Encrypt your web traffic

image

This is my fifth installment in my “Encrypt All The Things!” series.

Encrypt All The Things! [A Guide]

Today, we will encrypt all (or as much as possible) of your web traffic on Windows, Mac, Linux, & Android.

Your web traffic (what you request to view, what is sent to your browser to view, and what you post back in webforms when signing up for new accounts, uploading your photos, uploading your files… is all done in clear, unencrypted text unless the page you’re requesting or posting to begins with https://.   That “s” is the critical piece.  That means “secure”.  That means the web page was encrypted at the web server before being sent to your browser and anything you post (or fill in and submit) will be encrypted too.

But, Not So Fast!

There are several gotchas where that is NOT the case:

    1. You might be on an https site, but the site may have been coded poorly and the data you’re filling in might not be going back to an https page.  If so, then your data is being sent back in clear text over the open internet, and THAT’S more important than the page you’re viewing being encrypted (well, in many cases).  The page COULD be coded to post your data back to a non-secure page.
    2. Just because you’re on an https site, doesn’t mean that the site owners are trustworthy.  All it means is that the connection between the two of you is encrypted.  If you’re on a phishing website, it’s still the bad guys, even IF it’s encrypted.
    3. If you’re at work, it’s entirely possible that your employer has installed their OWN root certificates on YOUR work PC and your employer is acting as a man in the middle.  Even though you may be on an https website on a trusted website like https://google.com, your connection may be encrypted only between your PC and the equipment downstairs in the computer room in the very building you’re in.  Your employer can easily have access to ALL of your web traffic, record it, snoop it, and use it against you.  (We’ll spend some extra time on this one a little later in the article).
    4. If your PC already has malware on it, encrypted traffic is pretty much useless because they’ve already gotten behind all your protections and have access to everything you do BEFORE it gets encrypted and sent over the internet.  (Wipe your hard drive and start over.  Not kidding!)

So, What Do You Do?

    1. If the https site is coded poorly and is sending your data back, unencrypted, how do you know?  That’s a little complicated and unless you’re a web developer (and even IF you’re a web developer), it’s hard to tell sometimes.  In short, do this on a login page or a web page asking for your personal information:
      1. On your desktop browser, right-click the page and choose “View Source” or “View Page Source” or something similar to that.
      2. Look for something that starts with “<form “   Like this from EFF’s website, as an example:
        1. <form action=”https://supporters.eff.org/subscribe” method=”post” class=”newsletter-form” accept-charset=”UTF-8″>
      3. This is called a form and the “action” tells us WHERE our data goes when we submit it on that page.  Notice that it’s an “https” site?  That means it’s encrypted on our end before going back.  If it’s just “http” with no “s”, it’s being sent back in the clear, with ZERO encryption!
        1. What do you do?  Not much you can do about that.  But you CAN install the TOR browser.  It’ll encrypt EVERYTHING you do in the browser, and pass it through a peer to peer network, hopping through multiple other computers, before finally having the last computer actually send your data to the real website.  But, it’ll have to be unencrypted there before going across the internet to the site you wanted to post to.  You can’t force the website to receive your data encrypted.  You can only encrypt it on your end, pass it along a few PCs before it must be decrypted and sent in the clear.  That’ll at least block your ISP form seeing it or anyone snooping on your local network.  But it won’t stop a snoop on the OTHER end of the connection.
    2. How do you know if your employer is snooping on what you THOUGHT was an encrypted connection?
      1. In Chrome:  Go to any https site, like https://google.com, click on the green padlock, click “connection”, click “certificate information”, click the “Certification Path” tab.
        1. image
      2. It should not have your company’s name in there.  If it DOES, guess what?  You’re employer is decrypting and snooping on your traffic.  They’re playing as what’s called a “Man In The Middle”.  This only works because they have control of your PC and have installed their OWN root certificate telling your browser to trust THEIR security certificates as valid owners of Google.com.  NOT COOL!
        1. What do you do about THAT?  Stop using your work computer for anything that’s personal.  That’s the only way out.  I take my own laptop to work, plug in my Android phone to it and share my T-Mobile data connection with my laptop.  I do my web browsing from my laptop and the rest of my work from my work PC.
      3. If your PC has malware on it… You might not even know it.  But if you DO know it, for heaven’s sake!  STOP USING IT… like RIGHT NOW!  Reformat your drive, re-install your OS and your software.  That’s the only realistic way to get rid of it all, and stop downloading those stupid toolbars!  Seriously!  Also, don’t download software from sources you’re not 100% certain are widely accepted as trustworthy!

