16 replies to this topic

[Swerve]

Just wondering if anyone had any thoughts on which instant messenger is best to stop people getting your IP?

Trying to avoid the netstat -b which shows the IP of whom I'm talking with.

Any recommendations?

Merci beaucoup

[jeremy_]

Torchat's gotcha covered. http://code.google.com/p/torchat/

Also, look at the Tor Browser Instant Messaging Bundle for use with traditional IM networks. http://www.torprojec...ownload.html.en

Edited by jeremy_, 17 February 2011 - 03:20 PM.

[sickreizin]

Also keep in mind that Torchat, as of around six months ago was unmaintained and the person who wrote the code went AWOL. Could be that this is full of holes and there doesn't seem to be any peer review on it, as opposed to the Tor IM Bundle.

[5imp7y]

I used to use a program called trillion... dont know bout its security but why hide your IP? isnt that like the numbers on your mailbox?

[nyphonejacks]

I used to use a program called trillion... dont know bout its security but why hide your IP? isnt that like the numbers on your mailbox?

which is why some people use PO boxes... not everyone wants to be open to the world, or for the spooks in room 641A to intercept their communications..

[army_of_one]

Just wondering if anyone had any thoughts on which instant messenger is best to stop people getting your IP?

Trying to avoid the netstat -b which shows the IP of whom I'm talking with.

Any recommendations?

Merci beaucoup

I think I might be able to come up with a custom solution, but I'd be paranoid about existing clients. The reason is they weren't designed with anonymity in mind. Everything from the application layer code to the protocols themselves leak information in various ways. Security engineers call all of these covert channels and traditional software and OS's have tons of them. So, I'd say custom approach is the best until doing an exhaustive analysis of some existing approach. I'd take an established, trustworthy anonymous network scheme and layer a messaging system on top of it that leaks as little as possible.

On that note, Freenet is the best route for the transport layer. You would have to give up the "instant" part. Besides, the less latency there is during the session, the more traceable it is. Almost all good anonymity schemes that you can use from home increase latency and delays during the course of their operation. Tor or I2P could conceivably do something like "instant." This has two problems: Tor is getting more attacks every year; I2P is lacking a formal review by knowledgeable security guru's. So, you have Freenet or some custom protocol to work with. Freenet has an excellent design and I haven't hear of anyone being traced by beating its security in friend-to-friend mode. So, a Freenet messaging system whereby two parties continually update a file or forum with GPG signed messages would be ideal, but slower than you want. If you are willing to take on more risk, you could use I2P messenger. It's obscurity might prevent snoops from exploiting and tracing you, but obscurity is only so trustworthy. Avoid anything over Tor.

- Nick P,
schneier.com

[Afterm4th]

my two pennies:

msn wont reveal your IP address to the person you are chatting with unless you transfer a file.

That + pidgin for encryption works pretty good for privacy

[sickreizin]

"Tor is getting more attacks every year; I2P is lacking a formal review by knowledgeable security guru's. So, you have Freenet or some custom protocol to work with."

More FUD about Tor, where is all this coming from? You could say the same thing about Firefox. People finding holes is good, it means the system is being made more secure. There's a lot of active security developers looking at the code, the design etc of Tor and the same can't be said for Freenet or especially I2P. This doesn't mean Tor is better, just that it's not any less trustable than anything else because security flaws were found it. Of those found, almost all of them have been fixed. A few remain, which Tor reminds you of when you download it and requires a very sophisticated adversaries to successfully pull off.

[army_of_one]

"Tor is getting more attacks every year; I2P is lacking a formal review by knowledgeable security guru's. So, you have Freenet or some custom protocol to work with."

More FUD about Tor, where is all this coming from? You could say the same thing about Firefox. People finding holes is good, it means the system is being made more secure. There's a lot of active security developers looking at the code, the design etc of Tor and the same can't be said for Freenet or especially I2P. This doesn't mean Tor is better, just that it's not any less trustable than anything else because security flaws were found it. Of those found, almost all of them have been fixed. A few remain, which Tor reminds you of when you download it and requires a very sophisticated adversaries to successfully pull off.

The term FUD is usually reserved for claims that have no basis in fact and are purely fearmongering. My warnings are based on protocol analysis and attacks on Tor and similar networks that have been steadily published by security researchers for years, including the recent grab of over ten thousand IP addresses of Tor users. How is FUD again?

