Triple your privacy with a Chromebook and two VPNs

Credit to Author: Michael Horowitz| Date: Fri, 31 Mar 2017 15:27:00 -0700

Now that Republicans in Congress have sold us out, everyone is writing about technical ways to prevent your Internet Service Provider (ISP) from watching your on-line activity. The FBI and the British Government complain about bad guys going dark, but now the rest of us have to do so too, if we want any shred of privacy.

The generic, knee-jerk reaction is to use either a VPN or Tor. Both offer encryption that stealths you to your ISP. I wrote about them back in September (A Defensive Computing term paper on privacy: VPNs, Tor and VPN routers) but here I’m taking things a bit further. 

Nerds often say that Tor offers the best anonymity but it is far from perfect. For one thing Tor has a huge target painted on its back. Every spy agency in the world is focused on breaking it. And, the anonymity offered by Tor greatly depends on how you get to it.

The safest way to use Tor is by booting the Tails version of Linux off a CD, DVD or USB flash drive, but, this is too hard for many people. The Tor Browser is easier to use but not as secure. Just a few months ago, Darlene Storm wrote that a Firefox zero-day can be used to unmask Tor browser users

Some also suggest using HTTPS secure websites to hide from an ISP, but the privacy this offers is weak. While the contents of web pages are encrypted, the domain name is not. Just knowing that you visited the i-like-to-have-sex-with-turtles.com website is enough for blackmail.

By the way, have you heard the latest re-definition of ISP? Invade Subscriber Privacy. Hats off to whoever came up with that.

As a Defensive Computing guy, I have been focused on privacy invasions by an ISP for a while now. I’m well past generic reactions. Here I propose a Chromebook and two VPNs to dial your security and anonymity up to 11.

Part of the privacy boost comes from the Chromebook, part from the VPNs.

CHROMEBOOK ISOLATION AND LOCKDOWN

For the Chromebook, I suggest creating a Google account that is used only on the laptop and nowhere else. The point is to isolate the machine as much as possible.

Nothing new here, anyone serious about privacy should always isolate their private activity to a computer (real or virtual) devoted to that purpose. I would argue that the fatal flaw with Tor browser is that it typically runs on the same computer people use for other stuff.

For added protection, disable any active browser extensions. As I wrote about recently, there are extensions that can spy on you

And, of course, disable the Adobe Flash Player (it’s a plug-in, not an extension). To block Flash in Chrome, click the three vertical dots in the top right corner, then Settings, then “Show advanced settings..”, then the gray “Content settings…” button, then, in the Flash section, opt to “Block sites from running Flash”.

Private browsing mode (“incognito” to Chrome) is, of course, the friend of anyone wanting to hide their tracks. More on this later.

OS LEVEL VPN

The secret sauce here is using two VPNs concurrently.

Chrome OS, the operating system on a Chromebook, supports two types of VPN: OpenVPN and L2TP. I can only speak from experience about using L2TP.

Creating a new L2TP VPN definition on Chrome OS 56

Initial setup of an L2TP VPN connection (see above) involves entering five pieces of data: a VPN server name, a pre-shared key, a VPN userid, a VPN password, and a name by which to refer to this clump of data. All this data can be saved by checking the “Save identity and password” box.

Note that there is a bug in Chrome OS version 56. After entering the data for a new VPN connection, the button at the bottom of the window says “Connect”. It should say “OK”. Clicking the Connect button does not connect you to the just entered VPN, it merely saves the data you entered. Chrome OS version 57, released on March 29, 2017, fixes this.

Typically a VPN provider has dozens, if not hundreds of VPN servers that you can connect to. On Chrome OS, each server requires a different VPN definition. I always end up with connections named after the city where the VPN server resides.

Once the data defining a VPN connection is saved, you connect to it by clicking in the bottom right corner of the screen, what Windows folks would call the system tray. Then click on “VPN disconnected”, then the name of a VPN connection. There is no progress bar while the connection is being made, but a small (very small actually) key appears under the Wi-Fi signal strength indicator when the connection is made.

I recommend checking your public IP address before and after making the VPN connection to insure that it changes. You can do this at many sites including ipchicken.com, checkip.dyndns.com and ip2location.com. Also, after the connection is made, clicking the bottom right corner of the screen again will say “Connected to xxx” where xxx is the name of a VPN connection definition.

