Anonymizer sites access the Internet on your behalf, protecting your personal information from disclosure. An anonymizer protects all of your computer's identifying information while it surfs for you, enabling you to remain at least one step removed from the sites you visit.

You can see some of the wide range of data that websites can read from your browser, including your IP address and other identifying information, at the following sites:

The following sections describe the two basic types of Internet anonymizers, networked design and single-point design, and their common features.

Networked anonymizers. As their name suggests, this type of anonymizer transfers your communications through a network of Internet computers between you and the destination. For example, a request to visit a web page might first go through computers A, B, and C before going to the website, with the resulting page transferred back through C, B, and A, then to you.

The main advantage of the networked anonymizer design is that it makes traffic analysis -- a vulnerability of single-point anonymizers -- much more difficult. For example, analysis of the incoming and outgoing traffic of a single-point anonymizer could note that communications with your machine, even though the contents are encrypted, are closely synchronized in time with the anonymizer site's unencrypted communications with some particular website. If ten times in a row your communication with the anonymizer is followed milliseconds later by a request from the anonymizer to a particular site, and that site's response to the anonymizer is followed milliseconds later by an encrypted communication to you, then it is a good bet you made a visit to that site. More sophisticated anonymizer traffic analysis could also perform matching on communication sizing -- matching incoming unencrypted traffic to outgoing encrypted traffic based on the size of the communications.

Protections that Internet anonymizers can use to mitigate the risk of traffic analysis include: (a) add small but random delays to the passage of responses back to the user to make time matching more difficult; (b) make random requests to random pages across the web to pollute the pool; (c) have a large number of simultaneous users to make analysis more difficult; and (d) have a large cache of web pages so not all incoming requests have outgoing requests. It is not known if any anonymizer uses techniques to protect against communications sizing traffic analysis, such as sending continuous streams of noise traffic to connected users to disguise the real responses.

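
The small simulation below is an added example, not part of the original page. It measures how well the time matching described above separates the visited site from an unrelated one, first without any protection and then with random delays combined with many simultaneous users. All timestamps, the 5 ms forwarding latency and the function names are constructed assumptions.

```python
import random
from bisect import bisect_left

PROCESSING = 0.005  # assumed 5 ms forwarding latency inside the anonymizer

def match_rate(user_times, site_requests, window):
    """Fraction of user->anonymizer messages that are followed, within
    `window` seconds, by an anonymizer->site request (sorted timestamps)."""
    hits = 0
    for t in user_times:
        i = bisect_left(site_requests, t)
        if i < len(site_requests) and site_requests[i] - t <= window:
            hits += 1
    return hits / len(user_times)

def observe(max_delay, window, seed=7):
    """Return (score of the site the user visits, score of a busy unrelated
    site) as an observer of the anonymizer's links would compute them."""
    rng = random.Random(seed)
    # Constructed sample: ten visits by one user, six minutes apart.
    user = [100.3 + 360 * i for i in range(10)]
    # Random delay: each request is held for 0..max_delay seconds.
    visited = sorted(t + PROCESSING + rng.uniform(0, max_delay) for t in user)
    # Many simultaneous users: a popular site is requested once per second.
    busy = [float(s) for s in range(3700)]
    return match_rate(user, visited, window), match_rate(user, busy, window)

if __name__ == "__main__":
    print("no delay, 50 ms window:  ", observe(0.0, 0.05))
    print("2 s delay, 50 ms window: ", observe(2.0, 0.05))
    print("2 s delay, 2.05 s window:", observe(2.0, 2.05))
```

Without delays the visited site scores 1.0 and the busy site 0.0. With delays the tight window stops matching, and a window wide enough to cover the delay also matches the busy site on every visit, so the two can no longer be told apart by timing alone.
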
In practice, only large organizations are usually capable of the Internet network traffic interception and analysis required for this sort of eavesdropping, and they may not be interested in you, so this risk may not be of concern for those doing everyday surfing. Nevertheless, many security experts are uncomfortable with the unknown extent of the traffic analysis vulnerability -- who knows if an anonymizer site is being tapped or not, by whom, and what is being done with the records? The networked anonymizer design meets this threat by passing your communications through a preferably random path of other computers. This design has advantages, but also disadvantages, summarized below:

- Advantage. Complication of the communications makes traffic analysis likely prohibitively complex. An eavesdropper would have to put in place the equipment and programs to watch all of the computers in the anonymizer's Internet network, likely a fluid group distributed around the world, and then solve a much more complex analysis.
- Disadvantage. Any multi-node network communication has some degree of risk at each node for compromise of confidentiality, with the risk linearly related to the number of nodes. Networked anonymizers have the same problem -- at each computer in the anonymizer chain there is a risk that it has already been compromised by the owner or an intruder and the communications can be tapped.

The first networked anonymizer system was Zero Knowledge Systems, which provided a multi-server network design and a range of confidentiality features. Although the company closed in the fall of 2001 due to lack of financing, it was influential as an example of the concept's feasibility, and led to the establishment of EFF's Tor a few years later, the only currently known networked anonymizer.

Single-point anonymizers. This type of anonymizer passes your surfing through a single website to protect your identity, and often offers an encrypted communications channel for passage of results back to the user. Single-point anonymizers offer less resistance to the sophisticated traffic analysis described above than do networked designs, but they also provide a compensating simplicity, organizational familiarity, and apparent trustworthiness. You can access your favorite anonymizer website, type in your destination, and the anonymizer does your surfing for you and passes the results back to your browser. Many single-point anonymizers create an anonymized URL by appending the name of the site you wish to access to their URL, something like the following:

http://anonymouse.org/cgi-bin/anon-www.cgi/http://www.yahoo.com/

With single-point anonymizers, your IP address and related identifying information are protected by the arms-length communications and not transferred to the sites you visit. If you are using a secure channel to the anonymizer, as most services offer, then your communications to the anonymizer site are also confidential to any local eavesdroppers tapping your Internet line connection or service provider -- essential if you have reason to suspect a local tap.

Common features. Both networked and single-point anonymizers share a range of design features. Most importantly, once you access a web page through an anonymizer, the page is filtered so that all of its links are also anonymized. Therefore, you can just continue to click on links and stay in the anonymizer mode. Most anonymizers can anonymize at least the web (http:), file transfer protocol (ftp:), and gopher (gopher:) Internet services.

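
The sketch below is an added example, not code from any anonymizer service. It shows the link filtering described above in the prefix style of the anonymized URL shown earlier, and it also lists links the filter cannot route, which a browser would fetch directly and so leave the anonymizer mode. The service prefix, the sample page and the restriction to exactly three schemes are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PREFIX = "http://anonymizer.example/cgi-bin/anon-www.cgi/"  # hypothetical service
HANDLED = {"http", "ftp", "gopher"}  # schemes the text says most anonymizers cover
URL_ATTRS = {"href", "src", "action"}

def anonymize_url(base, link):
    """Return the anonymized form of `link` found on page `base`, or None
    if this filter cannot route it through the anonymizer."""
    if link.startswith(PREFIX):            # already rewritten, do not wrap twice
        return link
    absolute = urljoin(base, link)         # resolve relative links first
    if urlsplit(absolute).scheme.lower() in HANDLED:
        return PREFIX + absolute
    return None

class LinkAudit(HTMLParser):
    """Collects every URL-bearing attribute and its rewritten form."""
    def __init__(self, base):
        super().__init__()
        self.base, self.rewritten, self.unhandled = base, {}, []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                new = anonymize_url(self.base, value)
                if new is None:
                    self.unhandled.append(value)
                else:
                    self.rewritten[value] = new

def audit(base, html):
    parser = LinkAudit(base)
    parser.feed(html)
    parser.close()
    return parser.rewritten, parser.unhandled

# Constructed sample page.
SAMPLE = """<a href="/news/today.html">News</a>
<img src="http://ads.example/pixel.gif">
<a href="ftp://files.example/pub/">Files</a>
<a href="https://secure.example/login">Login</a>"""

if __name__ == "__main__":
    print(audit("http://www.example/index.html", SAMPLE))
```
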
There is an overhead with use of anonymizers, and they can add a second or more of delay depending on how busy they are. Some anonymizers keep a local cache of several hundred megabytes of commonly accessed sites to address this problem, and so occasionally you can actually get faster access to a site through the anonymizer. Chaining of anonymizer services is not recommended, since it simply multiplies your risk to confidentiality by the number of services and computers in the chain.

Note that unless you use an encrypted mode to the anonymizer, all your communications are in the clear and can be intercepted anywhere on the way from your computer to the anonymizer. Most anonymizers now offer encrypted communications to solve this problem.