Linux distributions for anonymous Internet browsing – what’s new?

The most famous of the security distributions is Tails, it has been in production since 2009. Everything is familiar and familiar there: I inserted a flash drive, booted, worked, cleaned the RAM after myself. At the same time, alternative solutions periodically appear, such as Whonix, Qubes OS or a completely new distribution Obscurix

Personal safety is not an area where fashion is followed. This is not some hobby, mobile development or design, this is about saving life and freedom. The innovations are not a tribute to aesthetics or comfort, but an attempt to provide even more reliable protection.

Security is anonymity

In the context of operating systems, some of the specific characteristics of “secure” systems are often spoken of:

  • competent separation of privileges;
  • mandatory control;
  • process isolation;
  • … and many many others.

Safety software processes – this is a slightly different topic. There, the problem is viewed from a different angle, interesting primarily to military, government and corporate clients who protect trade secrets, spy on employees, fight information leaks, and the like – usually to divide power and / or money. It’s funny that the surveillance of company employees or citizens of the state is often established for their own good: they say, this way they “feel more protected.”

We’re talking about personal human security, which, in principle, is impossible without guarantees of anonymity. This is completely different. As discussed earlier, in the modern world, personal safety directly depends on anonymity, otherwise no one guarantees your freedom after comments in the telegram or financial transactions. Any activity on the Internet can be punished after the adoption of new laws with retroactive effect… Now is the time, and it will be even worse.

In other words, personal protection is much more important than the corporate, military, or national interests of a state. Still, physical security concerns specific living organisms, and corporations and states are abstract entities invented relatively recently, that is, they are secondary.

It is in this context that the developers of most secure distributions consider security. They think about safety first. human, that is, about privacy, anonymity, protection from exploits, surveillance, deanonymization, and reliable encryption.

Obscurix

Obscurix (Obscure * nix) is a relatively new project. The operating system is still in alpha, so we should not expect stability from it yet.

This is a “live”, bootable from external media operating system based on Arch Linux, configured with an eye to privacy and anonymity (source, ISO image for a bootable flash drive). As expected, all traffic is securely routed through Tor. I2P and Freenet anonymizer networks are supported (but they are not chained).

The built-in firewall is configured via iptables and blocks all incoming traffic, allowing only outgoing connections over Tor, I2P or Freenet (iptables rules). NetworkManager.service does not start at all without iptables.

Application permissions are managed by the Linux module AppArmor, and Bubblewrap and Xpra are used for isolation.

Obscurix is ​​open source, you can build the same image that is available for download from it. Only open source programs are supplied with the distribution kit. The only proprietary snippets are microcode updates for AMD and Intel processors (packages amd-ucode and intel-ucode), and they are here only out of necessity: this is the only defense against hardware vulnerabilities like Meltdown and Specter.

The operating system has a UTC time zone, it is better not to change it so as not to distinguish yourself from the general mass of users. A similar disguise is recommended for all Internet behavior scenarios. As you know, fingerprinting of “anonymous” users is carried out by indirect bits of information, such as the list of installed extensions, the list of fonts in the operating system, the speed of graphics rendering (indicates the hardware configuration of the computer), the peculiarities of typing on the keyboard, etc.

Application selection:

  • IRC client Hexchat with privacy settings, no autostart;
  • VLC, collection of metadata is disabled;
  • Thunderbird with disabled features like Javascript, chats, SVG to reduce the attack surface; no telemetry and Google Safebrowsing; with anti-fingerprinting protection, enigmail plugin for mail encryption;
  • Evince viewer with disabled options evince-previewer and evince-thumbnailer;
  • Thunar file manager without thunar-volman, preview and bookmark for the web;
  • Pacman: thread isolation, HTTPS mirrors only;
  • GnuPG in reinforced configuration Jacob Applebaum;
  • Gedit, Eog, Electrum, Keepassxc.

For security, all unusual protocols and file systems, webcam and speaker modules, Bluetooth, Firewire, Thunderbolt are disabled in the system. All wireless devices are blocked (except WiFi), swap is disabled.

Time synchronization is critical for anonymity. But the NTP protocol is extremely vulnerable, not encrypted, does not work through Tor, and gives out local time in timestamps. Therefore, the author wrote a script Secure Time Synchronization for safer time synchronization.

A library is installed to collect additional entropy in the RNG jitterentropy and demon haveged

All potential identifiers in the system are obfuscated, MAC addresses spoof at boot, the intervals between keystrokes on the keyboard are obfuscated with the tool kloak

Obscurix does not support VPN for security reasons. When using Tor it is rather doubtful that a VPN provides additional protection and not vice versa… In this regard discussions are underway… Although, if Tor is blocked by DPI at the provider level, then a VPN really helps to hide traffic and start Tor.

