Guide for a safer and freer internet experience
Last revision: 9 July 2013
Disclaimer: No guide can provide you with solutions against all possible attacks on all combinations of systems, applications, and hardware. So this short guide doesn't pretend to be the ultimate guide on internet security. It's just a good starting point for newcomers to this topic.
Before putting the recommendations below into practice, you will need to take all the necessary precautions to protect your data (back-ups), applications, hardware, etc.
Also, this guide is intended for pacifist-only activists to help them protect themselves against unlawful attacks. Any criminal use of the tools mentioned below will be the sole responsibility of the user.
Precautions to be taken: social or technical | useful Firefox add-ons | how to circumvent censorship | the Tor network | proxies | Virtual Private Networks (VPNs) | further reading
Internet users and activists are sometimes the target of cyber-attacks which can come from individuals or organizations acting on economic (e.g. credit card details or patent theft for use or sale), political (e.g. disabling the digital capabilities of potential or real enemies) or ideological (e.g. massively spreading or suppressing an idea) motives.
This guide aims to provide pacifist internet users and activists with recommendations on basic precautions to take in order to reduce the risk of being attacked to a reasonable level (zero risk unfortunately doesn't exist). What we call an attack can be one of the following:
- Attack type 1: someone taking control of your computer or server without authorization in order to vandalize its content, or worse, use it for illegal or criminal activities (to which you will consequently be tied),
- Attack type 2: someone hijacking your e-mail, Facebook, Twitter or website account, with the same objectives as above,
- Attack type 3: somebody rendering your website unavailable as a consequence of a Distributed Denial of Service (DDoS) attack,
- Attack type 4: the infection of your computer by malware (virus, trojan or other types of malware).
Since activists sometimes face internet censorship (as was the case in Tunisia and Egypt) we will also discuss how to circumvent it.
Note: Keep in mind that when one deals with security (computer security or any other kind of security), no measure can allow you to eliminate all risks (actually that's not true, there is one: turning off your computer ;-). You should put in place measures that are adequate to the motivation that a potential attacker may have in attacking your system. If you keep high-value information on it, expect highly sophisticated attacks, in which case you will have to apply all the following recommendations, and maybe more (but this is a good starting point).
Precautions to take
We're going to create two categories of precautions:
a) "social" precautions (yes, you will rapidly understand why it is so called),
b) technical precautions.
The first ones are the most neglected; consequently, attackers generally use social engineering attacks first, and if those don't give results they move on to technical attacks. So let's start with the social precautions.
(The types of attacks prevented are mentioned between brackets:)
(attacks 1 and 2) NEVER pick passwords that are too easy to guess for someone who knows you or knows your habits. If you are a Pokemon fan don't choose Pikachu as a password! If the account belongs to an occupy movement don't choose "wearethe99%" as a password. It will be one of the first attempts an attacker will make!
(attacks 1 and 2) ALWAYS choose passwords that do not come from a dictionary, since several password-cracking programs use brute-force to try words coming from dictionaries. Always choose a combination of numbers, letters and special characters. Of course it is harder to remember such passwords, but it is better than taking the big risks of an easy password. However, if you fear forgetting it, do not write it down on a sticky note (or any paper or surface) near your computer: that's the first thing any attacker with physical access to your computer will look for ;-)
(attack 2) Think of changing the secret question(s) (and the corresponding answer(s)) that are supposed to verify your identity in case you forget your password. Choose a combination of questions and answers that only you can possibly know. If your secret question is "What is your mother's maiden name?" then anyone who knows you a little will be able to use that possibility to access your account.
(attack 1 and 2) Sharing the same password across several accounts is the best way to have all your accounts (e-mail, Facebook, Twitter, website...) hijacked at the same time.
(attack 2) For accounts with multiple users (for instance for occupy movements), it is better to have several accounts with the same privileges, with every account attributed to one and only one person, who will choose her own password. The accounts and their privileges will have to be under the responsibility of one designated and highly trusted manager. Any deviation from this will unavoidably lead to annoying consequences.
(attack 4) Don't click too fast on links in e-mails, especially when coming from unknown persons. The links may point to a web page that is full of malicious code.
(attacks 1 and 3) If you have the responsibility of a website, think of making regular back-ups (preferably on a removable drive that you can put in a safe place after every back-up). If an attacker erases or makes changes to your website, at least you will be able to recover it. And if the server hosting your website is under attack (DDoS or other), at least you will be able to upload a mirror on another server, making the attack ineffective.
(attacks 1 and 3) Plan in advance for one or several mirror websites in case yours becomes unavailable after an attack. Keep the identity and number of these potential mirrors secret to avoid a pre-emptive attack on them. Communicate intensively after the attack in order to redirect traffic to the mirrors until the attack is over and your main website is available again. Communicating about the attack will also protect you from liabilities associated with the misuse of your website (if the attacker gets actual access to the server).
(attack 2) There is a type of attack called phishing, which consists in making you believe you are on the website of your e-mail provider, your bank, or simply Facebook or Twitter, then getting you to type your username and password in order to steal them and use them to log into your real account without authorization. The Ben Ali government (in Tunisia) used phishing extensively in order to disable activists' accounts.
Thanks to help from the Anonymous collective and other hackers, who developed add-ons to protect from phishing, activists have been able to mitigate the damage.
To prevent this kind of attack, install the NoScript add-on below, and always activate SSL (the add-on HTTPS-Everywhere mentioned below can help you with that), and most importantly (and that's why this is a social precaution) always check that it is active in the address bar (where the URL of the website you're visiting is displayed) and that the address is the correct one. The slightest difference (e.g. gemail.com instead of gmail.com) will mean you are the victim of a phishing attempt.
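The address-bar check described above (SSL active, address exactly right) can be written down as a small script. This is an added example, not part of the original guide; the allow-list, the function names and the sample URLs are constructed for illustration, and the two-character threshold is an assumption.

```python
from urllib.parse import urlsplit

# Constructed allow-list (assumption): the sites you actually log in to.
TRUSTED_HOSTS = {"gmail.com", "facebook.com", "twitter.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # drop ca
                           cur[j - 1] + 1,             # add cb
                           prev[j - 1] + (ca != cb)))  # swap ca for cb
        prev = cur
    return prev[-1]


def check_login_url(url: str, trusted=TRUSTED_HOSTS, max_distance: int = 2) -> str:
    """Return 'ok', 'no-ssl', 'lookalike', 'unknown' or 'invalid'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"  # e.g. no scheme, so no host could be parsed
    if host.startswith("www."):
        host = host[4:]
    # Exact match or a subdomain of a trusted site: only the SSL check remains.
    if any(host == good or host.endswith("." + good) for good in trusted):
        return "ok" if parts.scheme == "https" else "no-ssl"
    for good in trusted:
        # Trusted name used as a prefix of someone else's domain.
        if host.startswith(good + ".") or "." + good + "." in host:
            return "lookalike"
        # One or two characters away from a trusted name (gemail.com).
        if edit_distance(host, good) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs.
    for sample in ("https://gmail.com/login", "http://gmail.com/login",
                   "https://gemail.com/login", "https://mail.gmail.com/",
                   "https://gmail.com.account-check.example/",
                   "https://example.org/"):
        print(f"{check_login_url(sample):10} {sample}")
```

A legitimate site whose name happens to sit close to a trusted one will also be reported as a lookalike until it is added to the allow-list.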
Technical precautions
(Same as above, the types of attacks prevented are mentioned between brackets:)
- (attacks 1, 2 and 4) Keep your operating system and your web browser updated. We strongly recommend you use Firefox (open source software) as your web browser. Avoid Internet Explorer, which has several security issues that are not fixed with updates. If you can use a GNU/Linux distribution rather than Windows or Mac OS, it will be much better (most programs coming with GNU/Linux are open-source),
- (attacks 1, 2 and 4) If you use Windows, you'll have to install anti-virus software (AVG and Avira seem to provide free and efficient versions of their anti-virus products; always install just one anti-virus on the same computer, not two or more) and anti-spyware (for instance Spybot and Ad-aware, which you can install together),
- (attack 2) Prefer a wired internet connection to wifi, which is much less safe because it is easier to intercept and read. If you can use only wifi, then opt for WPA2 encryption with a passphrase of at least 20 characters. Never choose WEP, as it is easy to crack,
- (attack 2) If you use Gmail (which we don't recommend since Google has very close ties with several governments) go to the "Parameters" menu and check "Always use SSL". After this your connection to your e-mail account will be systematically encrypted by SSL (note that this isn't a protection against all attacks, but again it is a measure that contributes to reducing the overall risk). Do the same thing on Twitter and all your service providers, where possible,
- If you think you may be the target of sophisticated attacks, it is wiser to manage cookies (small and widely used files storing information on your internet activity) with caution, since they can inform a potential attacker about your internet habits (websites visited, etc.), helping him design a specific attack with a high probability of success. Check the option in your browser's preferences so that you will be asked every time a website tries to install a cookie on your computer. You will have to accept only the very few necessary cookies (you will know which with some experience) and refuse all the rest. Think of cleaning up the cookies on your computer from time to time, for instance with Firefox's BetterPrivacy add-on (see below),
- (attacks 1, 2 and 4) If you're not sure whether you can trust your system, then you can use a specially designed GNU/Linux-based live distribution called TAILS (The Amnesic Incognito Live System). Once you download the ISO image you'll have to burn it on a CD/DVD and use it as a live CD/DVD. The fact that it runs from a CD or DVD is an assurance against post-burning tampering with its system by an attacker (something you can never be 100% sure about when you use your usual system that boots from the hard drive), and the fact that it uses Tor constitutes the best assurance of anonymisation and encryption of your communications. However, as always, read the documentation carefully to know the limits of the product. Always use the latest version to prevent an attack through known security issues of older versions.
Useful Firefox add-ons
If you use Firefox (it is by far the safest browser out there) then we strongly recommend you add the following add-ons (that are both useful and free) to make your internet experience much safer. To add an add-on, go to "Tools" -> "Add-ons" in the menu. This will open a page from which you can search and install add-ons using their names:
HTTPS-Everywhere: very useful, automatically activates an SSL-encrypted connection wherever a website provides it. Exceptionally, you will not find it in Firefox's add-ons search engine, but rather on the EFF's website.
BetterPrivacy: this add-on prevents Adobe Flash from keeping records of internet habits, that Adobe or other parties could use without your authorization and against your interest. The default setting is generally good, but you may want to increase the level of safety and precautions taken.
NoScript: very useful if there is a risk you find yourself on a web page with malicious code. However it will force you to manually allow the execution of every script you think is safe (at least the first time you visit a page after installation of the add-on).
Adblock Plus: as its name suggests, this add-on blocks ads. No security improvement here really, it's more for improving comfort. But we thought you might like installing it while you're at it ;-)
TorButton (also see the "Circumvent internet censorship" section below): this add-on, downloadable here, allows you to anonymously reach websites that are censored in your country, using the Tor network of nodes. The communication is also strongly encrypted, so even if it is intercepted (for instance if someone has cracked your wifi connection) the data will still remain unreadable (but that is only AFTER you establish a connection to Tor, and only for communications going through Tor). Read this Tor network FAQ carefully if you're about to use it, so that you know what to do and what not to do to use it safely.
Circumvent internet censorship
Censorship on the internet shouldn't exist because it is every citizen's fundamental right to inform and to be informed on the state of affairs, from general government policies to the smallest municipal council decision regarding the neighborhood. Governments that promote internet censorship often use the fallacious argument of fighting paedophilia websites, whereas not only will censorship not help arrest the individuals behind paedophilia websites, but only an internationally coordinated effort between governments will put an end to them.
Internet censorship comes in one of two forms:
- Either your internet connection is cut off, for instance within the frame of the French three-strike law (that is soon to be abolished) under the pretext that you have been downloading copyrighted material. This kind of censorship cuts you off from the whole internet, and is (in terms of rights) as dangerous as cutting water or electricity to a household,
- Or websites you wish to visit are filtered or blocked, as is the case in China, Iran, and the US administration (which blocks Wikileaks' website on its networks to prevent its employees from reading its content). Unlike the previous kind of censorship this one is very targeted (although often more websites are filtered or blocked than initially planned) and is politically or ideologically motivated.
There is unfortunately no remedy against the first form of censorship but to recognize the internet as a basic right that can't be removed. Some countries are leading the way and hopefully in a few years most countries will adopt this stance.
Fortunately the second kind of censorship can be circumvented in several ways:
The Tor network
This free network, based on free software, is composed of several thousand nodes (called relays) that allow you to hide your IP address vis-à-vis the websites you visit using Tor. It can also allow you to reach websites that are filtered or blocked in your country.
In order to use Tor you can either install the TorButton (only available with Firefox), or, and this is best, use the Tor Browser Bundle (available for Windows, Mac or GNU/Linux) which contains everything you'll need, including a relatively secure browser based on Firefox. Great, isn't it?
You can put the Tor Browser Bundle on a removable drive, take it with you and use it on other computers (provided you take the version compatible with the operating systems of those computers).
If censorship is very severe, as has been the case in Iran, it is possible that even Tor relays will be blocked. In that case you'll need to connect to Tor through "bridges", which are relays that are not publicly displayed, to avoid being blocked. For this go to Vidalia's settings interface, and then "Parameters" where you'll have to check "My ISP block connection to Tor", after which you'll be given the possibility to enter bridge numbers to join Tor through them. The bridge numbers can be obtained here.
The inconvenience of Tor is its latency, which is normal since your traffic bounces off several relays worldwide before it reaches its destination. The connection speed may also be low. But as some of you may already know, this is a small price to pay for avoiding censorship.
Whether your country's internet is undergoing censorship or not, you can help improve Tor's capabilities and performance by running your own relay. For this you just need to run Tor on your computer with the default settings.
Tor is legal in every country of the world, despite the fact that relays are sometimes blocked in some of them.
Proxies
These are servers that forward your incoming and outgoing traffic, so that websites you visit will not see your IP address but the proxy's. If a proxy is not blocked and if it is outside the censorship jurisdiction you can use it to reach blocked websites. However, unlike Tor, proxies are not based on free software (i.e. no transparency or relative safety of the code), and a proxy can be run by just about anybody. So they are not considered very safe. To be used only for non-critical activity.
Examples of proxies are bb.s6n.org (without charge), arethusa.su (paying), samair.ru/proxy (paying).
Virtual Private Networks (VPN)
They provide the same functionalities as proxies except that they are considered more secure when they use the OpenVPN protocol (those who use it mention it clearly). As with proxies avoid doing critical activities on them (they are also often run by private for-profit entities). Prefer Tor despite the fact that it is slower.
Examples of VPN include bestfreevpn.com (without charge), anti-hadopi.com (paying), vpnfacile.fr (paying).
Further reading
If you strictly follow the recommendations above you can consider yourself relatively well protected. However, again, risk-free internet browsing doesn't exist, so the more you learn the better protected you will be. So below we suggest other guides that will provide you with complementary recommendations:
- the Freedom of the Press Foundation's White Paper on encryption (a must-read published after the NSA PRISM scandal),
- the PRISM-Break website, which will help you figure out which tools are safe (free and open source software) and which are to be absolutely avoided as an activist (the proprietary ones). It also introduces encrypted chat programs and more,
- the guides of Access,
- the Surveillance Self-Defence guide of the EFF (mostly applicable to the US, but you can learn lots of interesting things),
- article on how to Get Internet access when your government shuts it down (OpEdNews).
We hope this guide was both clear and useful to you. Keep in mind that security is a permanent quest as new types of attacks appear and adequate means of protection become available. Also, it is important that you set up a security level that is proportional to the value of the information you have (from the potential attackers' point of view).
For any comment please drop us an e-mail: firstname.lastname@example.org
This guide is published under the Creative Commons BY-NC-SA license (details at the bottom of the page). You can reuse it, modify it, improve it freely provided you mention the author (Association Liberté-info) and as long as you don't make a commercial use of it.