Maximize Your Encryption While Browsing

  • You can’t force websites that aren’t using encryption to start using it, so avoid websites that don’t offer https .
  • If you’re on a website that’s NOT https., then click in your browser’s address bar and TYPE that s right after the “p” in “https” and click “GO”. Many websites DO offer an encrypted version of their website, but you must manually enter it.
  • Better yet, install Https Everywhere.  It’s a browser plugin available for the most popular browsers.  It will do the above step for you by using the https version of any site you go to (if that site has one available).  This will NOT force all your web traffic to be encrypted, but it sure will avoid the non encrypted versions of sites you visit, if at all possible.  NOTE!  You can still get to unencrypted sites and your traffic won’t be encrypted on those sites.

Stop your ISP, Employer, Family, Neighbors, and Hackers from snooping on your web traffic

I mentioned the TOR browser above.  This is a modified version of the FireFox browser, specially made to route your web browsing traffic through its own sub-network… kind of an underground network of participating servers and PCs around the world.  Normally, when you go to say www.google.com, you’re making a direct connection from your PC to google.com.  With Tor, you’re going to a random server around the world on the Tor network, which then forwards you to another random server somewhere else around the world, to yet another one somewhere else around the world, which finally then sends your request to google.com, but from that 3rd machine.  In other words, as far as Google is concerned, a connection was made from that other machine to them, which might be in Russia, China, America, Germany, or anywhere else in the world.  You’ll frequently see ads in other languages because of this.

This protects you from your ISP, your employer (if you can get away with installing TOR on your work PC… but just assume that even if you can, that your employer can still see your traffic because they have complete control of your work PC), your nosy family members, nosy neighbors, nosy patrons at the coffee shop, or anyone else near by that may be snooping on your traffic.

The end result is it’s damned near impossible to tie YOU to whatever you’re doing on the destination website.  It also encrypts ALL your web traffic to and from any website… BUT ONLY ENCRYPTED UP TO THAT LAST PC!  If you’re visiting an unencrypted website, YOUR TRAFFIC WILL BE UNENCRYPTED from that last PC in the Tor network to the final website, and back again.  You MUST understand this.

This should be obvious, but my experience in IT is that nothing ever is, to everyone.  So!  I’ll state this clearly:  The TOR browser does NOT encrypt your web browsing if you’re using Chrome, or FireFox, or Opera, or Internet Explorer, or Edge.  It’s only going to work on web pages you visit WITH the Tor browser.

What About Android?

You have two good solutions on Android.  One’s good.  The others even better.  Both options are the Orbot app.  But the differences are if you’re Android device is rooted or not.  A rooted Android device gets significantly better security options.

First, go download the Orbot app here from the web, or here from the Play Store.

Orbot, if you’re device is rooted, can rout ALL your internet traffic through the Tor network.  You can also configure Tor to only send traffic from specific apps through the tor network.

When your traffic goes through the tor network, anyone locally snooping on your web traffic has no way of knowing what websites you’re communicating with.  Remember, if the site you’re communicating with is NOT an https site, there will be an unencrypted connection somewhere in the world to your final site.  Don’t trick yourself into thinking it’s fully encrypted all the way through.  It only is for sites that are https.  Tor will protect you from local snoopers.  It won’t protect you from snoopers hacking into the data to the final, unencrypted website.  Got it?  Good!

Thank you for sharing this article.  See this image?

image

You’ll find actual working versions of them at the top and bottom of this article. Please click the appropriate buttons in it to let your friends know about this article.

Sick of the NSA Spying on you?

imageSetting aside the tin foil hat and paranoia jokes, no one likes being tracked or their private text messages being scraped up by the U.S. government’s massive computers, nor their phone metadata being logged, nor even the possibility of someone being able to listen in or record your phone calls (the NSA denies they listen to calls, but others with even FEWER ethics CAN).

 

Here’s what you can do to protect yourself on your Android SmartPhone

  • Encrypt your text messages.  There are 2 good options:

Install the TextSecure app.  This app will automatically detect which of your contacts also has this app installed and will automatically encrypt your SMS text messages with those individuals.  TextSecure is available on iOS too!  This means you can have encrypted texting sessions with both iOS and Android users!

Root your phone and install CyanogenMod 11 (or higher).  CM 11 has built-in support for TextSecure encryption, coded directly INTO the Operating System.  This means, you don’t have to install the TextSecure app.  Automatically, ALL SMS apps on your phone suddenly support TextSecure encryption.  But, you have to turn it on.  The feature is called “WhisperPush”.  Simply find the WhisperPush app on your phone, run it, and follow the instructions.  It’s the simplest setup you’ll ever experience.