"people finding holes is good, it means the system is being made more secure"

Yeah, it's good if the system isn't in use by people who depend on the anonymity. We're not talking about software for keeping viruses from corrupting your system, whereby you can just restore from backup if it fails. We're talking about a scheme designed for many high stakes situations where well-funded, sophisticated attackers might trace the person trying to stay hidden. The results can be costly or fatal. Systems/protocols like this must be good enough from the get go without serious flaws. Such systems are called "high assurance" systems. There are higher assurance anonymity schemes and they are preferrable over solely depending on Tor.

"This doesn't mean Tor is better, just that it's not any less trustable than anything else because security flaws were found it."

That's false in this case. People often use Tor to hide their identity for a reason and one leak is all it takes to make them regret it. Tor's security issues provided a steady stream of opportunities for this to happen. Tor was (and is) flawed by DESIGN, while schemes like Freenet have a superior design. A good security scheme is architected with good design, implementation, and usage patterns. In Tor, we have a flawed design, a run-of-the-mill implementation, and it's hard to use apps in a secure manner with no leaks.

"A few [security issues] remain, which Tor reminds you of when you download it and requires a very sophisticated adversaries to successfully pull off. "

Why use a method with known, "remaining" security issues when alternatives without any known security issues exist? And with that said, I think I'm more than justified in warning people not to use Tor if they *really* need the anonymity. I'm just surprised your happily using a protocol that you know is flawed instead of a scheme w/out any known flaws.

One sensible reason is that you have little of importance to hide and you're willing to trade a certain amount of security for convenience. Many individuals needing a Tor-like solution can't make that tradeoff. I wrote my original post with them in mind, as I don't know what Swerve intends to hide.

[serrath]

IM's actually something I haven't looked at at all. Aren't most IM sessions negotiated through a server so that the users aren't directly sending each other any sort of information? How is endpoint IP information leaked through instant messaging?

(I'm really looking for some kind of documentation on this sort of thing instead of a user explanation.)

[army_of_one]

IM's actually something I haven't looked at at all. Aren't most IM sessions negotiated through a server so that the users aren't directly sending each other any sort of information? How is endpoint IP information leaked through instant messaging?

(I'm really looking for some kind of documentation on this sort of thing instead of a user explanation.)

It depends on the protocol. The purpose of IP is to ensure delivery of packets, but it can also be used at application layer for other purposes. If the application layer's unencrypted data contains this information, then it leaks identifying information. BitTorrent is an example of a protocol that wasn't really designed for anonymity. Many people started using BT clients over Tor, thinking Tor would anonymize the data. The way that the protocol leaks identifying info led to the source IP identification of at least ten thousand users, maybe more. The application and protocol mustn't leak identifying information or they can become the weakest link in the strongest anonymity scheme. If you're wanting to understand these things, start by Googling that paper. You might also want to look into academic papers on attacks on anonymity schemes.

[dinscurge]

yeah most any ive cared to look at, dont show ip, if at all just when you transfer bigger files which obviously you just dont accept . as its just ip, a proxy should be good enough.. if you want more secure communication as in the actual text, you can always ssh into a box and use write or something..

army_of_one, thoe you have valid points, id say 5imply also had some, just because they dont have any known bugs/leaks/w.e. doesnt mean they are better, it doesnt mean anything, "the absence of evidence isn't evidence of absence" atleast with tor you know/have proof they are working towards fixing the bugs, even forking firefox to help increase the speed of which said bugs could be fixed, the others just havent had any yet, maybe they will take forever to fix them, or maybe they wont at all, or maybe they will do it faster, we cant tell that right now, with tor theres atleast a track record so to speak.. they do look pretty interesting thoe .

[serrath]

IM's actually something I haven't looked at at all. Aren't most IM sessions negotiated through a server so that the users aren't directly sending each other any sort of information? How is endpoint IP information leaked through instant messaging?

(I'm really looking for some kind of documentation on this sort of thing instead of a user explanation.)

It depends on the protocol. The purpose of IP is to ensure delivery of packets, but it can also be used at application layer for other purposes. If the application layer's unencrypted data contains this information, then it leaks identifying information. BitTorrent is an example of a protocol that wasn't really designed for anonymity. Many people started using BT clients over Tor, thinking Tor would anonymize the data. The way that the protocol leaks identifying info led to the source IP identification of at least ten thousand users, maybe more. The application and protocol mustn't leak identifying information or they can become the weakest link in the strongest anonymity scheme. If you're wanting to understand these things, start by Googling that paper. You might also want to look into academic papers on attacks on anonymity schemes.

Start by Google-ing which paper?

[sniper606]

Pidgin has an off the record messaging plugin that me and some friends use when we need to talk about sensitive things.

