Today, Groklaw, a site responsible for, among other things, victory in the SCO patent troll attack on the Linux kernel, followed Lavabit and shut it’s doors. It did so because there is now no way to communicate securely on the internet; traffic is routinely intercepted, servers can be stolen and operators forced to reveal confidential sources.

This is the world we live in, and have been living in for a while now, but thanks to a whistleblower we are all forced to confront this reality.

So, as technologists, what can we do to protect ourselves and our loved ones?

Truth is there is no silver bullet, but that doesn’t mean we just give up and go home. While the technology is only a small part of the issue here, it is something that we as technologists and makers are in a position to do things about.

While we work to solve the political problems that have caused this current situation, I think that we need to work towards making cryptography ubiquitous. Analysis of some of the leaked material already suggests that if the level of cryptographic content was raised, it would raise the cost of analysis by government agencies to an impractical level, and at the very least we’d remove “use of encryption” as grounds for suspicion.

When we build systems we need to decentralise, so there’s no one server and operator to intimidate. We need to protect content and metadata, because who talked to whom, and where, is still sensitive information. We need to work on the UX of the systems that are available, so that cryptography isn’t something someone who just wants to use the computer needs to think about. Think of these sorts of things as safety equipment, like seat belts or airbags. They should just work, without the operator having a degree.

Don’t be this guy.

We needed to think about this stuff before the first sharpie hit the paper.

Coulda, shoulda, woulda….

In the mean-time, we need to use the tools that we have. Make security and cryptography ubiquitous. As technologists, we have the knowledge to protect ourselves (and if you’re not already, you’ve got no excuse), but we also have a duty to help our friends, neighbours and family as well.

So, encourage your friends to use encrypted email and OTR messaging on IM, explain why it’s important while helping them install and use the plugin. Install HTTPS Everywhere on your mum’s computer. Talk to your neighbours about the dangers of the guilt by association fallacy in relation to communication metadata while installing the TOR browser bundle on their laptop.

You get the idea, friends don’t let friends use cleartext!

DNS is the system which converts a human readable address, like www.google.com, into the IP address that the computer actually uses to route your connection through the internet, e.g. 173.194.34.179.

This works very well, however, it is a clear text protocol. So, even if all other traffic from your computer is encrypted (for example, by routing your outbound traffic through a VPN – more on that later), you may still be “leaking” your browsing activity to others on your network.

Since I intend to do my best to stamp out cleartext wherever it may be, this is a problem for me.

Encrypting DNS

Unfortunately, DNS is still very much a legacy technology as far as modern security practices are concerned, and does not natively support encryption. Fortunately, OpenDNS, a distributed DNS alternative, have provided DNSCrypt, which is open source, and will encrypt dns connections between your computer and their servers.

DNSCrypt will help protect your browsing from being snooped on, however, you should be aware it’s not foolproof; while people on the same WIFI hotspot / your ISP will not be able especially if you see a lot of error (broken trust chain) resolving ... messages in your system log and your connection stops working when forwarding upstream.to see the clear text of the DNS resolution flash by, once it’s resolved into an IP address, they will still see the outbound connection. So, while they won’t see www.google.com in their capture logs, they will still see that you made a connection to 173.194.34.179, which an attacker can resolve back into www.google.com if they have the motivation. To protect against this, you must deploy this technology along side a VPN of some sort, which will encrypt the whole communication, at least until the VPN outputs onto the internet proper.

All that said, I’ve got it turned on on my home network (since there’s no sense in making an attacker’s life easy), and I’ve got it running on my laptop to give me extra protection against snooping while surfing on public wifi, and in the case of my laptop, I also surf over a VPN.

Setting it up

By far and away the easiest thing to do is use DNSCrypt-proxy, which serves as a drop in replacement for your normal DNS server provided by your ISP. Run it on your local machine, configure your network settings to talk to 127.0.0.1, and you’re done.

In my home network, I had an additional complication, in that I run my own DNS server, which provides DNS names for various human readable names for computers and devices around the home (my computers, the NAS, the printers and so on). I wanted to preserve these, and then configure the DNS server to relay anything that wasn’t local (or cached) via the encrypted link. To accomplish this, I needed to run DNSProxy on the network DNS machine along side BIND (the traditional DNS server software), but listening on a different port.

dnscrypt-proxy --local-address=127.0.0.1:5553 --daemonize

Over on github, my fork of the project contains a Debian /etc/init.d startup script which starts the proxy up in this configuration. You may find this useful.

Then, all I’d need to do is configure BIND to use the dns proxy as a forwarder, and I should be done.

In /etc/bind/named.conf.options:

forwarders {
    127.0.0.1 port 5553;
};

You can use pretty much any port that you like, but don’t be tempted to use something obvious like 5353, since this will cause problems with any Avahi/Bonjour services you may have running.