  • Encrypt your voice phone calls (yes, you can do that)

This used to be stuff of only fiction in spy movies, but it’s a reality today and YOU can do it within minutes of reading this article.  First, install the app RedPhone from the Google Play Store.  This app is made by the same people that make TextSecure.  Both you and the person you’re calling (or receiving a call from) have to be using this in order to have a secure, encrypted phone call.  When you install the app, the first time you run it, it’ll ask you to register your phone number.  Now, anyone else with the app, when they call you’re number, the app knows you have it and will offer the caller the option to make the phone call encrypted.  Note that this uses your DATA connection and NOT your phone connection.  You’re not actually making an actual phone call.  It’s more of an internet audio chat.  But you don’t need to know that other than if you have a data cap, this will use your data.  As far as you and the other caller are concerned, for all practical purposes, it’s a phone call.  But your carrier will have no record of it AND anyone trying to listen in will only see a stream of random bytes streaming.  It’s totally encrypted… just like in the spy movies! Smile

  • Encrypt your E-Mail

This is a bit more difficult.  I’ll provide another article on how to do this.  The short version is you need to install djigzo from the Google Play store to manage your keys.  Then you’ll need an e-mail client that can use those keys to encrypt and decrypt your e-mail.  K-9 Mail is supposedly one of those apps.  For the record, I’ve NEVER gotten this to work.

  • Encrypt your phone

Android can encrypt your entire phone.  Don’t confuse yourself.  This does NOT encrypt ANY internet traffic to or from your phone.  It encrypts the files on the phone itself.

Go to Seetings –> Security –> Encrypt Phone

Warning!  This can take an hour or so!  Make sure your phone is plugged in AND has at least an 80% charge.  You do NOT want this failing in the middle of  it.  It will also require you to set a lock screen PIN or password, if you don’t already have one.  Once you do this, you CANNOT flash anymore ROMs on your phone (if you’re rooted).  So, make sure you’re good to go with the ROM you have.

  • Add a PIN or password to your phone

This one is obvious.  You need to set a PIN or a Password on your lock screen, otherwise, anyone can use your phone and see your data.

  • Add extra PIN for individual apps

Install the app AppLock from the Google Play store.  Open it up and set your settings.  You’ll set a PIN and you’ll select the apps you want to have an extra layer of protection.  Hint:  DO NOT use the SAME PIN here that you’re using for your phone lock screen.

This app will pop up a PIN prompt whenever someone tries to open one of your extra protected apps.  For example, you may want to enable your backing apps and credit card apps via AppLock so that you have to know that extra PIN in order to lauch them.  This way, if you let someone borrow your phone, they can’t go snooping into your financial data.

  • Hide apps and/or files on your phone

Maybe you have some apps that you don’t want other people to know or use.  Go to the Google Play store and download an app called Hide It Pro.  When you install it, it’ll show up on your phone as “Audio Manager”.  It’s deliberately deceptive.  The purpose of this app is to hide apps and/or files on your phone.  You protect them with a password of your choosing.  If someone’s snooping around on your phone, all they’ll see for this app is a music icon with a label, “Audio Manager”.  And if they launch it, it’ll even have working audio controls.  Those controls are totally for faking out people snooping on your phone.  Long press on the app title at the top of the screen (inside the app) and you’ll be prompted for a password, which then takes you into the real app where you can select apps and files to hide.  They won’t even show up anywhere on the phone with the regular phone interface.

  • Hide your browsing and internet traffic

Your ISP can see all the sites you go to, and so can the NSA, and so can anyone else snooping on your wireless connection (or even your wired connection).  And websites know what IP address you’re using, which means they can ask the ISP that own’s that IP address who is using it, and they’ll give them your name, address, and phone number.  What you need is something that bounces your web page requests to random computers all over the world.  Yes, this is exactly what you see “hackers” doing in hi-tech spy movies and YOU can do it too… VERY EASILY.  Install the app Orbot on your phone.  Follow the directions.   It’s super simple.  If your phone is rooted, it can obfuscate ALL of your internet traffic.  If your phone is NOT rooted, it can work with a few apps on your phone (web browser and e-mail, in particular) and bounce all your traffic from those supported apps all around the world.  It’ll slow down your connection a little, but it’ll also protect you against nosy, 3 letter acronyms including ISPs.

Click here to follow me on Google+.

Follow me on Twitter @CSharpner.

See these images?

imageimage

You’ll find an actual working versions of them at the top and bottom of this article. Please click the appropriate buttons in it to let your friends know about this article.

Check back later for updates too!