activity over Tor, which leads to deanonymization (or at least a good guess) if the skew is big and rare. Also useful for fingerprinting, which is bad. ^1^
Number of installed fonts | The number of fonts inside Whonix-Workstation and in your clearnet/host operating system will differ, which is good. | The same fonts are reported for your clearnet and your Tor Flash activity, which is bad. ^1^
Exact Flash player version | Shared among all up-to-date Debian users; not very useful for fingerprinting. Probably different from your clearnet/host operating system, which is good. | The same version is reported for your clearnet and for your Flash activity over Tor, which is bad. ^1^
GNU/Linux kernel version | Shared among all up-to-date Debian users; not very useful for fingerprinting. | The same version is reported for your clearnet and for your Flash activity over Tor. ^1^
Language | Set to en_US for all Whonix users. | Your local language setting. Useful for fingerprinting and anonymity set reduction, which is bad. ^1^
Exact date and time | Differs from your clearnet/host operating system, which is good. (See Whonix's Secure And Distributed Time Synchronization Mechanism for details.) | The same time/clock skew is reported for your clearnet and your Tor Flash activity, which is bad. ^1^
Exact screen resolution and DPI | Shared among all Whonix users. (See Whonix's Protocol-Leak-Protection and Fingerprinting-Protection for details.) Even if you changed it, the screen resolution and DPI will differ from your clearnet/host operating system. | The same screen resolution and DPI are reported for your clearnet and Tor use, which is bad. ^1^
Full path to your Flash plugin | Shared among all Debian users. | Depends on your clearnet/host operating system. In the worst case it could contain your operating system user name, which is even worse if that is your real name. The same path to your Flash plugin is reported for your clearnet and Tor use, which is bad. ^1^
Anything else (you can check that yourself offsite on https://ip-check.info) | Assume reduction from anonymity to pseudonymity. | Even more possibilities for fingerprinting and linking, which is bad. ^1^
Conclusion | IP/location/identity will still be hidden inside Whonix-Workstation. Assume it to be pseudonymous rather than anonymous. | Flash over Tor (on the host, without something like Whonix) is totally unsafe. If you also ever use(d) Flash over clearnet, linkability is possible. Assume the Flash fingerprint to be so strong that your clearnet and your Tor Flash activity can be linked together, which leads to deanonymization.

^1^ Which is bad, because it could be used for fingerprinting, linking and also deanonymization (or at least a good guess) if the fingerprint is detailed enough.

For more information about Flash and Browser Plugins in Whonix, see also Browser Plugins.

Attacks

Circumventing Proxy Obedience Design

Knowledge assumed:

  • Comparison of different Whonix variants.
  • Unsafe Browser: Tails and Liberte Linux contain a so-called Unsafe Browser. The Unsafe Browser does not use Tor; it connects in the clear. It is useful for registering on hotspots or for viewing content in the clear, without Tor.
  • Exploit against physically isolated Whonix-Gateway: difficult against a bare-metal, physically isolated Whonix-Gateway, because Whonix-Workstation can only reach Tor running on Whonix-Gateway. Attack surface was minimized, hardening applied, etc. See the whole Security and Hardening page for details.
  • TBB stands for Tor Browser Bundle.
  • In the following table,
    • “fail” is defined as “IP/location of the user is compromised”.
    • “safe” is defined as “IP/location of the user is hidden behind Tor”.
  • The numbers (1) to (11) enumerate the various attacks, which are described in more detail below.

Whonix protects against IP/location discovery through root exploits (malware with root rights) on the Workstation^1^. This does not mean you should risk getting infected with malware. Do not! It would still make all data inside Whonix-Workstation available to the attacker. As said elsewhere, Whonix is not a perfect system; it cannot be. Whonix is not unbreakable. What Whonix does is raise the effort an attacker needs to find out the user's real IP address and thus de-anonymize the user. The following table visualizes the various defense layers provided by Whonix.


^1^ The Workstation is the place where the browser, IRC client and so on is running. The Gateway is the place where Tor and the firewall is running.

attack | Whonix Standard Download version host+vm+vm | Whonix Physical Isolation | Tails | Tails in a VM | TBB | TBB in a VM | Qubes OS TorVM
(1) Proxy Bypass IP leak | safe ^5^ | safe ^5^ | safe ^5^ | safe ^5^ | fail | fail | safe
(2) Protocol IP leak | safe ^4^ | safe ^4^ | fail | safe ^6^ | fail | safe ^6^ | safe
(3) exploit + Unsafe Browser | safe | safe | fail | fail | fail | fail | safe
(4) exploit + root exploit + Unsafe Browser | safe | safe | fail | fail | fail | fail | safe
(5) root exploit + Unsafe Browser | safe | safe | fail | fail | fail | fail | safe
(6) exploit + vm exploit + Unsafe Browser | fail | safe | fail | fail | fail | fail | fail
(7) exploit + vm exploit + exploit against physically isolated Whonix-Gateway | fail | fail | fail | fail | fail | fail | fail
(8) vm exploit | fail | safe | safe | fail | safe | fail | fail
(9) vm exploit + exploit against physically isolated Whonix-Gateway | fail | fail | safe | fail | safe | fail | fail
(10) exploit against Tor process | fail | fail | fail | fail | fail | fail | fail
(11) attack against the Tor network | fail | fail | fail | fail | fail | fail | fail

(1) An application does not honor proxy settings. Example: Tor Browser Bundle: Firefox security bug (proxy bypass).

(2) For example, application bugs that spill the user's real IP at the protocol level. See Whonix security in the real world for examples where Whonix circumvented them. Whonix circumvents them because Whonix-Workstation does not know the user's real IP address.

(3) Example: the user visits a website over Tor with a torified browser. The website uses a known or zero-day vulnerability to gain remote code execution on the user's machine, which is used to install malware. The vulnerability gives the adversary “only” user rights, not root. The adversary could remotely start the Unsafe Browser and thereby find out the user's real IP address. Whonix circumvents this attack because any application inside Whonix, including malware, can only connect through Tor.

(4) Example: the user visits a website over Tor with a torified browser. The website uses a known or zero-day vulnerability to gain remote code execution on the user's machine, which is used to install malware. The vulnerability gives the adversary “only” user rights, not root. The adversary then gains root by escalating privileges through a second vulnerability, which allows tampering with iptables rules, making non-Tor connections and so on. Whonix circumvents this attack because Whonix's firewall runs on another (virtual) machine: any application inside Whonix-Workstation, including malware with root rights, can still only connect through Tor.

(5) Example: the user visits a website over Tor with a torified browser. The website uses a known or zero-day vulnerability to gain remote code execution on the user's machine, which is used to install malware. The vulnerability gives the adversary root rights directly, which allows tampering with iptables rules, making non-Tor connections and so on. Whonix circumvents this attack because Whonix's firewall runs on another (virtual) machine: any application inside Whonix-Workstation, including malware with root rights, can still only connect through Tor.

(6) Example: the user visits a website over Tor with a torified browser. The website uses a known or zero-day vulnerability to gain remote code execution on the user's machine, which is used to install malware. A second exploit is used to break out of the virtual machine. The Whonix Standard Download version (host+vm+vm) is broken against this attack. Whonix Physical Isolation defeats it, because the host of Whonix-Workstation does not know its real IP address; only Whonix-Gateway, running on another physical machine, knows it.

(7) Same as attack (6), but the adversary uses an extra vulnerability to break into Whonix-Gateway. Whonix is broken against this attack.

(8) Example: the user visits a website over Tor with a torified browser. The website uses a known or zero-day vulnerability to gain remote code execution on the host. Whonix Standard Download version host+vm+vm: fail, same as attack (6). Physical Isolation defeats this attack, same as attack (6).

(9) Example: the user visits a website over Tor with a torified browser. The website uses a known or zero-day vulnerability to gain remote code execution on the host. The adversary uses an extra vulnerability to break into Whonix-Gateway. Whonix is broken against this attack.

(10) Example: the user visits a website over Tor with a torified browser. Tor processes the traffic. The adversary uses a vulnerability in Tor to gain remote code execution. The machine where Tor is running always ^2^ knows the user's real IP address. Whonix is broken against this attack.

(11) Example: an end-to-end correlation attack, but there are many more attacks that Tor is known to be broken against. Any successful attack against Tor on a Tor-based anonymity operating system will naturally deanonymize the user. ^2^ ^3^


^1^ Placeholder.
^2^ Unless you are using Multiple Gateways. (Optional Whonix feature in progress.)
^3^ Whonix defeats some attacks against Tor (and components such as Tor Browser), for example, see Whonix’s Secure And Distributed Time Synchronization Mechanism and Whonix’s Protocol-Leak-Protection and Fingerprinting-Protection and the rest of the Security and Hardening page.
^4^ Workstation does not know its own external IP address.
^5^ Prevented by firewall.
^6^ VM replaces the IP with an internal LAN IP, which is safe.

Knowledge assumed:

  • Tails Design: Time synching
  • Whonix Design: TimeSync
  • In the following table,
    • “(VM host) update/crypto block” is defined as: can prevent (VM host) operating system updates and cryptographic verification, such as SSL verification in the (VM host) browser.
    • “u/c-block” is short for update/crypto block.
    • “Tor blocked” is defined as: can prevent connections to the Tor network until the clock gets manually fixed.
    • “big clock skew” is defined as: more than 1 hour in the past or more than 3 hours in the future. ^13^
    • “small clock skew” is defined as: less than 1 hour in the past or less than 3 hours in the future. ^13^
_ | Whonix Standard Download version host+vm+vm | Whonix Physical Isolation | Tails | Tails in a VM | TBB | TBB in a VM | Qubes OS TorVM
Info: VM host time synchronization mechanism | NTP | Gateway: there is no VM host; Workstation host: NTP | There is no VM host. Same as operating system synchronization mechanism. | NTP | There is no VM host. | NTP | NTP
Info: operating system synchronization mechanism | tails_htp | tails_htp | tordate and tails_htp | tordate and tails_htp | NTP | NTP | (?)
If clock is too much off | Tor blocked | Tor blocked | tordate will fix it. | tordate will fix it. | Tor blocked | Tor blocked | Tor blocked
VM host time differs from operating system time | Yes. ^2^ | Yes. ^2^ | There is no VM host. | Yes. ^11^ | No. ^5^ | Maybe. ^6^ | No
Unsafe browser time differs from torified browser time ^1^ | Yes. ^2^ | Yes. ^3^ | No. ^10^ | No. ^10^ | No. ^5^ | Maybe. ^6^ | No
Big clock skew attack against NTP ^8^: VM host effects | u/c-block | VM host u/c-block | There is no VM host. | VM host u/c-block | There is no VM host. | VM host u/c-block | u/c-block
Big clock skew attack against NTP ^8^: operating system effects | Tor blocked | Tor blocked | ^7^; tordate will fix it. | ^7^; tordate will fix it. | Tor blocked; u/c-block | Tor blocked; u/c-block | Tor blocked
Fingerprintable reaction ^12^ when a big clock skew attack was used | No, fails the same way TBB fails. | No, fails the same way TBB fails. | Probably yes, see Fingerprint section above. | Probably yes, see Fingerprint section above. | TBB | TBB | No
Small clock skew attack against NTP ^8^: VM host effects | VM host u/c-block | VM host u/c-block | There is no VM host. | VM host u/c-block | VM host u/c-block | VM host u/c-block | VM host u/c-block
Small clock skew attack against NTP ^8^: operating system effects | Whonix VMs: tails_htp will fix it. | tails_htp will fix it. | VM: tails_htp will fix it. | tails_htp will fix it. | If the user visits a page which is under observation by the adversary, the adversary knows who is connecting. ^9^ | If the user visits a page which is under observation by the adversary, the adversary knows who is connecting. ^9^ | If the user visits a page which is under observation by the adversary, the adversary knows who is connecting. ^9^


^1^ This is important because otherwise non-anonymous activity could be linked to anonymous activity if the clock skew is too big and/or too unique.
^2^ Because the unsafe browser runs on the VM host (NTP) and the torified browser runs inside Whonix-Workstation (tails_htp).
^3^ Whonix-Workstation (tails_htp) and Whonix-Gateway (separate tails_htp) times differ.
^4^ VM host time gets synchronized with NTP and VM time gets synchronized with tails_htp.
^5^ The untorified host browser uses the same clock as TBB.
^6^ Host and VM clock both get synchronized with NTP, but it could still make a difference, because they are synchronized independently.
^7^ Assuming an installed regular operating system using NTP was used earlier and the adversary introduced a clock skew.
^8^ Introduced by an ISP-level adversary.
^9^ Due to unique clock skew.
^10^ Unsafe browser and torified browser share the same clock (tails_htp).
^11^ VM host time gets synchronized with NTP and operating system time gets synchronized with tails_htp.
^12^ Such as running tordate.
^13^ source of information
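The table above turns on two things: how each system learns the time (NTP on the host, HTTP timestamps via tails_htp inside the torified system) and whether the resulting skew is "big" or "small" in the sense of ^13^. As an added illustration, not code from Tails or Whonix, the Python below shows the core of an HTTP-timestamp check: it takes the Date headers several web servers returned, uses their median as the remote time estimate (so one wrong or lying server cannot drag it), computes the local clock skew and classifies it with the big/small limits defined above. The header values, the local clock readings and all function names are constructed for this example.

```python
"""HTTP-timestamp clock-skew check (tails_htp-style), added example only."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from statistics import median

# Limits from the definitions above (^13^): a local clock more than 1 h behind
# or more than 3 h ahead of real time is a "big" skew; inside that window it is "small".
MAX_BEHIND = timedelta(hours=1)
MAX_AHEAD = timedelta(hours=3)


def parse_http_date(value):
    """RFC 7231 Date header ("Tue, 27 Nov 2012 16:32:05 GMT") -> aware UTC datetime."""
    dt = parsedate_to_datetime(value)
    if dt.tzinfo is None:          # a "-0000" zone parses as naive; it is UTC by definition
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def estimate_remote_time(date_headers):
    """Median of the servers' Date headers; a single outlier cannot move the median far."""
    stamps = [parse_http_date(h).timestamp() for h in date_headers]
    if len(stamps) < 3:
        raise ValueError("need at least three independent servers for a robust estimate")
    return datetime.fromtimestamp(median(stamps), tz=timezone.utc)


def clock_skew(local_now, date_headers):
    """Local clock minus remote estimate: negative means the local clock is behind."""
    return local_now - estimate_remote_time(date_headers)


def classify_skew(skew):
    """'big' if Tor would reject the consensus (more than 1 h behind / 3 h ahead), else 'small'."""
    if skew < -MAX_BEHIND or skew > MAX_AHEAD:
        return "big"
    return "small"


def skew_report(local_iso_utc, date_headers=None):
    """Convenience wrapper: local time as ISO-8601 UTC string -> {'skew_seconds', 'class'}."""
    local = datetime.fromisoformat(local_iso_utc).replace(tzinfo=timezone.utc)
    skew = clock_skew(local, date_headers or SAMPLE_DATE_HEADERS)
    return {"skew_seconds": int(skew.total_seconds()), "class": classify_skew(skew)}


# Constructed sample: Date headers as five servers might return them. The fourth
# server's clock is hours off; the median ignores it.
SAMPLE_DATE_HEADERS = [
    "Tue, 27 Nov 2012 16:32:05 GMT",
    "Tue, 27 Nov 2012 16:32:07 GMT",
    "Tue, 27 Nov 2012 16:31:58 GMT",
    "Tue, 27 Nov 2012 19:40:00 GMT",
    "Tue, 27 Nov 2012 16:32:01 GMT",
]

if __name__ == "__main__":
    for local in ("2012-11-27T16:32:10", "2012-11-27T15:00:00", "2012-11-27T20:00:00"):
        print(local, skew_report(local))
```

The asymmetry of the limits is deliberate and matches the definitions: Tor tolerates a clock that runs ahead further than one that runs behind. Note what this check does and does not buy you: a torified system that sets its clock from timestamps fetched over Tor ends up with a clock that differs from the host's NTP-set clock, which is exactly the "VM host time differs from operating system time" row, and that difference is what keeps clearnet and Tor activity from sharing one unique skew.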

Usability

_ | Whonix | Tails | Tor on the host | Qubes OS TorVM
Difficulty to install additional software while IP remains hidden ^1^ | easy ^2^ | medium ^3^ | hard ^4^ | easy
Difficulty to initially install the anonymity software | medium ^5^ | easy | easy | easy (?)
Required knowledge to prevent the user shooting themselves in the foot ^7^ | hard | hard | hard | hard
Pre-installed applications | Not many. ^6^ | Nice selection. | None. | Not many. (?)
Host clock too much off | No connection to the Tor network until the clock gets manually fixed. | Uses tordate to fix it. | No connection to the Tor network until the clock gets manually fixed. | No connection to the Tor network until the clock gets manually fixed.


^1^ To do it safely.
^2^ Easy: in Whonix one could even install a Tor-unsafe BitTorrent client. In the worst case it would be pseudonymous (IP still hidden) rather than anonymous.
^3^ Medium: Tails has a firewall to block non-Tor traffic, but an audit at the protocol level is still required. Quoted from the Tails Security Page: “Until an audit of the bundled network applications is done, information leakages at the protocol level should be considered as − at the very least − possible.”
^4^ Hard: it is left to the user to prevent non-Tor traffic, DNS leaks and protocol-level leaks.
^5^ Text, screenshot or video instructions available.
^6^ This and the whole documentation will be improved in the next Whonix version.
^7^ Examples of what not to do: DoNot.

Many other differences

Please also read Why don’t you merge with Tails and join efforts?.

Conclusion

Conclusion: different threat model, different implementation, different use cases, although some overlap. Different political and design decisions.

from here

#China stops #VPNs we #stopcensure

 

Notice: VPNs Are Not for Fun

These two notices, posted to Google+ last week, inform employees at a business center in the capital of new measures to ensure that virtual private networks (VPNs) are used for work purposes only. VPNs allow users to connect to the Internet outside of China’s Great Firewall. Without access to the free Internet, it would be near impossible for most international organizations to do business in China. But because they have “abused their privilege,” these employees will now have to let technical staff know whenever they need access.

Warning

Recently, it has been discovered that at night in some rooms, staff have been privately logging on to prohibited websites (Facebook, Twitter, MySpace, etc.). Upon discovering such activity, the violator’s Internet access will be directly cut off and the police will be notified. In cooperation with police policy of Internet access through real-name registration, starting today, we will begin the trial implementation of PPPoE* real-name registration for Internet access.

Zhi Jia Rui He Business Center
Jinan City Internet Monitoring Team
2012-11-19

* PPPoE: Point-to-Point Protocol over Ethernet

Warning

In order to eliminate access to prohibited websites through use of software by internal staff, starting today, the function will now be disabled. For those who must use a to access the Internet, after preparing your file, go to D1 (88885681) and ask a technician to help set up your connection.

Jinan Zhi Jia Rui He Business Center
Jinan City Internet Monitoring Team
2012-11-19

Read more about the travails of VPNs, Google, and the free Internet in China from CDT.

Via CDT Chinese. Translation by Little Bluegill.

November 27, 2012 11:32 AM
from here

 

VPNs & Proxies

VPNs and proxies can be used as tools to get around the Great Firewall of China. This means that by using these tools one can access any website when in China, regardless of whether it’s blocked or not. Naturally, many of these tools are themselves blocked. Here’s an overview of some major VPN and proxies and whether they’re accessible in China. If the main website of the tool is blocked, it may be difficult to sign up for the service. However, the service itself may still be working.


URL | Tested Since | Alexa Traffic Rank (Global) | Blocked* | Restricted**
https://code.google.com/p/goagent Dec 17, 2012 1 0% 0%
https://itunes.apple.com/app/opendoor/id5438080… Dec 17, 2012 50 0% 0%
https://s3.amazonaws.com/0ubz-2q11-gi9y/en.html Dec 15, 2012 146 0% 0%
https://1.hidemyass.com Jan 10, 2013 855 0% 0%
https://hidemyass.com Jan 19, 2013 863 0% 0%
www.hidemyass.com Mar 19, 2011 863 100% 0%
hotspotshield.com Feb 26, 2011 7 302 100% 0%
https://www.torproject.org Mar 27, 2011 13 194 100% 0%
www.torproject.org Feb 25, 2011 14 804 100% 0%
cyberghostvpn.com Jul 22, 2011 35 080 100% 0%
https://btguard.com Dec 15, 2012 35 477 0% 0%
https://www.ipredator.se Jul 21, 2012 35 582 100% 0%
https://cyberghostvpn.com Mar 23, 2011 39 998 100% 0%
www.dongtaiwang.com/loc/download.php Dec 15, 2012 40 758 100% 0%
https://www.strongvpn.com Dec 15, 2012 43 793 100% 0%
www.strongvpn.com Mar 10, 2011 44 169 100% 0%
https://www.purevpn.com Mar 25, 2012 77 395 0% 0%
www.purevpn.com Mar 22, 2011 77 395 100% 0%
https://www.goldenfrog.com Mar 23, 2011 78 748 0% 0%
https://www.privateinternetaccess.com Dec 15, 2012 90 085 100% 0%
https://www.overplay.net Mar 23, 2011 108 830 100% 0%
https://ultrasurf.us Dec 17, 2012 109 571 0% 0%
www.overplay.net Aug 02, 2011 112 771 100% 0%
https://torrentprivacy.com Dec 15, 2012 119 231 0% 0%
https://www.tunnelbear.com Mar 10, 2013 137 816 100% 0%
https://www.kepard.com Mar 10, 2013 137 849 100% 0%
https://www.astrill.com Mar 23, 2011 137 870 0% 0%
www.astrill.com Apr 05, 2011 145 402 0% 0%
www.ibvpn.com Mar 10, 2011 149 866 100% 0%
www.hideipvpn.com Mar 04, 2011 157 695 100% 0%
www.witopia.net Mar 12, 2011 181 283 100% 0%
https://www.witopia.net Mar 25, 2012 203 843 0% 0%
https://www.ipvanish.com Dec 15, 2012 205 797 0% 0%
www.ffvpn.com Aug 30, 2012 228 417 0% 0%
www.vpnoneclick.com Dec 17, 2012 230 318 100% 0%
www.vpn4all.com Mar 04, 2011 234 651 100% 0%
https://www.grjsq.biz Dec 26, 2012 244 718 0% 0%
https://www.vpnreactor.com Dec 15, 2012 249 779 0% 0%
www.expressvpn.com May 23, 2011 288 613 100% 0%
www.puffinbrowser.com Apr 19, 2012 310 032 100% 0%
https://vpnreactor.com Mar 10, 2011 315 839 100% 0%
https://airvpn.org Mar 23, 2011 321 963 100% 0%
https://www.vpntunnel.com Dec 15, 2012 337 021 0% 0%
https://faceless.me Dec 15, 2012 338 542 100% 0%
www.itshidden.eu Dec 15, 2012 492 033 0% 0%
torvpn.com Mar 08, 2011 562 130 100% 0%
www.vpnvip.com May 19, 2011 639 311 100% 0%
https://mullvad.net Dec 15, 2012 661 566 100% 0%
https://www.vpnvip.com Dec 17, 2012 702 242 100% 0%
www.vpncloud.me Dec 19, 2012 714 047 0% 0%
https://www.privatvpn.se Dec 15, 2012 790 987 0% 0%
https://www.torservers.net Mar 23, 2011 802 574 0% 0%
https://www.blackvpn.com Dec 15, 2012 802 724 100% 0%
https://puffstore.com Dec 15, 2012 0% 0%
thefreevpn.com Mar 25, 2011 100% 0%
www.swissvpn.net Mar 19, 2011 100% 0%
psiphon.ca May 04, 2011 0% 0%
psiphon3.com Nov 08, 2012 0% 0%
www.vpnfire.com Dec 17, 2012 100% 0%
https://privacy.io Dec 15, 2012 0% 0%
www.ultrareach.com Feb 18, 2011 0% 0%
https://killwall.com Dec 19, 2012 0% 0%
https://ivacy.com Dec 15, 2012 0% 0%
www.yourprivatevpn.com Feb 14, 2012 100% 0%
* Blocked, in the last 30 days. ** Otherwise restricted, in the last 30 days. More info.
from here

 

Use our tools to bypass the censure

Great Firewall of China

 

 

Online Censorship In China

GreatFire.org brings transparency to the Great Firewall of China. We have monitored blocked websites and keywords since 2011.

Latest Stats

Monitoring 969 Alexa Top 1000 Domains: 41 are blocked in China
Monitoring 17265 Domains: 1762 are blocked in China
Monitoring 7746 Google Searches: 1657 are blocked in China
Monitoring 371 Google Sites: 27 are blocked in China
Monitoring 1180 HTTPS: 218 are blocked in China
Monitoring 364 IP Addresses: 54 are blocked in China
Monitoring 60966 URLs: 8757 are blocked in China
Monitoring 13213 Weibo Searches: 1747 are blocked in China
Monitoring 433 Wikipedia Pages: 233 are blocked in China

from here

Use our tools to bypass the censure

Tor obfsproxy

 


 

 

Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet.

 


obfsproxy is a tool that attempts to circumvent censorship, by transforming the Tor traffic between the client and the bridge. This way, censors, who usually monitor traffic between the client and the bridge, will see innocent-looking transformed traffic instead of the actual Tor traffic.

 


obfsproxy supports multiple protocols, called pluggable transports, which specify how the traffic is transformed. For example, there might be a HTTP transport which transforms Tor traffic to look like regular HTTP traffic.

Even though obfsproxy is a separate application, completely independent from tor, it speaks to tor using an internal protocol to minimize necessary end-user configuration.

Please open a ticket on our bug tracker for any bugs you find or features you would like to see added in future releases.

Looking for obfsproxy bridges?

You can use BridgeDB to get obfsproxy bridges.

Example:

Here are your bridge relays:

  bridge obfs2 96.47.67.233:12984  
  bridge obfs2 54.247.0.43:52176

Bridge relays (or “bridges” for short) are Tor relays that aren’t listed in the main directory. Since there is no complete public list of them, even if your ISP is filtering connections to all the known Tor relays, they probably won’t be able to block all the bridges.

To use the above lines, go to Vidalia’s Network settings page, and click “My ISP blocks connections to the Tor network”. Then add each bridge address one at a time.

Configuring more than one bridge address will make your Tor connection more stable, in case some of the bridges become unreachable.

Another way to find public bridge addresses is to send mail to bridges@torproject.org with the line “get bridges” by itself in the body of the mail. However, so that we can make it harder for an attacker to learn lots of bridge addresses, you must send this request from an email address at one of the following domains:

  • gmail.com
  • yahoo.com

Looking for IPv6 bridges?


Note for experts: if you can use IPv6, try upgrading to Tor 0.2.3.12 or newer and use these bridge lines:

  bridge [2001:948:7:2::163]:6001
  bridge [2600:3c01::f03c:91ff:fe93:d525]:9001
  bridge [2600:3c01::f03c:91ff:fe93:b8ee]:443

Let us know how it goes!

Download Obfsproxy Tor Browser Bundle

We’ve made an experimental package that currently works in all censored countries with no config changes.

Windows Obfsproxy Tor Browser Bundle (signature).

OSX (10.6 & 10.7) Obfsproxy Tor Browser Bundle (signature).

Linux 32-bit Obfsproxy Tor Browser Bundle (signature).

Linux 64-bit Obfsproxy Tor Browser Bundle (signature).

Installation Instructions

To set up an obfsproxy bridge, or to build it from source, see the separate Obfsproxy Installation Instructions page.

Obfsproxy Instructions


Hey! Are you looking for the guide on how to set up an obfuscated bridge on a Debian system? Check this out.

Step 1: Install dependencies, obfsproxy, and Tor

You will need a C compiler (gcc), the autoconf and autotools build system, the git revision control system, pkg-config and libtool, libevent-2 and its headers, and the development headers of OpenSSL.

On Debian testing or Ubuntu oneiric, you could do:
# apt-get install autoconf autotools-dev gcc git pkg-config libtool libevent-2.0-5 libevent-dev libevent-openssl-2.0-5 libssl-dev

If you’re on a more stable Linux, you can either try our experimental backport libevent2 debs or build libevent2 from source.

Clone obfsproxy from its git repository:
$ git clone https://git.torproject.org/obfsproxy.git
The above command should create and populate a directory named ‘obfsproxy’ in your current directory.

Compile obfsproxy:
$ cd obfsproxy
$ ./autogen.sh && ./configure && make

Optionally, as root install obfsproxy in your system:
# make install

If you prefer not to install obfsproxy as root, you can instead just modify the Transport lines in your torrc file (explained below) to point to your obfsproxy binary.

You will need Tor 0.2.3.11-alpha or later.


Step 2a: If you’re the client…

First, you need to learn the address of a bridge that supports obfsproxy. If you don't know any, try asking a friend to set one up for you. Then add the appropriate lines to your tor configuration file:

UseBridges 1
Bridge obfs2 128.31.0.34:1051
ClientTransportPlugin obfs2 exec /usr/local/bin/obfsproxy --managed

Don’t forget to replace 128.31.0.34:1051 with the IP address and port that the bridge’s obfsproxy is listening on.

Congratulations! Your traffic should now be obfuscated by obfsproxy. You are done! You can now start using Tor.


Step 2b: If you’re the bridge…

Configure your Tor to be a bridge (e.g. by setting “ORPort 9001” and “BridgeRelay 1”). Then add this new line to your tor configuration file:

ServerTransportPlugin obfs2 exec /usr/local/bin/obfsproxy --managed

Launch Tor using this configuration file. You can do this by using your favorite init script, or by pointing the Tor binary at the torrc file with tor -f /path/to/torrc.

Next, find the TCP port opened by obfsproxy. Look in your Tor log file for the line in which Tor reports the server transport that obfsproxy registered and the address it listens on. The last number of that address, in this case 34545, is the TCP port number that your clients should point their obfsproxy to.

Congratulations! Tell your clients to point their obfsproxy to your IP address and to port 34545.
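The BridgeDB listing above ("bridge obfs2 96.47.67.233:12984"), the IPv6 bridge lines and the client torrc of Step 2a carry the same information in three shapes, and Step 2b ends with reading a port out of Tor's log. As an added example, not Tor Project code, the Python below converts BridgeDB output into exactly the torrc lines Step 2a asks for (UseBridges, one ClientTransportPlugin per transport, one Bridge line per relay), handling bare IPv4, bracketed IPv6 and the optional transport name, and rejecting malformed lines instead of silently writing a bad torrc. A second function pulls the registered obfsproxy port out of a Tor log for the bridge operator. The obfsproxy path, the exact wording of the log line and the sample inputs are assumptions made for this example.

```python
"""BridgeDB output -> torrc lines, and obfsproxy port from a Tor log. Added example only."""
import ipaddress
import re

# A BridgeDB line looks like "bridge [transport] host:port [extra args]".
# IPv6 hosts arrive in square brackets, IPv4 hosts bare.
_BRIDGE_RE = re.compile(
    r"""^\s*bridge\s+
        (?:(?P<transport>[A-Za-z][A-Za-z0-9_]*)\s+)?              # optional pluggable transport
        (?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<v4>\d{1,3}(?:\.\d{1,3}){3}))
        :(?P<port>\d{1,5})
        (?P<rest>.*)$""",
    re.VERBOSE,
)


def parse_bridge_line(line):
    """Return {'transport', 'addr', 'rest'} for one BridgeDB line, or raise ValueError."""
    m = _BRIDGE_RE.match(line)
    if not m:
        raise ValueError(f"not a bridge line: {line!r}")
    ip = ipaddress.ip_address(m.group("v6") or m.group("v4"))   # rejects e.g. 999.1.1.1
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port in bridge line: {line!r}")
    addr = f"[{ip}]:{port}" if ip.version == 6 else f"{ip}:{port}"
    transport = m.group("transport")
    return {
        "transport": transport.lower() if transport else None,
        "addr": addr,
        "rest": m.group("rest").strip(),      # e.g. a fingerprint, passed through untouched
    }


def is_valid_bridge_line(line):
    try:
        parse_bridge_line(line)
        return True
    except ValueError:
        return False


def torrc_from_bridgedb(bridgedb_text, obfsproxy_path="/usr/local/bin/obfsproxy"):
    """Build the client torrc fragment: UseBridges, ClientTransportPlugin per transport, Bridge lines."""
    bridges = [parse_bridge_line(l) for l in bridgedb_text.splitlines()
               if l.strip().lower().startswith("bridge ")]
    if not bridges:
        raise ValueError("no bridge lines found")
    lines = ["UseBridges 1"]
    for transport in sorted({b["transport"] for b in bridges if b["transport"]}):
        lines.append(f"ClientTransportPlugin {transport} exec {obfsproxy_path} --managed")
    for b in bridges:
        parts = ["Bridge"] + ([b["transport"]] if b["transport"] else []) + [b["addr"]]
        if b["rest"]:
            parts.append(b["rest"])
        lines.append(" ".join(parts))
    return "\n".join(lines) + "\n"


# Bridge side: obfsproxy --managed reports its listener to Tor, which logs it.
# The wording below is assumed for this example; the page showed the line only as an image.
_REGISTERED_RE = re.compile(
    r"Registered server transport '(?P<transport>[^']+)' at '(?P<addr>[^']+)'")


def transport_ports_from_log(log_text):
    """Map transport name -> TCP port that clients must point their obfsproxy to."""
    ports = {}
    for m in _REGISTERED_RE.finditer(log_text):
        _host, _sep, port = m.group("addr").rpartition(":")
        ports[m.group("transport")] = int(port)
    return ports


# Constructed sample inputs (addresses taken from the bridge lines quoted on this page).
SAMPLE_BRIDGEDB_OUTPUT = """Here are your bridge relays:

  bridge obfs2 96.47.67.233:12984
  bridge obfs2 54.247.0.43:52176
  bridge [2001:948:7:2::163]:6001
"""

SAMPLE_BRIDGE_LOG = """\
Nov 27 11:32:05.000 [notice] Opening OR listener on 0.0.0.0:9001
Nov 27 11:32:06.000 [notice] Registered server transport 'obfs2' at '0.0.0.0:34545'
"""

if __name__ == "__main__":
    print(torrc_from_bridgedb(SAMPLE_BRIDGEDB_OUTPUT))
    print(transport_ports_from_log(SAMPLE_BRIDGE_LOG))
```

Append the generated fragment to the client's torrc; the same bridge lines can instead be pasted one at a time into Vidalia's Network settings as described above. Keeping several bridges in the output is what makes the connection survive one bridge going away. The validation matters more than it looks: a mistyped bridge line that Tor cannot parse is a configuration error, but a line that parses to the wrong host simply connects somewhere else.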

from here