You may also want to put a blank forwarders section in the zone file for your local domain (which is strictly speaking “correct”, but many examples don’t), e.g.:

zone "example.local" {
    type master;
    notify no;
    file "/etc/bind/db.example.local";
    forwarders { };
};

Some gotchas

First, OpenDNS by default provide “helpful” content filtering, typo correction and a search page for bad domains. This last means that any bad domain will resolve to their web servers on 67.215.65.132, which can break your resolv.conf search domain. This can cause problems in certain situations if, for example, you have subdomains or wildcards in your zone file for your local domain, and will make them only accessible by the fully qualified domain name.

A workaround for this is to create a free account on OpenDNS, register your network, and then disable their web content filtering and typo correction, although my feeling is that I may have made a mistake in the configuration.

Second, OpenDNS’ servers do not support DNSSEC despite promises to the contrary. Not sure why, probably because it would break the DNS hijacking which makes the above unrecognised domain redirection possible. Since their business is security, OpenDNS should be doing DNSSEC validation on your behalf, how much of an issue this is an open question.

Still, it’s worth noting, since you will at least see a lot of error (broken trust chain) resolving ... messages in your system log and in all probability your connection will stop working when forwarding upstream.

Happy encrypting!

Update: CloudNS, an Australian based name service, now offer DNSCrypt together with no logging. There are also a number of OpenNIC servers which are starting to support DNS Encryption, so it’s worth keeping an eye on the Tier2 server page.

6a0120a85dcdae970b016301e98de2970d-800wi One of the good things to come out of the recent revelations that the NSA have been doing what we always supposed that they might be doing, as well as our lot pushing ahead with ill conceived plans to do the same, is that it has made the public at large much more aware of the need to protect themselves online. It has also acted as a spur for many of us in the tech community to pick up our game a little, and to work to better protect ourselves and others online by redoubling our efforts to finally stamp out cleartext communication protocols.

The humble email, sent for the most part in the clear and readable to everyone, is one of the last legacy unencrypted technologies still in common use. These days HTTPS can be being switched on for just about everything, and it is considered the height of irresponsibility in the tech community to still use telnet or ftp.

Technologies for securing email have been around for decades, but haven’t seen widespread adoption. PGP is the canonical example, however s/mime, which does the same job and is often forgotten about, may be more practical for most people, for two main reasons: 1) most mail clients have native support, including native support in iOS, 2) it does a much better job at key exchange, in the most part handling it transparently (as long as you have the “sign email” option turned).

Setting it up is still far from a one click “make my email secure” button, but once set up it is transparent and easy to use, so there is very little reason not to do it if you’re reasonably tech savvy (or know someone who is who can help you). Even if you use one of the NSA’s free webmail services (gmail et al), providing you don’t use the webmail interface to read your email, you can still set this up.

What this won’t do

Even if your email is encrypted, there are a number of gotchas which you should be aware of…

  • It relies on both parties switching on encryption – this is an age old issue.
  • Subject lines are never encrypted.
  • The spooks and other ne’er do wellers can still see who you contacted and when, leaving you vulnerable to being caught by the inevitable guilt by association fallacy that such mass surveillance programs are guaranteed to produce.

Setting up S/MIME

  1. Obtain a signing certificate: Unlike PGP, which relies on self generated keys and a web of trust to establish authenticity, S/MIME relies on signed certificates in the same way as HTTPS does. These are in many cases free to obtain. I currently sign my emails with a Comodo certificate obtained via their handy online form.
  2. Collect your certificate: Next, you need to collect your certificate, this is done via your web browser, and is possibly the most confusing step. You must visit a link, and your browser will generate and install a certificate into itself. What this means is that once you’ve clicked on the link, you should get a message along the lines of “Certificate from xxxx installed”, but you won’t be able to directly use it in your email client. You must also use the same browser on the same computer throughout the whole signup and retrieval process, which caught me out.
  3. Export your certificate: In order to be able to use your new certificate to sign and encrypt email, you must first export it as a certificate file. From your browser, visit your advanced settings and export the certificate. In chrome, this is under Settings -> Advanced -> Manage certificates. Save it somewhere safe, give it a password you’re going to remember.
  4. Import the certificate into your mail client: Here’s how on thunderbird, OSX/ios, outlook.

If you’re tech savvy, this isn’t too painful a process, and once it’s done its done (at least until the certificate expires). If you’re not, then I think it is up to those who are to help. Stamping out unencrypted communication protocols can be considered a civic responsibility in tech circles.

Hand holding is a start, however I see absolutely no reason whatsoever that this process can’t be made into a nice click button wizard. For the most part, S/MIME is natively supported in all modern mail clients, so is it not high time that the setup process was made a good deal simpler? Why on earth is this not all done by the setup wizard?

As a community, lets make a pledge to make this better and to stamp out clear text communication protocols once and for all, making security an invisible process for everybody. What do you say?