BROWSER ONLY VPN

Now that Chrome OS is using a VPN, you can start another VPN from within the Chrome browser.

A handful of VPN providers offer their service as a web browser add-on. VPN connections made within a browser only protect web pages in that browser. In this way, they function much like the Tor browser. But, in Chrome OS, pretty much everything runs through the Chrome browser.

Making a browser-only VPN connection can be as easy as clicking a button or two, assuming you let the browser save the userid/password needed for this second VPN provider.

As with the initial Operating System level VPN, check the public IP address before and afterwards to insure the browser-only VPN connection has kicked in. It’s a nerd thrill to watch a computer go from its initial public IP address to a second and then to a third. Kind of like traveling around the world without actually going anywhere, especially if you check the public IP address using ip2location.com.

You sign up for this VPN service in a normal browser window. If you prefer, Chrome can save the necessary login information for you. Whether it does or not, you will need to initiate the VPN connection from a normal browser window, doing so from incognito mode does not work.

Incognito mode also blocks extensions by default. To let the browser-based VPN function in incognito mode, enter

    chrome://extensions

in the address bar. Find the extension for the VPN and check the “Allow in incognito” box. Thereafter, new incognito windows will be protected by the second VPN. You should, of course, verify this by checking the public IP address.

TAKING STOCK

So, exactly what have we done here?

Your ISP can see that you are using the Operating System level VPN (the first one). They have no clue, however, that you are also using a browser based VPN.

The provider of the Operating System VPN knows where you are and may even know who you are because you pay for the service. But all they see is that you made a connection to the VPN server of the browser level VPN provider. They too, are blind to your on-line activities.

The browser based VPN provider does see what you do online, just as a Tor exit node does. But, they don’t know where you are. They see that you came from a VPN server run by the first VPN provider. Still, it’s important that they not know who you are.

ANONYMITY

A key point to Tor is that none of the computers in the Tor network know who you are. The entry node (the first Tor computer you communicate with), however, knows where you are based on your public IP address, there is no getting around that. For the best possibly anonymity, don’t use Tor at home.

If you anonymously sign up with two VPN providers, then the scheme described here is virtually Tor. Far too many articles ignore the fact that you can pay for a VPN anonymously. 

Many VPN providers allow payment with Bitcoin or gift cards. Below is a screen shot from the website of Private Internet Access showing that they accept gift cards.

VPN provider Private Internet Access is one of many that accept gift cards for payment

For still more anonymity, I know of two VPN providers that take cash. You go to their website and get assigned a customer number. Then you mail them cash and tell them to credit that customer number.

Even with all that, you need to be aware that the use of VPNs and Tor is visible to an ISP.

Interesting story about that. Once upon a time, there was a college student who hadn’t studied for a test. So, he tried to cancel the test by generating a phony bomb scare. The techies at the university were able to identify who on their network had been using Tor around the time of the bomb scare. This narrowed down the list of suspects sufficiently to identify the guilty party.

The more people that use VPNs, the less they will stand out from the crowd. Thanks to Congress, more people will, undoubtedly, be using a VPN. 

FINALLY

Doubling up on VPNs is not something anyone would want to do constantly. It takes time to set up and there will be a performance hit going through two different VPNs.

In my limited experience with this, it has been faster than Tor, but your mileage will obviously vary. In part, this comes from the fact that VPNs compete based on speed. And, most VPNs let you chose a server that is physically close to you, something that is not an option with Tor.

As always, if the Operating System itself is hacked, all bets are off, regardless of VPNs and Tor. Chrome OS checks itself at system startup to insure that it hasn’t been hacked. The paranoid among us can refresh the system at any time with the built-in Powerwash feature.

Rest assured, if you are a Yankee fan living in Boston, doubling up on VPNs should keep your secret safe from Red Sox nation.

Next up: VPN providers that support Chrome OS

– – – – – – – 
Now that Computerworld, and all of parent company IDG’s websites, have eliminated user comments, you can get in touch with me privately by email at my full name at Gmail. Public comments can be directed to me on twitter at @defensivecomput

http://www.computerworld.com/category/security/index.rss