[army_of_one]

IM's actually something I haven't looked at at all. Aren't most IM sessions negotiated through a server so that the users aren't directly sending each other any sort of information? How is endpoint IP information leaked through instant messaging?

(I'm really looking for some kind of documentation on this sort of thing instead of a user explanation.)

It depends on the protocol. The purpose of IP is to ensure delivery of packets, but it can also be used at application layer for other purposes. If the application layer's unencrypted data contains this information, then it leaks identifying information. BitTorrent is an example of a protocol that wasn't really designed for anonymity. Many people started using BT clients over Tor, thinking Tor would anonymize the data. The way that the protocol leaks identifying info led to the source IP identification of at least ten thousand users, maybe more. The application and protocol mustn't leak identifying information or they can become the weakest link in the strongest anonymity scheme. If you're wanting to understand these things, start by Googling that paper. You might also want to look into academic papers on attacks on anonymity schemes.

Start by Google-ing which paper?

This was the BitTorrent attack: http://arstechnica.c...tor-network.ars

The attack exploited a compromise in the operation of the protocol over Tor. The protocol was impossibly slow if all of it was forced over Tor, so they just tried to do the identifying portions over Tor. Malicious exit nodes were used to catch identifying pieces with the rest. The DHT mode was susceptible because it uses UDP, not TCP, and Tor doesn't support UDP. Are you starting to see the complexity involved in knowing whether a given protocol and Tor configuration will preserve anonymity? Compare the Tor "solution" to a dedicated proxy embedded PC connected to a far-away WiFi hotspot with a long-range cantenna, a LiveUSB RAM-based distro, a mac changer, and optionally Tor as an extra layer. Best to view Tor as just one component in an anonymity scheme. The physical device or IP connecting to it shouldn't be yours, just to be safe.

As for other attacks, most are DOS attacks. Here's one non-DOS attack and a link to research groups.

Attack on particular routing strategy w/ lab test (2007)
http://citeseerx.ist...p=rep1&type=pdf

Page with links to many anonymity R&D groups
https://www.torproje...esearch.html.en

[army_of_one]

Pidgin has an off the record messaging plugin that me and some friends use when we need to talk about sensitive things.

That's nice for encrypted conversations, but the OP wanted anonymity-preserving communications. The rarity of Pidgin-OTR use alone makes their users stand out amongst other Internet traffic.

[army_of_one]

yeah most any ive cared to look at, dont show ip, if at all just when you transfer bigger files which obviously you just dont accept . as its just ip, a proxy should be good enough.. if you want more secure communication as in the actual text, you can always ssh into a box and use write or something..

army_of_one, thoe you have valid points, id say 5imply also had some, just because they dont have any known bugs/leaks/w.e. doesnt mean they are better, it doesnt mean anything, "the absence of evidence isn't evidence of absence" atleast with tor you know/have proof they are working towards fixing the bugs, even forking firefox to help increase the speed of which said bugs could be fixed, the others just havent had any yet, maybe they will take forever to fix them, or maybe they wont at all, or maybe they will do it faster, we cant tell that right now, with tor theres atleast a track record so to speak.. they do look pretty interesting thoe .

See my reply again. The absence of known flaws isn't my main argument for their superiority. It's their superior design and Tor's higher risk, often-broken design. I've been thinking about building a high assurance implementation of Tor, Freenet or I2P. That they run on "certified insecure" (EAL4) systems is disturbing. Even a minimized OpenBSD appliance with careful configuration would be better than the existing approach. Most of my recent designs have been targeted for Green Hill's INTEGRITY & INTEGRITY-178B platforms. They seem to be the best in security, performance and hardware availability. I've also done some designs utilizing the remaining certified platforms from the old days: Aesec's GEMSOS, BAE Systems' XTS-400/STOP, and Boeing's SNS Server.

INTEGRITY Product Line
http://www.ghs.com/p.../integrity.html

INTEGRITY-178B & Middleware (passed toughest recent NSA evaluation)
http://www.ghs.com/p...ty-do-178b.html

Aesec's GEMSOS (got NSA's highest security rating ever, I think)
http://www.aesec.com/

XTS-400/STOP: last decendent of secure Unix os's
http://www.baesystem...sit_xts400.html

LOCK (implemented Type Enforcement & ran UNIX apps)
http://www.cryptosmi...om/archives/179

Boeing SNS Server (in evaluation under Common Criteria to EAL7, highest rating)
http://www.boeing.co...070621b_nr.html

I'm still evaluating design approaches. Problem is that high assurance projects require lots of specialized skill and money. I haven't decided the most cost effective approach. Might combine several as building blocks & just glue them together in a robust way.