Sunday, June 19, 2011

Why Foxy Proxy > Torbutton

Ok, so I said I'd post this the next day and well, I didn't.  Too much stuff going on.  Crash course Bitcoin mining, fun with KVM, and a few other projects that I have plans to include tutorials on.

Now, before I get on to the topic, I'd like to point out that Tor, I2P, etc. is just how I utilize the features in Foxy Proxy.  If you are in a country that actively censors and monitors your Internet connection and you use proxies to circumvent your government firewall and surveillance, the methods used here are highly recommended for this situation as well, and I will add a few example rules at the end to give you an idea of how to set up dynamic auto-triggering proxy rules for Facebook, Twitter, Google, etc.

Alright, so why Foxy Proxy?

I hear lots of talk about Torbutton and I'll admit, I used it myself up until Firefox 4 came out and it was no longer supported.  So I waited. And I waited.  In the meantime I also happen to be interested in many other Darknet technologies such as I2P, Freenet, Tahoe-LAFS and their potential impact on the future of online communication.  Unfortunately, running these, especially at the same time, can be quite frustrating.  Usually the solution is to run them in different browsers, which is less than ideal.  It would be nice if I could just run them all seamlessly in the same Firefox session and somehow have Firefox intelligently use the proper proxy/Darknet depending on the link I load.  Of course, neither Torbutton nor the Firefox proxy tab is going to help you there.

Then, as I began to get impatient waiting for the new Torbutton, I decided to give Foxy Proxy a shot.
Once I really dug in and started learning its features I found it to be so far beyond Torbutton that it really doesn't compare and magically, all these problems disappeared.

In fact, I would even go as far as to say that Foxy Proxy is not only a suitable drop-in replacement for Torbutton, it can also go a bit further to protect your privacy.

Let me explain the concept first, then I will show how using Foxy Proxy can potentially improve your privacy over Torbutton.

With Foxy Proxy, you can set up multiple proxies, give each of them matching rules, and put them in the order you want Foxy Proxy to look through them.  The first match found by Foxy Proxy will be used and the rest are then ignored for that link. If it helps, think of it the way a firewall like iptables works: the first match wins.

Let me give an example.  Let's say that you are behind some sort of firewall that blocks gmail or facebook or something of the sort.  Now let's say you have a proxy that will let you get to that site, but you only want that proxy used for that site and ignored otherwise.  Foxy Proxy allows you to set up rules like this.
Basically, you just add an entry in Foxy Proxy (I will show how to do this in a bit) to use such and such proxy for gmail above the default no proxy rule.
Now if you go to gmail.com the first rule will match and your proxy will kick in.  If you instead go to yahoomail.com, it will ignore the first rule and go to yahoomail.com without a proxy.

Now, how does this relate to Tor and more importantly, how can this increase your privacy versus something like Torbutton?  Well it all comes down to the convenient fact that in most Darknet systems, the hidden services use a specialized domain name.  For Tor this is .onion.
Alright, so you're thinking, "Ok, so I'm using Torbutton or whatever and I click a .onion address and I'm running Tor and it loads up and what's the problem?"
And that's fine, but the problem comes when you accidentally click on a .onion address and you are NOT using Tor.  Well, what happens then is you get a nice little error from your ISP saying basically "What the heck is that?"
Cause how does a Polar Be- err I mean ISP know what .onion is?
Well, they don't, but they logged the attempt anyways.
Get it?
Same goes for I2P, Freenet, etc.
This is where Foxy Proxy comes in.

What I will show you is not only how to set up Tor with Foxy Proxy, but also how to catch stuff that you only want sent through certain proxies and 404 them if that proxy is not running or broken before it leaves your machine and gets logged by your ISP.  This is especially useful for those living in countries that actively censor and monitor their citizens' Internet activity.
Of course, standard disclaimer:  The idea is to maintain your privacy. If you think you're going to do this and break the law and not get caught, well sorry to burst your bubble, but it won't work. Tor and Darknets are not enough to break the law and never get caught. (Google "Tor timing attacks")

What this will show you is the best way (that I am aware of) of seamlessly browsing sites and having them load automatically in the proxy/Darknet you want them to and not from anywhere else. I like to think of it as practicing good browser proxy hygiene.

So ok how does this work?
I'm going to use Tor and I2P for this example since they have unique domain names.  Freenet is a bit different and I haven't really tried to use Foxy Proxy with it yet.

The first one I will show is I2P, since you are generally only using I2P to browse I2P sites, as it's generally not designed to be an anonymous portal to the general Internet.
First grab the latest Foxy Proxy here: https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/

Now when you open Foxy Proxy, you should be on the Proxies tab.
There should already be a "Default" proxy.  We are going to leave that one there and click on Add A New Proxy on the right.
A dialog box should open and now click on the tab for Proxy Details.
By default, I2P uses localhost (127.0.0.1) on port 4444 for http and 4445 for https.
We are first creating the I2P http proxy, so enter 127.0.0.1 for the IP Address and 4444 for the port.
Make sure manual proxy is selected.
Now switch to the tab "URL Patterns"
This is where we specify what gets sent to this proxy.  You can use either regular expressions or the general wildcard method to create the rule.  I'm using the wildcard method because these rules are pretty straightforward.
What we want is all http:// sites that have a top level domain of .i2p to be sent to this proxy.
So what we do is click "Add New Pattern" and enter  http://*.i2p/*  as the url pattern, check whitelist to make this a whitelist, wildcards to specify the URL Pattern is using the wildcard method, and then click enable to turn it on.  Then click ok and now we just have to move to the General tab and give it a unique color.
The Foxy Proxy icon in your browser will turn the color of the current proxy being used and spin around so you know which one it's using.  Just make sure that it's a different color than the default.  (Blue, I believe, is what the default "no-proxy" is set as.)
Click "Enable" on the General tab and give it a name if you wish.

Ok so if you managed that, the rest will be easy.  For the I2P https, we do the same exact thing but have the port as 4445, the URL Pattern as  https://*.i2p/* , and set it to its own unique color.
Now just make sure that you move the two new proxies above the Default one so they are checked by Foxy Proxy first and then change the top dropdown box from "Use Default for all" to "Use proxies based on their pre-defined patterns and priorities"

Now you are able to use the same Firefox session to browse I2P and the general Internet as well. If you click on a link with an address of .i2p Firefox will automatically use I2P to load the link and if you want to check your gmail or facebook or whatever, you just do this normally and Firefox will use your normal ISP internet connection (or whatever other nameserver you have set up).
Also, now if you click on an I2P link like in your bookmarks or something while you are not running I2P, Foxy Proxy will catch it, try to load the I2P proxy and fail without it ever getting sent to your ISP.

Now for the Tor rules.
While Tor allows the access to .onion hidden services it is also used as an anonymous portal for the general Internet, so the rules need to be a bit different.
We are going to want two rules, one for .onion addresses and one for everything else.
For the .onion proxy, we are going to do pretty much the same thing as we did for I2P.
Set the proxy as 127.0.0.1 and the port (assuming the default privoxy/polipo port) of 8118.
Then set the URL Pattern to *.onion* and set the rest as the same as was set up for I2P with the exception of the name and color for the proxy.  Move this proxy to be above the "Default" proxy.

For the second rule, we are going to do the exact same as the above Tor proxy, but we are going to set the URL Pattern to be simply "*"  (without the quotes). Move this proxy above the "Default" but under the .onion proxy and give it a decent name like "Default Tor".

Now with all the proxies enabled, you can browse I2P and Tor seamlessly without needing different browsers.
When you want to surf the general web, just open Foxy Proxy and disable the Default Tor proxy and you are again using the general Internet, and if you click on a .onion address it will still use Tor or 404 depending on whether you are running Tor. Either way, nothing will get sent to your ISP that is related to Tor or I2P hidden service sites.  If you want, you can even browse I2P, Tor Hidden Services, and the general Internet all in one browsing session.
Just make sure to use the "Ref Control" (https://addons.mozilla.org/en-US/firefox/addon/refcontrol) Firefox plugin to prevent your referring URLs from being sent back and forth, but if you read my last post, you are already doing that.
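
To check a rule order before trusting it, here is a small model of the proxy list built above (an added example, not part of the original post and not Foxy Proxy's own code). It assumes "*" matches any run of characters and that a pattern must match the whole URL; the function names and sample hostnames are made up for illustration. Under that assumption it reports any .onion or .i2p URL that would fall through to the no-proxy Default, such as an .i2p address with an explicit port once Default Tor is disabled.

```javascript
// Added example: a model of the rule list built in this post, not Foxy Proxy's code.
// Assumption: "*" matches any run of characters and a pattern must match the whole URL.
const DIRECT = "DIRECT";

function wildcardToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$", "i");
}

// Order matters: the first enabled rule whose pattern matches wins.
function buildRules({ defaultTorEnabled = true } = {}) {
  return [
    { name: "I2P http",    proxy: "127.0.0.1:4444", pattern: "http://*.i2p/*",  enabled: true },
    { name: "I2P https",   proxy: "127.0.0.1:4445", pattern: "https://*.i2p/*", enabled: true },
    { name: "Tor .onion",  proxy: "127.0.0.1:8118", pattern: "*.onion*",        enabled: true },
    { name: "Default Tor", proxy: "127.0.0.1:8118", pattern: "*",               enabled: defaultTorEnabled },
    { name: "Default",     proxy: DIRECT,           pattern: "*",               enabled: true },
  ];
}

function route(rules, url) {
  const hit = rules.find(r => r.enabled && wildcardToRegExp(r.pattern).test(url));
  return { url, rule: hit.name, proxy: hit.proxy };
}

// A darknet URL that resolves to DIRECT would be looked up on the normal connection.
function findLeaks(rules, urls) {
  return urls
    .filter(u => /^https?:\/\/[^\/]*\.(onion|i2p)(:\d+)?(\/|$)/i.test(u))
    .map(u => route(rules, u))
    .filter(r => r.proxy === DIRECT);
}

// Constructed sample URLs (hostnames are placeholders).
const SAMPLE_URLS = [
  "http://example.i2p/",
  "https://example.i2p/index.html",
  "http://exampleexample.onion/",
  "http://example.i2p:8080/",       // explicit port: ".i2p/" never appears in the URL
  "https://mail.example.com/inbox",
];

// "General web" mode from the post: Default Tor switched off.
const demoRules = buildRules({ defaultTorEnabled: false });
for (const u of SAMPLE_URLS) console.log(route(demoRules, u));
console.log("leaks:", findLeaks(demoRules, SAMPLE_URLS));
```

In this model, patterns such as http://*.i2p:*/* and https://*.i2p:*/* added to the two I2P proxies would catch the explicit-port case.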

Well there you go, and like promised, here are a few example wildcard URL Patterns for commonly blocked sites in censored countries:
*.facebook.com/*   *.twitter.com/*   *.gmail.com/*   *.wikileaks.org/*
Seeing a pattern yet?  Good, and don't forget to use the SSL or https:// secure versions of these sites!
In fact, head over to http://www.eff.org/https-everywhere now and grab the auto https plugin from the superheroes at eff.org.
Well, I hope this was a help to someone.  Thanks for reading. One more short posting on how to filter known bad Tor exit nodes and that will complete this little round of Tor how-tos.
Then hopefully on to a KVM networking tutorial or two.

-ng