PRISM Break

Article in English, I didn't have the courage to translate it.

By now you may already have heard about PRISM. In short it is a surveillance program run by the NSA that collects data about (almost) everyone that uses the Internet.

The reason the collection of all this data was relatively easy is that the way we use the Internet has broken it.

Googlisation of teh Interwebs

Getting user data is easier when service providers participate. Getting service providers to participate is easier when they are few in numbers and big in market share.

Because most users are clustered around a very small number of service providers, the situation is perfect. For email, Gmail, Microsoft and Yahoo would cover most of your surveillance needs. Add some Facebook, Twitter and a zest of Apple if you want more.

Half of the Interweb has Google Analytics following users (and most of those users have a Google account to be associated with); for everything else there are Facebook Like buttons (like it or not). The most common scenario is that when you visit a page your browser sends requests to many (many) different servers to fetch content from, and each request indicates to each server your IP, system (etc.) and the page you are visiting. If you are logged in to any of those services then those services can know where you have been. Among the lot is Javascript code which may do further analysis, for example how much time you've spent focused on each website.

The Email Trap: It's a Trap

Even if you run your own mail server, the unfortunate reality is that most email accounts are controlled by Google, Microsoft and Yahoo. That means that if most of your correspondence is with users of such services then most of your correspondence is available to PRISM or any similar program.

Either you stop communicating with most people, or you censor yourself. I'd actually love to hear some ideas, because I must admit that too many people I know and care for use privacy-leaking, user-exploiting products.

Certificate Authorities are Broken

One of the most broken things out there is the fact that almost everyone's browser is designed to trust a vast number of Certificate Authorities to authenticate SSL certificates. The lock that says "this connection is secured and verified" means your browser checked that the certificate has been signed by one of the CAs it trusts.

The goals of certificates are to certify the identity of the website and to encrypt the data transferred between the user's browser and the server. Any certificate for any domain will appear to you as valid and verified if it is signed by any one of the CAs that your browser trusts.

CAs can be compromised (Comodo and DigiNotar, for example) and then used to sign certificates for popular domains (Yahoo, Skype, Google) in order to impersonate them and intercept connections.

In corporate environments, some companies will add their own root CA to their users' systems to allow them to intercept SSL traffic. One of the most widespread pieces of corporate malware is called ProxySG from Blue Coat Systems, a company dedicated to breaking the Internet.

Certificate verification is only as reliable as the weakest CA you trust: it takes only one compromised CA to void the whole system.

A Few Things You Can Do

Break Your "User Experience"

To limit your web footprint you can use things like Request Policy and NoScript to filter out quite a bit of useless, traffic-hoarding, CPU-consuming, memory-hogging junk.

Request Policy acts by blocking all content that does not come from the site you are visiting. While it may drive some users insane, it will at least give a tangible sense of how many connections your browser is asked to make to load a single page. For those armed with calm and patience, you can set up permissions as you go, temporary or permanent. The result is that you load what you want, not what the website wants.

NoScript is another plugin that will break your user experience into pieces; in exchange you gain control over which Javascript code can be executed. As with Request Policy, you can set temporary and/or permanent exceptions for websites you trust.

Once you are used to how these work and have configured them so the most common websites you visit work properly, you might notice a performance improvement. Indeed, one of the side effects of not executing every single Javascript that the Interweb throws at you is that your computer doesn't execute them...
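To get a feel for what Request Policy is showing you, here is an added example (not code from the post, and not the plugin's own logic) that does a static, offline version of the same count: it parses a page and lists every third-party host the markup asks the browser to contact, flagging the tracker hosts the post names. The sample page and the tracker list are constructed for the example; requests that scripts add at run time are invisible to a static scan, which is one reason the live plugin always shows more than you would guess.

```python
"""Static audit of the third-party origins a page asks the browser to contact.

Added example, not from the post: a rough, offline approximation of what
Request Policy shows live. It walks the tags whose attributes trigger a
request (scripts, images, frames, stylesheets, form targets) and groups the
URLs by host, flagging the tracker hosts named in the post.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attribute that makes the browser fetch something, per tag.
REQUEST_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "embed": "src",
    "source": "src", "video": "src", "audio": "src", "form": "action",
    "link": "href",
}
# <link> only triggers a fetch for these rel values; canonical/alternate do not.
FETCHING_LINK_RELS = {"stylesheet", "icon", "shortcut icon", "preload", "prefetch"}
# Constructed tracker list: the hosts the post names. A real list is longer.
TRACKER_DOMAINS = ("google-analytics.com", "facebook.com", "facebook.net")


class RequestCollector(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.by_host = {}  # third-party host -> list of URLs loaded from it

    def handle_starttag(self, tag, attrs):
        attr = REQUEST_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() not in FETCHING_LINK_RELS:
            return
        url = a.get(attr)
        if not url:
            return
        # Relative URLs have no host and stay on the page's own origin;
        # protocol-relative "//host/..." URLs do carry a host.
        host = urlsplit(url).hostname
        if host and host != self.page_host:
            self.by_host.setdefault(host, []).append(url)


def is_tracker(host):
    return any(host == d or host.endswith("." + d) for d in TRACKER_DOMAINS)


def third_party_requests(page_url, html):
    """Map each third-party host to the URLs the page loads from it."""
    collector = RequestCollector(urlsplit(page_url).hostname)
    collector.feed(html)
    collector.close()
    return collector.by_host


def report(page_url, html):
    """Rows of (host, request count, is_tracker), trackers first."""
    rows = [(h, len(urls), is_tracker(h))
            for h, urls in third_party_requests(page_url, html).items()]
    return sorted(rows, key=lambda r: (not r[2], r[0]))


# Constructed sample page: a blog post with the usual hangers-on.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="alternate" type="application/rss+xml" href="https://feeds.example.net/rss">
<script src="//www.google-analytics.com/ga.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/jquery.min.js"></script>
</head><body>
<img src="/img/logo.png">
<img src="https://secure.gravatar.com/avatar/00000000000000000000000000000000?s=80">
<iframe src="https://www.facebook.com/plugins/like.php?href=https://example.org/post"></iframe>
<script src="/js/app.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for host, count, tracker in report("https://example.org/post", SAMPLE_PAGE):
        print(f"{'TRACKER ' if tracker else '        '}{host}: {count} request(s)")
```

Run against the constructed page it lists four third-party hosts for a single post, two of them trackers, while the same-origin stylesheet, logo and script, and the RSS `alternate` link that the browser does not fetch, are left out.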

Trust No One

We've seen that trusting random CAs is bad; you can remove or untrust them. This depends on your browser, so you may need to look into that. With Firefox it is possible to compile yourself a version without any built-in CAs; I won't get into the details of that, as the experience and documentation for this is... not so up to date, and so far it doesn't work for me in more recent versions.

Regardless, I was inspired by this Life without a CA post and it has been a few years since I've been living like that. I cope by having at least 2 browsers. One with no CAs: this is the secure browser; I can manually verify certificate signatures, and if they change I will be informed.

I use a second browser that will trust any CA included with it, a default Firefox (Iceweasel). I consider HTTPS via this browser unverified and broken by default; I won't log in to anything here.

You can also (or instead) use Certificate Patrol, which helps keep track of certificate changes. This can be very useful, especially on the browser with all the default CAs.
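The "no CAs, verify by hand, get told when it changes" model above is trust-on-first-use pinning, which is also what Certificate Patrol does inside the browser. As an added example (not code from the post or from Certificate Patrol), here is the same idea in Python: a JSON store of per-host SHA-256 fingerprints, a check that reports first contact, match or change, and a fetch helper that deliberately ignores the system CA store because the pin, not a CA, is the verification. The certificate bytes in the demo are constructed so it runs offline; the store path is an assumption.

```python
"""Trust-on-first-use certificate pinning, in the spirit of Certificate Patrol.

Added example, not code from the post. A JSON file maps each host to the
SHA-256 fingerprint of the leaf certificate seen on first contact; later
contacts are compared against it. No CA is consulted at all: the pin is
the verification, which is the model of the CA-less browser above.
"""
import hashlib
import json
import socket
import ssl
from pathlib import Path

STORE_PATH = Path("pins.json")  # assumption: where the pins live


def fingerprint(der_cert):
    """SHA-256 of the DER-encoded certificate as colon-separated hex, the
    same form browsers show in their certificate viewer."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(store, host, der_cert):
    """Compare a freshly received certificate with the pinned one.

    Returns "new"     -> first contact, fingerprint recorded,
            "match"   -> same certificate as before,
            "changed" -> different certificate; the store is NOT updated,
                         because an interceptor must not be able to
                         re-pin itself simply by showing up.
    """
    fp = fingerprint(der_cert)
    pinned = store.get(host)
    if pinned is None:
        store[host] = fp
        return "new"
    return "match" if pinned == fp else "changed"


def accept_change(store, host, der_cert):
    """Only after confirming the new fingerprint out of band (the site's
    published fingerprint, a check from another network, ...)."""
    store[host] = fingerprint(der_cert)


def load_store(path=STORE_PATH):
    return json.loads(path.read_text()) if path.exists() else {}


def save_store(store, path=STORE_PATH):
    path.write_text(json.dumps(store, indent=2, sort_keys=True))


def fetch_leaf_der(host, port=443):
    """Fetch the server's leaf certificate in DER form. CA verification is
    disabled on purpose: the pin store, not a CA, decides whether this is
    the expected certificate. Network call; the demo below does not use it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must precede CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates so the demo runs offline.
    store = {}
    key_a = b"constructed DER certificate for example.org, key A"
    key_b = b"constructed DER certificate for example.org, key B"
    print(check_pin(store, "example.org", key_a))  # new
    print(check_pin(store, "example.org", key_a))  # match
    print(check_pin(store, "example.org", key_b))  # changed
```

In real use you would call `check_pin(store, host, fetch_leaf_der(host))` before trusting a connection and `save_store` afterwards; the one rule worth keeping from this is that "changed" never updates the store by itself, since a silent re-pin is exactly what an interceptor would need.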

Run Your Own Services

The Internet was designed to be decentralised, to allow everyone and anyone to run their own services and to allow peers to communicate directly with each other. The term "web" was coined because, if it were represented visually, the Internet would look a bit like a web.

The software required to do so exists; there's plenty of quality Free Software out there for this task. By quality software I mean that most of the Internet already uses such software. It works, there is a shitload of documentation, it's free, and mostly it is Free. Free as in freedom, and not free as in advertisement-supported services that monetise users and their privacy.

Currently things are looking more like a wheel: big service providers are gathered in the centre and most users have an exclusively passive role in the structure. There's nothing wrong with a service becoming popular, like a good search engine. What's wrong is when that search engine is also your email, calendar, photo gallery, social web, maps, news, documents, and you get the picture by now.

As a community we've been letting the Internet down. It was built to allow everyone to have their own space, but generally speaking we elected a few companies to run the whole thing for us. They promised they wouldn't do evil and some still believe them. That said, I don't think they deserve all the blame: the users were not forced into this situation, they were seduced. It's time for a cold shower.

Running your own services puts control of your Internet in your hands.

Because of our negligence, some ISPs don't even provide Internet access; what they provide is access to certain Internet services. They do not allow you to host services, they block ports, hijack DNS queries and regulate bandwidth according to where your traffic is going. That is not an Internet connection, it's a connection to Internet services.

Remove Tracking Devices From Your Websites

Google Analytics and "share/like" buttons are everywhere; with or without Javascript these items are tracking devices that follow users across the web. Most of these "share" buttons can be provided without requiring users to connect to a 3rd party.

There are other examples of content loaded from 3rd parties, like Javascript libraries (api.google*, jQuery) and Gravatars; these things can be sent from your website to your visitors, either by keeping a local copy or by proxying the connection (I do that for Gravatar).

Users may employ Request Policy to avoid loading these things; the better solution would be for website design to take users' privacy into account.
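Proxying is the option that needs a little code, so here is an added example of it for the Gravatar case (not the author's own setup; the post only says Gravatar is proxied). The page links to `/avatar/<hash>?s=<size>` on your own host; a small server fetches the image from Gravatar once, caches it on disk and serves it from then on, so Gravatar only ever sees the server's address instead of every visitor's IP, page and browser details. The hash scheme (md5 of the trimmed, lower-cased address) is Gravatar's documented one; the cache directory, port, size cap and the `alice@example.org` address are assumptions of the example.

```python
"""Proxy Gravatar through your own host so visitors never talk to gravatar.com.

Added example, not the author's setup. Only a 32-hex-digit hash is accepted
in the path, so the proxy cannot be turned into a general fetcher of
arbitrary upstream URLs.
"""
import hashlib
import re
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

UPSTREAM = "https://secure.gravatar.com/avatar/"
CACHE_DIR = Path("avatar-cache")   # assumption
MAX_SIZE = 512                     # assumption: refuse absurd sizes
HASH_RE = re.compile(r"^/avatar/([0-9a-f]{32})$")


def gravatar_hash(email):
    """Gravatar's identifier: md5 of the trimmed, lower-cased address."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def local_avatar_url(email, size=80):
    """What to put in your HTML instead of a gravatar.com URL."""
    return f"/avatar/{gravatar_hash(email)}?s={size}"


def parse_avatar_path(path):
    """Return (hash, size) for a well-formed /avatar/<hash>?s=N request,
    or None for anything else (bad hash, non-numeric or out-of-range size)."""
    parts = urlsplit(path)
    m = HASH_RE.match(parts.path)
    if not m:
        return None
    size_text = parse_qs(parts.query).get("s", ["80"])[0]
    if not size_text.isdigit():
        return None
    size = int(size_text)
    if not 1 <= size <= MAX_SIZE:
        return None
    return m.group(1), size


def fetch_upstream(h, size):
    """The single request to Gravatar, made by the server, not the visitor."""
    with urllib.request.urlopen(f"{UPSTREAM}{h}?s={size}&d=identicon", timeout=10) as r:
        return r.read()


def cached_avatar(h, size, cache_dir=CACHE_DIR, fetch=fetch_upstream):
    """Serve from disk when possible; otherwise fetch once and store."""
    cache_file = cache_dir / f"{h}-{size}.jpg"
    if cache_file.exists():
        return cache_file.read_bytes()
    data = fetch(h, size)
    cache_dir.mkdir(parents=True, exist_ok=True)
    cache_file.write_bytes(data)
    return data


class AvatarHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        parsed = parse_avatar_path(self.path)
        if parsed is None:
            self.send_error(404)
            return
        data = cached_avatar(*parsed)
        self.send_response(200)
        self.send_header("Content-Type", "image/jpeg")
        self.send_header("Content-Length", str(len(data)))
        self.send_header("Cache-Control", "public, max-age=86400")
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    print(local_avatar_url("alice@example.org"))   # constructed address
    HTTPServer(("127.0.0.1", 8080), AvatarHandler).serve_forever()  # assumed port
```

The same shape (strictly validated path, one upstream fetch, local cache) works for the jQuery and API scripts the paragraph mentions, although for static files a local copy is simpler still and removes the upstream dependency entirely.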

s/Internet/internets/

None of this is news to those who've been following. It is relevant to many people now because PRISM has reflected a lot of colourful light on a tangible, bothersome aspect: privacy.

Some suggest using things like Tor and VPNs, and encrypting emails and chat messages. I think those are very good tools (Tor is insanely beautiful); however, they are not the solution to the problem we face today. Email encryption does not hide metadata (from/to/date/subject, and IPs in some cases); using Tor to connect to Yahoo mail does not make your conversation private, it makes it anonymous, on the condition that you never use your real name or other real details. OTR does not hide your relations and conversation timestamps, only the content of the messages.

Other solutions could be Meshnet(s), I really like this idea. The only thing that bothers me is having to re-invent and re-build The Network (Internet).

We need to think about what we want to do with our Internet while it still can be ours. Do we really want to cut off connections? The goal of the Internet is to have one network open to everyone; do we want to replace that with multiple internets?