I have decided to try and push off of what I normally write about to write about a few things that have been hot in the news lately, namely NSA and data security etc etc. I have been feeling lately that I think the “average joe” could really use some pointers and no shit basic information about one’s internet trail and internet security in general. No I will not be talking about viruses or malware. (In fact, I have a running theory/belief that the computer virus as has been known since the 90s is dead for the consumer individual, I’ve been running without anti-virus since roughly 2006). Instead I will discuss a few things on how the “internet” works, how you can be more secure with your data, and some other thoughts on this subject.
Internet Security Basics
Ok, so let me break down a few things about how the internet roughly works so an average person can understand how insecure a lot of the internet is. There are some newer technologies that provide a “seamless experience” which can complicate exactly how computers talk so I won’t get into them, but when you type a URL or select a link on a website, your computer sends a signal out to that location (IP Address) asking for the contents of the web page. The results are returned in a text file in a format called HyperText Markup Language or HTML, which your browser then displays. Normally these operations take place over the HTTP protocol which effectively is transferred between computers what is called “clear text”. Meaning, when you ask for a webpage, anything that you’ve passed to that website (such as Form values, like your address) is passed in clear text to the server, and the server returns the page back in readable text as well. As it should be clear to you this can present a problem if somebody is “listening” (viewing) in the middle between you and the server. (You do not connect directly to the server, but must pass through many relays, ISP, to get to your destination). This is a major concern for wireless networks particularly free wireless networks such as internet cafes. I know people just LOOOOOVE their free wireless, but I can assure you unless you’re encrypting the transmissions, they’re being passed, in clear text, (to include often your username and passwords) through their hardware, which could be listening in, or somebody else who is on the network can scan your information. This is where HTTPS comes in.
HTTPS is a secure way for two computers to communicate together. (The ‘S’ in HTTPS stands for secure.) Without getting in depth with how asymmetric encryption works, roughly, when you first ask for the webpage, it will be in clear text only to establish a connection, after which a secure (encrypted) line of communication can exist between the two computers without anybody in the middle being able to read or understand what is being transmitted. I should note that this doesn’t prevent anybody from knowing which computers are talking, in otherwords if you were searching on google, somebody in the middle would know that you are communicating with google, but not necessarily what any of the contents are. I should note there are some security issues related to unsigned HTTPs sites, but I will not get into that here, but just making you aware that its not some sort of silver bullet in ALL cases.
I bring this up because HTTPs, while fairly common, is just not used enough. Many people complain about the NSA being able to “read your communications”, or even complaining about metadata, but MOST internet transactions are taking place over HTTP which is effectively allowing your communications to be listened by anybody who can get in the middle of the transmission. HTTPs would limit that to only metadata (who is talking to whom, and at what time, but not necessarily what is being communicated). Looking at the Add-ons with Firefox there is a number of very very useful addons that should be added to your Browser. One of which is HTTP Nowhere, which is a play on the HTTPS Everywhere addon. HTTPs Everywhere forces the browser to attempt to connect via HTTPs whenever you go to a location while HTTP Nowhere makes it so that you have to specifically state that you want to go to an unencrypted location. (You’d think that should be the standard, considering pointing out to you that your communications could be read by just about anybody would make you reconsider what you’re doing and whom you communicate with).
Internet Webmail And Google
Totally switching gears to talk about webmail. Where do I start on this one. Internet Webmail is one of the most interesting topics related to personal security and privacy I think exists. Why? Effectively the major webmail providers have squeezed out all the competition (to include pay to use mail) and now handle most of the email that exists online. This means that Google, Yahoo, and I guess Microsoft (bing/outlook/hotmail or whatever the hell they want to call themselves) have some of your most intimate secrets. It’s not just these entities as corporations but individuals who work at these institutions have generally a surprising amount of information about you. Where you shop, how much you spend, who are your friends, your family, the junk mail that you get etc etc. Most people know this but fail to realize that it isn’t just data sitting off in a server somewhere. This is precisely how Google even exists today. Their ability to sell your data, and add space directly to you because of their intimate access to you is unparallelled.
After so many years of knowingly being tracked by these corporations I decided to spring and setup my own email server. Plenty of other people could use other services, where they may have to pay, but I can certainly say, I rest well at night knowing that A. I control ALL of my data, and B. It’s secure (as it generally can get). I will leave you with one last thing about Google and even unencrypted HTTP. Don’t forget that Google has been actively putting down fiber optic cable across the US (and probably elsewhere), so they’ll have full unadulterated hardware access to all communications sent over their lines. I should also note that the more you look into the head players in google the more you realize there is no way you’d allow these clearly unethical freaks to handle your data. *Shudder*. Google’s not the only one, facebook is another, but I’m not going to jump on that landmine at the moment, you shouldn’t be using facebook what-so-ever.
Further Research and Conclusions
There are some more things with basic internet security that I’ll have to go in depth at another time. Tor is an example of something that takes internet security to the next level, but there are some SERIOUS gotchas to using Tor. The Tor Browser/Internet effectively pools together communications, making your communications autonomous (except for the content) and allows you to communicate with a computer without anybody in the middle knowing where your data is going to. Combined with HTTPs, and further encryption, Tor significantly strengthens your internet security.
So one question you may ask yourself is why bother going to the trouble of looking into any of these things? To be frank we live in a very dangerous world, where the consequences of actions can really be very unknown. I don’t have handy with me links to articles but I’ve ready numerous articles about investigations on individuals starting just off of suspicious internet activity. Yes, here in the ol’ “free” US, somebody can be under an investigation just by being curious. What one has to understand is that there are effectively two threats regarding your data. A. The government’s snooping and political eyes, and B. Some other badnick who could use your data for “identity theft” or even personal malicious harm. The government is the one that many people overlook, but REALLY need to think otherwise. Luckily with the events bubbling to the surface, this is becoming much more obvious and mainstream.
If you have ANYYYYYYYY security questions, please don’t hesitate to ask (via email, or even a post down below).