Thursday, November 17, 2011

I2P - Anonymity for the Masses


1. Introduction

For many years people have wanted to protect their right to privacy. As technology changes, it seems that privacy erodes more and more. I2P is a protocol used for an encrypted multi-proxy on the Internet. While this sounds simple, there is actually a lot of work going on inside I2P to achieve it. Unlike some multi-proxies, I2P lets you tunnel many more applications through it than just web browsing, which makes it a very robust protocol.
I2P is available for all platforms, not just Linux. For this example I have used Debian Sid to perform the installation. With the exception of 'apt-get', these instructions should work fine with any Linux distribution. If you experience problems, please seek documentation for your distro or visit our new Linux Forum.

2. Legal Disclaimer

As I explain this to help you maintain privacy, there will always be a few bad apples in the crowd. I do not condone the use of this article for anything illegal. Even if you are not passing illegal information over I2P, please check your country's laws on encryption and its export before you begin.

3. The Problem with Tor

One would probably see I2P as overkill without knowing the downfalls of its predecessor. Tor was once a wonderful multi-proxy used for hiding IP addresses and bouncing off servers all over the world. At one time, it was even trusted by most governments for strong anonymity. All of that seemed to change after an article was posted in 2600: The Hacker Quarterly. One author exposed how becoming an exit node for Tor allowed all the traffic on the Tor network to pass right through your machine. Becoming an exit node was the same as performing a Man-In-The-Middle attack. All one had to do was open up a packet sniffer and see all the traffic going through encrypted. Tor is still used by people trying to protect their privacy. But at the same time it has become a playground for hackers and for governments monitoring what they consider suspicious. I2P has addressed this problem while adding more functionality.

4. How it Works

I2P uses bundled encryption over a multi-proxy network like Tor. The packets are bounced all over the globe between everyone using I2P. However, the packets are encrypted with ElGamal and AES encryption. Using bundled encryption like this means that each node on the path can only decrypt the next hop as the packet passes through it. I2P is end-to-end encryption. Nothing else is decrypted along the path, including the sender and recipient. Once inside the network IP addresses are not even used. Your node is assigned an address of garbled text to use as an identifier. I2P is also a decentralized network. Every client is also a server on the network. This means there is no single point of failure and more anonymity. There are tons of documents in the I2P control panel explaining this more in depth. For now, that should give you a good overview of how I2P works.

5. Beyond Web Surfing

There are many applications for the I2P protocol. I2P is used for tunneling, just like SSH. Because of this, you can do many things with it. You can use it to tunnel SMTP and POP3 for anonymous email. You can use it for chat clients and P2P. What I found most interesting was anonymous hosting. I2P allows you to host what is referred to as an Eepsite. While some of these are indexed by Google, no one can connect to the site without using I2P. Blocking robots and spiders allows you to host a complete darknet site. No one would know your site exists except you and the people you give your domain to. These are all things that other multi-proxies can't or won't let you do.

6. Installation

Before you begin, you should make sure you have Java 1.5 or greater installed. If not, install it now.
# apt-get install sun-java6-jre
Whether Debian or Ubuntu, the repos for this package are the same. Add the following lines to your apt repository sources.
# The actual repo for i2p on Debian, even though it's an ubuntu PPA
deb http://ppa.launchpad.net/i2p-maintainers/i2p/ubuntu natty main
deb-src http://ppa.launchpad.net/i2p-maintainers/i2p/ubuntu natty main
Now we update our packages and use apt-get again to install I2P.
# apt-get update
# apt-get install i2p
Now that the package is installed, we still have one more thing to take care of. By default i2p runs on port 20000. If you are behind a NAT firewall you need to forward that port in your router's settings. Depending on how iptables is configured in your OS, you may have to allow the port there too. Here are some iptables commands that will allow TCP and UDP traffic on that port.
iptables -I INPUT 1 -i wlan0 -p tcp --tcp-flags SYN,RST,ACK SYN --dport 20000 -m conntrack --ctstate NEW -j ACCEPT

iptables -I INPUT 1 -i wlan0 -p udp --dport 20000 -m conntrack --ctstate NEW -j ACCEPT
As you can see here, I am specifying wlan0 as the interface this rule applies to. You may need to supply a different interface, or remove the interface name and -i to make the rule apply to all interfaces. I will show you later how to change the port i2p is using. For now we need to get it running first.
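As an added example (not from the original post), here is a small POSIX shell helper that generates the two rules above for any port and an optional interface, so the same commands still work once you change the port in the router console; the function names and the port check are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: build the iptables rules
# for the I2P listening port. Port and interface are parameters so the
# same helper serves the default 20000 and any port picked later.

# Return 0 if $1 is an integer in 1..65535, else 1.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the TCP (new SYN only) and UDP rules for port $1.
# With interface $2 the rules carry "-i $2"; without it they apply to
# every interface, which is the variant the text describes.
i2p_fw_rules() {
    port=$1
    iface=${2:-}
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    if [ -n "$iface" ]; then
        iopt="-i $iface "
    else
        iopt=""
    fi
    printf 'iptables -I INPUT 1 %s-p tcp --tcp-flags SYN,RST,ACK SYN --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$iopt" "$port"
    printf 'iptables -I INPUT 1 %s-p udp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$iopt" "$port"
}

# Echo each rule and then run it (needs root to actually change iptables).
i2p_fw_apply() {
    i2p_fw_rules "$@" | while IFS= read -r rule; do
        echo "+ $rule"
        sh -c "$rule" || return 1
    done
}

# Show the rules for the default port on wlan0 without applying them.
i2p_fw_rules 20000 wlan0
```

Run `i2p_fw_apply 20000 wlan0` as root to insert the rules, or `i2p_fw_apply <newport>` after you have changed the port in the Bandwidth In/Out section of the console.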
The last thing we need to do is start our i2p router. This is what we will use each time to start and stop i2p on our machine.
$ sh /usr/bin/i2prouter start
Starting I2P Service...
Waiting for I2P Service.....
running: PID:26163
Since i2p is decentralized, you will need a few minutes to gather peers. If you are using KDE, Konqueror will pop up shortly displaying the i2p router console. If not, you can navigate to http://127.0.0.1:7657/ in your browser after a few seconds. You should see something like the image below.
(Image: i2p router console)
On the left panel, there is a section marked Peers. The i2p console suggests having at least ten peers before attempting to begin. However, depending on how much bandwidth those peers are uploading, this may not be sufficient to connect to a web page. I've found forty to sixty peers is usually a good place to start. This may be the point where you want to make a cup of coffee, as this part can take a while.
When first starting, the console will be testing the network. The console shows this on the left panel under Network. In a few seconds it should say either OK or Firewalled. Firewalled means i2p is not getting through your firewall. Under the Tunnels section you should see either Accepting or Rejecting Tunnels. These are self-explanatory. The i2p console states that both of these can show false positives for broken connections. But if you experience any problems this is a good place to start.
You can also click on Bandwidth In/Out to set the upload and download speed you would like to handle. Keep in mind that this affects not only you but the entire network. When too few people upload, the entire network may slow to a crawl. You can also set what port you want i2p to run on in this section. Using the default may aid an attacker in discovering what you're running should this protocol become vulnerable.
Once we have enough peers, we just need to configure Firefox to use the proxy. Go to Firefox's Edit menu and select Preferences. Select the Network tab and click the button marked Settings. Fill in the pop-up box with these settings to tunnel Firefox through i2p.
(Image: settings to tunnel Firefox through i2p)
Now we can surf the Internet without fear of everyone and their mother looking over our shoulder.

7. How Strong is I2P?

I2P claims to be strong enough to stop your mom, your ISP, or your government from finding where you connect. While I question the last one, I decided to test it for myself. I opened up Wireshark to sniff my packets while I surfed the net. Not only could I not see the websites I connected to, I couldn't see myself connecting to the I2P network either. On top of that, there was no HTTP traffic shown. Mostly there were TCP packets that were blank or UDP packets that were only full of garbled text.
I decided to visit a site to try to reveal my IP and user-agent. What came back was an IP address on the other side of the globe and a user-agent string that claimed I was using Windows. This adds another level of protection, as determining an OS is usually one of the first steps in an attack.

8. Where this can be improved

This protocol only began in 2003, so it is still very young. Worse yet, it is still very under-utilized. This is bad because very few people upload as much as they download. The more users who get on this network, the faster it will become. Perhaps some kind souls will dedicate some bandwidth to help this along.
Surfing the web seemed easy once you had enough peers. The only speed bump was that i2p does not play well with SSL. No HTTPS traffic makes it through. One can use a tool like sslstrip.py to rip the SSL out of your traffic. Perhaps this kind of thing could be done by the development team without sslstrip. Imagine that, using sslstrip to actually improve security! I'll take AES over SSL any day.

9. Conclusion

While there is no lock that can't be broken, i2p is certainly a challenge. There may come a time when this protocol is reduced to what Tor is now. But at the time of this writing I have not found a safer way to use the Internet that is free, open source and widely available to the public. I encourage you to try this application for yourself. The i2p router console contains tons of documents on anything you could possibly want to know about i2p. If you believe in free speech and a right to privacy, this is an up-and-coming tool for the digital age. Do your part to help this community grow!
