Skip to topic | Skip to bottom
Home
Search:

Local

Local.UkSecurityr1.11 - 07 Jun 2005 - 17:10 - GarconDuMondetopic end
You are here: Local > ImcUk > ImcUkTech > UkCrypto > UkSecurity
Start of topic | Skip to actions

UK Security Page

The idea is to sort out the text for the new Security page on the UK IMC site that will be linked to from the new security box which is explained on the UkCrypto page, see also CaCertSsl.

We need to add in Tor stuff!!!

Browse using an encrypted connection

Indymedia UK values the principles behind open-publishing and is working towards completely anonymous publishing of media upon the website. One of the things that you can do to help this is browse the web site using an encrypted connection: this helps disguise who is posting to the site at any given time.

Why is this important?

We have tried to minimise what information can be found out about posters. Currently, Indymedia UK does not log ip addresses. However, it is possible for someone to monitor individuals who are using the site and check which time they visited Indymedia UK. If this corresponds to the time a certain article was posted, then whoever is doing the surveillance may get useful information. One way of diminishing this is to ensure that lots of people are connecting at the same time - hence, any one of them could be making a post or merely viewing the site.

What is an "encrypted connection"?

An encrypted connection between computers is used to hide the details of the information that is being transferred. For example, many organisations use encrypted connections when making or discussing financial transactions: you have probably used one if you've ever booked a ticket or used the bank online.

During the exchange, a third-party is used to verify that the website is who they say they are. There are many big corporate companies who sell identification-certificates - and procedures for acquiring them may be variable; such organisations are known as Certificate Authorities (CAs). Thus, it can be difficult to know whether to trust them or not (although often, one does not have a choice).

Indymedia UK, instead of using a commercial Certificate Authority, has decided to use the non-profit organisation CACert (cacert.org). All our certificates are certified by the 'root' certificate of the CACert Certificate Authority.

What are certificates?

Certificates are used to verify the identity of people or computers. In particular, certificates are needed to establish secure connections. Without certificates, you would be able to ensure that no one else was listening, but you might be talking to the wrong computer altogether!

What is a certificate authority?

Certificates are the digital equivalent of a government issued identification card. Certificates, however, are usually issued by private corporations called certificate authorities (CA). Indymedia UK has, instead, chosen to use CA Cert (cacert.org), a free and non-profit certificate authority.

Unfortunately, you need to do a little work to get your software to recognize CA Cert as a certificate authority. Every CA has a 'root certificate' which identifies a particular organization as a certificate authority. Corporate CAs have their root certificates distributed with most of the major computer programs and operating systems, and are preconfigured in most web browsers. For CAcert, however, you need to manually install the cacert.org root certificate.

How do I install the cacert.org root certificate?

IE users can use the Internet Explorer cert install page.

Mozilla users can follow this link to the root cert and follow the instructions that poip up.

Internet Explorer on the Mac is messed up, and requires that you use this link (provided by Riseup) instead:

Alternately, you may wish to visit the CAcert root cert page.

Here are a few installation tutorials:

What happens if I don't install the root certificate?

Without the root certificate, you will receive a security warning each time you attempt to establish a secure connection to indymedia.org.uk. You can usually choose to ignore this warning and accept the server's certificate on a temporary or permanent basis.

"That doesn't sound so bad," you might say. In the past, this is exactly what many users have done in order to use secure connections. But there are major problems with this:

  1. If people get in the habit of approving new server certificates every time they get a security warning, it completely defeats the purpose of having certificates in the first place.
  2. indymedia.org.uk has several different servers and a different certificate for each one. It is easier for users to install CA Cert as a certificate authority once, rather than approving each certificate one at a time.
  3. indymedia.org.uk actively wants to spread the adoption of CA Cert as a certificate authority, because it is also being used (or will be) by other parts of the indymedia network as well as other activist collectives and groups around the world.

I thought you were against authority?

We are, but the internet is designed to require certificate authorities and there is not much we can do about it. There are other models for encrypted communication, such as the decentralized notion of a "web of trust" found in PGP. Unfortunately, no one has written any web browsers or mail clients to use PGP for establishing secure connections, so we are forced to rely on certificate authorities. Some day, we hope to collaborate with other tech collectives to create a certificate (anti) authority.

What are the fingerprints of indymedia.org.uk's certificates

Some programs cannot use certificate authorities to confirm the validity of a certificate. In that case, you may need to manually confirm the fingerprint of the riseup.net certificate. Here are some fingerprints for various certificates:

Anonymous browsing: Tor

Indymedia has in the past attracted the attention of authorities, that have occasionally tried to request logs of whom is accessing the web site and have in one occasion seized without any explanation our server. We believe in the right to anonymous political speech and therefore we do not keep logs that could provide any such information. Still, we advise indymedia readers that are concerned about the privacy of their reading and posting habits to hide them by using anonymizing services, like Tor or using SSL encrypted connections.

Tor - Anonymous browsing

Tor is a decentralized network of computers on the Internet that increases privacy in Web browsing, instant messaging, and other applications. We estimate there are some 30,000 Tor users currently, routing their traffic through about 200 volunteer Tor servers on five continents. Tor solves three important privacy problems: we prevent websites and other services from learning your location; we prevent eavesdroppers from learning what information you're fetching and where you're fetching it from; and we route your connection through multiple Tor servers so no single server can learn what you're up to. Tor also enables hidden services, letting you run a website without revealing its location to users.

Individuals use Tor to keep remote websites from tracking them and their family members, or to connect to resources such as news sites or instant messaging services that are blocked by their local Internet providers. The Electronic Frontier Foundation (EFF) is backing Tor's development as a mechanism for maintaining civil liberties online. Corporations use Tor as a safe way to conduct competitive analysis. A branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East. This diversity of users helps to provide Tor's security.

Tor is free (open source) and unencumbered by patents, meaning anybody can use it, and anybody can get the source code and examine it for problems. It runs on all common platforms: Windows, OS X, Linux, BSD, Solaris, and more. Further, we have extensive protocol documentation, including a network-level specification that tells how to build a compatible Tor client and server; Dresden University in Germany has built a compatible client, and the European Union's PRIME project has chosen Tor to provide privacy at the network layer.

Of course, Tor isn't a silver bullet for anonymity. First, Tor only provides transport anonymity: it will hide your location, but what you say (or what your applications leak) can still give you away. Scrubbing proxies like Privoxy can help here by dealing with cookies, etc. Second, we don't hide the fact that you're using Tor: somebody watching you may not be able to figure out your destination, but they might get upset at you anyway. And lastly, Tor is still under active development and may still have bugs; also, since the Tor network is still relatively small, it's possible that a powerful attacker could trace users. Even in its current state, though, we believe Tor is much safer than direct connections.

See Also

NB: adapted from Riseup text * see below for the original text that this was adapted from * the original is at http://help.riseup.net/mail/security/certificates/
to top

End of topic
Skip to action links | Back to top

Edit | Attach image or document | Printable version | Raw text | More topic actions
Revisions: | r1.11 | > | r1.10 | > | r1.9 | Total page history | Backlinks
You are here: Local > ImcUk > ImcUkTech > UkCrypto > UkSecurity

to top

Copyright © 1999-2008 by the contributing authors.
All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding this tool? Send feedback (in English, Francais, Deutsch or Dutch).