Welcome to Secure Browsing Part 1.
LESSON ID=> 0020
Key Terms: HTTP, HTTPS, SSL, Certificate, Layered Security, End Point Security, Transmission Security
Lesson Goal: Understand the difference between HTTP and HTTPS; Install and Use Firefox
We are going to discuss:
- Browser tracking / Social Media / Risks
- Secure Browser install
- Lesson Recap – A summary of the security you’ve put in place already
- Transmission Security – HTTP / HTTPS / SSL
Why is browser selection and configuration important? Our cell phones are the worst offender of personal privacy invasion, but our browsing activity is next. Everything you do is tracked, reported and correlated – unless you shut them down by protecting your information.
You must have noticed how in one browser window you are looking at some consumer item, then you hop to a news site, and immediately there is an advertisement in the top or side banner for EXACTLY what you were just looking at. If that Orwellian nightmare doesn’t scare you into action, I’m not sure what will.
When you read Sam Culper’s SPACE Analysis, you will see that poor browsing habits allow our enemies to build signatures, profiles and associations. OpFor can know who you “are” by your profile, and they’re just waiting to assign your name to the profile identity. We’ll talk more about SPACE and Digital Security in a future lesson.
Here’s www.theblaze.com when seen through 2 different blocking add-ons (DoNotTrackMe and Ghostery):
Here are some of the risks of insecure / tracked browsing:
- Data collection of your identity
- Data collection of your browsing behaviors – the pages you visited and when (profile, traffic patterns)
- Data collection of your passwords and auto-fill information
- Data collection of your location (and previous locations)
- Data collection of your associations
- Man-in-the-middle attacks, often for the purpose of malware (surveillance) injections into your Secure End Point.
A word on Social Media
Facebook / Social Media is a double-edged sword. On one hand, you are marketing, recruiting and building public awareness for Liberty. On the other hand, you just handed over significant Intel about yourself, your operations and your associations. Personally I don’t use it, except in a pseudonymous capacity (you did do Lesson 0017, didn’t you?). The usage of Social Media is powerful, and we must harness it. It will be a future post, perhaps an open discussion topic.
There will be 4 areas to cover in order to secure your browser. The first is more technical than the rest, and that will be today’s lesson, along with the browser install. The next lesson will cover Configuration, Hardening and OPSEC.
Secure Browser Install – Do these things right now:
- Stop using Internet Explorer or anything else. Begin using Firefox exclusively. Tor uses Firefox and you should start right now. It is available for Win, MacOS and Linux. Get it HERE.
- Although Browser Add-Ons will be in the next lesson, there are two that are relevant for today’s lesson. Install these two FireFox add-ons:
Administrative note for geeks:
For those who have more technical background, we are going to streamline this lesson with as little technical detail as possible. Please don’t freak out if we take a few shortcuts for the sake of simplicity. The goal is to have people using FireFox and HTTPS, and understanding less secure versus more secure. For example, we aren’t going to try to explain SSL vs TLS.
Congratulations on getting this far. You are almost done with a Level 1 Security Posture. It may seem like the lessons aren’t connected, but let’s take a look at the End Point Layered Security you now have. The diagram below shows what you’ve accomplished if you’ve followed the lessons. (Lesson Tracker)
At this point you are compartmentalizing and you’ve done a SPACE Analysis on your behavior. Your End Point is fairly secure.
Take particular note of the fact that you have layered your security. We still need to cover Physical Security and Secure Data, however you have concentric rings of defense at your End Point and the ability to search anonymously.
You’ve basically secured your Green Zone and are practicing digital OPSEC. You also understand what IP and MAC addresses are, packets, DNS servers, routers and clients. You know that you need to keep the following information private and anonymous and you know why:
- IP Address Source
- IP Address Destination
- Browser Fingerprint
- Traffic Patterns
Sounds great, right?
Wrong. Do NOT rely on technology. Remember that Security is rooted in Behavior, not Technology. You must continue the discipline of routine scans, data sanitation and compartmentalization every time you turn on your computer.
Select the security posture that aligns to the mission. Know your objective for each session and close out one activity before doing another. Treat every browsing session on a patriot site as you would a physical recon.
The next thing we need to focus on is Transmission Security. For this lesson, we will only discuss the Browser path in the diagram above. Email and Chat (which is a third transmission channel not shown) will come later.
Transmission Security – HTTP, HTTPS, SSL & Certs
The important takeaways here for you are that:
- HTTP is NOT secure and HTTPS is
- HTTPS will use a cryptographic protocol called SSL, and Certificates are used to negotiate and encrypt your session
- HTTPS can use different ciphers, key strengths, symmetric and asymmetric encryption in the underlying SSL.
Recall from the Internet 101 lesson that the browsers exchange information with websites using HTTP (Hyper Text Transfer Protocol), and that a protocol is simply a set of rules on how a process occurs. HTTP has no real security built into it, and an adversary could easily sniff your traffic.
Since HTTP traffic can easily be intercepted, a method was devised to encrypt sensitive traffic. The protection relies on SSL (Secure Sockets Layer) and SSL Certificates (same as CA Certificates) to encrypt the data transfer. The process for encrypting web traffic information and then exchanging it is called HyperText Transfer Protocol Secure (HTTPS). HTTPS is really just HTTP using SSL cryptography to create the secure HTTPS session.
The SSL layer has 2 main purposes:
- Verifying that you are talking directly to the server that you think you are talking to
- Ensuring that only the server can read what you send it and only you can read what it sends back
When using HTTPS, even if someone sniffs your traffic, they cannot read it since it is encrypted. Only the sender and the recipient, who know the “code,” can decipher the message. Notice that we are describing how to protect the content of your traffic (Privacy) and not necessarily your identity (Anonymity). We will add Anonymity measures later on.
Keep this diagram in mind as you read the following example:
Here is how it works.
Your browser wants to establish a secure connection to a website. To do this, you need to encrypt traffic. However, you don’t store symmetric (shared secret) encryption keys for any websites. It would be impractical (and quickly a security risk) if you tried to hold sets of shared-secret keys for all the websites you need to communicate with securely.
HTTPS actually uses both Asymmetric (Public/Private Keys) and Symmetric (Shared Secret Key) encryption. It goes something like this (simplified). It is basically “Hello”, “Certificate Exchange”, and “Key Exchange”:
- Patriot: (over plain HTTP) “Hi, I want to talk to you securely.”
- WRSA: (over plain HTTP) “Ok, we need to exchange some keys to encrypt our messages”
- Patriot: Sounds good, but how can I trust you? How do I know you aren’t the NSA pretending to be WRSA?
- WRSA: Well, go get my public key from your Certificate Authority that you trust, and give me your public key.
- Patriot: Ok, my Cert Authority gave me your key, I’m sending you some info. You do the same for me with my key.
- WRSA: Ok, message sent, and I received your message. I trust you.
- Patriot: I received your message as well, I trust you too. (note, these are called SSL Certificates).
- WRSA: Great, let’s use this trusted asymmetric, inefficient encrypted channel to exchange a symmetric, shared secret key that will be more efficient and secure for the rest of this session (note, this is called a session key and it has an expiration on it).
- Patriot: Ok, I will send you a symmetric session key so we can start talking using shared-secret encryption instead of this public/private key session.
- Patriot is now talking to WRSA over HTTPS. Content is protected during transmission.
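The hybrid idea in the exchange above, as an added teaching example (not code from the original lesson, and not real SSL/TLS): a session key is wrapped with the server's public key, the request itself is encrypted with that session key, and a passive sniffer's view of the wire is compared for HTTP and HTTPS. The function names, the small demo key pair, the hash-based demo cipher and the sample request are all constructed for illustration, and the certificate check that tells Patriot the public key really belongs to WRSA is assumed to have already happened.

```python
# Added teaching example: toy hybrid encryption, NOT real SSL/TLS.
import hashlib
import secrets

# Constructed demo key pair for "WRSA", built from two known Mersenne primes.
# Far too small for real use; real certificates carry 2048-bit or larger keys.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q                                  # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, stays on the server


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric step: XOR data with a SHA-256 counter keystream (demo cipher)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def client_send(request: bytes, server_pub=(N, E)):
    """Patriot: pick a random session key and wrap it with the server's PUBLIC key."""
    n, e = server_pub
    session_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)  # asymmetric, slow
    return wrapped, keystream_xor(session_key, request)      # symmetric, fast


def server_receive(wrapped: int, ciphertext: bytes) -> bytes:
    """WRSA: unwrap the session key with the PRIVATE key, then decrypt."""
    session_key = pow(wrapped, D, N).to_bytes(16, "big")
    return keystream_xor(session_key, ciphertext)


def sniffer_sees(wire_bytes: bytes, secret: bytes) -> bool:
    """All a passive eavesdropper can do: search the captured bytes."""
    return secret in wire_bytes


# Constructed sample request containing a login secret.
REQUEST = b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\nuser=patriot&pw=hunter2"

if __name__ == "__main__":
    wrapped, ciphertext = client_send(REQUEST)
    print("HTTP  leaks password:", sniffer_sees(REQUEST, b"hunter2"))
    print("HTTPS leaks password:", sniffer_sees(ciphertext, b"hunter2"))
    print("Server recovers request:", server_receive(wrapped, ciphertext) == REQUEST)
```

The sniffer can copy both the wrapped session key and the ciphertext, but without the private exponent it cannot unwrap the key, which is why the password only shows up in the plain HTTP capture.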
A user can tell if they are connected to a secure website if the website URL begins with https:// instead of http://, and there is often a lock icon displayed. The browser and the website negotiate to find a common encryption algorithm and cipher (key) strength so they can talk to each other.
Not too bad, right? If you want a more thorough explanation of this process (that isn’t too technical), check this site: http://robertheaton.com/2014/03/27/how-does-https-actually-work/
And this is a great visualization for what can be seen with and without HTTPS. Take a look at the Tor / HTTPS link and check the HTTPS visualization:
At a minimum, go get FireFox installed, and install the HTTPS Everywhere add-on. It will attempt to give you an HTTPS secure connection whenever one is available. Not all websites offer HTTPS.
Check this lesson to see what InformOps looks like without and with HTTPS:
You may want to explore several tools on the Tool Kit ->Test Tools tab. Check these out as well:
IP Leak Tests (https://informops.wordpress.com/ip-test-sites/)
DNS Leak Test (https://informops.wordpress.com/dns-leak-sites/)
Unique Browser Fingerprint test – EFF’s Panopticlick (https://informops.wordpress.com/system-tests/)
This was LESSON ID=> 0020