“If the freedom of speech is taken away then dumb and silent we may be led, like sheep to the slaughter.”
– George Washington
What the hell is a proxy, and why do I want one?
Proxies are best described as relays. You send a request *through* one, and receive the response back in much the same fashion. Consider the following example, using the classic Alice and Bob characters.
Alice wants to deliver a message to Justin without revealing her identity. She asks Bob to deliver it. Bob hands the message to Justin, who reads the message and replies to Bob. Bob takes this reply to Alice.
This is effectively how a proxy server works. In short, the important part for anonymity is that as far as the destination host understands, all messages originate from the proxy server, and the user(s) behind it are not exposed. As far as Justin understands, he is talking to Bob. The only way he would know that the message came from Alice would be if she indicated that in the message.
Similarly, a proxy server obscures the IP address of the sender. However, if you sign your messages, they can still be identified as coming from you. If you use a pseudonym that leads back to you then once again: you are not anonymous. In this way, proxies allow the bypassing of certain restrictions (such as accessing a public site that denies access to certain users).
Advantages of Proxy Servers:
- As long as you can connect to a given proxy, you can connect to any service it can connect to.
- So long as you do not leave any information that leads back to you, your identity is not revealed.
- Proxies are trivial to set up.
Real-world examples of proxy benefits:
- In China, a citizen can reach a censored site by routing their request through a proxy that has not been blocked, bringing information in from the outside world.
- In Iran or Egypt, protesters can use proxies to get information to the outside world, despite restricted media coverage.
Disadvantages of Proxy Servers:
- Proxies are easily blocked by network administrators.
- A compromised proxy server may pose a greater threat than no proxy at all.
- Your identity is not hidden from the proxy server itself.
Risks Involved with Compromised Proxy Servers
- The server may alter messages sent through it without the sender’s knowledge.
- The server may fail to deliver a message, either through intention or fault. The sender may not receive notification of this failed delivery. A malicious proxy may report success.
- A compromised proxy server may log data sent through it and use this against the sender. This is especially problematic in cases where users want anonymity for personal safety.
An especially nefarious proxy may combine these methods, logging the messages sent through, but not delivering them in their original form. If the user checks to confirm delivery (such as refreshing a thread on a forum, or fetching an article on Usenet), the proxy may replay the logged message, and insert it into the content (this would be computationally expensive, and likely very tricky to carry out in real-time). As far as the sender knows, delivery was successful, but the contents of the message may differ.
What kind of proxy server should I look for?
This is a complicated question, and warrants a more in-depth discussion.
How do I set up a proxy server?
You may want to do this for a number of reasons. Perhaps you want to have full control of the server, to avoid having to trust a third party. Perhaps you live in a country where your access to information is not burdened by regulation or censorship, and you wish to aid the free flow of information in places where that is not the case. A topical example would be a Canadian citizen wanting to support the protesters in Iran by setting up an anonymous proxy for Iranian bloggers.
The simplest to deploy would be a web-based proxy, which would enable information flow through web-oriented systems such as forums. This may have been a significant limit in the past, but today there are web applications to deal with most non-web systems (databases and IRC, for instance).
Assuming you have a server with PHP5 available (if you don’t, Apache and PHP are in no way difficult to install, regardless of your platform), Glype is the most robust solution I am aware of, and trivial to install.
Simply download the zip archive, and unpack it in any accessible directory on the server.
$ cd /path/to/www
$ wget http://www.glype.com/downloads/fetch/proxy/53 -O glype-1.1.zip
$ unzip glype-1.1.zip
$ mv glype-1.1 proxy
$ chmod o+w ./proxy/tmp
Point a browser at http://your-domain-or-ip/proxy/, and your web proxy is accessible.
I have set up an example of this at http://tools.olstrom.com/proxy/.
A few points of contention with simple proxies.
One serious concern with most proxies is the potential of compromise. With sufficient access to a network, an eavesdropper can analyze traffic in and out of a proxy server to connect actions out of the server with a user sending data into it. Both HTTP and SOCKS4 proxies suffer from DNS queries not being proxied, and potentially linking back to the sender. HTTP and web-based proxies suffer from potential exposure via tracking cookies, sometimes not handled at the proxy level, but left to the client application.
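The DNS point can be seen in the request formats themselves. The following is an added example, not code from the original post: it builds a SOCKS4 CONNECT request, which only has room for an IPv4 address, and contrasts it with a SOCKS5 request using the domain-name address type (SOCKS5 is brought in here for comparison; the stub resolver and its answer are constructed).

```python
import ipaddress
import struct

def socks4_connect(host, port, resolve):
    """SOCKS4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP, empty USERID, NUL.
    Only an IPv4 address fits, so the client resolves the name itself,
    outside the proxy, where the local network can observe the query."""
    ip = ipaddress.IPv4Address(resolve(host))
    return struct.pack(">BBH", 4, 1, port) + ip.packed + b"\x00"

def socks5_connect(host, port):
    """SOCKS5 CONNECT with ATYP=3 (domain name): VER=5, CMD=1, RSV=0, ATYP=3,
    length-prefixed name, DSTPORT. The proxy performs the lookup.
    (The method-negotiation handshake that precedes this request is omitted.)"""
    name = host.encode("idna")
    if not 0 < len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    return struct.pack(">BBBBB", 5, 1, 0, 3, len(name)) + name + struct.pack(">H", port)

def local_lookups(protocol, host, port):
    """Build a request using a recording stub resolver.
    Returns (names the client resolved locally, request bytes)."""
    seen = []

    def resolve(name):
        seen.append(name)
        return "203.0.113.7"  # constructed answer from the TEST-NET-3 range

    if protocol == "socks4":
        request = socks4_connect(host, port, resolve)
    else:
        request = socks5_connect(host, port)
    return seen, request

if __name__ == "__main__":
    for proto in ("socks4", "socks5"):
        leaked, req = local_lookups(proto, "example.org", 80)
        print(proto, "local DNS lookups:", leaked, "request:", req.hex())
```

When checking a client's proxy settings, the thing to confirm is that the hostname, not a pre-resolved address, is what reaches the proxy.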
We can compensate for some of these matters by adding random delays between send and relay actions (at the cost of increased latency), and padding the output with useless data (generally headers that would be ignored, but in many cases, padding content is practical too). Strong encryption is also a practical route, though it requires support on both ends. Given the minimal barrier to entry, it’s something of a mystery that encryption is not ubiquitous by now, but that’s a subject for another rant.
Onion routing is a solution that addresses many of these concerns. It works like a Matryoshka doll: data is wrapped in several layers of encryption and relayed across a network of many proxies (nodes). Each node decrypts one layer of the onion (having the keys to only that layer), revealing the next hop, and sends the remaining data there. This process repeats until delivery of the original data occurs. Each node knows only about the nodes immediately before and after it in the route taken. As these nodes are often in different countries, the legal complexities of coordinating data collection efforts work to the benefit of those seeking anonymity.
Tor is a prevalent Onion Routing network, and quite simple to set up. However, it is worth noting that the exit node on any given route still has access to the unencrypted data (required to relay it to the destination) unless the connection uses SSL between client and server.
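The layering described above, and the exit-node caveat, as an added sketch that is not part of the original post and not Tor's actual protocol. The node names, keys, destination and message are constructed, and the cipher is a stand-in built from SHA-256 purely so the example runs with the standard library.

```python
import hashlib
import json
import os

def _xor_stream(key, nonce, data):
    """Stand-in cipher for this sketch: XOR with a SHA-256 counter keystream.
    Unauthenticated and illustrative only; not what Tor or any real network uses."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key, next_hop, payload):
    """One layer: the next hop plus the inner payload, encrypted to one node's key."""
    nonce = os.urandom(16)
    body = json.dumps({"next": next_hop, "data": payload.hex()}).encode()
    return nonce + _xor_stream(key, nonce, body)

def peel(key, blob):
    """A node removes its own layer and learns only where to send the rest."""
    body = json.loads(_xor_stream(key, blob[:16], blob[16:]))
    return body["next"], bytes.fromhex(body["data"])

def build_onion(route, destination, message):
    """route is [(node_name, key), ...] in path order; wrap the innermost layer first."""
    hops = [name for name, _ in route[1:]] + [destination]
    blob = message
    for (_, key), next_hop in zip(reversed(route), reversed(hops)):
        blob = seal(key, next_hop, blob)
    return blob

def relay(route, blob):
    """Pass the onion along the route; record (node, next hop, bytes that node holds)."""
    trace = []
    for name, key in route:
        next_hop, blob = peel(key, blob)
        trace.append((name, next_hop, blob))
    return trace

# Constructed sample route and message (hypothetical node names and keys).
ROUTE = [(n, hashlib.sha256(n.encode()).digest()) for n in ("entry", "middle", "exit")]
MESSAGE = b"POST /forum body=hello from Alice"

if __name__ == "__main__":
    for node, next_hop, held in relay(ROUTE, build_onion(ROUTE, "justin.example", MESSAGE)):
        print(node, "->", next_hop, "| sees plaintext:", held == MESSAGE)
```

Only the last node ends up holding the original bytes, which is why the payload itself needs to be encrypted end to end if the exit node is not trusted.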
Download Tor, install it with the included installer, and then reconfigure your browser to use it. FoxyProxy and TorButton are two extensions for Mozilla’s popular Firefox web browser to make it convenient to toggle between proxies. Configuration without either extension should simply involve setting “Use Proxy Server” to manual, and setting it to host 127.0.0.1, port 9050.
Proxies are one means of preserving some degree of anonymity, but they are not without their faults. I will introduce some concepts that may address those concerns. For now, this should offer some groundwork for setting up a proxy, and using it.