Strengthening the core

Protected distributions are diligently hardened from the point of view of information security. Obscurix uses hardened_malloc, special settings for strengthening the core, and some security parameters are passed to the kernel via the bootloader. For example, here are the specific kernel execution parameters that are set by the utility sysctl:

  • kernel.dmesg_restrict=1 restricts kernel logs to root only, preventing an attacker from gathering information about the system
  • kernel.kptr_restrict=2 hides kernel symbols in /proc/kallsymsso that an attacker cannot use this information for an attack either
  • kernel.unprivileged_bpf_disabled=1 restricts the BPF JIT compiler to root only, preventing many possible attacks on the JIT compiler like spraying heaps
  • net.core.bpf_jit_harden=2 also protects the JIT compiler from some attacks
  • kernel.yama.ptrace_scope=2 sets a restriction on the use of a system call ptrace() only for root: this call is used to check and modify running processes, which is very dangerous
  • kernel.kexec_load_disabled=1 disables kexec which is used for kernel changes without rebooting
  • net.ipv4.tcp_syncookies=1 enables SYN cookie – a technique for countering SYN flood attacks (a type of DoS attack)
  • net.ipv4.tcp_rfc1337=1 prevents attacks like TIME-WAIT Assassination
  • net.ipv4.conf.default.rp_filter=1 and net.ipv4.conf.all.rp_filter=1 prevent certain methods of IP spoofing.
  • net.ipv4.conf.all.accept_redirects=0
    net.ipv4.conf.default.accept_redirects=0
    net.ipv4.conf.all.secure_redirects=0
    net.ipv4.conf.default.secure_redirects=0
    net.ipv6.conf.all.accept_redirects=0
    net.ipv6.conf.default.accept_redirects=0

    disables receiving ICMP redirects

  • net.ipv4.conf.all.send_redirects=0 and net.ipv4.conf.default.send_redirects=0 disable sending ICMP redirects
  • net.ipv4.icmp_echo_ignore_all=1 makes the system ignore ICMP requests
  • vm.mmap_rnd_bits=32 vm.mmap_rnd_compat_bits=16 improves ASLR efficiency for mmap
  • net.ipv4.tcp_timestamps=0 disables TCP timestamps that are used to determine the system time on your system
  • net.ipv4.tcp_sack=0 disables TCP SACK, this feature is almost useless, but often used in exploits
  • kernel.sysrq=0 disables the SysRq key to execute arbitrary commands that usually require root
  • kernel.unprivileged_userns_clone=0 disables unprivileged usernamespaces extending the surface of an elevated attack
  • kernel.deny_new_usb=1 blocks all new USB devices

This list gives an idea that there are a lot of attack vectors. Strengthening the core will never be superfluous.

Transparent Tor proxy

In secure distributions, absolutely all traffic goes through the network of anonymizers. Not a single packet will “accidentally” be sent through open channels, so you can feel safe in this regard.

Whonix has a built-in Whonix Gateway, other private distributions have a similar mechanism.

In Obscurix, the regular Tor daemon is disabled and the Tor system daemon opens SocksPort at 9150 to prevent Tor running over Tor.

Differences between Obscurix and Tails

Obscurix is ​​similar to Tails, but based on the Arch distribution, not Debian. Hence the main differences follow – more thorough strengthening of the kernel, sandbox and memory allocator, more recent versions of programs, etc.

In addition, Obscurix does not modify the Tor Browser, as the Tails developers do, so the browser fingerprint will not differ from the standard one, that is, it will not give out the user of a special Linux distribution.

Another difference in the support of multiple networks for anonymization: in addition to Tor, I2P and Freenet are supported. Non-anonymous networks Zeronet, IPFS, cjdns for encryption and decentralization are also supported.

Unlike Tails, Obscurix lacks an insecure browser Unsafe Browserthat allows direct connection bypassing Tor. Thus, after exploiting some other vulnerability, an attacker can easily find out the real IP address of the victim. By the way, in the latest versions of Tails it is already disabled by default.

Differences between Obscurix and Whonix

Distribution kit Whonix appeared several years ago, it is already a real practical tool, while Obscurix is ​​still at the experimental stage.

The main difference is that Whonix is ​​designed for a virtual machine. At the same time, Obscurix and Tails are loaded from a flash drive into RAM and leave no traces for computer forensics. In the case of Whonix / VM, there are theoretically additional layers of abstraction. On the other hand, Whonix is ​​more convenient, because a virtual machine can be run under any OS, including Windows and MacOS, in any OS manager.

Whonix is ​​often used in conjunction with Qubes OS… This desktop distribution for high-quality VM isolation praised Edward Snowden himself.

The diagram below shows the design of Qubes OS with a Whonix installation. Different colors of the modules correspond to different levels of trust: from black (maximum trust) to dangerous red (USB, network stack).

Compared to traditional live distributions, this is a more advanced approach. In the Qubes-Whonix bundle, a kind of double protection is obtained: a special secure Linux distribution inside another special distribution with high-quality process isolation. Still, bootable / live distributions are technically safer, because they do not leave any traces on the host (amnesiac) and even clear the RAM on output.

On the other hand, although the same Qubes OS is not considered ‘amnesiac’, full disk encryption is the default here. That is, in fact, there are still no traces left, but there is more convenience.

In general, the good old Tails is no longer alone in the arsenal of a free man.


Advertising

VDSina offers VDS for rent for any task, a huge selection of operating systems for automatic installation, it is possible to install any OS from your own ISO, a convenient control panel of our own design and a daily payment of the tariff, which you can create individually for your tasks.

Join the our chat on Telegram

Similar Posts

Leave a Reply